Three new security vulnerabilities have been found in the Apache Tomcat software package. An attacker can exploit them for a denial of service (DoS) attack, to bypass restrictions, and to disclose sensitive data.
Package:
Apache Tomcat 7.x
Operating systems:
Sun Solaris 9, Sun Solaris 10
Criticality:
6.5
Problem:
inadequate input validation, error in a program component
The vulnerabilities result from errors in the "MemoryUserDatabase" and "AJP protocol connector" components and from inadequate validation of certain input data.
Impact:
A malicious user can exploit these vulnerabilities to bypass imposed restrictions, disclose sensitive data, and carry out a DoS (Denial of Service) attack.
Solution:
All users of this package are advised to upgrade to a newer version in order to stay protected.
Oracle Solaris Apache Tomcat Multiple Vulnerabilities
Secunia Advisory SA47736
Release Date 2012-01-27
Criticality level Moderately critical
Impact Security Bypass
Exposure of sensitive information
DoS
Where From remote
Solution Status Vendor Patch
Operating System
Sun Solaris 10.x
Sun Solaris 9
CVE Reference(s) CVE-2011-2204, CVE-2011-2526, CVE-2011-3190
Description
Oracle has acknowledged a weakness, a security issue and two vulnerabilities in Apache Tomcat included in Solaris, which can be exploited by malicious, local users to disclose sensitive information, bypass certain security restrictions, and cause a DoS (Denial of Service) and by malicious people to disclose potentially sensitive information and bypass certain security restrictions.
For more information:
SA44981
SA45232
SA45748
Solution
Apply patches.
Original Advisory
http://blogs.oracle.com/sunsecurity/entry/cve_2011_3190_vulnerability_in
http://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_apache_tomcat2