
Example Analysis of two important vulnerabilities in Tomcat

2025-01-22 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/02 Report--

This article walks through two important vulnerabilities recently disclosed in Apache Tomcat. The editor considers it very practical and shares it here for study; I hope you gain something from reading it.

Today, the Tomcat project disclosed two new vulnerabilities rated Important:

CVE-2011-337*** Apache Tomcat Information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

◆ Tomcat 7.0.0 to 7.0.21

◆ Tomcat 6.0.30 to 6.0.33

◆ Earlier versions are not affected

Description:

For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that need to be added to the access log, the access logging process triggers the re-population of the request object after it has been recycled. However, the request object was not recycled again before being used for the next request. That led to information leakage (e.g. remote IP address, HTTP headers) from the previous request to the next request.

The issue was resolved by ensuring that the request and response objects were recycled after being re-populated to generate the necessary access log entries.

The solution:

◆ Tomcat 7.0.x users should upgrade to 7.0.22 or later

◆ Tomcat 6.0.x should be upgraded to version 6.0.35 or later
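To make the recycle-ordering defect concrete, here is a small model of the two caches the advisory describes (added example, not Tomcat's own code). It assumes, as a modelling choice, that the pooled request object resolves the remote address lazily and merges headers into an existing map, so anything left in an un-recycled object survives into the next request; the traffic is constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Request:
    """Pooled internal request object: filled by populate(), cleared by recycle()."""
    remote_addr: str = ""
    headers: dict = field(default_factory=dict)

    def populate(self, parsed):
        # Modelling assumption: the address is resolved lazily and cached until recycle(),
        # and headers are added to the existing map rather than replacing it, so leftovers
        # from an object that was not recycled survive into this request.
        if not self.remote_addr:
            self.remote_addr = parsed["remote_addr"]
        self.headers.update(parsed["headers"])

    def recycle(self):
        self.remote_addr = ""
        self.headers.clear()


class Connector:
    """One pooled Request plus the processor's own cache of the parsed data."""

    def __init__(self, recycle_after_logging):
        self.recycle_after_logging = recycle_after_logging  # False: vulnerable, True: fixed
        self.request = Request()
        self.processor_cache = None
        self.access_log = []

    def serve(self, parsed, fails=False):
        """Process one request; returns the (address, headers) the application saw."""
        self.processor_cache = parsed          # processor parses and caches the raw request
        self.request.populate(parsed)
        seen = (self.request.remote_addr, dict(self.request.headers))
        self.request.recycle()                 # normal end-of-request recycling
        if fails:
            # Error path from the advisory: access logging re-populates the already
            # recycled request object from the processor cache to build the log entry.
            self.request.populate(self.processor_cache)
            self.access_log.append((self.request.remote_addr, 500))
            if self.recycle_after_logging:     # the fix: recycle again after logging
                self.request.recycle()
        self.processor_cache = None            # the processor is recycled on its own schedule
        return seen


def second_request_view(fixed):
    """Constructed traffic: a failing request from 10.0.0.1 with a Cookie, then a request
    from 10.0.0.2 without one. Returns what the second request was processed with."""
    c = Connector(recycle_after_logging=fixed)
    c.serve({"remote_addr": "10.0.0.1", "headers": {"Cookie": "JSESSIONID=aaa"}}, fails=True)
    return c.serve({"remote_addr": "10.0.0.2", "headers": {"User-Agent": "curl"}})
```

With `fixed=False` the second request is processed with the first client's address and Cookie; with `fixed=True` it sees only its own data.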

CVE-2012-0022 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

◆ Tomcat 7.0.0 to 7.0.22

◆ Tomcat 6.0.0 to 6.0.33

◆ Tomcat 5.5.0 to 5.5.34

◆ Earlier, unsupported versions may also be affected

Description:

Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values. These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used, which in turn could create a denial of service.

The issue was addressed by modifying the Tomcat parameter handling code to efficiently process large numbers of parameters and parameter values.

Mitigation:

Users of affected versions should apply one of the following mitigations:

◆ Tomcat 7.0.x users should upgrade to 7.0.23 or later

◆ Tomcat 6.0.x users should upgrade to 6.0.35 or later

◆ Tomcat 5.5.x users should upgrade to 5.5.35 or later

The above is an example analysis of two important vulnerabilities in Tomcat. The editor believes these are points you may encounter or use in daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.
