T-580: Apache Tomcat May Ignore @ServletSecurity Annotation Protections

March 16, 2011 - 3:05pm

PROBLEM:

Apache Tomcat could allow a remote attacker to bypass security restrictions because it ignores @ServletSecurity annotations. An attacker could exploit this vulnerability to reach resources that the annotations were meant to protect and launch further attacks on the system.

PLATFORM:

Apache Tomcat versions 7.0.0 through 7.0.10.

ABSTRACT:

Apache Tomcat May Ignore @ServletSecurity Annotation Protections. A remote user may be able to bypass @ServletSecurity annotation protections.

REFERENCE LINKS:

Apache Tomcat Advisory: Apache Tomcat 7.0.11
CVE-2011-1088
Security Tracker Alert ID:1025215
OSVDB ID: 71027
Secunia Advisory: SA43684
Bugtraq ID: 46685
IBM X-Force ID: 65971

IMPACT ASSESSMENT:

Moderate

Discussion:

The vulnerability is caused by the application not properly enforcing "@ServletSecurity" annotations when loading servlets. This can be exploited to bypass the security constraints specified via the annotations, for example to disclose certain information.

Impact:

The system ignores @ServletSecurity annotations when starting a web application. As a result, some areas of the application do not receive the expected protection. A remote user may be able to bypass @ServletSecurity annotation protections.

Solution:

Upgrade Apache Tomcat to version 7.0.11, the latest version at the time of this alert.
Apache Tomcat 7.0.11 Downloads
Apache Tomcat Versions
Apache Tomcat Update
