
T-598: Apache Tomcat HTTP BIO Connector Error Discloses Information From Different Requests to Remote Users

April 8, 2011 - 5:35am


PROBLEM:

A vulnerability was reported in Apache Tomcat. A remote user may be able to obtain information from a different request.

PLATFORM:

Apache Tomcat v7.0.0 - v7.0.11

ABSTRACT:

When HTTP pipelining is used, the server may return to a remote user a response that belongs to a different request. The vulnerability resides in the HTTP BIO (blocking Java) connector, which is the connector Tomcat 7 selects for protocol="HTTP/1.1" unless the APR/native library is installed.

REFERENCE LINKS:

Apache Tomcat Security Alert
CVE-2011-1475
SecurityTracker Alert ID: 1025303

IMPACT ASSESSMENT:

Medium

Discussion:

Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining. As a result, when HTTP pipelining was used a range of unexpected behaviours occurred, including the mixing up of responses between requests. The mix-up was only observed between requests from the same user (i.e. requests pipelined on one connection), but a mix-up of responses for requests from different users may also be possible.
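A way to check a test instance for the behaviour described above is to pipeline several requests whose responses are distinguishable and verify that each response comes back for the request it belongs to. The following is an added example, not code from the advisory or from the Tomcat project; the paths /a.txt and /b.txt, their bodies "alpha" and "bravo", and the sample response streams are constructed for illustration. Parsing assumes Content-Length framing, which Tomcat uses for static resources of known size; chunked responses would need a different splitter.

```python
"""Pipelining probe: detect responses returned out of request order
(constructed example; not Apache Tomcat code)."""
import socket
from typing import List, Tuple


def build_pipelined_requests(host: str, paths: List[str]) -> bytes:
    """Concatenate several GET requests into one write, as an HTTP/1.1
    pipelining client does.  Only the last request closes the connection."""
    out = []
    for i, path in enumerate(paths):
        conn = "close" if i == len(paths) - 1 else "keep-alive"
        out.append(f"GET {path} HTTP/1.1\r\nHost: {host}\r\nConnection: {conn}\r\n\r\n")
    return "".join(out).encode("ascii")


def split_responses(raw: bytes) -> List[Tuple[int, dict, bytes]]:
    """Split a byte stream holding back-to-back HTTP/1.1 responses into
    (status, headers, body) tuples.  Assumes Content-Length framing."""
    responses = []
    pos = 0
    while pos < len(raw):
        head_end = raw.find(b"\r\n\r\n", pos)
        if head_end < 0:
            raise ValueError("truncated response header")
        head = raw[pos:head_end].decode("iso-8859-1")
        status_line, *header_lines = head.split("\r\n")
        status = int(status_line.split(" ", 2)[1])
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        length = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = raw[body_start:body_start + length]
        if len(body) != length:
            raise ValueError("truncated response body")
        responses.append((status, headers, body))
        pos = body_start + length
    return responses


def correlate(expected_markers: List[bytes], raw: bytes) -> List[int]:
    """Return the positions whose response body lacks the marker expected
    for the request sent at that position.  Empty list = all in order."""
    responses = split_responses(raw)
    if len(responses) != len(expected_markers):
        raise ValueError(f"expected {len(expected_markers)} responses, got {len(responses)}")
    return [i for i, (_, _, body) in enumerate(responses) if expected_markers[i] not in body]


def probe(host: str, port: int, paths: List[str], markers: List[bytes],
          timeout: float = 5.0) -> List[int]:
    """Send the pipelined requests over one TCP connection and report
    out-of-order responses.  Network call; not used by the offline sample."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_pipelined_requests(host, paths))
        chunks = []
        while True:
            data = s.recv(65536)
            if not data:
                break
            chunks.append(data)
    return correlate(markers, b"".join(chunks))


def _resp(body: bytes) -> bytes:
    """Build one constructed 200 response with Content-Length framing."""
    return (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nContent-Length: "
            + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed streams standing in for a server answering two pipelined
# requests, /a.txt (body "alpha") then /b.txt (body "bravo").
MARKERS = [b"alpha", b"bravo"]
IN_ORDER = _resp(b"alpha") + _resp(b"bravo")   # correct behaviour
SWAPPED = _resp(b"bravo") + _resp(b"alpha")    # the mix-up the advisory describes

if __name__ == "__main__":
    print("in order:", correlate(MARKERS, IN_ORDER))
    print("swapped :", correlate(MARKERS, SWAPPED))
    # Against a live test instance you own:
    # probe("tomcat.test", 8080, ["/a.txt", "/b.txt"], MARKERS)
```

Run the probe only against an instance you are authorised to test. The advisory lists the mix-up as one of a range of unexpected behaviours, so treat a single clean run as evidence rather than proof; repeat it and vary the number and size of pipelined requests.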

Impact:

A remote user may receive the headers or body of a response generated for a different pipelined request, disclosing information from that request. The mix-up was only observed between requests from the same user, but responses for requests from different users may also be exchanged.

Solution:

Users of affected versions should apply one of the following mitigations:

Upgrade to Tomcat 7.0.12 or later
Switch to the NIO or APR/native HTTP connectors, which do not exhibit this issue
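To find out whether a Tomcat 7 installation is running the affected connector, audit the <Connector> elements in conf/server.xml. In Tomcat 7, protocol="HTTP/1.1" (the default) resolves to the BIO connector unless the APR/native library is on the library path, and protocol="org.apache.coyote.http11.Http11Protocol" selects BIO explicitly; the NIO connector is org.apache.coyote.http11.Http11NioProtocol. The following audit and rewrite helper is an added example, not part of the advisory or of Tomcat; the server.xml sample is constructed.

```python
"""Audit a Tomcat 7 server.xml for HTTP connectors that would run on the
BIO implementation, and show the NIO replacement (constructed example;
not Apache Tomcat code)."""
import xml.etree.ElementTree as ET
from typing import List

# Explicit BIO protocol class in Tomcat 7.
BIO_PROTOCOLS = {"org.apache.coyote.http11.Http11Protocol"}
# The default value auto-selects BIO unless the APR/native library is present.
DEFAULT_PROTOCOL = "HTTP/1.1"
NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"


def _uses_bio(conn: ET.Element, apr_installed: bool) -> bool:
    """True if this <Connector> would be served by the BIO HTTP connector.
    AJP and explicit NIO/APR connectors are never flagged."""
    proto = conn.get("protocol", DEFAULT_PROTOCOL)
    if proto in BIO_PROTOCOLS:
        return True
    return proto == DEFAULT_PROTOCOL and not apr_installed


def bio_connectors(server_xml: str, apr_installed: bool = False) -> List[str]:
    """Return the port attribute of every connector that would use BIO."""
    root = ET.fromstring(server_xml)
    return [conn.get("port", "?") for conn in root.iter("Connector")
            if _uses_bio(conn, apr_installed)]


def switch_to_nio(server_xml: str, apr_installed: bool = False) -> str:
    """Return server.xml with every BIO HTTP connector switched to NIO.
    Comments and formatting are not preserved by ElementTree, so use the
    output as a reference for hand-editing the real file."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if _uses_bio(conn, apr_installed):
            conn.set("protocol", NIO_PROTOCOL)
    return ET.tostring(root, encoding="unicode")


# Constructed server.xml: one implicit-BIO, one explicit-BIO, one NIO and one AJP connector.
SAMPLE = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8081" protocol="org.apache.coyote.http11.Http11Protocol"/>
    <Connector port="8082" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    print("BIO connectors (no APR):", bio_connectors(SAMPLE))
    print("BIO connectors (APR installed):", bio_connectors(SAMPLE, apr_installed=True))
    print(switch_to_nio(SAMPLE))
```

Switching connectors is a stop-gap that changes the I/O model of the server; upgrading to 7.0.12 or later is the fix. If APR is installed, protocol="HTTP/1.1" already resolves to the APR/native connector and need not be changed, which is why the helpers take an apr_installed flag.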
