Vulnerability in Apache Tomcat kept hidden for months
Written by Rebecca Mints
Tuesday, 10 March 2009 01:19
A vulnerability in Apache Tomcat was discovered by Fujitsu as early as October 2008, but only now has the Apache Software Foundation published a security advisory for it. The issue in the open-source JSP and Servlet container has been assigned the identifier CVE-2008-4308 and is classified as an information disclosure vulnerability.

In the notes accompanying the advisory, the Apache Tomcat Security Team said the flaw was reported to it in October 2008. Publication was held back until now because the reporter, Fujitsu, asked for it to be postponed.

"Bug 40771 may result in the disclosure of POSTed content from a previous request. For a vulnerability to exist the content read from the input stream must be disclosed," the advisory said. In other words, Tomcat itself only mishandles the request body; whether anything leaks to an attacker depends on the deployed application doing something with that body, for example echoing it into the response or writing it to a log.

According to the advisory, the following versions of Tomcat are affected: Tomcat 4.1.32 to 4.1.34 and Tomcat 5.5.10 to 5.5.20. The current 6.0.x branch is not affected. Apache is still checking whether the unsupported Tomcat 3.x, 4.0.x and 5.0.x branches are also affected. Users of affected versions should upgrade to Tomcat 4.1.35, 5.5.21 or 6.0.0 or later to fix the vulnerability.
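A quick way to check an installation against the version ranges listed above, as an added example that is not part of the article or of the Apache advisory. It assumes the standard layout of the Tomcat 4.1, 5.5 and 6.0 distributions (catalina.jar in server/lib for 4.1 and 5.5, in lib for 6.0), that the org.apache.catalina.util.ServerInfo class prints a "Server version:" line, and that java is on the PATH; the sample version strings at the bottom are constructed.

```shell
#!/bin/sh
# Classify a Tomcat version against the ranges in the CVE-2008-4308 advisory:
#   affected:   4.1.32 - 4.1.34  and  5.5.10 - 5.5.20
#   fixed:      4.1.35+, 5.5.21+, 6.0.0 and later
#   not-listed: anything else (3.x, 4.0.x, 5.0.x were still under review
#               when the advisory was published; older 4.1/5.5 releases are
#               not named in it)
# Accepts a bare "5.5.17" or the "Apache Tomcat/5.5.17" form that ServerInfo prints.
tomcat_affected() {
    ver=${1#"Apache Tomcat/"}
    old_ifs=$IFS; IFS=.
    set -- $ver                         # split on dots into $1 $2 $3
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3:-0}
    patch=${patch%%[!0-9]*}             # "18-beta" -> "18"
    case $patch in ''|*[!0-9]*) patch=0 ;; esac
    case "$major.$minor" in
        4.1) lo=32; hi=34 ;;
        5.5) lo=10; hi=20 ;;
        *)
            if [ "$major" -ge 6 ] 2>/dev/null; then echo fixed; else echo not-listed; fi
            return ;;
    esac
    if [ "$patch" -ge "$lo" ] && [ "$patch" -le "$hi" ]; then echo affected
    elif [ "$patch" -gt "$hi" ]; then echo fixed
    else echo not-listed; fi
}

# Print the version string of an installed Tomcat (assumption: catalina.jar
# location and ServerInfo output format as described in the lead-in).
# Usage: tomcat_version [CATALINA_HOME]
tomcat_version() {
    home=${1:-${CATALINA_HOME:?set CATALINA_HOME or pass the install directory}}
    for jar in "$home/lib/catalina.jar" "$home/server/lib/catalina.jar"; do
        [ -f "$jar" ] || continue
        java -cp "$jar" org.apache.catalina.util.ServerInfo 2>/dev/null |
            sed -n 's/^Server version: *//p'
        return 0
    done
    echo "no catalina.jar found under $home" >&2
    return 1
}

# Constructed sample strings in the form ServerInfo prints them; for a real
# host run:  tomcat_affected "$(tomcat_version /opt/tomcat)"
for v in "Apache Tomcat/4.1.31" "Apache Tomcat/4.1.33" "Apache Tomcat/5.5.20" \
         "Apache Tomcat/5.5.26" "Apache Tomcat/6.0.18"; do
    printf '%-22s %s\n' "$v" "$(tomcat_affected "$v")"
done
```

The version check deliberately reports the boundaries exactly as the advisory states them rather than guessing about releases it does not name; a "not-listed" result for a 3.x, 4.0.x or 5.0.x install means unresolved, not safe.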