HP Security Bulletin HPSBST02955 2 - Potential security vulnerabilities have been identified in 3rd party software used in HP XP P9000 Performance Advisor running Oracle and Apache Tomcat Software. HP has updated the Apache Tomcat and Oracle database software to address vulnerabilities affecting confidentiality, availability, and integrity. Revision 2 of this advisory.
89e81c1ac8b82e8cd63e41150737cbd9
HP Security Bulletin HPSBST02955 - Potential security vulnerabilities have been identified in 3rd party software used in HP XP P9000 Performance Advisor running Oracle and Apache Tomcat Software. HP has updated the Apache Tomcat and Oracle database software to address vulnerabilities affecting confidentiality, availability, and integrity. Revision 1 of this advisory.
2c9338f86cc4928d8dbc40a966e7becf
HP Security Bulletin HPSBUX02860 SSRT101146 - Potential security vulnerabilities have been identified with HP-UX Apache running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to create a Denial of Service (DoS) or to perform an access restriction bypass, unauthorized modification, and other vulnerabilities. Revision 1 of this advisory.
de5adbf8e77d688a211ab5701c07611d
Gentoo Linux Security Advisory 201206-24 - Multiple vulnerabilities were found in Apache Tomcat, the worst of which allowing to read, modify and overwrite arbitrary files. Versions 5.5.34 are affected.
bbfac7a6ad2ab503ae26538e4d3ecc94
Red Hat Security Advisory 2012-0681-01 - Apache Tomcat is a servlet container. JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime support for Tomcat. This update fixes the JBPAPP-4873, JBPAPP-6133, and JBPAPP-6852 bugs. It also resolves multiple flaws that weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks.
29b2cdf894331bd174765b26881055a4
Red Hat Security Advisory 2012-0679-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime support for Tomcat. This update includes bug fixes as documented in JBPAPP-4873 and JBPAPP-6133.
c22e91cd15dc6f6704f39bd8a7b86707
Red Hat Security Advisory 2012-0682-01 - Apache Tomcat is a servlet container. JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime support for Tomcat. This update fixes the JBPAPP-4873, JBPAPP-6133, and JBPAPP-6852 bugs. It also addresses multiple flaws that weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks.
c92823d601c7394a37351bbc1fdf71a9
Red Hat Security Advisory 2012-0680-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime support for Tomcat. This update includes bug fixes as documented in JBPAPP-4873 and JBPAPP-6133.
d18a2fa772b5bfebd2156c7deeff6f9f
HP Security Bulletin HPSBOV02762 SSRT100825 - Potential vulnerabilities have been identified with HP Secure Web Server (SWS) for OpenVMS running CSWS_JAVA. The vulnerabilities could be remotely exploited to create a Denial of Service (DoS), unauthorized access, privilege escalation, unauthorized disclosure of information, or unauthorized modifications. Revision 1 of this advisory.
92bbc76cd42571f4ab7d96f0c2e36a15
Apple Security Advisory 2012-02-01-1 - Apple has addressed 48 security vulnerabilities. These issues existed in packages such as Address Book, Apache, CFNetwork, ColorSync, CoreAudio, CoreMedia, CoreText, curl and much more.
8fe868bea54053b8adeccaecf10eb251
Debian Linux Security Advisory 2401-1 - Several vulnerabilities have been found in Tomcat, a servlet and JSP engine.
548b00ffd85a415d5bd9c9a2e3958d7e
Red Hat Security Advisory 2011-1845-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. It was found that web applications could modify the location of the Tomcat host's work directory. As web applications deployed on Tomcat have read and write access to this directory, a malicious web application could use this flaw to trick Tomcat into giving it read and write access to an arbitrary directory on the file system. A cross-site scripting flaw was found in the Manager application, used for managing web applications on Apache Tomcat. A malicious web application could use this flaw to conduct an XSS attack, leading to arbitrary web script execution with the privileges of victims who are logged into and viewing Manager application web pages.
d3bdbb469fb92d7a0825d2bbcfdcf802
Red Hat Security Advisory 2011-1780-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. APR as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions does not refer to APR provided by the apr packages. It refers to the implementation of APR provided by the Tomcat Native library, which provides support for using APR with Tomcat. This library is not shipped with Red Hat Enterprise Linux 6. This update includes fixes for users who have elected to use APR with Tomcat by taking the Tomcat Native library from a different product. Such a configuration is not supported by Red Hat, however.
28f93522c3196627e85154bdeb5932c6
HP Security Bulletin HPSBUX02725 SSRT100627 - Potential security vulnerabilities have been identified with HP-UX Apache Running Tomcat Servlet Engine. These vulnerabilities could be exploited remotely to disclose information, allow authentication bypass, allow cross-site scripting (XSS), gain unauthorized access, or create a Denial of Service (DoS). The Tomcat-based Servlet Engine is contained in the HP-UX Apache Web Server Suite. Revision 1 of this advisory.
78b8c944a8723e2c2c2dfb9ecab0640d
Ubuntu Security Notice 1252-1 - It was discovered that Tomcat incorrectly implemented HTTP DIGEST authentication. An attacker could use this flaw to perform a variety of authentication attacks. Polina Genova discovered that Tomcat incorrectly created log entries with passwords when encountering errors during JMX user creation. A local attacker could possibly use this flaw to obtain sensitive information. This issue only affected Ubuntu 10.04 LTS, 10.10 and 11.04. Various other issues were also addressed.
a97431efec12df324fe751f346a1f436
Mandriva Linux Security Advisory 2011-156 - Multiple vulnerabilities has been discovered and corrected in tomcat 5.5.x. The implementation of HTTP DIGEST authentication in tomcat was discovered to have several weaknesses. Apache Tomcat, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file. Apache Tomcat, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service by leveraging an untrusted web application. Certain AJP protocol connector implementations in Apache Tomcat allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request. The updated packages have been patched to correct these issues.
5acb136fe11782bae8cfffc4eea36e81
Tomcat versions 7.0.0 through 7.0.16, 6.0.0 through 6.0.32, and 5.5.0 through 5.5.33 suffer from an information disclosure vulnerability. When using the MemoryUserDatabase (based on tomcat-users.xml) and creating users via JMX, an exception during the user creation process may trigger an error message in the JMX client that includes the user's password. This error message is also written to the Tomcat logs. User passwords are visible to administrators with JMX access and/or administrators with read access to the tomcat-users.xml file. Users that do not have these permissions but are able to read log files may be able to discover a user's password.
49d91e02ee8dc19d984eae0669deeb5f