-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2008-2938: Apache Tomcat information disclosure vulnerability - Updated

Severity: Important (was moderate)

Vendor:
The Apache Software Foundation

Versions Affected:
Tomcat 4.1.0 to 4.1.37
Tomcat 5.5.0 to 5.5.26
Tomcat 6.0.0 to 6.0.16
The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may be also affected

Description (new information):
Further investigation of CVE-2008-2938 has shown that the vulnerability
also exists only with URIEncoding="UTF-8" set on the connector. In these
configurations arbitrary files in the docBase for an application,
including files such as web.xml, may be disclosed.
Users should also be aware that this vulnerability will apply when
processing requests with UTF-8 body encoding and
useBodyEncodingForURI="true"

Mitigation:
6.0.x users should upgrade to 6.0.18
5.5.x users should upgrade to 5.5.27
4.1.x users should obtain the latest source from svn or apply this patch:
http://svn.apache.org/viewvc?view=rev&revision=681065

Example:
http://www.target.com/contextpath/%c0%ae%c0%ae/WEB-INF/web.xml

Credit:
This additional information was discovered by the Apache Tomcat security
team.

References:
http://tomcat.apache.org/security.html

Mark Thomas


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (Darwin)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkjHnCMACgkQb7IeiTPGAkMoLQCg2PxS09CpZGI9t+QcdifSfMh8
CHcAoOSRAPOzAFH5hx1w8jxOBthrAKEJ
=Fi0E
-----END PGP SIGNATURE-----