[Full-disclosure] [SECURITY] CVE-2011-1475 Apache Tomcat information disclosure



CVE-2011-1475 Apache Tomcat information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.11
- Earlier versions are not affected

Description:
Changes introduced to the HTTP BIO connector to support Servlet 3.0
asynchronous requests did not fully account for HTTP pipelining. As a
result, when using HTTP pipelining a range of unexpected behaviours
occurred including the mixing up of responses between requests. While
the mix-up in responses was only observed between requests from the same
user, a mix-up of responses for requests from different users may also
be possible.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to a Tomcat 7.0.12 or later
- Switch to the NIO or APR/native HTTP connectors that do not exhibit
this issue

Credit:
This issue was identified by Brad Piles and reported via the public ASF
Bugzilla issue tracking system.
The Apache Tomcat security team requests that security vulnerability
reports are made privately to security@xxxxxxxxxxxxxxxxx in the first
instance.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



Relevant Pages

  • [SECURITY] CVE-2011-1475 Apache Tomcat information disclosure
    ... Changes introduced to the HTTP BIO connector to support Servlet 3.0 ... asynchronous requests did not fully account for HTTP pipelining. ... occurred including the mixing up of responses between requests. ... The Apache Tomcat security team requests that security vulnerability ...
    (Bugtraq)
  • Re: TRACE used to increase the dangerous of XSS.
    ... > HttpOnly cookie feature in IE6SP1, ... HTTP protocol methods should be enabled on their sites. ... other than GET, POST, and HEAD requests. ... It's much easier for a concerned site admin to disable TRACE on servers ...
    (Bugtraq)
  • WebResponse multithreading
    ... through Http to get a lot of data. ... I've discovered multiple web requests sent by different threads are not ... I'd like to use sockets, but there's a problem with them, too: ... of transmission instead of returning 0 bytesCount. ...
    (microsoft.public.dotnet.distributed_apps)
  • Re: http requests doest work - virus?
    ... > either the http server is not responding, or the request is not sent. ... Just http requests are not working. ... ResQ and Data Recovery Utilities ...
    (microsoft.public.security.virus)
  • Re: Proxy vulnerability in TrendMicro InterScan-VirusWall V3.6 - and 3.7 Build 1190
    ... > has been known to be an issue with plain HTTP proxies like the Squid ... Allows tunneling only for dedicated hosts/nets, others may only use port ... But unfortunately, on not allowed requests, the return code was "400 Bad ... Automatic pattern update sends an e-mail on every run, ...
    (Bugtraq)