ID

VAR-200906-0603

CVE

CVE-2008-5515

TITLE

Apache Tomcat information disclosure vulnerability

DESCRIPTION

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request. Apache Tomcat from The Apache Software Foundation contains an information disclosure vulnerability. Apache Tomcat from the Apache Software Foundation is an implementation of the Java Servlet and JavaServer Page (JSP) technologies. Apache Tomcat contains a vulnerability which may allow information disclosure or access to the contents contained in the WEB-INF directory. According to the developer, unsupported Apache Tomcat 3.x, 4.0.x, and 5.0.x may also be affected. For more information, refer to the developer's website. Minehiko Iida and Yuichiro Suzuki of Development Dept. II Application Management Middleware Div. FUJITSU LIMITED reported this vulnerability to IPA. JPCERT/CC coordinated with The Apache Software Foundation and the vendors under Information Security Early Warning Partnership.A remote attacker could possibly obtain information such as configuration or user credentials contained in the application which resides under the WEB-INF directory. Attackers can exploit this issue to obtain sensitive information that may lead to further attacks. For other issues about the content of this Security Bulletin, send e-mail to security-alert@hp.com. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 - ----------------------------------------------------------------------- VMware Security Advisory Advisory ID: VMSA-2009-0016 Synopsis: VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components Issue date: 2009-11-20 Updated on: 2009-11-20 (initial release of advisory) CVE numbers: --- JRE --- CVE-2009-1093 CVE-2009-1094 CVE-2009-1095 CVE-2009-1096 CVE-2009-1097 CVE-2009-1098 CVE-2009-1099 CVE-2009-1100 CVE-2009-1101 CVE-2009-1102 CVE-2009-1103 CVE-2009-1104 CVE-2009-1105 CVE-2009-1106 CVE-2009-1107 CVE-2009-2625 CVE-2009-2670 CVE-2009-2671 CVE-2009-2672 CVE-2009-2673 CVE-2009-2675 CVE-2009-2676 CVE-2009-2716 CVE-2009-2718 CVE-2009-2719 CVE-2009-2720 CVE-2009-2721 CVE-2009-2722 CVE-2009-2723 CVE-2009-2724 --- Tomcat --- CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0781 CVE-2009-0783 CVE-2008-1232 CVE-2008-1947 CVE-2008-2370 CVE-2007-5333 CVE-2007-5342 CVE-2007-5461 CVE-2007-6286 CVE-2008-0002 --- ntp --- CVE-2009-1252 CVE-2009-0159 --- kernel --- CVE-2008-3528 CVE-2008-5700 CVE-2009-0028 CVE-2009-0269 CVE-2009-0322 CVE-2009-0675 CVE-2009-0676 CVE-2009-0778 CVE-2008-4307 CVE-2009-0834 CVE-2009-1337 CVE-2009-0787 CVE-2009-1336 CVE-2009-1439 CVE-2009-1633 CVE-2009-1072 CVE-2009-1630 CVE-2009-1192 CVE-2007-5966 CVE-2009-1385 CVE-2009-1388 CVE-2009-1389 CVE-2009-1895 CVE-2009-2406 CVE-2009-2407 CVE-2009-2692 CVE-2009-2698 CVE-2009-0745 CVE-2009-0746 CVE-2009-0747 CVE-2009-0748 CVE-2009-2847 CVE-2009-2848 --- python --- CVE-2007-2052 CVE-2007-4965 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 --- bind --- CVE-2009-0696 --- libxml and libxml2 --- CVE-2009-2414 CVE-2009-2416 --- curl -- CVE-2009-2417 --- gnutil --- CVE-2007-2052 - ----------------------------------------------------------------------- 1. Summary Updated Java JRE packages and Tomcat packages address several security issues. Updates for the ESX Service Console and vMA include kernel, ntp, Python, bind libxml, libxml2, curl and gnutil packages. ntp is also updated for ESXi userworlds. 2. Relevant releases vCenter Server 4.0 before Update 1 ESXi 4.0 without patch ESXi400-200911201-UG ESX 4.0 without patches ESX400-200911201-UG, ESX400-200911223-UG, ESX400-200911232-SG, ESX400-200911233-SG, ESX400-200911234-SG, ESX400-200911235-SG, ESX400-200911237-SG, ESX400-200911238-SG vMA 4.0 before patch 02 3. Problem Description a. JRE Security Update JRE update to version 1.5.0_20, which addresses multiple security issues that existed in earlier releases of JRE. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095, CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099, CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103, CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676, CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720, CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter 4.0 Windows Update 1 VirtualCenter 2.5 Windows affected, patch pending VirtualCenter 2.0.2 Windows affected, patch pending Workstation any any not affected Player any any not affected Server 2.0 any affected, patch pending Server 1.0 any not affected ACE any any not affected Fusion any any not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-200911223-UG ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 Patch 2 * * vMA JRE is updated to version JRE 1.5.0_21 Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network. Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. The currently installed version of JRE depends on your patch deployment history. b. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.20: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.18: CVE-2008-1232, CVE-2008-1947, CVE-2008-2370. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the following names to the security issues fixed in Apache Tomcat 6.0.16: CVE-2007-5333, CVE-2007-5342, CVE-2007-5461, CVE-2007-6286, CVE-2008-0002. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ======== ======== ======= ======================= vCenter 4.0 Windows Update 1 VirtualCenter 2.5 Windows affected, patch pending VirtualCenter 2.0.2 Windows affected, patch pending Workstation any any not affected Player any any not affected ACE any Windows not affected Server 2.x any affected, patch pending Server 1.x any not affected Fusion any Mac OS/X not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-200911223-UG ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 not affected Notes: These vulnerabilities can be exploited remotely only if the attacker has access to the Service Console network. Security best practices provided by VMware recommend that the Service Console be isolated from the VM network. Please see http://www.vmware.com/resources/techresources/726 for more information on VMware security best practices. The currently installed version of Tomcat depends on your patch deployment history. c. Third party library update for ntp. The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the following security issue. Note that the same security issue is present in the ESX Service Console as described in section d. of this advisory. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially-crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the "ntp" user. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1252 to this issue. The NTP security issue identified by CVE-2009-0159 is not relevant for ESXi 3.5 and ESXi 4.0. The following table lists what action remediates the vulnerability in this component (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi 4.0 ESXi ESXi400-200911201-UG ESXi 3.5 ESXi affected, patch pending ESX 4.0 ESX not affected ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 not affected * hosted products are VMware Workstation, Player, ACE, Server, Fusion. d. Service Console update for ntp Service Console package ntp updated to version ntp-4.2.2pl-9.el5_3.2 The Network Time Protocol (NTP) is used to synchronize a computer's time with a referenced time source. The Service Console present in ESX is affected by the following security issues. A buffer overflow flaw was discovered in the ntpd daemon's NTPv4 authentication code. If ntpd was configured to use public key cryptography for NTP packet authentication, a remote attacker could use this flaw to send a specially-crafted request packet that could crash ntpd or, potentially, execute arbitrary code with the privileges of the "ntp" user. NTP authentication is not enabled by default on the Service Console. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-1252 to this issue. A buffer overflow flaw was found in the ntpq diagnostic command. A malicious, remote server could send a specially-crafted reply to an ntpq request that could crash ntpq or, potentially, execute arbitrary code with the privileges of the user running the ntpq command. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0159 to this issue. The following table lists what action remediates the vulnerability in the Service Console (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not affected hosted * any any not affected ESXi any ESXi not affected ESX 4.0 ESX ESX400-200911238-SG ESX 3.5 ESX affected, patch pending ** ESX 3.0.3 ESX affected, patch pending ** ESX 2.5.5 ESX affected, patch pending ** vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. ** The service consoles of ESX 2.5.5, ESX 3.0.3 and ESX 3.5 are not affected by CVE-2009-1252. The security issue identified by CVE-2009-0159 has a low impact on the service console of ESX 2.5.5, ESX 3.0.3 and ESX 3.5. e. Updated Service Console package kernel Updated Service Console package kernel addresses the security issues below. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028, CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676, CVE-2009-0778 to the security issues fixed in kernel 2.6.18-128.1.6. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337, CVE-2009-0787, CVE-2009-1336 to the security issues fixed in kernel 2.6.18-128.1.10. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072, CVE-2009-1630, CVE-2009-1192 to the security issues fixed in kernel 2.6.18-128.1.14. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388, CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the security issues fixed in kernel 2.6.18-128.4.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2692, CVE-2009-2698 to the security issues fixed in kernel 2.6.18-128.7.1. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747, CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues fixed in kernel 2.6.18-164. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911201-UG ESX 3.5 ESX not applicable ESX 3.0.3 ESX not applicable ESX 2.5.5 ESX not applicable vMA 4.0 RHEL5 Patch 2 ** * hosted products are VMware Workstation, Player, ACE, Server, Fusion. ** vMA is updated to kernel version 2.6.18-164. f. Updated Service Console package python Service Console package Python update to version 2.4.3-24.el5. When the assert() system call was disabled, an input sanitization flaw was revealed in the Python string object implementation that led to a buffer overflow. The missing check for negative size values meant the Python memory allocator could allocate less memory than expected. This could result in arbitrary code execution with the Python interpreter's privileges. Multiple buffer and integer overflow flaws were found in the Python Unicode string processing and in the Python Unicode and string object implementations. An attacker could use these flaws to cause a denial of service. Multiple integer overflow flaws were found in the Python imageop module. If a Python application used the imageop module to process untrusted images, it could cause the application to disclose sensitive information, crash or, potentially, execute arbitrary code with the Python interpreter's privileges. Multiple integer underflow and overflow flaws were found in the Python snprintf() wrapper implementation. An attacker could use these flaws to cause a denial of service (memory corruption). Multiple integer overflow flaws were found in various Python modules. An attacker could use these flaws to cause a denial of service. An integer signedness error, leading to a buffer overflow, was found in the Python zlib extension module. If a Python application requested the negative byte count be flushed for a decompression stream, it could cause the application to crash or, potentially, execute arbitrary code with the Python interpreter's privileges. A flaw was discovered in the strxfrm() function of the Python locale module. Strings generated by this function were not properly NULL-terminated, which could possibly cause disclosure of data stored in the memory of a Python application using this function. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721 CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143 CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911235-SG ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX affected, patch pending vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. g. Updated Service Console package bind Service Console package bind updated to version 9.3.6-4.P1.el5 The Berkeley Internet Name Domain (BIND) is an implementation of the Domain Name System (DNS) protocols. BIND includes a DNS server (named); a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating correctly. A flaw was found in the way BIND handles dynamic update message packets containing the "ANY" record type. A remote attacker could use this flaw to send a specially-crafted dynamic update packet that could cause named to exit with an assertion failure. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0696 to this issue. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911237-SG ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX affected, patch pending vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. h. Updated Service Console package libxml2 Service Console package libxml2 updated to version 2.6.26-2.1.2.8. libxml is a library for parsing and manipulating XML files. A Document Type Definition (DTD) defines the legal syntax (and also which elements can be used) for certain types of files, such as XML files. A stack overflow flaw was found in the way libxml processes the root XML document element definition in a DTD. A remote attacker could provide a specially-crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service. Multiple use-after-free flaws were found in the way libxml parses the Notation and Enumeration attribute types. A remote attacker could provide a specially-crafted XML file, which once opened by a local, unsuspecting user, would lead to denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-2414 and CVE-2009-2416 to these issues. The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911234-SG ESX 3.5 ESX affected, patch pending ESX 3.0.3 ESX affected, patch pending ESX 2.5.5 ESX affected, patch pending vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. i. Updated Service Console package curl Service Console package curl updated to version 7.15.5-2.1.el5_3.5 A cURL is affected by the previously published "null prefix attack", caused by incorrect handling of NULL characters in X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a trusted Certificate Authority, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse cURL into accepting it by mistake. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2417 to this issue The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911232-SG ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. j. Updated Service Console package gnutls Service Console package gnutil updated to version 1.4.1-3.el5_3.5 A flaw was discovered in the way GnuTLS handles NULL characters in certain fields of X.509 certificates. If an attacker is able to get a carefully-crafted certificate signed by a Certificate Authority trusted by an application using GnuTLS, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse the application into accepting it by mistake. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-2730 to this issue The following table lists what action remediates the vulnerability (column 4) if a solution is available. VMware Product Running Replace with/ Product Version on Apply Patch ============= ======== ======= ================= vCenter any Windows not applicable hosted * any any not applicable ESXi any ESXi not applicable ESX 4.0 ESX ESX400-200911233-SG ESX 3.5 ESX not affected ESX 3.0.3 ESX not affected ESX 2.5.5 ESX not affected vMA 4.0 RHEL5 Patch 2 * hosted products are VMware Workstation, Player, ACE, Server, Fusion. 4. Solution Please review the patch/release notes for your product and version and verify the md5sum of your downloaded file. VMware vCenter Server 4 Update 1 -------------------------------- Version 4.0 Update 1 Build Number 208156 Release Date 2009/11/19 Type Product Binaries http://downloads.vmware.com/download/download.do?downloadGroup=VC40U1 VMware vCenter Server 4 and modules File size: 1.8 GB File type: .iso MD5SUM: 057d55b32eb27fe5f3e01bc8d3df3bc5 SHA1SUM: c90134418c2e4d3d6637d8bee44261300ad95ec1 VMware vCenter Server 4 and modules File size: 1.5 GB File type: .zip MD5SUM: f843d9c19795eb3bc5a77f5c545468a8 SHA1SUM: 9a7abd8e70bd983151e2ee40e1b3931525c4480c VMware vSphere Client and Host Update Utility File size: 113.8 MB File type: .exe MD5SUM: 6cc6b2c958e7e9529c284e48dfae22a9 SHA1SUM: f4c19c63a75d93cffc57b170066358160788c959 VMware vCenter Converter BootCD File size: 98.8 MB File type: .zip MD5SUM: 3df94eb0e93de76b0389132ada2a3799 SHA1SUM: 5d7c04e4f9f8ae25adc8de5963fefd8a4c92464c VMware vCenter Converter CLI (Linux) File size: 36.9 MB File type: .tar.gz MD5SUM: 3766097563936ba5e03e87e898f6bd48 SHA1SUM: 36d485bdb5eb279296ce8c8523df04bfb12a2cb4 ESXi 4.0 Update 1 ----------------- ESXi400-200911201-UG https://hostupdate.vmware.com/software/VUM/OFFLINE/release-155-20091116-013169/ESXi-4.0.0-update01.zip md5sum:c6fdd6722d9e5cacb280bdcc2cca0627 sha1sum:de9d4875f86b6493f9da991a8cff37784215db2e http://kb.vmware.com/kb/1014886 NOTE: The three ESXi patches for Firmware, VMware Tools, and the VI Client "C" are contained in a single download file. ESX 4.0 Update 1 ---------------- https://hostupdate.vmware.com/software/VUM/OFFLINE/release-158-20091118-187517/ESX-4.0.0-update01.zip md5sum: 68934321105c34dcda4cbeeab36a2b8f sha1sum: 0d8ae58cf9143d5c7113af9692dea11ed2dd864b http://kb.vmware.com/kb/1014842 To install an individual bulletin use esxupdate with the -b option. esxupdate --bundle=ESX-4.0.0-update01.zip -b ESX400-200911223-UG -b ESX400-200911238-SG -b ESX400-200911201-UG -b ESX400-200911235-SG -b ESX400-200911237-SG -b ESX400-200911234-SG -b ESX400-200911232-SG -b ESX400-200911233-SG update 5. References CVE numbers --- JRE --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1093 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1094 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1095 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1096 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1097 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1098 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1099 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1100 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1101 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1102 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1103 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1104 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1105 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1106 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1107 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2670 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2671 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2672 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2673 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2675 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2676 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2716 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2718 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2719 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2720 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2721 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2722 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2723 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2724 --- Tomcat --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1232 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1947 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2370 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5461 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-6286 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0002 --- ntp --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1252 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0159 --- kernel --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3528 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5700 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0028 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0269 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0322 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0675 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0676 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0778 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4307 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0834 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1337 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0787 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1336 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1439 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1633 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1072 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1630 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1192 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5966 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1385 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1388 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1389 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1895 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2406 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2407 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2692 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2698 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0745 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0746 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0747 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0748 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2847 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2848 --- python --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4965 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1721 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1887 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2315 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3142 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3143 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3144 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4864 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5031 --- bind --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0696 --- libxml and libxml2 --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2414 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2416 --- curl -- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2417 --- gnutil --- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2052 - ------------------------------------------------------------------------ 6. Change log 2009-11-20 VMSA-2009-0016 Initial security advisory after release of vCenter 4.0 Update 1 and ESX 4.0 Update 1 on 2009-11-19 and release of vMA Patch 2 on 2009-11-23. - ----------------------------------------------------------------------- 7. Contact E-mail list for product security notifications and announcements: http://lists.vmware.com/cgi-bin/mailman/listinfo/security-announce This Security Advisory is posted to the following lists: * security-announce at lists.vmware.com * bugtraq at securityfocus.com * full-disclosure at lists.grok.org.uk E-mail: security at vmware.com PGP key at: http://kb.vmware.com/kb/1055 VMware Security Center http://www.vmware.com/security VMware security response policy http://www.vmware.com/support/policies/security_response.html General support life cycle policy http://www.vmware.com/support/policies/eos.html VMware Infrastructure support life cycle policy http://www.vmware.com/support/policies/lifecycle/ Copyright 2009 VMware Inc. All rights reserved. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAksHAooACgkQS2KysvBH1xmQMACfTEcnuPanvucXPmgJCTT054o+ dtoAniXz+9xLskrkPr3oUzAcDeV729WG =wSRz -----END PGP SIGNATURE----- . For the oldstable distribution (lenny), this problem has been fixed in version 5.5.26-5lenny2. The stable distribution (squeeze) no longer contains tomcat5.5. tomcat6 is already fixed. The unstable distribution (sid) no longer contains tomcat5.5. tomcat6 is already fixed. We recommend that you upgrade your tomcat5.5 packages. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ . =========================================================== Ubuntu Security Notice USN-788-1 June 15, 2009 tomcat6 vulnerabilities CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783 =========================================================== A security issue affects the following Ubuntu releases: Ubuntu 8.10 Ubuntu 9.04 This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu. The problem can be corrected by upgrading your system to the following package versions: Ubuntu 8.10: libtomcat6-java 6.0.18-0ubuntu3.2 tomcat6-examples 6.0.18-0ubuntu3.2 Ubuntu 9.04: libtomcat6-java 6.0.18-0ubuntu6.1 tomcat6-examples 6.0.18-0ubuntu6.1 In general, a standard system upgrade is sufficient to effect the necessary changes. Details follow: Iida Minehiko discovered that Tomcat did not properly normalise paths. A remote attacker could send specially crafted requests to the server and bypass security restrictions, gaining access to sensitive content. (CVE-2008-5515) Yoshihito Fukuyama discovered that Tomcat did not properly handle errors when the Java AJP connector and mod_jk load balancing are used. Hackner discovered that Tomcat did not properly handle malformed URL encoding of passwords when FORM authentication is used. A remote attacker could exploit this in order to enumerate valid usernames. (CVE-2009-0580) Deniz Cevik discovered that Tomcat did not properly escape certain parameters in the example calendar application which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. (CVE-2009-0781) Philippe Prados discovered that Tomcat allowed web applications to replace the XML parser used by other web applications. Local users could exploit this to bypass security restrictions and gain access to certain sensitive files. (CVE-2009-0783) Updated packages for Ubuntu 8.10: Source archives: http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18-0ubuntu3.2.diff.gz Size/MD5: 22010 87c6105cd78ea5a8dbf62054fc4ba0aa http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18-0ubuntu3.2.dsc Size/MD5: 1378 823c008ffc927c0f3f5686fc6f5188d0 http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18.orig.tar.gz Size/MD5: 3484249 9bdbb1c1d79302c80057a70b18fe6721 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/libservlet2.5-java_6.0.18-0ubuntu3.2_all.deb Size/MD5: 174164 dd24331b2709bd6641b4055d0b052eae http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/libtomcat6-java_6.0.18-0ubuntu3.2_all.deb Size/MD5: 2961944 63c8c3e0300ed70a240b79ddd3299efb http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-admin_6.0.18-0ubuntu3.2_all.deb Size/MD5: 37370 b9b1bd6dc9cfb52107811295401c09e4 http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-common_6.0.18-0ubuntu3.2_all.deb Size/MD5: 53488 5006e5c394ec815f6d36c335d9f0abaf http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-docs_6.0.18-0ubuntu3.2_all.deb Size/MD5: 714516 768cacbb74453b1a2a49e55d61b7bedd http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-examples_6.0.18-0ubuntu3.2_all.deb Size/MD5: 419180 0663de0611fb9792d44aebad8aa24cc4 http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-user_6.0.18-0ubuntu3.2_all.deb Size/MD5: 18612 95544319007f1f90321469c5d314c72e http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18-0ubuntu3.2_all.deb Size/MD5: 24156 9f4d7a0671e9330ff2fa1a1c13a20c58 Updated packages for Ubuntu 9.04: Source archives: http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18-0ubuntu6.1.diff.gz Size/MD5: 24779 221e0f51259495fd01da2a6b67358b17 http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18-0ubuntu6.1.dsc Size/MD5: 1411 e3bac3c39b2e6db3267699a533b17add http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18.orig.tar.gz Size/MD5: 3484249 9bdbb1c1d79302c80057a70b18fe6721 Architecture independent packages: http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/libservlet2.5-java-doc_6.0.18-0ubuntu6.1_all.deb Size/MD5: 246196 54e990e7893923b8b6df4bcce9f3ba22 http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/libservlet2.5-java_6.0.18-0ubuntu6.1_all.deb Size/MD5: 172500 abf989790a45def65d5de9a7f9b010df http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/libtomcat6-java_6.0.18-0ubuntu6.1_all.deb Size/MD5: 2846254 c1c0180751500ce58c51b97de9f2d6d9 http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-admin_6.0.18-0ubuntu6.1_all.deb Size/MD5: 37874 e7d401faba215af22ecff31b4a675fad http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-common_6.0.18-0ubuntu6.1_all.deb Size/MD5: 53184 194153ab21adac9a47baaf92ea8d2acb http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-docs_6.0.18-0ubuntu6.1_all.deb Size/MD5: 714212 d52e9abc75108a8f059346e09d47b511 http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-examples_6.0.18-0ubuntu6.1_all.deb Size/MD5: 418316 3a7110c9da4bd72a7019cbb75651da73 http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6-user_6.0.18-0ubuntu6.1_all.deb Size/MD5: 20520 ea5e54c91e7055e281d61e63f0e140f2 http://security.ubuntu.com/ubuntu/pool/main/t/tomcat6/tomcat6_6.0.18-0ubuntu6.1_all.deb Size/MD5: 24952 ec80f910d6c8e606c090ba8dd737bc4c . -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 SUPPORT COMMUNICATION - SECURITY BULLETIN Document ID: c01908935 Version: 1 HPSBUX02466 SSRT090192 rev.1 - HP-UX Running Tomcat Servlet Engine, Remote Denial of Service (DoS), Unauthorized Access NOTICE: The information in this Security Bulletin should be acted upon as soon as possible. Release Date: 2009-10-21 Last Updated: 2009-10-21 Potential Security Impact: Remote Denial of Service (DoS), unauthorized access Source: Hewlett-Packard Company, HP Software Security Response Team VULNERABILITY SUMMARY Potential security vulnerabilities have been identified with HP-UX running Tomcat-based Servlet Engine. Tomcat-based Servlet Engine is contained in the Apache Web Server Suite. References: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783. SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed. HP-UX B.11.11, B.11.23 and B.11.31 running Tomcat-based Servlet Engine v5.5.27.02 or earlier BACKGROUND CVSS 2.0 Base Metrics =========================================================== Reference Base Vector Base Score CVE-2008-5515 (AV:N/AC:L/Au:N/C:P/I:N/A:N) 5.0 CVE-2009-0033 (AV:N/AC:L/Au:N/C:N/I:N/A:P) 5.0 CVE-2009-0580 (AV:N/AC:M/Au:N/C:P/I:N/A:N) 4.3 CVE-2009-0781 (AV:N/AC:M/Au:N/C:N/I:P/A:N) 4.3 CVE-2009-0783 (AV:L/AC:L/Au:N/C:P/I:P/A:N) 3.6 =========================================================== Information on CVSS is documented in HP Customer Notice: HPSN-2008-002 RESOLUTION HP has provided the following upgrades to resolve these vulnerabilities. The upgrades are available from the following location: URL http://software.hp.com Note: Both HP-UX Web Server Suite v3.06 and v2.27 contain HP-UX Tomcat-based Servlet Engine v5.5.27.03 Web Server Suite HP-UX Release Apache Depot name Tomcat-based Servlet Engine v5.5.27.03 B.11.23 and B.11.31 PA-32 HPUX22SATW-1123-32.depot B.11.23 and B.11.31 IA-64 HPUX22SATW-1123-64.depot B.11.11 PA-32 HPUXSATW-1111-64-32.depot B.11.23 PA-32 and IA-64 HPUXWSATW-1123-64-bit.depot B.11.31 IA-32 and IA-64 HPUXSATW-1131-64.depot MANUAL ACTIONS: Yes - Update Install Tomcat-based Servlet Engine from the Apache Web Server Suite v5.5.27.03 or subsequent PRODUCT SPECIFIC INFORMATION HP-UX Software Assistant: HP-UX Software Assistant is an enhanced application that replaces HP-UX Security Patch Check. It analyzes all Security Bulletins issued by HP and lists recommended actions that may apply to a specific HP-UX system. It can also download patches and create a depot automatically. For more information see: https://www.hp.com/go/swa The following text is for use by the HP-UX Software Assistant. AFFECTED VERSIONS HP-UX B.11.11 ================== hpuxwsTOMCAT.TOMCAT action: install revision B.5.5.27.03 or subsequent HP-UX B.11.23 ================== hpuxws22TOMCAT.TOMCAT action: install revision B.5.5.27.03 or subsequent HP-UX B.11.31 ================== hpuxws22TOMCAT.TOMCAT action: install revision B.5.5.27.03 or subsequent END AFFECTED VERSIONS HISTORY Version:1 (rev.1) 21 October 2009 Initial release Third Party Security Patches: Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy. Support: For further information, contact normal HP Services support channel. Report: To report a potential security vulnerability with any HP supported product, send Email to: security-alert@hp.com It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information. To get the security-alert PGP key, please send an e-mail message as follows: To: security-alert@hp.com Subject: get key Subscribe: To initiate a subscription to receive future HP Security Bulletins via Email: http://h30046.www3.hp.com/driverAlertProfile.php?regioncode=NA&langcode=USENG&jumpid=in_SC-GEN__driverITRC&topiccode=ITRC On the web page: ITRC security bulletins and patch sign-up Under Step1: your ITRC security bulletins and patches -check ALL categories for which alerts are required and continue. Under Step2: your ITRC operating systems -verify your operating system selections are checked and save. To update an existing subscription: http://h30046.www3.hp.com/subSignIn.php Log in on the web page: Subscriber's choice for Business: sign-in. On the web page: Subscriber's Choice: your profile summary - use Edit Profile to update appropriate sections. To review previously published Security Bulletins visit: http://www.itrc.hp.com/service/cki/secBullArchive.do * The Software Product Category that this Security Bulletin relates to is represented by the 5th and 6th characters of the Bulletin number in the title: GN = HP General SW MA = HP Management Agents MI = Misc. 3rd Party SW MP = HP MPE/iX NS = HP NonStop Servers OV = HP OpenVMS PI = HP Printing & Imaging ST = HP Storage SW TL = HP Trusted Linux TU = HP Tru64 UNIX UX = HP-UX VV = HP VirtualVault System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions. "HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement." Copyright 2009 Hewlett-Packard Development Company, L.P. Hewlett-Packard Company shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP or its affiliates, subcontractors or suppliers will be liable for incidental,special or consequential damages including downtime cost; lost profits;damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. Hewlett-Packard Company and the names of Hewlett-Packard products referenced herein are trademarks of Hewlett-Packard Company in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners

AFFECTED PRODUCTS

CVSS

PROBLEMTYPE DATA

THREAT TYPE

remote

TYPE

path traversal

CONFIGURATIONS

PATCH

EXTERNAL IDS

REFERENCES