Any new info on this? We are still getting dinged with this even though it's only querying the version. I'm not sure I will be able to get an exception this year with 3.0.
Threat:
Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation. Multiple vulnerabilities affecting Apache Tomcat have been reported:
1) It was possible to craft a malformed chunk size as part of a chunked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack (CVE-2014-0075).
2) The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities (CVE-2014-0096).
3) The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header (CVE-2014-0099).
4) In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance (CVE-2014-0119).
Affected Versions: Apache Tomcat versions prior to 6.0.41, 7.0.54, 8.0.8
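To make item 3 concrete, here is an added example (not from the forum post and not Tomcat's code) of the bug class it describes: a digit-accumulation loop for Content-Length that wraps silently in a signed 64-bit integer, next to a checked parser that refuses to overflow. Java long wrap is emulated in Python, the request bytes are constructed, and the front end is assumed to forward the header unchanged while parsing it correctly.

```python
from typing import Callable, Tuple

# Java long arithmetic wraps silently; Python ints do not, so emulate the wrap.
JAVA_LONG_MAX = 2**63 - 1


def to_java_long(n: int) -> int:
    """Reduce an unbounded int to a signed 64-bit value (two's complement wrap)."""
    n &= (1 << 64) - 1
    return n - (1 << 64) if n >= (1 << 63) else n


def parse_content_length_unchecked(value: str) -> int:
    """Digit-accumulation loop with no overflow check: the vulnerable pattern.
    Every step wraps like a Java long, so the result is the true value mod 2**64."""
    n = 0
    for ch in value.strip():
        if not ch.isdigit():
            raise ValueError("non-digit in Content-Length")
        n = to_java_long(n * 10 + (ord(ch) - ord("0")))
    return n


def parse_content_length_checked(value: str) -> int:
    """Same loop, but refuses any value that would exceed a signed 64-bit long."""
    n = 0
    for ch in value.strip():
        if not ch.isdigit():
            raise ValueError("non-digit in Content-Length")
        d = ord(ch) - ord("0")
        if n > (JAVA_LONG_MAX - d) // 10:  # n * 10 + d would overflow
            raise ValueError("Content-Length overflow")
        n = n * 10 + d
    return n


def rejects(parser: Callable[[str], int], value: str) -> bool:
    """True if the parser raises on the value."""
    try:
        parser(value)
        return False
    except ValueError:
        return True


def backend_view(raw: bytes, parser: Callable[[str], int]) -> Tuple[bytes, bytes]:
    """Split a raw request the way a server would after parsing Content-Length
    with `parser`: (body it consumes, bytes it would treat as the next request)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    cl_lines = [ln for ln in head.split(b"\r\n") if ln.lower().startswith(b"content-length:")]
    if len(cl_lines) != 1:
        raise ValueError("expected exactly one Content-Length header")
    n = parser(cl_lines[0].split(b":", 1)[1].decode("ascii"))
    return body[:n], body[n:]


# Constructed request: Content-Length is 2**64 + 5. A front end that parses the
# header correctly sees an enormous length; a back end with the unchecked loop
# sees 5, consumes "a=1&b", and reads "GET /admin ..." as a new request on the
# same connection, which is the desync behind the smuggling described above.
SMUGGLED = (
    b"POST /app HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"Content-Length: 18446744073709551621\r\n"
    b"\r\n"
    b"a=1&bGET /admin HTTP/1.1\r\nHost: example.test\r\n\r\n"
)

if __name__ == "__main__":
    consumed, leftover = backend_view(SMUGGLED, parse_content_length_unchecked)
    print("unchecked parser consumed:", consumed, "| leftover starts with:", leftover[:19])
    print("checked parser rejects header:", rejects(parse_content_length_checked, "18446744073709551621"))
```

The checked variant tests `n > (MAX - d) // 10` before multiplying, which is exactly the condition under which `n * 10 + d` would leave the signed 64-bit range; rejecting the request there is the right response, since there is no sensible length to fall back to.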
Solution:
Updated versions of Apache Tomcat are available that fix these vulnerabilities. Patch: Following are links for downloading patches to fix the vulnerabilities: Apache Tomcat 6.x (http://tomcat.apache.org/download-60.cgi) Apache Tomcat 7.x (http://tomcat.apache.org/download-70.cgi) Apache Tomcat 8.x (http://tomcat.apache.org/download-80.cgi)
<title>Apache Tomcat/6.0.37 - Error report</title>
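The finding above is raised from the version string in that error-page title, so the logic that keeps flagging the host is nothing more than "branch's fixed release from the advisory, compared against the banner". The following is an added example (not the scanner's code and not from the post) that reproduces a version-only check of that kind; the fixed releases are the ones stated in the finding, the first sample is the banner quoted above, and the remaining sample responses are constructed.

```python
import re
from typing import Dict, Optional, Tuple

# Fixed versions as stated in the finding; any earlier release on that branch
# is flagged for all four CVEs.
FIXED_IN: Dict[int, Tuple[int, int, int]] = {
    6: (6, 0, 41),
    7: (7, 0, 54),
    8: (8, 0, 8),
}
CVES = ("CVE-2014-0075", "CVE-2014-0096", "CVE-2014-0099", "CVE-2014-0119")

BANNER_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def parse_banner(page: str) -> Optional[Tuple[int, ...]]:
    """Pull the version out of a default Tomcat error page; None if no banner."""
    m = BANNER_RE.search(page)
    return tuple(int(g) for g in m.groups()) if m else None


def triage(page: str) -> dict:
    """Version-only triage of a response body, imitating a banner check.
    It knows nothing about the server's real patch state or configuration."""
    version = parse_banner(page)
    if version is None:
        return {"version": None, "flagged": False, "cves": (), "reason": "no version banner"}
    fixed = FIXED_IN.get(version[0])
    if fixed is None:
        return {"version": version, "flagged": False, "cves": (),
                "reason": "branch not covered by this advisory"}
    if version < fixed:  # tuple comparison: (6, 0, 37) < (6, 0, 41)
        return {"version": version, "flagged": True, "cves": CVES,
                "reason": "below fixed release %d.%d.%d" % fixed}
    return {"version": version, "flagged": False, "cves": (), "reason": "at or above fixed release"}


# Sample responses: "from_finding" is the banner quoted in the finding, the rest are constructed.
SAMPLES = {
    "from_finding": "<title>Apache Tomcat/6.0.37 - Error report</title>",
    "patched_6":    "<title>Apache Tomcat/6.0.41 - Error report</title>",
    "patched_7":    "<title>Apache Tomcat/7.0.54 - Error report</title>",
    "old_8":        "<title>Apache Tomcat/8.0.7 - Error report</title>",
    "custom_page":  "<title>Error</title><p>Something went wrong.</p>",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        r = triage(body)
        print(f"{name:13s} version={r['version']} flagged={r['flagged']} ({r['reason']})")
```

Two practical points follow from this. A check of this shape cannot see a backported fix, a disabled connector or a security manager setting, so the evidence for an exception request is the installed build and its changelog, not the scan output. Conversely, replacing the default error page so no `Apache Tomcat/x.y.z` string is returned stops a banner-only check from matching, but it does not change whether the four CVEs apply; upgrading to 6.0.41, 7.0.54 or 8.0.8 (or later) on the relevant branch does.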