Apache Tomcat 'sendfile' Request Attribute Information Disclosure Vulnerability

Cause
Design error
Severity

 
Affected systems
Apache Software Foundation Tomcat 7.0.18
Apache Software Foundation Tomcat 7.0.17
Apache Software Foundation Tomcat 7.0.15
Apache Software Foundation Tomcat 7.0.14
Apache Software Foundation Tomcat 7.0.13
Apache Software Foundation Tomcat 7.0.12
Apache Software Foundation Tomcat 7.0.11
Apache Software Foundation Tomcat 7.0.10
Apache Software Foundation Tomcat 7.0.9
Apache Software Foundation Tomcat 7.0.8
Apache Software Foundation Tomcat 7.0.7
Apache Software Foundation Tomcat 7.0.6
Apache Software Foundation Tomcat 7.0.5
Apache Software Foundation Tomcat 7.0.4
Apache Software Foundation Tomcat 7.0.3
Apache Software Foundation Tomcat 7.0.2
Apache Software Foundation Tomcat 7.0.1
Apache Software Foundation Tomcat 7.0 beta
Apache Software Foundation Tomcat 7.0
Apache Software Foundation Tomcat 6.0.32
Apache Software Foundation Tomcat 6.0.31
Apache Software Foundation Tomcat 6.0.30
Apache Software Foundation Tomcat 6.0.29
Apache Software Foundation Tomcat 6.0.28
Apache Software Foundation Tomcat 6.0.27
Apache Software Foundation Tomcat 6.0.26
Apache Software Foundation Tomcat 6.0.25
Apache Software Foundation Tomcat 6.0.24
Apache Software Foundation Tomcat 6.0.20
Apache Software Foundation Tomcat 6.0.19
Apache Software Foundation Tomcat 6.0.18
Apache Software Foundation Tomcat 6.0.17
Apache Software Foundation Tomcat 6.0.16
Apache Software Foundation Tomcat 6.0.15
Apache Software Foundation Tomcat 6.0.14
Apache Software Foundation Tomcat 6.0.13
Apache Software Foundation Tomcat 6.0.12
Apache Software Foundation Tomcat 6.0.11
Apache Software Foundation Tomcat 6.0.10
Apache Software Foundation Tomcat 6.0.9
Apache Software Foundation Tomcat 6.0.8
Apache Software Foundation Tomcat 6.0.7
Apache Software Foundation Tomcat 6.0.6
Apache Software Foundation Tomcat 6.0.5
Apache Software Foundation Tomcat 6.0.4
Apache Software Foundation Tomcat 6.0.3
Apache Software Foundation Tomcat 6.0.2
Apache Software Foundation Tomcat 6.0.1
Apache Software Foundation Tomcat 6.0
Apache Software Foundation Tomcat 5.5.33
Apache Software Foundation Tomcat 5.5.32
Apache Software Foundation Tomcat 5.5.31
Apache Software Foundation Tomcat 5.5.30
Apache Software Foundation Tomcat 5.5.29
Apache Software Foundation Tomcat 5.5.28
Apache Software Foundation Tomcat 5.5.27
Apache Software Foundation Tomcat 5.5.26
Apache Software Foundation Tomcat 5.5.25
Apache Software Foundation Tomcat 5.5.24
Apache Software Foundation Tomcat 5.5.23
Apache Software Foundation Tomcat 5.5.22
Apache Software Foundation Tomcat 5.5.21
Apache Software Foundation Tomcat 5.5.20
Apache Software Foundation Tomcat 5.5.19
Apache Software Foundation Tomcat 5.5.18
Apache Software Foundation Tomcat 5.5.17
Apache Software Foundation Tomcat 5.5.16
Apache Software Foundation Tomcat 5.5.15
Apache Software Foundation Tomcat 5.5.14
Apache Software Foundation Tomcat 5.5.13
Apache Software Foundation Tomcat 5.5.12
Apache Software Foundation Tomcat 5.5.11
Apache Software Foundation Tomcat 5.5.10
Apache Software Foundation Tomcat 5.5.9
Apache Software Foundation Tomcat 5.5.8
Apache Software Foundation Tomcat 5.5.7
Apache Software Foundation Tomcat 5.5.6
Apache Software Foundation Tomcat 5.5.5
Apache Software Foundation Tomcat 5.5.4
Apache Software Foundation Tomcat 5.5.3
Apache Software Foundation Tomcat 5.5.2
Apache Software Foundation Tomcat 5.5.1
Apache Software Foundation Tomcat 5.5
 
Unaffected systems
Apache Software Foundation Tomcat 5.5.34
Apache Software Foundation Tomcat 7.0.19
Apache Software Foundation Tomcat 6.0.33
 
Impact
An attacker who can deploy a web application on the server can use this vulnerability to have Tomcat return the contents of files the SecurityManager would otherwise prevent that application from reading, or to crash the JVM.
 
Attack prerequisites
The attacker must be able to deploy, or control the code of, a web application on the Apache Tomcat instance.
 
Vulnerability details
Apache Tomcat is an open-source Servlet/JSP container.
Tomcat supports sendfile with its HTTP NIO and HTTP APR connectors. sendfile is used automatically by the DefaultServlet to serve static content, and a web application can use it directly by setting request attributes that name the file and the byte range to send. These request attributes were not validated. When Tomcat runs under a SecurityManager, the missing validation lets a malicious web application bypass the SecurityManager's restrictions and do one or more of the following:
- Return to the user a file the SecurityManager does not permit the web application to access.
- Crash the JVM.
These issues can only be triggered when all of the following conditions hold:
- Untrusted web applications are deployed.
- A SecurityManager is used to restrict those untrusted web applications.
- An HTTP NIO or HTTP APR connector is in use.
- sendfile is enabled on that connector (the default).
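As an added example (not code from this page or from Tomcat itself), the class below models the validation the advisory says was missing. A web application hands the connector a file name and a byte range through request attributes, and the unfixed connectors then performed the sendfile in Tomcat's own privileged context without ever consulting the web application's permissions. The guard canonicalises the path, asks the SecurityManager the web application runs under whether that application may read the file, and rejects a byte range that is not a pair of Longs inside the file. The four attribute names are the ones Tomcat documents for the APR/NIO connectors; the class, the Range type, the SecurityManager subclass and the temporary files used in main() are assumptions made for this example, and it needs a JDK that still ships java.lang.SecurityManager.

```java
import java.io.File;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;

/*
 * Added example, not Tomcat's own code: the checks a connector must make
 * before honouring the sendfile request attributes set by a web application.
 * The attribute names are Tomcat's documented ones; everything else here
 * (class, Range, the demo SecurityManager and files) is assumed for the example.
 */
public final class SendfileAttributeGuard {

    public static final String SENDFILE_SUPPORT_ATTR  = "org.apache.tomcat.sendfile.support";
    public static final String SENDFILE_FILENAME_ATTR = "org.apache.tomcat.sendfile.filename";
    public static final String SENDFILE_START_ATTR    = "org.apache.tomcat.sendfile.start";
    public static final String SENDFILE_END_ATTR      = "org.apache.tomcat.sendfile.end";

    /** What the connector may hand to sendfile() once validation has passed. */
    public static final class Range {
        public final String canonicalPath;
        public final long start;
        public final long end;

        Range(String canonicalPath, long start, long end) {
            this.canonicalPath = canonicalPath;
            this.start = start;
            this.end = end;
        }
    }

    /**
     * Validate the attribute values a web application set on the request.
     * sm is the SecurityManager the web application runs under, or null when
     * none is installed (in which case nothing restricts the path).
     */
    public static Range validate(SecurityManager sm, Object filename,
                                 Object start, Object end) throws IOException {
        if (!(filename instanceof String)) {
            throw new IllegalArgumentException("sendfile filename must be a String");
        }
        // Resolve symlinks and ".." first: the permission check must see the
        // file that will really be opened, not the name the web app chose.
        String canonical = new File((String) filename).getCanonicalPath();

        // This is the check the affected versions did not make: consult the
        // web app's own FilePermission before the transfer moves into
        // Tomcat's privileged context.
        if (sm != null) {
            sm.checkRead(canonical);           // SecurityException if not granted
        }

        // start/end must be Longs describing a range inside the file; the
        // advisory's JVM crash is the result of unvalidated values reaching
        // the native sendfile path.
        if (!(start instanceof Long) || !(end instanceof Long)) {
            throw new IllegalArgumentException("sendfile start/end must be java.lang.Long");
        }
        long s = (Long) start;
        long e = (Long) end;
        long length = new File(canonical).length();
        if (s < 0 || e < s || e > length) {
            throw new IllegalArgumentException(
                    "sendfile range " + s + "-" + e + " outside file of " + length + " bytes");
        }
        return new Range(canonical, s, e);
    }

    /* Demo: a SecurityManager that grants reads only below one directory, the
       way a catalina.policy entry grants a web app FilePermission on its docBase. */
    public static void main(String[] args) throws IOException {
        File docBase = Files.createTempDirectory("webapp-docbase").toFile();
        File page = new File(docBase, "index.html");
        Files.write(page.toPath(), "<html>hello</html>".getBytes(StandardCharsets.UTF_8));
        File secret = File.createTempFile("outside-docbase", ".txt");   // constructed, not under docBase
        Files.write(secret.toPath(), "db password".getBytes(StandardCharsets.UTF_8));

        final String base = docBase.getCanonicalPath() + File.separator;
        SecurityManager webAppSm = new SecurityManager() {
            @Override
            public void checkRead(String file) {
                if (!file.startsWith(base)) {
                    throw new SecurityException("web app may not read " + file);
                }
            }
        };

        // 1. Legitimate use: a file inside the docBase, whole file.
        Range ok = validate(webAppSm, page.getPath(), 0L, page.length());
        System.out.println("allowed: " + ok.canonicalPath + " bytes " + ok.start + "-" + ok.end);

        // 2. The advisory's first case: a file the policy does not grant.
        try {
            validate(webAppSm, secret.getPath(), 0L, secret.length());
            System.out.println("BUG: secret file would have been sent");
        } catch (SecurityException ex) {
            System.out.println("blocked: " + ex.getMessage());
        }

        // 3. With no SecurityManager consulted, which is what the affected
        //    versions effectively did even when one was installed.
        Range leaked = validate(null, secret.getPath(), 0L, secret.length());
        System.out.println("unchecked, the connector would send " + leaked.canonicalPath);

        // 4. The advisory's second case: wrong type and an inverted range.
        try {
            validate(webAppSm, page.getPath(), "0", -1L);
            System.out.println("BUG: bad range accepted");
        } catch (IllegalArgumentException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }

        page.delete();
        docBase.delete();
        secret.delete();
    }
}
```

The check has to be made in the web application's security context, at the point where the attribute is set, because once the connector starts the transfer it is running with Tomcat's own permissions. Where upgrading is not immediately possible, the last precondition in the list above is the one an operator controls: disabling sendfile on the connector (useSendfile="false") removes the code path entirely, at the cost of the performance it provides for static content.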
 
 
Test method
 
Vendor fix
The Apache Software Foundation has fixed this vulnerability in Tomcat 5.5.34, 6.0.33 and 7.0.19; users are advised to upgrade:
http://tomcat.apache.org/
 
Reported by
Apache
