rhsa-2009_1454
Vulnerability from csaf_redhat
Published
2009-09-21 15:51
Modified
2024-11-22 03:25
Summary
Red Hat Security Advisory: tomcat5 security update
Notes
Topic
Updated tomcat5 packages that fix several security issues are now available
for JBoss Enterprise Web Server 1.0.0 for Red Hat Enterprise Linux 4 and 5.
This update has been rated as having important security impact by the Red
Hat Security Response Team.
[Updated 23 September 2009]
This erratum has been updated to include replacement packages for JBoss
Enterprise Web Server 1.0.0 for Red Hat Enterprise Linux 4. The original
packages did not contain a fix for the low security impact issue
CVE-2009-0783. The packages for JBoss Enterprise Web Server 1.0.0 for Red
Hat Enterprise Linux 5 are unchanged as they included the fix for
CVE-2009-0783.
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.
It was discovered that Tomcat does not properly handle a certain character
and character sequence in cookie values. A remote attacker could use this
flaw to obtain sensitive information, such as session IDs, and then use
this information for session hijacking attacks. (CVE-2007-5333)
Note: The fix for the CVE-2007-5333 flaw changes the default cookie
processing behavior: With this update, version 0 cookies that contain
values that must be quoted to be valid are automatically changed to version
1 cookies. To reactivate the previous, but insecure behavior, add the
following entry to the "/etc/tomcat5/catalina.properties" file:
org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false
It was discovered that request dispatchers did not properly normalize user
requests that have trailing query strings, allowing remote attackers to
send specially-crafted requests that would cause an information leak.
(CVE-2008-5515)
A flaw was found in the way the Tomcat AJP (Apache JServ Protocol)
connector processes AJP connections. An attacker could use this flaw to
send specially-crafted requests that would cause a temporary denial of
service. (CVE-2009-0033)
It was discovered that the error checking methods of certain authentication
classes did not have sufficient error checking, allowing remote attackers
to enumerate (via brute force methods) usernames registered with
applications running on Tomcat when FORM-based authentication was used.
(CVE-2009-0580)
It was discovered that web applications containing their own XML parsers
could replace the XML parser Tomcat uses to parse configuration files. A
malicious web application running on a Tomcat instance could read or,
potentially, modify the configuration and XML-based data of other web
applications deployed on the same Tomcat instance. (CVE-2009-0783)
Users of Tomcat should upgrade to these updated packages, which contain
backported patches to resolve these issues. Tomcat must be restarted for
this update to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Important" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated tomcat5 packages that fix several security issues are now available\nfor JBoss Enterprise Web Server 1.0.0 for Red Hat Enterprise Linux 4 and 5.\n\nThis update has been rated as having important security impact by the Red\nHat Security Response Team.\n\n[Updated 23 September 2009]\nThis erratum has been updated to include replacement packages for JBoss\nEnterprise Web Server 1.0.0 for Red Hat Enterprise Linux 4. The original\npackages did not contain a fix for the low security impact issue\nCVE-2009-0783. The packages for JBoss Enterprise Web Server 1.0.0 for Red\nHat Enterprise Linux 5 are unchanged as they included the fix for\nCVE-2009-0783.", "title": "Topic" }, { "category": "general", "text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was discovered that Tomcat does not properly handle a certain character\nand character sequence in cookie values. A remote attacker could use this\nflaw to obtain sensitive information, such as session IDs, and then use\nthis information for session hijacking attacks. (CVE-2007-5333)\n\nNote: The fix for the CVE-2007-5333 flaw changes the default cookie\nprocessing behavior: With this update, version 0 cookies that contain\nvalues that must be quoted to be valid are automatically changed to version\n1 cookies. To reactivate the previous, but insecure behavior, add the\nfollowing entry to the \"/etc/tomcat5/catalina.properties\" file:\n\norg.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false\n\nIt was discovered that request dispatchers did not properly normalize user\nrequests that have trailing query strings, allowing remote attackers to\nsend specially-crafted requests that would cause an information leak.\n(CVE-2008-5515)\n\nA flaw was found in the way the Tomcat AJP (Apache JServ Protocol)\nconnector processes AJP connections. An attacker could use this flaw to\nsend specially-crafted requests that would cause a temporary denial of\nservice. (CVE-2009-0033)\n\nIt was discovered that the error checking methods of certain authentication\nclasses did not have sufficient error checking, allowing remote attackers\nto enumerate (via brute force methods) usernames registered with\napplications running on Tomcat when FORM-based authentication was used.\n(CVE-2009-0580)\n\nIt was discovered that web applications containing their own XML parsers\ncould replace the XML parser Tomcat uses to parse configuration files. A\nmalicious web application running on a Tomcat instance could read or,\npotentially, modify the configuration and XML-based data of other web\napplications deployed on the same Tomcat instance. (CVE-2009-0783)\n\nUsers of Tomcat should upgrade to these updated packages, which contain\nbackported patches to resolve these issues. Tomcat must be restarted for\nthis update to take effect.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2009:1454", "url": "https://access.redhat.com/errata/RHSA-2009:1454" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#important", "url": "https://access.redhat.com/security/updates/classification/#important" }, { "category": "external", "summary": "http://tomcat.apache.org/security-5.html", "url": "http://tomcat.apache.org/security-5.html" }, { "category": "external", "summary": "427766", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=427766" }, { "category": "external", "summary": "493381", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=493381" }, { "category": "external", "summary": "503978", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=503978" }, { "category": "external", "summary": "504153", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=504153" }, { "category": "external", "summary": "504753", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=504753" }, { "category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2009/rhsa-2009_1454.json" } ], "title": "Red Hat Security Advisory: tomcat5 security update", "tracking": { "current_release_date": "2024-11-22T03:25:53+00:00", "generator": { "date": "2024-11-22T03:25:53+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.2.1" } }, "id": "RHSA-2009:1454", "initial_release_date": "2009-09-21T15:51:00+00:00", "revision_history": [ { "date": "2009-09-21T15:51:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2009-09-23T11:15:12+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-22T03:25:53+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product": { "name": "Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1::el5" } } }, { "category": "product_name", "name": "Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product": { "name": "Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1::el4" } } }, { "category": "product_name", "name": "Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product": { "name": "Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0", "product_identification_helper": { "cpe": "cpe:/a:redhat:jboss_enterprise_web_server:1::el4" } } } ], "category": "product_family", "name": "Red Hat JBoss Web Server" }, { "branches": [ { "category": "product_version", "name": "tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product": { "name": "tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_id": "tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-webapps@5.5.23-0jpp.9.6.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product": { "name": "tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_id": "tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5@5.5.23-0jpp.9.6.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product": { "name": "tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_id": "tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-jasper@5.5.23-0jpp.9.6.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product": { "name": "tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_id": "tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-server-lib@5.5.23-0jpp.9.6.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product": { "name": "tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_id": "tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-jsp-2.0-api@5.5.23-0jpp.9.6.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product": { "name": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_id": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-servlet-2.4-api-javadoc@5.5.23-0jpp.9.6.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product": { "name": "tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_id": "tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-servlet-2.4-api@5.5.23-0jpp.9.6.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product": { "name": "tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_id": "tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-admin-webapps@5.5.23-0jpp.9.6.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product": { "name": "tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_id": "tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-jasper-javadoc@5.5.23-0jpp.9.6.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product": { "name": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_id": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-jsp-2.0-api-javadoc@5.5.23-0jpp.9.6.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product": { "name": "tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_id": "tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-common-lib@5.5.23-0jpp.9.6.ep5.el5?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product": { "name": "tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_id": "tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-jasper-javadoc@5.5.23-1.patch07.19.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product": { "name": "tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_id": "tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-jsp-2.0-api@5.5.23-1.patch07.19.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product": { "name": "tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_id": "tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-common-lib@5.5.23-1.patch07.19.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product": { "name": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_id": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5@5.5.23-1.patch07.19.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product": { "name": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_id": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-servlet-2.4-api-javadoc@5.5.23-1.patch07.19.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product": { "name": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_id": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-jsp-2.0-api-javadoc@5.5.23-1.patch07.19.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product": { "name": "tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_id": "tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-admin-webapps@5.5.23-1.patch07.19.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product": { "name": "tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_id": "tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-servlet-2.4-api@5.5.23-1.patch07.19.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product": { "name": "tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_id": "tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-server-lib@5.5.23-1.patch07.19.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product": { "name": "tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_id": "tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-webapps@5.5.23-1.patch07.19.ep5.el4?arch=noarch" } } }, { "category": "product_version", "name": "tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product": { "name": "tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_id": "tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5-jasper@5.5.23-1.patch07.19.ep5.el4?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "product": { "name": "tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "product_id": "tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5@5.5.23-0jpp.9.6.ep5.el5?arch=src" } } }, { "category": "product_version", "name": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "product": { "name": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "product_id": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat5@5.5.23-1.patch07.19.ep5.el4?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src" }, "product_reference": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 AS", "product_id": "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4AS-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src" }, "product_reference": "tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch as a component of Red Hat JBoss Web Server 1.0 for RHEL 4 ES", "product_id": "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch" }, "product_reference": "tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "relates_to_product_reference": "4ES-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch" }, "product_reference": "tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src" }, "product_reference": "tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "relates_to_product_reference": "5Server-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" }, "product_reference": "tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch" }, "product_reference": "tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch" }, "product_reference": "tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch" }, "product_reference": "tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch" }, "product_reference": "tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch" }, "product_reference": "tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch" }, "product_reference": "tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch" }, "product_reference": "tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch" }, "product_reference": "tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWS-5.0.0" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch as a component of Red Hat JBoss Enterprise Web Server 1 for RHEL 5 Server", "product_id": "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" }, "product_reference": "tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "relates_to_product_reference": "5Server-JBEWS-5.0.0" } ] }, "vulnerabilities": [ { "cve": "CVE-2007-5333", "discovery_date": "2008-01-07T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "427766" } ], "notes": [ { "category": "description", "text": "Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (\") characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE: this issue exists because of an incomplete fix for CVE-2007-3385.", "title": "Vulnerability description" }, { "category": "summary", "text": "Improve cookie parsing for tomcat5", "title": "Vulnerability summary" }, { "category": "other", "text": "Red Hat is aware of this issue and is tracking it via the following bug: https://bugzilla.redhat.com/bugzilla/show_bug.cgi?id=CVE-2007-5333\n\nThe Red Hat Product Security has rated this issue as having low security impact, a future update may address this flaw.", "title": "Statement" } ], "product_status": { "fixed": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2007-5333" }, { "category": "external", "summary": "RHBZ#427766", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=427766" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2007-5333", "url": "https://www.cve.org/CVERecord?id=CVE-2007-5333" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2007-5333", "url": "https://nvd.nist.gov/vuln/detail/CVE-2007-5333" } ], "release_date": "2008-02-11T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2009-09-21T15:51:00+00:00", "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259", "product_ids": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2009:1454" } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "Improve cookie parsing for tomcat5" }, { "cve": "CVE-2008-5515", "discovery_date": "2009-06-08T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "504753" } ], "notes": [ { "category": "description", "text": "Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat request dispatcher information disclosure vulnerability", "title": "Vulnerability summary" } ], "product_status": { "fixed": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2008-5515" }, { "category": "external", "summary": "RHBZ#504753", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=504753" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2008-5515", "url": "https://www.cve.org/CVERecord?id=CVE-2008-5515" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2008-5515", "url": "https://nvd.nist.gov/vuln/detail/CVE-2008-5515" } ], "release_date": "2009-06-08T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2009-09-21T15:51:00+00:00", "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259", "product_ids": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2009:1454" } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat request dispatcher information disclosure vulnerability" }, { "cve": "CVE-2009-0033", "discovery_date": "2009-01-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "493381" } ], "notes": [ { "category": "description", "text": "Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat6 Denial-Of-Service with AJP connection", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2009-0033" }, { "category": "external", "summary": "RHBZ#493381", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=493381" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2009-0033", "url": "https://www.cve.org/CVERecord?id=CVE-2009-0033" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-0033", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0033" } ], "release_date": "2009-06-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2009-09-21T15:51:00+00:00", "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259", "product_ids": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2009:1454" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 5.0, "confidentialityImpact": "NONE", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:N/I:N/A:P", "version": "2.0" }, "products": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ] } ], "threats": [ { "category": "impact", "details": "Important" } ], "title": "tomcat6 Denial-Of-Service with AJP connection" }, { "cve": "CVE-2009-0580", "discovery_date": "2009-06-03T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "503978" } ], "notes": [ { "category": "description", "text": "Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat6 Information disclosure in authentication classes", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2009-0580" }, { "category": "external", "summary": "RHBZ#503978", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=503978" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2009-0580", "url": "https://www.cve.org/CVERecord?id=CVE-2009-0580" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-0580", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0580" } ], "release_date": "2009-06-03T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2009-09-21T15:51:00+00:00", "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259", "product_ids": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2009:1454" } ], "scores": [ { "cvss_v2": { "accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 5.0, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "tomcat6 Information disclosure in authentication classes" }, { "cve": "CVE-2009-0783", "discovery_date": "2009-06-04T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "504153" } ], "notes": [ { "category": "description", "text": "Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat XML parser information disclosure", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2009-0783" }, { "category": "external", "summary": "RHBZ#504153", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=504153" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2009-0783", "url": "https://www.cve.org/CVERecord?id=CVE-2009-0783" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2009-0783", "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0783" } ], "release_date": "2009-06-04T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2009-09-21T15:51:00+00:00", "details": "Before applying this update, make sure that all previously-released\nerrata relevant to your system have been applied.\n\nThis update is available via Red Hat Network. Details on how to use\nthe Red Hat Network to apply this update are available at\nhttp://kbase.redhat.com/faq/docs/DOC-11259", "product_ids": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2009:1454" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "LOCAL", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 1.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:M/Au:S/C:P/I:N/A:N", "version": "2.0" }, "products": [ "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4AS-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4AS-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-0:5.5.23-1.patch07.19.ep5.el4.src", "4ES-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-1.patch07.19.ep5.el4.noarch", "4ES-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-1.patch07.19.ep5.el4.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-0:5.5.23-0jpp.9.6.ep5.el5.src", "5Server-JBEWS-5.0.0:tomcat5-admin-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-common-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jasper-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-jsp-2.0-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-server-lib-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-servlet-2.4-api-javadoc-0:5.5.23-0jpp.9.6.ep5.el5.noarch", "5Server-JBEWS-5.0.0:tomcat5-webapps-0:5.5.23-0jpp.9.6.ep5.el5.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "tomcat XML parser information disclosure" } ] }
Loading…
Loading…
Sightings
Author | Source | Type | Date |
---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.