Home page logo
/

bugtraq logo Bugtraq mailing list archives

CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException
From: Mark Thomas <markt () apache org>
Date: Fri, 10 May 2013 09:37:32 +0100

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2013-2071 Request mix-up if AsyncListener method throws
              RuntimeException

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.39

Description:
Bug 54178 described a scenario where elements of a previous request may
be exposed to a current request. This was very difficult to exploit
deliberately but fairly likely to happen unexpectedly if an application
used AsyncListeners that threw RuntimeExceptions. The issue was fixed by
catching the RuntimeExceptions.

Mitigation:
Users of affected versions should apply the following mitigation:
- - Tomcat 7.0.x users should upgrade to 7.0.40 or later

Credit:
The security implications of this issue were identified by the Apache
Tomcat Security Team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=54178
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIcBAEBAgAGBQJRjLHMAAoJEBDAHFovYFnnOIAP/A9HXwQgnJKYl+gXwqFkjXaq
blo70uMMUpKPJ61l/keEguxZ/iGdQC4H2osjQiG7lhoOPvrMKtewCMXDAk/j9Skd
HXuQVSge22Na16M6GUNXARziyDk/44k8RHy3cibrPZPhUNVD743N50toPK8Q6UKR
PmAANa/kB9vvD589PCQLx/i6oiS5jaAwjoSdbwshtJytXrxoHgUrRLl3P5/sPBiq
57H/pAELR4aorfSj+tJL63ySX9v4NRiB55u3hNDgZOnPz3D9sjMsmq5vSzhfyiHh
NnkYGa7+ZfnBL6DJ4eiV5z7lbMFIBa7ZzcyYEhVFCIsbnSwTL2l0a3NSkuQ0xiXS
0jQDenOuCujL1Zw5YYHhRDy2rGbFG8q/Z+ZSQ3NP0vnmQCpCfsY3mBIFCWzhmK+h
TnFKdtxA+Ev/HSGPlSK1hADiYwL/iLb6YMoyintgj2mDIxrdHhcfMq8h6GYD1rbF
vlbWSpmgN81xdU8JxEbnq6PC60OeZH5x08Sj9B3YQlB8E4Pq9B/EaEFYF9oZdYcP
+DQWcd78SBNevg+fgKdKK8CjU5JQhMWetxv6HUomS7j3LgoJQPwVrNcg0yjV1v/g
qgddQ1DOamD+KuQxh08NHfMZP08g5a+CrQ6qpe3/pr/OI0PlTN23aCXvCEGl2KlZ
Cn4w/1eoL4agb5oREL2U
=vQbB
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
  • CVE-2013-2071 Request mix-up if AsyncListener method throws RuntimeException Mark Thomas (May 10)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault