Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

[SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass
From: Mark Thomas <markt () apache org>
Date: Tue, 15 Mar 2011 08:45:26 +0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2011-1088 Apache Tomcat security constraint bypass

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.10
- - Earlier versions are not affected

Description:
When a web application was started, @ServletSecurity annotations were
ignored. This meant that some areas of the application may not have been
protected as expected.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Upgrade to a Tomcat version where this issue is fixed
- - Define security constraints via an alternative mechanism such as web.xml

Credit:
This issue was reported publicly on the Tomcat users mailing list.
The Apache Tomcat security requests that security vulnerability reports
are made privately to security () tomcat apache org in the first instance.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iQIcBAEBAgAGBQJNfycmAAoJEBDAHFovYFnn3jgP/0aecIt4uUYHWbmzUPA0FNan
tzjVfPskwPYrSuNbHjHuxPknmxUPSFiCdO3V1LLtnCX2y5+cNancWRjLX7lDbt8H
sL+9AaoI8HDShG1wgYsnh/3fIKczhE28pTtyo0GtG4HpQVLcT/OH2Qhb6+mG3jwo
SCia1eSTJuhj5HM3n2fb5X33n/UEkX/cCALDrt1DRfKV69MaZbMiZh7XfpyVDpdN
LePYIeuOoxg9CVjkDYCVIaK5Bi0uzPD8yCc73dOU3YobgbDDaLSN7Awd1/RhO5TR
fpWVbl0gbmMlPnMy52B9qZL+H9HwcNnYPqbtpquE2a6ik29QT4LMTNo0mr25XxmP
K3Jb7VTcVb/P1pxFOsTyMWy25IFubMEBW4c3kafBZGUI3Q25QmNizBXZ5wvn1vex
kBzDZrnKmkzvhnCy6RnTKk9BYGRWEw9ImTqLOaLxmtXJw9bnWgoeusnje1k/24QI
3+pw/g5OjwG7hqtStrscFeo8tc/snXBojn1d21txsnLggQ0E6+9+vUVym5tBD16I
MfzN7FSd620AFSmVUo5mEfEpDe+RTkA8y/7BnYHoguBQ7WLlxejCgRpaf91vBns6
ZEQGntzx7EW7M+P2GNHy1mrVGTQ7Glk/5tnAFyqgMOHzYyN11Y3OWO1XBv+1um8q
kadENSXz4mY0vKtvaeuT
=i/HJ
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
  • [SECURITY] CVE-2011-1088 Apache Tomcat security constraint bypass Mark Thomas (Mar 15)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]