Tomcat 又爆出两个重要漏洞

fmms 11年前
     <p>Tomcat 今天又爆出两个新的重要的漏洞,这两个漏洞分别是:</p>    <p><strong>CVE-2011-3375 Apache Tomcat Information disclosure</strong><br /> <br /> Severity: Important<br /> <br /> Vendor: The Apache Software Foundation<br /> <br /> Versions Affected:<br /> - Tomcat 7.0.0 to 7.0.21<br /> - Tomcat 6.0.30 to 6.0.33<br /> - Earlier versions are not affected<br /> <br /> Description:<br /> For performance reasons, information parsed from a request is often<br /> cached in two places: the internal request object and the internal<br /> processor object. These objects are not recycled at exactly the same time.<br /> When certain errors occur that needed to be added to the access log, the<br /> access logging process triggers the re-population of the request object<br /> after it has been recycled. However, the request object was not recycled<br /> before being used for the next request. That lead to information leakage<br /> (e.g. remote IP address, HTTP headers) from the previous request to the<br /> next request.<br /> The issue was resolved be ensuring that the request and response objects<br /> were recycled after being re-populated to generate the necessary access<br /> log entries.<br /> <br /> 解决的办法:<br /> - Tomcat 7.0.x 用户应该升级到 7.0.22 或者更新版本<br /> - Tomcat 6.0.x 应该升级到 6.0.35 或更新版本</p>    <p> </p>    <p><strong>CVE-2012-0022 Apache Tomcat Denial of Service</strong><br /> <br /> Severity: Important<br /> <br /> Vendor: The Apache Software Foundation<br /> <br /> Versions Affected:<br /> - Tomcat 7.0.0 to 7.0.22<br /> - Tomcat 6.0.0 to 6.0.33<br /> - Tomcat 5.5.0 to 5.5.34<br /> - Earlier, unsupported versions may also be affected<br /> <br /> Description:<br /> Analysis of the recent hash collision vulnerability identified unrelated<br /> inefficiencies with Apache Tomcat's handling of large numbers of<br /> parameters and parameter values. These inefficiencies could allow an<br /> attacker, via a specially crafted request, to cause large amounts of CPU<br /> to be used which in turn could create a denial of service.<br /> The issue was addressed by modifying the Tomcat parameter handling code<br /> to efficiently process large numbers of parameters and parameter values.<br /> <br /> Mitigation:<br /> Users of affected versions should apply one of the following mitigations:<br /> - Tomcat 7.0.x users should upgrade to 7.0.23 or later<br /> - Tomcat 6.0.x users should upgrade to 6.0.35 or later<br /> - Tomcat 5.5.x users should upgrade to 5.5.35 or later</p>