Tomcat hit by another security vulnerability

fmms, 12 years ago
<p>CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication</p>
<p>Severity: Moderate</p>
<p>Versions affected:</p>
<ul>
<li>Tomcat 7.0.0 to 7.0.11</li>
<li>Tomcat 6.0.0 to 6.0.32</li>
<li>Tomcat 5.5.0 to 5.5.33</li>
<li>Earlier, unsupported versions may also be affected</li>
</ul>
<p>Description:</p>
<p>The implementation of HTTP DIGEST authentication was discovered to have several weaknesses:</p>
<ul>
<li>replay attacks were permitted</li>
<li>server nonces were not checked</li>
<li>client nonce counts were not checked</li>
<li>qop values were not checked</li>
<li>realm values were not checked</li>
<li>the server secret was hard-coded to a known string</li>
</ul>
<p>The result of these weaknesses is that DIGEST authentication was only as secure as BASIC authentication.</p>
<p>Mitigation:</p>
<ul>
<li>Users of Tomcat 7.0.x should upgrade to 7.0.12 or later</li>
<li>Users of Tomcat 6.0.x should upgrade to 6.0.33 or later</li>
<li>Users of Tomcat 5.5.x should upgrade to 5.5.34 or later</li>
</ul>
<div id="p_fullcontent" class="detail">
<p><strong><img title="Tomcat" border="0" alt="Tomcat" src="http://tomcat.apache.org/images/tomcat.gif" /><br /> Tomcat</strong> is a free, open-source web application server.</p>
<p>Tomcat is a core project within the Apache Software Foundation's Jakarta project, developed jointly by Apache, Sun and other companies and individuals. Because Sun participates in and supports it, the latest Servlet and JSP specifications are always reflected in Tomcat; Tomcat 5 supports the latest Servlet 2.4 and JSP 2.0 specifications. Because Tomcat is technically advanced, stable and free, it is popular among Java enthusiasts and has been adopted by some software vendors, making it one of the more widely used web application servers today.</p>
<p>Tomcat is popular with programmers because it uses few system resources while running, extends well, and supports functions commonly needed by application systems such as load balancing and mail services; it is also continually being improved, and any interested programmer can modify it or add new features.<br /> <br /> Tomcat is a small, lightweight application server, widely used in small and medium-sized systems and where the number of concurrent users is modest; it is the first choice for developing and debugging JSP programs. A beginner may think of it this way: once the Apache server is configured on a machine, it can be used to answer requests for HTML pages. Tomcat is in part an extension of the Apache server, but it runs independently, so when you run tomcat it actually runs as a process separate from Apache.</p>
<p>The trick is that, when configured correctly, Apache serves HTML pages while Tomcat actually runs the JSP pages and Servlets. In addition, like IIS, Apache and other web servers, Tomcat can serve HTML pages itself; it is also a Servlet and JSP container, and the standalone Servlet container is Tomcat's default mode. However, Tomcat is not as good at serving static HTML as the Apache server is.</p>
<p><a name="7.0.21"><span style="font-weight:bold;">Download the latest version, 7.0.21</span></a><br /> Please see the <a href="/misc/goto?guid=4958191682531667467" rel="nofollow">README</a> file for packaging information. It explains what every distribution contains. </p>
<table class="ke-zeroborder" border="0" cellspacing="0" cellpadding="2" width="100%">
<tbody>
<tr>
<td bgcolor="#828da6"><span style="font-family:arial,helvetica,sanserif;color:#ffffff;"><a name="Binary Distributions"></a><a name="Binary_Distributions"><strong>Binary Distributions</strong> </a></span></td>
</tr>
<tr>
<td>
<blockquote>
<ul>
<li>Core:
<ul>
<li><a href="/misc/goto?guid=4958191683270659487" rel="nofollow">zip</a> (<a href="/misc/goto?guid=4958191684006915521">pgp</a>, <a href="/misc/goto?guid=4958191684751916451">md5</a>) </li>
<li><a href="/misc/goto?guid=4958191685482460943" rel="nofollow">tar.gz</a> (<a href="/misc/goto?guid=4958191686228791049">pgp</a>, <a href="/misc/goto?guid=4958191686964016146">md5</a>) </li>
<li><a href="/misc/goto?guid=4958191687710708390" rel="nofollow">32-bit Windows zip</a> (<a href="/misc/goto?guid=4958191688445759080">pgp</a>, <a href="/misc/goto?guid=4958191689187288812">md5</a>) </li>
<li><a href="/misc/goto?guid=4958191689936336950" rel="nofollow">64-bit Windows zip</a> (<a href="/misc/goto?guid=4958191690671689582">pgp</a>, <a href="/misc/goto?guid=4958191691401094126">md5</a>) </li>
<li><a href="/misc/goto?guid=4958191692151833333" rel="nofollow">64-bit Itanium Windows zip</a> (<a href="/misc/goto?guid=4958191692894654882">pgp</a>, <a 
href="/misc/goto?guid=4958191693635058503">md5</a>) </li>             <li><a href="/misc/goto?guid=4958191694370841177" rel="nofollow">32-bit/64-bit Windows Service Installer</a> (<a href="/misc/goto?guid=4958191695120372532">pgp</a>, <a href="/misc/goto?guid=4958191695852294440">md5</a>) </li>            </ul> </li>           <li>Full documentation:            <ul>             <li><a href="/misc/goto?guid=4958191696590133993" rel="nofollow">tar.gz</a> (<a href="/misc/goto?guid=4958191697334001507">pgp</a>, <a href="/misc/goto?guid=4958191698059771430">md5</a>) </li>            </ul> </li>           <li>Deployer:            <ul>             <li><a href="/misc/goto?guid=4958191698800407530" rel="nofollow">zip</a> (<a href="/misc/goto?guid=4958191699558275952">pgp</a>, <a href="/misc/goto?guid=4958191700292390841">md5</a>) </li>             <li><a href="/misc/goto?guid=4958191701028852480" rel="nofollow">tar.gz</a> (<a href="/misc/goto?guid=4958191701768045565">pgp</a>, <a href="/misc/goto?guid=4958191702503790699">md5</a>) </li>            </ul> </li>           <li>Extras:            <ul>             <li><a href="/misc/goto?guid=4958191703247463027" rel="nofollow">JMX Remote jar</a> (<a href="/misc/goto?guid=4958191703980029552">pgp</a>, <a href="/misc/goto?guid=4958191704719691054">md5</a>) </li>             <li><a href="/misc/goto?guid=4958191705454239089" rel="nofollow">Web services jar</a> (<a href="/misc/goto?guid=4958191706193754114">pgp</a>, <a href="/misc/goto?guid=4958191706931438828">md5</a>) </li>             <li><a href="/misc/goto?guid=4958191707658173386" rel="nofollow">JULI adapters jar</a> (<a href="/misc/goto?guid=4958191708397516556">pgp</a>, <a href="/misc/goto?guid=4958191709124049340">md5</a>) </li>             <li><a href="/misc/goto?guid=4958191709856853294" rel="nofollow">JULI log4j jar</a> (<a href="/misc/goto?guid=4958191710595043926">pgp</a>, <a href="/misc/goto?guid=4958191711340133395">md5</a>) </li>            </ul> </li>           
<li>Embedded:            <ul>             <li><a href="/misc/goto?guid=4958191712066443763" rel="nofollow">tar.gz</a> (<a href="/misc/goto?guid=4958191712811877579">pgp</a>, <a href="/misc/goto?guid=4958191713549639034">md5</a>) </li>             <li><a href="/misc/goto?guid=4958191714279117146" rel="nofollow">zip</a> (<a href="/misc/goto?guid=4958191715006480176">pgp</a>, <a href="/misc/goto?guid=4958191715753967338">md5</a>) </li>            </ul> </li>          </ul>         </blockquote> </td>       </tr>       <tr>        <td><br /> </td>       </tr>      </tbody>     </table>     <table class="ke-zeroborder" border="0" cellspacing="0" cellpadding="2" width="100%">      <tbody>       <tr>        <td bgcolor="#828da6"><span style="font-family:arial,helvetica,sanserif;color:#ffffff;"><a name="Source Code Distributions"></a><a name="Source_Code_Distributions"><strong>Source Code Distributions</strong> </a></span></td>       </tr>       <tr>        <td>         <blockquote>          <ul>           <li><a href="/misc/goto?guid=4958191716485125913" rel="nofollow">tar.gz</a> (<a href="/misc/goto?guid=4958191717214217974">pgp</a>, <a href="/misc/goto?guid=4958191717942877611">md5</a>) </li>           <li><a href="/misc/goto?guid=4958191718683106590" rel="nofollow">zip</a> (<a href="/misc/goto?guid=4958191719411073420">pgp</a>, <a href="/misc/goto?guid=4958191720146393895">md5</a>) </li>          </ul>         </blockquote> </td>       </tr>      </tbody>     </table>    </div>
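The six weaknesses the advisory lists are exactly the checks a Digest server must perform before it trusts a response: the realm and qop must be the ones it offered, the nonce must be one it issued and still fresh, the client nonce count must move forward so a captured Authorization header cannot be replayed, and the nonce must be bound to a secret that is random rather than a known constant. The verifier below is an added example written for this page, not Tomcat's own DigestAuthenticator; it implements the RFC 2617 qop=auth formula with every one of those checks in place, and the realm, nonce lifetime, sample user and credentials are assumed values constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Callable, Dict

# Added illustrative code: a server-side HTTP Digest (RFC 2617) verifier that
# performs the checks the advisory reports as missing. Not Tomcat's code; the
# realm, lifetime, user and password below are assumed demo values.

REALM = "example-realm"          # assumed realm name
NONCE_LIFETIME_SECONDS = 300     # assumed nonce validity window
ALLOWED_QOP = {"auth"}           # qop values this server offered and accepts


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def client_response(username: str, password: str, realm: str, method: str,
                    uri: str, nonce: str, nc: str, cnonce: str,
                    qop: str = "auth") -> Dict[str, str]:
    """Build the Authorization parameters a Digest client sends (qop=auth formula)."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return {"username": username, "realm": realm, "nonce": nonce, "uri": uri,
            "qop": qop, "nc": nc, "cnonce": cnonce, "response": response}


class DigestVerifier:
    def __init__(self, users: Dict[str, str], realm: str = REALM,
                 now: Callable[[], float] = time.time):
        self.realm = realm
        # HA1 per user, so the clear-text password is not kept around.
        self.ha1 = {u: md5_hex(f"{u}:{realm}:{pw}") for u, pw in users.items()}
        self.secret = os.urandom(32)        # random per process, never a fixed known string
        self.now = now
        self.last_nc: Dict[str, int] = {}   # highest nonce count accepted per nonce

    def _sign(self, ts: str) -> bytes:
        return hmac.new(self.secret, ts.encode(), hashlib.sha256).hexdigest().encode()

    def new_nonce(self) -> str:
        """Nonce = issue time plus an HMAC over it, so the server recognises its own nonces."""
        ts = str(int(self.now()))
        return f"{ts}:{self._sign(ts).decode()}"

    def _nonce_valid(self, nonce: str) -> bool:
        ts, _, sig = nonce.partition(":")
        if not ts.isdigit() or not hmac.compare_digest(sig.encode(), self._sign(ts)):
            return False                                        # not issued by this server
        return self.now() - int(ts) <= NONCE_LIFETIME_SECONDS   # not expired

    def verify(self, method: str, p: Dict[str, str]) -> bool:
        required = {"username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"}
        if not required.issubset(p):
            return False
        if p["realm"] != self.realm:             # realm check
            return False
        if p["qop"] not in ALLOWED_QOP:          # qop check
            return False
        if not self._nonce_valid(p["nonce"]):    # server nonce check
            return False
        try:
            nc = int(p["nc"], 16)
        except ValueError:
            return False
        if nc <= self.last_nc.get(p["nonce"], 0):  # nonce count must increase: blocks replay
            return False
        ha1 = self.ha1.get(p["username"])
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{p['uri']}")
        expected = md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
        if not hmac.compare_digest(expected.encode(), p["response"].encode()):
            return False
        self.last_nc[p["nonce"]] = nc             # record the count only after success
        return True


def demo() -> Dict[str, bool]:
    """Exercise each check with a fixed clock; returns the outcome per scenario."""
    clock = [1_000_000]
    server = DigestVerifier({"alice": "s3cret"}, now=lambda: clock[0])
    nonce = server.new_nonce()
    args = dict(username="alice", password="s3cret", realm=REALM, method="GET",
                uri="/admin", nonce=nonce, cnonce="0a1b2c")
    first = client_response(nc="00000001", **args)
    results = {"valid": server.verify("GET", first)}
    results["replay"] = server.verify("GET", first)   # same header presented twice
    results["next_nc"] = server.verify("GET", client_response(nc="00000002", **args))
    results["wrong_realm"] = server.verify("GET", client_response(nc="00000003", **{**args, "realm": "other-realm"}))
    results["forged_nonce"] = server.verify("GET", client_response(nc="00000003", **{**args, "nonce": "1000000:notasignature"}))
    results["bad_qop"] = server.verify("GET", client_response(nc="00000003", qop="auth-int", **args))
    clock[0] += NONCE_LIFETIME_SECONDS + 1
    results["expired"] = server.verify("GET", client_response(nc="00000003", **args))
    return results


if __name__ == "__main__":
    print(demo())
```

Each scenario in demo() corresponds to one bullet of the advisory: only the fresh, correctly counted request is accepted, and the replayed header, the wrong realm, the unoffered qop, the nonce the server never issued and the expired nonce are all refused before the password hash is even compared. Binding the nonce to a per-process random secret is what makes the "server nonces were not checked" and "hard-coded secret" items fixable at all: without a secret only the server knows, any well-formed string would pass as a nonce.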