Apache Tomcat is an implementation of the Java Server Pages 1.2 and Java Servlet 2.3 specifications. Apache Tomcat powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations.
The Apache Tomcat team is proud to announce the immediate availability of Tomcat 4.1.39 stable. This build contains a small number of bug fixes as well as the security fixes outlined below.
Moderate: Session hijacking CVE-2008-0128
When using the SingleSignOn Valve via https, the cookie JSESSIONIDSSO is transmitted without the “secure” attribute. As a result it is also sent with any content that is requested via plain http from the same server, whether by design or by mistake, which exposes the SSO session to anyone able to observe that unencrypted connection.
This was fixed in revision 684900. Affects: 4.1.0-4.1.37
Low: Cross-site scripting CVE-2008-1232
The message argument of
call is not only displayed on the error page, but is also used as the reason phrase of the HTTP response. This may include characters that are illegal in HTTP headers. It is possible for a specially crafted message to result in arbitrary content being injected into the HTTP response. For a successful XSS attack, unfiltered user-supplied data must be included in the message argument.
This was fixed in revision 680947. Affects: 4.1.0-4.1.37
Important: Information disclosure CVE-2008-2370
When using a RequestDispatcher, the target path was normalized before the query string was removed. A request that included a specially crafted request parameter could therefore be used to access content that would otherwise be protected by a security constraint or by its location under the WEB-INF directory.
This was fixed in revision 680950. Affects: 4.1.0-4.1.37
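Why the order of those two steps matters, shown as an added example that is not Tomcat's code: a toy resolver that normalizes the RequestDispatcher target before stripping the query string (the unpatched order) beside one that strips the query string first (the fixed order). The request target, the normaliser and the /WEB-INF constraint are all constructed for this illustration.

```python
# Added illustration of CVE-2008-2370; not Tomcat's code. The request target,
# the normaliser and the /WEB-INF constraint below are all constructed here.
from typing import Optional

def normalize(path: str) -> Optional[str]:
    """Collapse '.' and '..' segments; None if '..' would climb above the root."""
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not out:
                return None  # would escape the context root: reject outright
            out.pop()
        else:
            out.append(seg)
    return "/" + "/".join(out)

def strip_query(target: str) -> str:
    """Drop everything from the first '?' onwards."""
    return target.split("?", 1)[0]

def resolve_unpatched(target: str) -> Optional[str]:
    # Unpatched order: normalize the whole target, then drop the query string.
    # "view?file=" is treated as a path segment, so the '..' inside the query
    # string climbs out of it and no '?' is left for strip_query to find.
    normalized = normalize(target)
    return None if normalized is None else strip_query(normalized)

def resolve_fixed(target: str) -> Optional[str]:
    # Fixed order: drop the query string first, then normalize only the path.
    return normalize(strip_query(target))

def is_protected(path: str) -> bool:
    """Constructed security constraint: nothing under /WEB-INF is ever served."""
    return path.startswith("/WEB-INF/")

def bypasses_constraint(target: str) -> bool:
    """True when the unpatched order forwards to a protected path that the
    fixed order would not reach; a small regression check for a resolver."""
    weak, fixed = resolve_unpatched(target), resolve_fixed(target)
    reaches_protected = weak is not None and is_protected(weak)
    return reaches_protected and (fixed is None or not is_protected(fixed))

if __name__ == "__main__":
    TARGET = "/pages/view?file=/../../WEB-INF/web.xml"  # constructed request
    print("unpatched ->", resolve_unpatched(TARGET))    # /WEB-INF/web.xml
    print("fixed     ->", resolve_fixed(TARGET))        # /pages/view
    print("bypass?   ->", bypasses_constraint(TARGET))  # True
```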
Important: Directory traversal CVE-2008-2938
If a context is configured with
and the connector is configured with
then a malformed request may be used to access arbitrary files on the server. If the connector is configured with
then a malformed request may be used to access arbitrary files within the docBase of a context such as web.xml. It should also be noted that setting
has the same effect as setting
when processing requests with bodies encoded with UTF-8.
This was fixed in revision 681065. Affects: 4.1.0-4.1.37