Tomcat 全系又爆安全漏洞

14 Jul 2011

来自 Tomcat 邮件列表的消息，Tomcat 全系又爆安全漏洞。

CVE-2011-2526: Apache Tomcat Information disclosure and availabilityvulnerabilities<!-- more --> 安全级别：低

该漏洞影响目前所有的 Tomcat 版本，无一幸免。Tomcat 开发团队称将很快发布修复版本。

不过别着急，该漏洞只有在下面这几种情况下才存在：

• a) untrusted web applications are being used

• b) the SecurityManager is used to limit the untrusted web applications

• c) the HTTP NIO or HTTP APR connector is used

• d) sendfile is enabled for the connector (this is the default)

漏洞描述:

Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors. sendfile is used automatically for content served via the DefaultServlet and deployed web applications may use

it directlyvia setting request attributes. These request attributes were not validated. When running under a security manager, this lack of validation allowed a malicious web application to do one or more of the following that would normally be prevented by a security manager: a) return files to users that the security manager should make inaccessible b) terminate (via a crash) the JVM