Damn, all Tomcat versions hit by another security vulnerability


Article reposted from OSChina (开源中国)

According to a message on the Tomcat mailing list, every Tomcat release line is affected by yet another security vulnerability.

CVE-2011-2526: Apache Tomcat Information disclosure and availability vulnerabilities
 
Severity: Low

The vulnerability affects all current Tomcat versions, none spared. The Tomcat development team says fixed releases will be published soon.

But don't panic: the vulnerability is only exploitable when all of the following conditions hold:

a) untrusted web applications are being used
b) the SecurityManager is used to limit the untrusted web applications
c) the HTTP NIO or HTTP APR connector is used
d) sendfile is enabled for the connector (this is the default)

Vulnerability description:

Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors. sendfile is used automatically for content served via the DefaultServlet, and deployed web applications may use it directly by setting request attributes. These request attributes were not validated. When running under a security manager, this lack of validation allowed a malicious web application to do one or more of the following, which would normally be prevented by a security manager:

a) return files to users that the security manager should make inaccessible
b) terminate (via a crash) the JVM
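The core of the problem is that a web application could hand the connector a file name and a byte range, and the connector passed them to the native sendfile path without asking whether the application was allowed to read that file or whether the range made sense. The following Java class is an added illustration of the kind of validation a container needs at that boundary; it is not Tomcat's code and not the actual fix. The request attribute names are the ones Tomcat documents for its sendfile feature; the class name `SendfileGuard`, the `Range` type and the `validate` method are assumptions made for this example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

/**
 * Added illustration (not Tomcat's code): checks that a container should apply
 * to application-supplied sendfile attributes before handing them to the
 * native sendfile path. Class and method names are assumptions for this example.
 */
public final class SendfileGuard {

    // Request attribute names Tomcat documents for its sendfile support.
    public static final String ATTR_FILENAME = "org.apache.tomcat.sendfile.filename";
    public static final String ATTR_START = "org.apache.tomcat.sendfile.start";
    public static final String ATTR_END = "org.apache.tomcat.sendfile.end";

    /** A byte range of a file that has passed validation. */
    public static final class Range {
        public final String path;
        public final long start;
        public final long end;

        Range(String path, long start, long end) {
            this.path = path;
            this.start = start;
            this.end = end;
        }
    }

    private SendfileGuard() {}

    /**
     * Validates the file name and byte range an application placed in the
     * request attributes. Throws SecurityException if the security manager
     * would deny the application read access (the information-disclosure half
     * of the issue) and IllegalArgumentException if the range does not fit the
     * file (a nonsensical range reaching native code is the availability half).
     */
    public static Range validate(Object filenameAttr, Object startAttr, Object endAttr) {
        if (!(filenameAttr instanceof String) || ((String) filenameAttr).isEmpty()) {
            throw new IllegalArgumentException("sendfile filename attribute missing");
        }
        File file = new File((String) filenameAttr);
        if (!file.isAbsolute() || !file.isFile()) {
            throw new IllegalArgumentException("sendfile filename must be an absolute path to a regular file");
        }

        // This is the check whose absence allowed protected files to be served:
        // ask the security manager whether reading this path is permitted.
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkRead(file.getPath()); // throws SecurityException on denial
        }

        long start = toLong(startAttr, "start");
        long end = toLong(endAttr, "end");
        long length = file.length();
        if (start < 0 || end < start || end > length) {
            throw new IllegalArgumentException(
                    "sendfile range [" + start + "," + end + ") outside file of length " + length);
        }
        return new Range(file.getPath(), start, end);
    }

    private static long toLong(Object attr, String name) {
        if (attr instanceof Long) {
            return (Long) attr;
        }
        if (attr instanceof String) {
            try {
                return Long.parseLong((String) attr);
            } catch (NumberFormatException e) {
                throw new IllegalArgumentException("sendfile " + name + " is not a number", e);
            }
        }
        throw new IllegalArgumentException("sendfile " + name + " attribute missing");
    }

    /** Stand-alone demonstration on a constructed temporary file. */
    public static void main(String[] args) throws IOException {
        File tmp = Files.createTempFile("sendfile-demo", ".txt").toFile();
        tmp.deleteOnExit();
        Files.write(tmp.toPath(), "0123456789".getBytes("US-ASCII")); // constructed 10-byte file

        Range ok = validate(tmp.getPath(), "2", "8");
        System.out.println("accepted: " + ok.path + " [" + ok.start + "," + ok.end + ")");

        try {
            validate(tmp.getPath(), 0L, 1024L); // end beyond the file length
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Two points matter when a check like this is placed in a real container. First, the attributes are consumed after the application's `service` method has returned, so the application's own code is no longer on the call stack; the read check therefore has to be evaluated against the web application's protection domain rather than the connector's, otherwise the container's own (broader) permissions answer the question. Second, the conditions listed above include that sendfile is enabled on the connector by default, so an operational stop-gap on the NIO or APR connector, until the fixed release is deployed, is to turn sendfile off for that connector (Tomcat's connector attribute for this is `useSendfile`, taken from its configuration reference, not from this page).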
