=====================================================================
                                  CERT-Renater

                       Note d'Information No. 2002/VULN335
_____________________________________________________________________

DATE                      : 11/12/2002

HARDWARE PLATFORM(S)      : HP9000 Servers

OPERATING SYSTEM(S)       : systems running Tomcat 4.0.X versions prior
                                to version 4.0.6.
                             VVOS release 11.04 with only the Virtualvault
                                A.04.60 product installed

======================================================================

  -----------------------------------------------------------------
  Source: HEWLETT-PACKARD COMPANY
  SECURITY BULLETIN: HPSBUX0212-229
  Originally issued: 09 Dec 2002
  SSRT2430 Security Vulnerability in Tomcat 4.0.X
  -----------------------------------------------------------------

NOTICE: There are no restrictions for distribution of this Bulletin
provided that it remains complete and intact.

The information in the following Security Bulletin should be
acted upon as soon as possible.  Hewlett-Packard Company will
not be liable for any consequences to any customer resulting
from customer's failure to fully implement instructions in this
Security Bulletin as soon as possible.

  ------------------------------------------------------------------
PROBLEM: Security vulnerability in Tomcat 4.0.X versions prior
          to version 4.0.6.

IMPACT:  Potential unauthorized source code listing.

PLATFORM:  HP9000 Servers running VVOS release 11.04 with only
            the Virtualvault A.04.60 product installed.

SOLUTION:  Upgrade to Tomcat 4.0.6 or later Tomcat 4.0.X version,
            or disable the affected resource manually (see below).

MANUAL ACTIONS:  Yes - NonUpgrade
                  On VVOS 11.04 only, if one of the Tomcat
                  4.0.X versions prior to 4.0.6 is integrated
                  with Apache web server, comment the lines
                  in configuration files as specified below.

AVAILABILITY: n/a

  ------------------------------------------------------------------

  A. Background
     This is only applicable for customers who have downloaded
     and integrated Tomcat 4.0.X with their Virtualvault platform.

     Virtualvault A.04.60 has been released with the support for
     the integration of Tomcat 4.0.X versions with the Apache web
     server.  The default servlet
     (org.apache.catalina.servlets.DefaultServlet) in Tomcat
     versions prior to 4.0.6 exposes the source code of server
     files via a direct request to the servlet.

  B. Recommended solution

     Hewlett-Packard recommends the customers who have installed
     Virtualvault A.04.60 and integrated Tomcat 4.0.X versions prior
     to 4.0.6 with Apache web server, to follow either of the
     instructions given below.

     1. Upgrade Tomcat to version 4.0.6 or later Tomcat 4.0.X
        version. (This is the preferred solution). Tomcat 4.0.6
        can be found at:
  http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.6/bin/

     2. Customers who cannot upgrade Tomcat as recommended above
        should implement either of the following manual workaround
        solutions to prohibit users from exploiting this
        vulnerability:

      2.1. Configure Tomcat to deny access to the
           "/servlet/org.apache.catalina.servlets.DefaultServlet/*"
           resource.

        or

      2.2 Comment the following lines in the applications'
          configuration files by prefixing a '#':
            #
            #   invoker
            #   /servlet/*
            #


  C. To subscribe to automatically receive future NEW HP Security
     Bulletins from the HP IT Resource Center via electronic
     mail, do the following:

     Use your browser to get to the HP IT Resource Center page
     at:

        http://itrc.hp.com

     Use the 'Login' tab at the left side of the screen to login
     using your ID and password.  Use your existing login or the
     "Register" button at the left to create a login, in order to
     gain access to many areas of the ITRC.  Remember to save the
     User ID assigned to you, and your password.

     In the left most frame select "Maintenance and Support".

     Under the "Notifications" section (near the bottom of
     the page), select "Support Information Digests".

     To -subscribe- to future HP Security Bulletins or other
     Technical Digests, click the check box (in the left column)
     for the appropriate digest and then click the "Update
     Subscriptions" button at the bottom of the page.

     or

     To -review- bulletins already released, select the link
     (in the middle column) for the appropriate digest.

     To -gain access- to the Security Patch Matrix, select
     the link for "The Security Bulletins Archive".  (near the
     bottom of the page)  Once in the archive the third link is
     to the current Security Patch Matrix. Updated daily, this
     matrix categorizes security patches by platform/OS release,
     and by bulletin topic.  Security Patch Check completely
     automates the process of reviewing the patch matrix for
     11.XX systems.

     For information on the Security Patch Check tool, see:
     http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/
     displayProductInfo.pl?productNumber=B6834AA

     The security patch matrix is also available via anonymous
     ftp:

     ftp://ftp.itrc.hp.com/export/patches/hp-ux_patch_matrix/

     On the "Support Information Digest Main" page:
     click on the "HP Security Bulletin Archive".

  D. To report new security vulnerabilities, send email to

     security-alert@hp.com

     Please encrypt any exploit information using the
     security-alert PGP key, available from your local key
     server, or by sending a message with a -subject- (not body)
     of 'get key' (no quotes) to security-alert@hp.com.

  ------------------------------------------------------------------

  (c) Copyright 2002 Hewlett-Packard Company
   Hewlett-Packard Company shall not be liable for technical or
   editorial errors or omissions contained herein. The information
   in this document is subject to change without notice.
   Hewlett-Packard Company and the names of HP products referenced
   herein are trademarks and/or service marks of Hewlett-Packard
   Company.  Other product and company names mentioned herein may be
   trademarks and/or service marks of their respective owners.

___________________________________________________________________
--
-----End of Document ID:  HPSBUX0212-229--------------------------------------

======================================================================

         =========================================================
         Les serveurs de référence du CERT-Renater
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
	=========================================================
	+ CERT-RENATER		| tel : 01-53-94-20-44		+
	+ 151 bd de l'Hopital	| fax : 01-53-94-20-41		+
	+ 75013 Paris		| email: certsvp@renater.fr	+
	=========================================================