=====================================================================
CERT-Renater Note d'Information No. 2010/VULN254
_____________________________________________________________________
DATE                 : 13/07/2010
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Tomcat versions 3 up to and including 7.
======================================================================

http://mail-archives.apache.org/mod_mbox/tomcat-announce/201007.mbox/%3c4C374EC4.4030305@apache.org%3e
______________________________________________________________________

CVE-2010-2227: Apache Tomcat Remote Denial Of Service and Information Disclosure Vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Tomcat 5.5.0 to 5.5.29
Tomcat 6.0.0 to 6.0.27
Tomcat 7.0.0
Note: 7.0.0 is still beta.
Note: The unsupported Tomcat 3.x, 4.x and 5.0.x versions may also be affected.

Description:
Several flaws in the handling of the 'Transfer-Encoding' header were found that prevented the recycling of a buffer. A remote attacker could trigger this flaw, which would cause subsequent requests to fail and/or information to leak between requests.

Mitigation:
- Tomcat 5.5.x users should upgrade to 5.5.30 or apply this patch:
  http://svn.apache.org/viewvc?view=revision&revision=959428
- Tomcat 6.0.x users should upgrade to 6.0.28 or apply this patch:
  http://svn.apache.org/viewvc?view=revision&revision=958977
- Tomcat 7.0.x users should upgrade to 7.0.1 when released or apply this patch:
  http://svn.apache.org/viewvc?view=revision&revision=958911
- All users may mitigate this flaw by running Tomcat behind a reverse proxy (such as Apache httpd 2.2) that rejects invalid values for Transfer-Encoding.

Credit:
This issue was discovered by Steve Jones

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

The Apache Tomcat Security Team
======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44       +
+ 151 bd de l'Hopital     | fax : 01-53-94-20-41       +
+ 75013 Paris             | email: certsvp@renater.fr  +
=========================================================
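The last mitigation relies on a front-end proxy rejecting malformed Transfer-Encoding values before they reach Tomcat. The following validator, added here as an illustration (not code from the advisory, Tomcat or httpd), applies the RFC 2616 rules for that header: a comma-separated list of token transfer-codings, only registered codings accepted, and "chunked" allowed once and only as the final coding. KNOWN_CODINGS and the sample values are constructed for the example.

```python
import re
from typing import List

# Transfer-codings registered for HTTP/1.1 (RFC 2616 section 3.6).
KNOWN_CODINGS = {"chunked", "identity", "gzip", "compress", "deflate"}
# RFC 2616 "token": one or more characters that are not CTLs or separators.
_TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")


def parse_transfer_encoding(value: str) -> List[str]:
    """Return the lower-cased transfer-codings in a header value, or raise
    ValueError for anything a strict reverse proxy should refuse to forward."""
    codings = []
    for element in value.split(","):
        element = element.strip()
        if not element:
            raise ValueError("empty list element")
        # A transfer-coding is a token, optionally followed by ;name=value parameters.
        name, _, _params = element.partition(";")
        name = name.strip().lower()
        if not _TOKEN.match(name):
            raise ValueError("illegal transfer-coding token: %r" % name)
        if name not in KNOWN_CODINGS:
            raise ValueError("unknown transfer-coding: %r" % name)
        codings.append(name)
    if codings.count("chunked") > 1:
        raise ValueError("chunked applied more than once")
    if "chunked" in codings and codings[-1] != "chunked":
        raise ValueError("chunked must be the final transfer-coding")
    return codings


def is_valid_transfer_encoding(value: str) -> bool:
    """Gate used by the proxy: True only if the header parses cleanly."""
    try:
        parse_transfer_encoding(value)
        return True
    except ValueError:
        return False


def rejected_values(values: List[str]) -> List[str]:
    """Return the header values that would be refused (for log review)."""
    return [v for v in values if not is_valid_transfer_encoding(v)]


# Constructed sample header values, as a proxy might see them.
SAMPLE_VALUES = ["chunked", "gzip, chunked", "Chunked", "", "chunked,,",
                 "chunked, gzip", "chunked chunked", "x-custom"]

if __name__ == "__main__":
    print("rejected:", rejected_values(SAMPLE_VALUES))
```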