Vigil@nce: Tomcat, valves access not restricted
October 2008 by Vigil@nce
When a valve is used, a forbidden attacker can access to a
restricted resource.
– Gravity: 1/4
– Consequences: data reading
– Provenance: internet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: medium (2/3)
– Creation date: 13/10/2008
IMPACTED PRODUCTS
– Apache Tomcat
DESCRIPTION
The org.apache.catalina.valves.RequestFilterValve class can be
used to restrict the access to a resource. For example:
When Tomcat receives two simultaneous queries, one from an allowed
client and the other from a forbidden client, a synchronization
error can grant the access to the forbidden client. It can be
noted that this is difficult to reproduce.
When a valve is used, a forbidden attacker can thus access in some
cases to a restricted resource.
CHARACTERISTICS
– Identifiers: 25835, BID-31698, CVE-2008-3271, VIGILANCE-VUL-8161
– Url: http://vigilance.aql.fr/vulnerability/8161