Vulnerability Details
Apache Tomcat Invoker Servlet File Disclosure Vulnerability
- CNNVD ID: CNNVD-200301-017
- Severity: High
- CVE ID: CVE-2002-1394
- Vulnerability type: Other
- Published: 2003-01-17
- Threat type: Remote
- Updated: 2019-04-03
- Vendor: apache
- Vulnerability source: Tomcat development...
Vulnerability Summary
Apache Tomcat is a lightweight web application server from the Jakarta project of the Apache Software Foundation (USA). It is mainly used for developing and debugging JSP applications, is suited to small and medium-sized systems, and runs on Unix, Linux and Windows. Apache Tomcat does not correctly handle maliciously crafted Servlet requests submitted by users; a remote attacker can exploit this vulnerability to obtain JSP source code or other protected resource information. The vulnerability allows an attacker to submit a specially crafted URL that makes Apache Tomcat return the unprocessed source of a JSP page and, under certain circumstances, obtain the contents of security-protected pages without authorization.
Vulnerability Advisory
Temporary workaround:
If you cannot install the patch or upgrade immediately, CNNVD recommends the following measures to reduce the threat:
* Temporarily mitigate this vulnerability by removing the following lines from the Tomcat configuration file $CATALINA_HOME/conf/web.xml:
Vendor patches:
Debian
------
http://www.debian.org/security/2003/dsa-225
Apache
------
The vendor has released upgrade patches that fix this security issue; download them from the vendor's site:
Apache Software Foundation Tomcat 4.0:
Apache Software Foundation Hotfix 13365.zip
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip
Apache Software Foundation Tomcat 4.0.1:
Apache Software Foundation Hotfix 13365.zip
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip
Apache Software Foundation Tomcat 4.0.2:
Apache Software Foundation Hotfix 13365.zip
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip
Apache Software Foundation Tomcat 4.0.3:
Apache Software Foundation Hotfix 13365.zip
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.0.5/bin/hotfix/13365.zip
Apache Software Foundation Tomcat 4.1:
Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/
Apache Software Foundation Tomcat 4.1.3 beta:
Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/
Apache Software Foundation Tomcat 4.1.9 beta:
Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/
Apache Software Foundation Tomcat 4.1.10:
Apache Software Foundation Upgrade Jakarta Tomcat 4.1.12
http://jakarta.apache.org/builds/jakarta-tomcat-4.0/release/v4.1.12/
References
Source: MLIST
Link: https://lists.apache.org/thread.HTML/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
Source: MLIST
Link: https://lists.apache.org/thread.HTML/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
Source: CONFIRM
Link: http://marc.info/?l=tomcat-dev&m=103417249325526&w=2
Source: REDHAT
Link: http://www.redhat.com/support/errata/RHSA-2003-082.HTML
Source: REDHAT
Link: http://www.redhat.com/support/errata/RHSA-2003-075.HTML
Source: GENTOO
Link: http://marc.info/?l=bugtraq&m=103470282514938&w=2
Source: DEBIAN
Link: http://www.debian.org/security/2003/dsa-225
Source: XF
Link: https://exchange.xforce.ibmcloud.com/vulnerabilities/10376
Source: BID
Link: http://www.securityfocus.com/bid/6562
Source: CONFIRM
Link: http://issues.apache.org/bugzilla/show_bug.cgi?id=13365
Affected Products
- Apache Tomcat:4.1.10
- Apache Tomcat:4.1.9:Beta
- Apache Tomcat:4.1.3:Beta
- Apache Tomcat:4.1.0
- Apache Tomcat:4.0.5
Patches
None available