Tomcat 又爆出兩個重要漏洞

    Tomcat 又爆出兩個新的重要的漏洞這兩個漏洞分別是
   
    CVE Apache Tomcat Information disclosure
   
    Severity: Important
   
    Vendor: The Apache Software Foundation
   
    Versions Affected:
   
    ◆ Tomcat to
   
    ◆ Tomcat to
   
    ◆ Earlier versions are not affected
   
    Description:
   
    For performance reasons information parsed from a request is often
   
    cached in two places: the internal request object and the internal
   
    processor object These objects are not recycled at exactly the same time
   
    When certain errors occur that needed to be added to the access log the
   
    access logging process triggers the repopulation of the request object
   
    after it has been recycled However the request object was not recycled
   
    before being used for the next request That lead to information leakage
   
    （eg remote IP address HTTP headers） from the previous request to the
   
    next request
   
    The issue was resolved be ensuring that the request and response objects
   
    were recycled after being repopulated to generate the necessary access
   
    log entries
   
    解決的辦法
   
    ◆  Tomcat x 用戶應該升級到 或者更新版本
   
    ◆ Tomcat x 應該升級到 或更新版本
   
    CVE Apache Tomcat Denial of Service
   
    Severity: Important
   
    Vendor: The Apache Software Foundation
   
    Versions Affected:
   
    ◆ Tomcat to
   
    ◆ Tomcat to
   
    ◆ Tomcat to
   
    ◆ Earlier unsupported versions may also be affected
   
    Description:
   
    Analysis of the recent hash collision vulnerability identified unrelated
   
    inefficiencies with Apache Tomcats handling of large numbers of
   
    parameters and parameter values These inefficiencies could allow an
   
    attacker via a specially crafted request to cause large amounts of CPU
   
    to be used which in turn could create a denial of service
   
    The issue was addressed by modifying the Tomcat parameter handling code
   
    to efficiently process large numbers of parameters and parameter values
   
    Mitigation:
   
    Users of affected versions should apply one of the following mitigations:
   
    ◆ Tomcat x users should upgrade to or later
   
    ◆ Tomcat x users should upgrade to or later
   
    ◆ Tomcat x users should upgrade to or later
From:http://tw.wingwit.com/Article/program/Java/ky/201311/28189.html