National Cyber-Alert System

Vulnerability Summary for CVE-2008-3271

Overview

Apache Tomcat 5.5.0 and 4.1.0 through 4.1.31 allows remote attackers to bypass an IP address restriction and obtain sensitive information via a request that is processed concurrently with another request but in a different thread, leading to an instance-variable overwrite associated with a "synchronization problem" and lack of thread safety, and related to RemoteFilterValve, RemoteAddrValve, and RemoteHostValve.

Impact

CVSS Severity (version 2.0):

CVSS Version 2 Metrics:

References to Advisories, Solutions, and Tools

By selecting these links, you will be leaving NIST webspace. We have provided these links to other web sites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other web sites that are more appropriate for your purpose. NIST does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, NIST does not endorse any commercial products that may be mentioned on these sites. Please address comments about this page to nvd@nist.gov.

External Source: CONFIRM

Name: https://issues.apache.org/bugzilla/show_bug.cgi?id=25835

Hyperlink:https://issues.apache.org/bugzilla/show_bug.cgi?id=25835

External Source: XF

Name: apache-tomcat-valve-security-bypass(45791)

Hyperlink:http://xforce.iss.net/xforce/xfdb/45791

External Source: VUPEN

Name: ADV-2009-1818

Hyperlink:http://www.vupen.com/english/advisories/2009/1818

External Source: SECTRACK

Name: 1021039

Hyperlink:http://www.securitytracker.com/id?1021039

External Source: BID

Name: 31698

Hyperlink:http://www.securityfocus.com/bid/31698

External Source: BUGTRAQ

Name: 20081009 [SECURITY] CVE-2008-3271 - Apache Tomcat information disclosure

Hyperlink:http://www.securityfocus.com/archive/1/archive/1/497220/100/0/threaded

External Source: CONFIRM

Name: http://www.nec.co.jp/security-info/secinfo/nv09-006.html

Hyperlink:http://www.nec.co.jp/security-info/secinfo/nv09-006.html

External Source: CONFIRM

Name: http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html

Hyperlink:http://www.fujitsu.com/global/support/software/security/products-f/interstage-200806e.html

External Source: VUPEN

Name: ADV-2008-2800

Hyperlink:http://www.frsirt.com/english/advisories/2008/2800

External Source: VUPEN

Name: ADV-2008-2793

Type: Advisory

Hyperlink:http://www.frsirt.com/english/advisories/2008/2793

External Source: CONFIRM

Name: http://tomcat.apache.org/security-5.html

Hyperlink:http://tomcat.apache.org/security-5.html

External Source: CONFIRM

Name: http://tomcat.apache.org/security-4.html

Type: Advisory

Hyperlink:http://tomcat.apache.org/security-4.html

External Source: SREASON

Name: 4396

Hyperlink:http://securityreason.com/securityalert/4396

External Source: SECUNIA

Name: 35684

Hyperlink:http://secunia.com/advisories/35684

External Source: SECUNIA

Name: 32398

Type: Advisory

Hyperlink:http://secunia.com/advisories/32398

External Source: SECUNIA

Name: 32234

Type: Advisory

Hyperlink:http://secunia.com/advisories/32234

External Source: SECUNIA

Name: 32213

Type: Advisory

Hyperlink:http://secunia.com/advisories/32213

External Source: SUSE

Name: SUSE-SR:2008:023

Hyperlink:http://lists.opensuse.org/opensuse-security-announce/2008-10/msg00012.html

External Source: JVNDB

Name: JVNDB-2008-000069

Hyperlink:http://jvndb.jvn.jp/en/contents/2008/JVNDB-2008-000069.html

External Source: JVN

Name: JVN#30732239

Hyperlink:http://jvn.jp/en/jp/JVN30732239/index.html