Two vulnerabilities have been identified in Apache Tomcat, which could be exploited to cause a denial of service or disclose sensitive information.
The first issue is caused by insufficient error checking in some authentication classes, which could allow attackers to enumerate valid usernames by sending specially crafted URL-encoded passwords to a server when FORM based authentication (j_security_check) is used with "MemoryRealm", "DataSourceRealm" or "JDBCRealm".
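An illustrative model of the flaw class behind the first issue, added here as an example; it is not Tomcat's code, and the precise check the affected realms lacked is an assumption. The vulnerable variant decodes the password only after the user has been found, so a malformed percent sequence produces a distinct error for valid usernames; the hardened variant validates first and returns one uniform failure:

```python
import hashlib
import hmac
import string

# Constructed credential store: username -> SHA-256 hex digest of the password.
USERS = {"alice": hashlib.sha256(b"correct horse").hexdigest()}
# Placeholder digest for unknown users so both code paths do the same work.
DUMMY_HASH = hashlib.sha256(b"no-such-user").hexdigest()

def decode_password(raw):
    """Strict percent-decoding (assumed): reject '%' not followed by two hex digits."""
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] == "%":
            pair = raw[i + 1:i + 3]
            if len(pair) != 2 or any(c not in string.hexdigits for c in pair):
                raise ValueError("malformed percent-encoding")
            out.append(int(pair, 16))
            i += 3
        else:
            out += raw[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")  # UnicodeDecodeError is a ValueError too

def _digest(password):
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def vulnerable_login(username, raw_password):
    """Decodes the password only after the user is found: the 400 leaks that the username exists."""
    stored = USERS.get(username)
    if stored is None:
        return 401, "bad credentials"
    try:
        password = decode_password(raw_password)
    except ValueError:
        return 400, "malformed request"
    if hmac.compare_digest(_digest(password), stored):
        return 200, "ok"
    return 401, "bad credentials"

def hardened_login(username, raw_password):
    """Validates the encoding before any lookup and returns one failure shape for every error."""
    try:
        password = decode_password(raw_password)
    except ValueError:
        password = None
    stored = USERS.get(username, DUMMY_HASH)
    ok = password is not None and hmac.compare_digest(_digest(password), stored)
    return (200, "ok") if ok and username in USERS else (401, "bad credentials")
```

A regression test for the hardened path simply asserts that a malformed password yields byte-identical responses for a known and an unknown username.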
The second vulnerability is caused by Tomcat closing AJP connections when processing a request with invalid headers via the Java AJP connector, which could cause a member of a mod_jk load balancing worker to be blocked for a limited time, creating a denial of service condition.