Multiple vulnerabilities have been identified in Apache Tomcat, which could be exploited by attackers or malicious users to bypass restrictions, gain knowledge of sensitive information or manipulate data.

The first issue is caused by an input validation error when deploying WAR files, which could allow an attacker to create arbitrary content outside of the web root folder via a directory traversal.

The second vulnerability is caused by an error when deploying files after a failed undeploy, which could cause arbitrary files to be deployed without security constraints, making them accessible without authentication.

The third issue is caused by an input validation error when deploying and undeploying WAR files with specially crafted file names, which could allow an attacker to cause the deletion of the current contents of the host's work directory.

Affected Products

Apache Tomcat versions 6.0.0 through 6.0.20
Apache Tomcat versions 5.5.0 through 5.5.28

Solution

Upgrade to Apache Tomcat version 6.0.24 :
http://tomcat.apache.org/download-60.cgi

Apply patches for Tomcat 5.x :
http://svn.apache.org/viewvc?rev=902650&view=rev

References

http://www.vupen.com/english/advisories/2010/0213
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0476.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0477.html
http://archives.neohapsis.com/archives/fulldisclosure/2010-01/0478.html

Credits

Vulnerabilities reported by the vendor and Marc Schoenefeld of (Red Hat Security Response Team).

Changelog

2010-01-25 : Initial release

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.