This article helps you determine whether you are vulnerable to the security risk detailed in announcement CVE-2011-2204 from Apache. For more information, see the mailing list archives from Apache.
Note: The preceding link was correct as of July 12, 2013. If you find the link is broken, provide feedback and a VMware employee will update the link.
The risk described in the announcement depends on these conditions:
- Users are managed in tomcat-users.xml.
- Logs are readable by non-admins.
- An admin creates a new user via JMX.
- An unhandled exception (such as an OOME) happens at exactly the right time.
This issue is resolved in Tomcat 5.5.34, 6.0.33, 7.0.19 and later.
For Tomcat Server, upgrade to version 2.6.1 or later.
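
The conditions and fixed versions above can be checked statically on a host. The following script is an added example, not part of the original article or of Apache's tooling. It assumes the user database is declared in `server.xml` through `MemoryUserDatabaseFactory` and treats "readable by non-admins" as the "other" read bit being set. The function names are hypothetical, and the JMX and exception-timing conditions are runtime events it cannot see.

```shell
#!/bin/sh
# Added example: static check for the CVE-2011-2204 conditions listed above.
# Usage (paths are the operator's own): script VERSION SERVER_XML LOG_DIR

# 0 = release contains the fix, 1 = predates it, 2 = branch not listed in the article.
tomcat_fixed() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    major=${1:-0}; minor=${2:-0}; patch=${3%%[!0-9]*}
    case "$major.$minor" in
        5.5) fixed=34 ;;
        6.0) fixed=33 ;;
        7.0) fixed=19 ;;
        *)   if [ "$major" -gt 7 ] 2>/dev/null; then return 0; fi; return 2 ;;
    esac
    [ "${patch:-0}" -ge "$fixed" ]
}

# True when server.xml wires in the tomcat-users.xml backed user database.
uses_memory_userdb() {
    grep -q 'MemoryUserDatabaseFactory' "$1" 2>/dev/null
}

# Lists log files whose "other" read bit is set (assumed proxy for
# "readable by non-admins"; group-readable files may matter as well).
world_readable_logs() {
    find "$1" -type f -perm -004 2>/dev/null
}

# Prints one verdict: patched, unknown-version, exposed, or unpatched.
# "exposed" means every statically checkable condition holds.
assess() {
    version=$1; server_xml=$2; log_dir=$3
    rc=0; tomcat_fixed "$version" || rc=$?
    case $rc in
        0) echo patched; return 0 ;;
        2) echo unknown-version; return 0 ;;
    esac
    if uses_memory_userdb "$server_xml" && [ -n "$(world_readable_logs "$log_dir")" ]; then
        echo exposed
    else
        echo unpatched
    fi
}

if [ "$#" -eq 3 ]; then assess "$@"; fi
```

A verdict of `unpatched` still calls for the upgrade; it only means the log-exposure path was not confirmed on this host.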