Pivotal Knowledge Base


Determining Tomcat/tcServer installation vulnerability to CVE-2011-2204 (2002171)

Purpose

This article helps to determine whether you are vulnerable to the security risk detailed in announcement CVE-2011-2204 from Apache. For more information, see mailing list archives from Apache.
 
Note: The preceding link was correct as of July 12, 2013. If you find the link is broken, provide feedback and a VMware employee will update the link.

Resolution

The SpringSource Security team has evaluated this announcement.

To be vulnerable, your environment must meet all of these criteria:

  • Users are managed in tomcat-users.xml.
  • Logs are readable by non-admins.
  • An admin creates a new user via JMX.
  • An unhandled exception (such as an OOME) happens at exactly the right time.

This issue is resolved in Tomcat 5.5.34, 6.0.33, 7.0.19 and later.

For tc Server, upgrade to version 2.6.1 or later.
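The criteria above can be triaged mechanically. The following is an added example, not part of the KB article or of the Tomcat project: it applies the fixed-version thresholds the article gives and checks the two static criteria (users managed in tomcat-users.xml via the stock MemoryUserDatabase resource in server.xml, and log files readable by non-admins) so that hosts failing either one can be ruled out. The server.xml fragment is constructed sample input, the tc Server version mapping is not covered, and the JMX user-creation and exception-timing criteria are operational and cannot be checked statically.

```python
import stat
import xml.etree.ElementTree as ET

# Fixed versions per the article: 5.5.34, 6.0.33, 7.0.19 and later on each branch.
FIXED = {(5, 5): (5, 5, 34), (6, 0): (6, 0, 33), (7, 0): (7, 0, 19)}


def version_is_fixed(version):
    """True if a Tomcat version string such as '6.0.32' is at or past the fix."""
    parts = tuple(int(p) for p in version.split(".")[:3])
    fixed = FIXED.get(parts[:2])
    if fixed is None:
        # Branches newer than 7.0 shipped after the fix; older ones never got one.
        return parts[:2] > (7, 0)
    return parts >= fixed


def uses_tomcat_users_xml(server_xml_text):
    """True if server.xml declares a UserDatabase resource backed by
    MemoryUserDatabaseFactory, i.e. users are managed in tomcat-users.xml."""
    root = ET.fromstring(server_xml_text)
    return any(res.get("factory", "").endswith("MemoryUserDatabaseFactory")
               for res in root.iter("Resource"))


def logs_world_readable(mode):
    """True if an st_mode value (from os.stat on the log file or directory)
    grants read permission to 'other', i.e. logs are readable by non-admins."""
    return bool(mode & stat.S_IROTH)


def assess(version, server_xml_text, log_mode):
    """Return (possibly_vulnerable, reasons_ruled_out). All article criteria must
    hold, so a single failing static criterion rules the host out."""
    reasons = []
    if version_is_fixed(version):
        reasons.append("version contains the fix")
    if not uses_tomcat_users_xml(server_xml_text):
        reasons.append("users are not managed in tomcat-users.xml")
    if not logs_world_readable(log_mode):
        reasons.append("logs are not readable by non-admins")
    return (not reasons, reasons)


# Constructed sample: the stock GlobalNamingResources entry from a Tomcat server.xml.
SAMPLE_SERVER_XML = """<Server>
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml"/>
  </GlobalNamingResources>
</Server>"""
```

A host that passes all three static checks still needs the operational criteria (JMX user creation plus a concurrent unhandled exception) to be exposed, so treat the result as "cannot be ruled out" rather than "confirmed vulnerable".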

Additional Information

For more information, see Apache Tomcat 5.x vulnerabilities, Fixed in Apache Tomcat 6.0.33, and Fixed in Apache Tomcat 7.0.19, all from The Apache Software Foundation.

Note: The preceding links were correct as of July 12, 2013. If you find a link is broken, provide feedback and a VMware employee will update the link.

Tags

security-vulnerability

Confidential or Internal Solution information

View is not vulnerable to CVE-2011-2204 (2002171) as we do not meet all the criteria mentioned in the Resolution section.

©VMware 2013