========================================================================
JVN#79314822, Patch for Vulnerability in Apache Tomcat AJP/1.3 Connector

IPA Security Center
http://www.ipa.go.jp/security/index-e.html
========================================================================

-- About this Archive:

This archive includes the patch and a patched binary file for the Apache
Tomcat AJP/1.3 Connector, whose vulnerability allows residual information
to be retrieved.

Currently, the AJP/1.3 Connector is deprecated by the ASF, and no patches
are provided officially. The ASF says "Use the Coyote JK Connector
instead" on its web site. If you cannot do that, this patch might be
useful.

-- Files:

This archive includes the following files:
-------------------------------------------------------------------
* README
  --- is this description.
* LICENSE
  --- is Apache License Version 2.0.
* NOTICE
  --- is based on the above mentioned License.
* source/tomcat-connectors-4.1.31-ajp13-ipa.patch
  --- is the patch for the Tomcat 4.1.31 source files.
* binary/tomcat-jk.jar
  --- is the patched binary file.
-------------------------------------------------------------------

-- How to Use:

You can choose one of two ways: applying the patch, or replacing the
binary file.

- Applying the patch:

  Change the current directory to the Tomcat Connectors source
  directory, then apply the patch.
  --------------------------------------------------------------------
  cd jakarta-tomcat-connectors-4.1.31-src
  patch -p1 < /path/to/patch/tomcat-connectors-4.1.31-ajp13-ipa.patch
  --------------------------------------------------------------------

- Replacing the Binary File:

  Back up the original binary file if necessary. Replace the original
  Tomcat file ($TOMCAT_HOME/server/lib/tomcat-jk.jar) with the patched
  file (binary/tomcat-jk.jar) and restart Tomcat.

-- Results of Verification:

IPA has checked that the vulnerability is fixed and that no other
problems occur when the patch is applied.
- Verification of the patch that fixes the vulnerability

  The following verification demonstrates that the vulnerability is
  fixed.
  * The patched Tomcat works effectively in our tests.
  * The same result has been confirmed by the enterprises concerned.

- Verification of side effects

  The following verification demonstrates that applying the patch
  causes no side effects. However, malicious request packets may cause
  exception handling.
  * All "ant test" targets ("ant" is a Java-based build tool) passed
    successfully after compilation.
  * All the tests run by the tester module included in the Tomcat
    source distribution show the same results with and without the
    patch applied.
  * A number of enterprises that operate the patched Tomcat reported
    that it works effectively without any problems.

- Comparison of Performance

  To measure the processing time, we ran 100 HTTP requests with ab (the
  Apache HTTP server benchmarking tool) against a servlet that displays
  the submitted contents, before and after applying the patch. As a
  result, no significant difference in operation speed was observed.
  Unpatched:
  ------------------------------------------------------------------
  Connection Times (ms)
                min  mean[+/-sd] median   max
  Connect:        0    0   0.0      0       0
  Processing:     1   39   3.7     39      43
  Waiting:        1   39   3.7     39      42
  Total:          1   39   3.7     39      43
  ------------------------------------------------------------------

  Patched:
  ------------------------------------------------------------------
  Connection Times (ms)
                min  mean[+/-sd] median   max
  Connect:        0    0   0.0      0       0
  Processing:     1   39   3.7     39      41
  Waiting:        1   39   3.7     39      41
  Total:          1   39   3.7     39      41
  ------------------------------------------------------------------

-- Environment:

This patch was created and tested in the following environment:
------------------------------------------------------------------
Red Hat Enterprise Linux ES release 2.1 (Panama)
Apache/1.3.33 (Unix)
mod_jk/1.2.14
Java 1.4.2_04-b04
Apache Ant 1.6.5
------------------------------------------------------------------

The following libraries were used for compilation:
------------------------------------------------------------------
Jasper 2 JSP Engine
Commons BeanUtils 1.7.0
Commons Collections 2.1.1
Commons Digester 1.7
Commons FileUpload 1.0
Commons Logging 1.0.4
JNDI 1.2.1
Commons Modeler 1.1
Jakarta Regexp 1.4
Servlet API
Xerces2 Java Parser 2.7.1
Commons Daemon 1.0.1
Commons DBCP 1.2.1
Commons Pool 1.2
JDBC Optional Package API 2.0
MX4J 2.1.1
JUnit 3.8.1
------------------------------------------------------------------

-- Disclaimer:

This patch was created by IPA Security Center and is not an official
Apache Software Foundation (ASF) patch. This patch does not fix any
other problems. IPA does not guarantee that the problems are fixed and
is not responsible for any damage caused by applying the patch. The
patch is licensed under the Apache License Version 2.0.
For further details, please refer to the following URL:
http://www.apache.org/licenses/LICENSE-2.0

-- Reference:

- Vulnerability in Apache Tomcat AJP/1.3 Connector Could Allow
  Retrieving Residual Information
  http://www.ipa.go.jp/security/vuln/documents/2005/JVN_79314822_Tomcat_en.html

Copyright(c) Information-technology Promotion Agency, Japan. All rights
reserved 2005
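As an added check that is not part of the IPA archive, the following Python script reproduces the comparison made in the "Comparison of Performance" section: it parses the "Connection Times" table that ab prints and flags a run whose mean times drift beyond a chosen threshold. The two tables are embedded as constructed sample input taken from the numbers above; the threshold and the function names are this example's own assumptions.

```python
import re

# Sample ab "Connection Times" tables, constructed here from the numbers
# in the Comparison of Performance section (not captured ab output).
UNPATCHED = """\
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    0   0.0      0       0
Processing:     1   39   3.7     39      43
Waiting:        1   39   3.7     39      42
Total:          1   39   3.7     39      43
"""
PATCHED = """\
Connection Times (ms)
              min  mean[+/-sd] median   max
Connect:        0    0   0.0      0       0
Processing:     1   39   3.7     39      41
Waiting:        1   39   3.7     39      41
Total:          1   39   3.7     39      41
"""

# One table row: label, min, mean, sd, median, max.
ROW = re.compile(r"^(Connect|Processing|Waiting|Total):\s+(\d+)\s+(\d+)\s+"
                 r"([\d.]+)\s+(\d+)\s+(\d+)")


def parse_connection_times(ab_output):
    """Return {row: (min, mean, sd, median, max)} from ab's table."""
    rows = {}
    for line in ab_output.splitlines():
        m = ROW.match(line.strip())
        if m:
            name, mn, mean, sd, med, mx = m.groups()
            rows[name] = (int(mn), int(mean), float(sd), int(med), int(mx))
    if "Total" not in rows:
        raise ValueError("no Connection Times table found in ab output")
    return rows


def compare_runs(before, after, max_mean_delta_ms=5):
    """Compare mean times of two ab runs using an assumed threshold (not a
    statistical test); return (ok, list of per-row report strings)."""
    b, a = parse_connection_times(before), parse_connection_times(after)
    ok, report = True, []
    for name in ("Connect", "Processing", "Waiting", "Total"):
        delta = a[name][1] - b[name][1]
        regressed = abs(delta) > max_mean_delta_ms
        ok = ok and not regressed
        report.append(f"{name}: mean {b[name][1]} -> {a[name][1]} ms "
                      f"({delta:+d}){' REGRESSION' if regressed else ''}")
    return ok, report
```

Feed `compare_runs` the full stdout of two `ab -n 100` runs (before and after replacing tomcat-jk.jar) to get the same per-row comparison for your own environment.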