A vulnerability in the AJP/1.3 Connector of Apache Tomcat 4.x allows
residual information to be retrieved from the request buffer.
Apache Tomcat is the servlet container used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
AJP (Apache JServ Protocol) is a protocol used to communicate with web
servers such as Apache HTTP Server. The AJP/1.3 Connector
(org.apache.ajp.tomcat4.Ajp13Connector) is one of the AJP implementations
for Tomcat. When Tomcat receives an AJP request packet from the web
server, it calls a Servlet based on the requested information.
Tomcat does not erase the AJP request from the buffer; when a malicious
AJP 1.3 packet is received, Tomcat retrieves the requested information
together with residual information left in the buffer.
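The following is an added illustration of the buffer-reuse defect described above, written for this page; it is neither Tomcat's Ajp13Connector code nor IPA's patch. It uses the standard AJP/1.3 framing (0x12 0x34 magic followed by a two-byte big-endian length) but the reader classes, the buffer handling and the sample packets are constructed for the demonstration. The leaky reader keeps one buffer per connection and trusts the declared length, so a truncated packet returns stale bytes from the previous request; the bounded reader rejects a length that does not match what was received and clears the buffer after each packet.

```python
import struct
from typing import Optional, Tuple

AJP_MAGIC = b"\x12\x34"   # AJP/1.3 web-server-to-container packet prefix
MAX_PACKET = 8192         # AJP/1.3 packets are at most 8 KiB


def build_packet(payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Build an AJP/1.3 packet. declared_len lets the demo construct a packet
    whose header claims more bytes than are actually sent (the malformed case)."""
    if declared_len is None:
        declared_len = len(payload)
    return AJP_MAGIC + struct.pack(">H", declared_len) + payload


class LeakyReader:
    """Models the defective pattern: one buffer kept for the connection's lifetime,
    never cleared, and the payload copied out using the declared length."""

    def __init__(self) -> None:
        self.buf = bytearray(MAX_PACKET)

    def read_packet(self, wire: bytes) -> bytes:
        self.buf[:len(wire)] = wire                  # overwrite only what arrived
        if bytes(self.buf[:2]) != AJP_MAGIC:
            raise ValueError("bad AJP magic")
        declared = struct.unpack(">H", bytes(self.buf[2:4]))[0]
        # BUG: if declared > bytes received, stale bytes from earlier requests leak
        return bytes(self.buf[4:4 + declared])


class BoundedReader:
    """Hardened form: length is checked against the bytes actually received,
    and the buffer is zeroed after use so nothing survives into the next request."""

    def __init__(self) -> None:
        self.buf = bytearray(MAX_PACKET)

    def read_packet(self, wire: bytes) -> bytes:
        if len(wire) < 4 or wire[:2] != AJP_MAGIC:
            raise ValueError("bad AJP header")
        declared = struct.unpack(">H", wire[2:4])[0]
        received = len(wire) - 4
        if declared > MAX_PACKET - 4 or declared != received:
            raise ValueError(f"declared length {declared} != received {received}")
        self.buf[:len(wire)] = wire
        payload = bytes(self.buf[4:4 + declared])
        self.buf[:len(wire)] = bytes(len(wire))     # clear what this packet used
        return payload


def demonstrate() -> Tuple[bytes, bool]:
    """Feed a normal request and then a truncated one to both readers.
    Returns (bytes the leaky reader handed back, whether the bounded reader rejected it)."""
    # constructed sample: a first request carrying a session cookie (not a real id)
    first = build_packet(b"Cookie: JSESSIONID=CONSTRUCTED-SESSION-ID-0001")
    # constructed malformed follow-up: header claims 40 bytes, only 2 are sent
    short = build_packet(b"GE", declared_len=40)

    leaky = LeakyReader()
    leaky.read_packet(first)
    leaked = leaky.read_packet(short)             # 2 real bytes + 38 stale bytes

    bounded = BoundedReader()
    bounded.read_packet(first)
    try:
        bounded.read_packet(short)
        rejected = False
    except ValueError:
        rejected = True
    return leaked, rejected


if __name__ == "__main__":
    leaked, rejected = demonstrate()
    print("leaky reader returned:", leaked)
    print("bounded reader rejected malformed packet:", rejected)
```

The check that matters in the bounded reader is the comparison of the declared length with the number of bytes actually read from the socket; clearing the buffer is defence in depth so that a future length-handling bug cannot turn into a cross-request leak again.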
Impact:
A malicious request can cause residual information leakage, which can
lead to session hijacking.
Patch:
IPA has created a patch for this vulnerability. It is not an official
patch from The Apache Software Foundation (ASF).
The AJP/1.3 Connector is currently deprecated by ASF, and no patches
are provided officially. We are trying to contact ASF via JPCERT/CC
and CERT/CC, but there has been no response from ASF.
ASF says "Use the Coyote JK Connector instead" on their web site. If you
cannot do that, the following patch might be useful.
- README
- Download the patch (tar.gz : 69KB)
- Download the patch (zip : 69KB)
This patch does not fix any other problems. IPA gives no guarantee
regarding any of these problems and is not responsible for damage that
occurs from applying the patch.
The patch is licensed under the Apache License Version 2.0. For
further details, please refer to the following URL.
http://www.apache.org/licenses/LICENSE-2.0
Acknowledgement:
IPA thanks the following organizations for their substantial
collaboration in verifying that the patch works properly.
- NIPPON TELEGRAPH AND TELEPHONE CORPORATION
- NTT Software Corporation
- NTT DATA CORPORATION
- NTT DATA INTELLILINK CORPORATION
- Steadfast Systems Co., Ltd.