Apache Tomcat “@ServletSecurity” Annotation Security Bypass

Description

A vulnerability has been reported in Apache Tomcat, which can be exploited by malicious people to bypass security constraints declared on servlets.

The vulnerability is caused by Tomcat not enforcing the security constraints declared via the Servlet 3.0 “@ServletSecurity” annotation when the annotated servlet is loaded: the required roles, denied HTTP methods or transport guarantee specified in the annotation are not applied to requests for that servlet. This can be exploited to access resources that should require authentication or authorisation, e.g. to disclose information the annotation was meant to protect. The bypass is silent (the application deploys and runs normally), so administrators should verify that annotated resources actually reject anonymous requests rather than assume the constraints are in force.

The vulnerability is reported in versions 7.0.0 through 7.0.10.
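
As an added check, not taken from the Secunia advisory or from the Tomcat project: the POSIX shell probe below sends anonymous requests to paths that are supposed to be protected by @ServletSecurity and reports whether the constraint was enforced. The TOMCAT_URL and PROTECTED_PATHS variables, the /admin path and the admin role are hypothetical placeholders for your own deployment. The login-page heuristic relies on the Servlet specification's FORM authentication, whose login page posts to j_security_check, so a 200 response carrying that form is a challenge rather than a bypass.

```shell
#!/bin/sh
# Added example (not from the advisory or the Tomcat project): probe a deployed
# Tomcat 7 web application and report whether a resource that is supposed to be
# protected by an @ServletSecurity annotation is actually enforced.
#
# Assumptions (hypothetical, adjust for your deployment):
#   - TOMCAT_URL points at the context, e.g. http://localhost:8080/myapp
#   - the servlet under test is annotated roughly like
#       @ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
#       @WebServlet("/admin")
#     so an anonymous request must be answered with 401 or 403, a redirect to
#     https (CONFIDENTIAL transport guarantee) or a FORM login page, never with
#     the protected content itself.

# classify_response STATUS REDIRECT_LOCATION BODY_HAS_LOGIN_FORM
# Prints one word: ENFORCED, BYPASSED or INCONCLUSIVE.
classify_response() {
    status=$1
    location=${2:-}
    body_has_login=${3:-no}
    case "$status" in
        401|403)
            echo ENFORCED ;;            # challenge or refusal: constraint applied
        301|302|303|307|308)
            # A redirect to https is what a CONFIDENTIAL transport guarantee produces;
            # any other redirect tells us nothing about the constraint.
            case "$location" in
                https://*) echo ENFORCED ;;
                *)         echo INCONCLUSIVE ;;
            esac ;;
        200)
            # FORM authentication answers an anonymous request with a 200 that carries
            # the login page (its form posts to j_security_check). Only a 200 without
            # that form means the protected resource itself was served.
            if [ "$body_has_login" = yes ]; then echo ENFORCED; else echo BYPASSED; fi ;;
        *)
            echo INCONCLUSIVE ;;        # 404, 500, ...: resource or server problem, not a verdict
    esac
}

# probe_path BASE_URL PATH
# Performs one anonymous GET and classifies the response.
probe_path() {
    base=$1
    path=$2
    body=$(mktemp)
    # %{http_code} and %{redirect_url} are standard curl --write-out variables.
    out=$(curl -s -o "$body" -w '%{http_code} %{redirect_url}' "$base$path") || {
        rm -f "$body"
        echo INCONCLUSIVE              # curl itself failed (connection refused etc.)
        return 0
    }
    if grep -q j_security_check "$body"; then has_login=yes; else has_login=no; fi
    rm -f "$body"
    status=${out%% *}
    location=${out#* }
    classify_response "$status" "$location" "$has_login"
}

# Only touch the network when the caller supplies a target, so the file can be
# sourced for its functions without side effects.
if [ -n "${TOMCAT_URL:-}" ]; then
    for p in ${PROTECTED_PATHS:-/admin}; do
        printf '%s %s\n' "$p" "$(probe_path "$TOMCAT_URL" "$p")"
    done
fi
```

Run it as `TOMCAT_URL=http://host:8080/app PROTECTED_PATHS='/admin /reports' sh probe.sh`; a BYPASSED line means the resource was served to an anonymous client. Pair the anonymous probe with a request carrying valid credentials so that INCONCLUSIVE results (404, connection errors) are not mistaken for protection, and re-run the probe after updating to 7.0.11 to confirm the constraints are honoured.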

Solution

Update to version 7.0.11.

Provided and/or discovered by
Michael McCutcheon

Changelog
Further details available in Customer Area

Original Advisory
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.10_%28released_8_Mar_2011%29
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.11_%28released_11_Mar_2011%29

Source Advisory
http://secunia.com/advisories/43684/

Download Apache Tomcat
http://tomcat.apache.org/download-70.cgi
