来自 Tomcat 邮件列表的消息,Tomcat 全系又爆安全漏洞。CVE-2011-2526: Apache Tomcat Information disclosure and availability vulnerabilities
安全级别:低该漏洞影响目前所有的 Tomcat 版本,无一幸免。Tomcat 开发团队称将很快发布修复版本。不过别着急,该漏洞只有在下面这几种情况下才存在:a) untrusted web applications are being used b) the SecurityManager is used to limit the untrusted web applications c) the HTTP NIO or HTTP APR connector is used d) sendfile is enabled for the connector (this is the default)漏洞描述:Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors. sendfile is used automatically for content served via the DefaultServlet and deployed web applications may use it directly via setting request attributes. These request attributes were not validated. When running under a security manager, this lack of validation allowed a malicious web application to do one or more of the following that would normally be prevented by a security manager: a) return files to users that the security manager should make inaccessible b) terminate (via a crash) the JVMTrend Micro Control Manager “CASProcessor.exe” BLOB远程代码执行漏洞Linux Kernel “dns_key.c”空指针引用拒绝服务漏洞相关资讯 Tomcat
易网时代-编程资源站