Apache Tomcat Authentication Header Realm Name Information Disclosure Vulnerability
BID:39635
Info
| Bugtraq ID: | 39635 |
| Class: | Input Validation Error |
| CVE: | CVE-2010-1157 |
| Remote: | Yes |
| Local: | No |
| Published: | Apr 22 2010 12:00AM |
| Updated: | Mar 19 2015 09:44AM |
| Credit: | Deniz Cevik |
| Vulnerable: |
VMWare vCenter 4.0; VMWare ESX Server 4.1; VMWare ESX Server 4.0
SuSE SUSE Linux Enterprise Server 9; SuSE SUSE Linux Enterprise 11 SP1; SuSE SUSE Linux Enterprise 11; SuSE SUSE Linux Enterprise 10 SP3; SuSE openSUSE 11.3
Sun Solaris 9_x86; Sun Solaris 9_sparc; Sun Solaris 10_x86; Sun Solaris 10_sparc
Sun OpenSolaris builds snv_99, snv_98, snv_96, snv_95, snv_94, snv_93, snv_92, snv_91, snv_90, snv_89, snv_88, snv_87, snv_86, snv_85, snv_84, snv_83, snv_82, snv_81, snv_80, snv_78, snv_77, snv_76, snv_74, snv_71, snv_68, snv_67, snv_64, snv_61, snv_59, snv_58, snv_57, snv_56, snv_54, snv_51, snv_50, snv_49, snv_48, snv_47, snv_45, snv_41, snv_39, snv_38, snv_37, snv_36, snv_35, snv_29, snv_28, snv_22, snv_19, snv_111a, snv_111, snv_110, snv_109, snv_108, snv_107, snv_106, snv_105, snv_104, snv_103, snv_102, snv_101a, snv_101, snv_100
S.u.S.E. openSUSE 11.2; S.u.S.E. openSUSE 11.1
RedHat JBoss Enterprise Web Server EL4 0; Red Hat JBoss Enterprise Web Server for Windows 1.0; Red Hat JBoss Enterprise Web Server for Solaris 1.0; Red Hat JBoss Enterprise Web Server for RHEL 6 1.0; Red Hat JBoss Enterprise Web Server for RHEL 5 Server 1.0; Red Hat JBoss Enterprise Web Server for RHEL 4 ES 1.0; Red Hat JBoss Enterprise Web Server for RHEL 4 AS 1.0; Red Hat JBoss Enterprise Web Server 5.0; Red Hat JBoss Enterprise Application Platform 4.3 EL5; Red Hat JBoss Enterprise Application Platform 4.3 EL4; Red Hat JBoss Enterprise Application Platform 4.3; Red Hat JBoss Enterprise Application Platform 4.2 EL5; Red Hat JBoss Enterprise Application Platform 4.2 EL4; Red Hat JBoss Enterprise Application Platform 4.2
Pardus Linux 2009 0
Mandriva Linux Mandrake 2010.1 x86_64; Mandriva Linux Mandrake 2010.1; Mandriva Linux Mandrake 2010.0 x86_64; Mandriva Linux Mandrake 2010.0; Mandriva Linux Mandrake 2009.1 x86_64; Mandriva Linux Mandrake 2009.1; Mandriva Linux Mandrake 2009.0 x86_64; Mandriva Linux Mandrake 2009.0; Mandriva Linux Mandrake 2008.0 x86_64; Mandriva Linux Mandrake 2008.0; MandrakeSoft Enterprise Server 5 x86_64; MandrakeSoft Enterprise Server 5
HP OpenVMS Secure Web Server 7.3 -2; HP OpenVMS Secure Web Server 7.3 -1; HP OpenVMS Secure Web Server 7.3; HP OpenVMS Secure Web Server 7.2 -2; HP OpenVMS Secure Web Server 1.2; HP OpenVMS Secure Web Server 1.1 -1; HP OpenVMS Secure Web Server 2.2; HP OpenVMS Secure Web Server 2.1-1; HP HP-UX Web Server Suite 3.22; HP HP-UX Web Server Suite 3.21; HP HP-UX Web Server Suite 3.18; HP HP-UX Web Server Suite 3.17; HP HP-UX Web Server Suite 3.12; HP HP-UX Web Server Suite 3.10; HP HP-UX B.11.31
Gentoo Linux
Debian Linux 5.0 sparc; Debian Linux 5.0 s/390; Debian Linux 5.0 powerpc; Debian Linux 5.0 mipsel; Debian Linux 5.0 mips; Debian Linux 5.0 m68k; Debian Linux 5.0 ia-64; Debian Linux 5.0 ia-32; Debian Linux 5.0 hppa; Debian Linux 5.0 armel; Debian Linux 5.0 arm; Debian Linux 5.0 amd64; Debian Linux 5.0 alpha; Debian Linux 5.0
Blue Coat Systems Intelligence Center 3.2.1, 3.1.2, 3.1.1, 2.1.2, 2.1.1, 2.1, 2.0.1, 2.0, 3.2, 3.1
Avaya IR 4.0; Avaya Interactive Response 4.0
Apple Mac OS X Server 10.6.6, 10.6.5, 10.6.4, 10.6.3, 10.6.2, 10.6.1, 10.6.8, 10.6.7, 10.6; Apple Mac OS X 10.6.5, 10.6.4, 10.6.3, 10.6.2, 10.6.1, 10.6
Apache Software Foundation Tomcat 6.0.26, 6.0.25, 6.0.24, 6.0.20, 6.0.18, 6.0.16, 6.0.15, 6.0.14, 6.0.13, 6.0.12, 6.0.11, 6.0.10, 6.0.9, 6.0.8, 6.0.7, 6.0.6, 6.0.5, 6.0.4, 6.0.3, 6.0.2, 6.0.1, 6.0
Apache Software Foundation Tomcat 5.5.29, 5.5.28, 5.5.27, 5.5.26, 5.5.25, 5.5.24, 5.5.23, 5.5.22, 5.5.21, 5.5.20, 5.5.19, 5.5.18, 5.5.17, 5.5.16, 5.5.15, 5.5.14, 5.5.13, 5.5.12, 5.5.11, 5.5.10, 5.5.9, 5.5.8, 5.5.7, 5.5.6, 5.5.5, 5.5.4, 5.5.3, 5.5.2, 5.5.1, 5.5 |
| Not Vulnerable: |
VMWare ESX Server 4.1 ESX410-201101201; Sun OpenSolaris Build Snv 111B; Red Hat JBoss Enterprise Web Server for Windows 1.0.2; Red Hat JBoss Enterprise Web Server for Solaris 1.0.2; Red Hat JBoss Enterprise Web Server for RHEL 6 1.0.2; Red Hat JBoss Enterprise Web Server for RHEL 5 Server 1.0.2; Red Hat JBoss Enterprise Web Server for RHEL 4 ES 1.0.2; Red Hat JBoss Enterprise Web Server for RHEL 4 AS 1.0.2; HP HP-UX Web Server Suite 3.13; Blue Coat Systems Intelligence Center 3.2.2.1 |
Discussion
Apache Tomcat is prone to a remote information-disclosure vulnerability in its BASIC and DIGEST authenticators. When a web application protects resources with BASIC or DIGEST authentication but its web.xml does not declare a <realm-name> inside <login-config>, Tomcat generates the realm for the WWW-Authenticate challenge itself, and the affected versions build it from the server name (host name or IP address) that Tomcat sees for the request.
Remote attackers can exploit this issue by requesting a protected resource without credentials: the 401 response's WWW-Authenticate header then reveals the host name or IP address of the Tomcat server. Where Tomcat sits behind a reverse proxy or load balancer, this can be an internal name or address that is not otherwise visible. Information harvested may lead to further attacks.
The following versions are affected:
Tomcat 5.5.0 through 5.5.29
Tomcat 6.0.0 through 6.0.26
Tomcat 3.x, 4.0.x, and 5.0.x may also be affected.
Exploit / POC
An attacker can exploit this issue with readily available tools: a single unauthenticated HTTP request to a BASIC- or DIGEST-protected path (with curl, a browser, or any HTTP client) returns the challenge, and the realm value is visible in the WWW-Authenticate response header.
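The check an assessor would run against a captured 401 response, as an added example that is not code from this advisory, from Tomcat, or from the reporter: it extracts the realm from the WWW-Authenticate header and flags values that look like an IP address or a dotted host name. The sample responses, the host name 'tomcat-app01.corp.example' and the address 10.0.3.17 are constructed; fetch_401() is an assumed helper for pointing the same check at a live server, and the ':port' handling reflects the shape of the default realm in the affected code rather than anything this page states.

```python
"""Audit an HTTP 401 response for a WWW-Authenticate realm that leaks the
server's host name or IP address, the symptom of CVE-2010-1157.

Added example, not code from the advisory or from Tomcat. The sample
responses and the host name 'tomcat-app01.corp.example' are constructed.
"""
import http.client
import ipaddress
import re
import sys

# realm="quoted value" or realm=token (RFC 2617 auth-param syntax)
_REALM_RE = re.compile(r'realm\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))', re.I)
# One DNS label as permitted by RFC 1123 host names.
_LABEL_RE = re.compile(r'^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$', re.I)

# Constructed sample responses (not captured from a real server).
VULNERABLE_401 = (b"HTTP/1.1 401 Unauthorized\r\nServer: Apache-Coyote/1.1\r\n"
                  b'WWW-Authenticate: Basic realm="tomcat-app01.corp.example:8080"\r\n'
                  b"Content-Length: 0\r\n\r\n")
VULNERABLE_IP_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
                     b'WWW-Authenticate: Basic realm="10.0.3.17:8080"\r\n\r\n')
FIXED_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
             b'WWW-Authenticate: Basic realm="Authentication required"\r\n\r\n')
EXPLICIT_401 = (b"HTTP/1.1 401 Unauthorized\r\n"
                b'WWW-Authenticate: Digest realm="Intranet Portal", qop="auth", '
                b'nonce="b2c4e1", opaque="9f1a"\r\n\r\n')


def realms_from_response(raw: bytes):
    """Return every realm found in WWW-Authenticate headers of a raw response."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    realms = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        for m in _REALM_RE.finditer(value):
            quoted, token = m.group(1), m.group(2)
            realms.append(quoted.replace('\\"', '"') if quoted is not None else token)
    return realms


def split_port(realm: str):
    """The affected authenticators build the default realm as
    '<server name>:<port>' (an observation about the affected code, not a
    statement from the advisory). Return (host_part, port_or_None)."""
    m = re.match(r'^\[([^\]]+)\](?::(\d{1,5}))?$', realm)   # [IPv6]:port
    if m:
        return m.group(1), m.group(2)
    m = re.match(r'^(.+):(\d{1,5})$', realm)
    if m and ":" not in m.group(1):               # not a bare IPv6 literal
        return m.group(1), m.group(2)
    return realm, None


def classify_realm(realm: str) -> str:
    """'leak' for an IP address or dotted host name, 'ambiguous' for a bare
    single label (a short host name or a deliberately chosen realm), 'ok'
    otherwise, e.g. the fixed Tomcat default 'Authentication required'."""
    host, _port = split_port(realm.strip())
    try:
        ipaddress.ip_address(host)
        return "leak"
    except ValueError:
        pass
    labels = host.split(".")
    if all(_LABEL_RE.match(label) for label in labels):
        return "leak" if len(labels) > 1 else "ambiguous"
    return "ok"


def audit_response(raw: bytes):
    """Return [(realm, verdict), ...]; empty when no challenge was sent."""
    return [(r, classify_realm(r)) for r in realms_from_response(raw)]


def fetch_401(host: str, port: int, path: str = "/", use_tls: bool = False):
    """Send one unauthenticated GET and rebuild the response head as bytes
    so audit_response() can be applied to a live server."""
    cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    conn = cls(host, port, timeout=5)
    conn.request("GET", path)
    resp = conn.getresponse()
    head = "HTTP/1.1 %d %s\r\n" % (resp.status, resp.reason)
    head += "".join("%s: %s\r\n" % kv for kv in resp.getheaders()) + "\r\n"
    conn.close()
    return head.encode("iso-8859-1")


if __name__ == "__main__":
    # usage: python realm_audit.py HOST PORT [PROTECTED_PATH]; no args runs the sample
    if len(sys.argv) >= 3:
        raw = fetch_401(sys.argv[1], int(sys.argv[2]),
                        sys.argv[3] if len(sys.argv) > 3 else "/")
    else:
        raw = VULNERABLE_401
    for realm, verdict in audit_response(raw) or [("(no challenge)", "-")]:
        print("%-9s realm=%r" % (verdict, realm))
```

Point the live check at a path that is actually behind BASIC or DIGEST authentication; any other path returns no challenge and the audit reports nothing. A single-label realm is reported as ambiguous on purpose: "intranet" may be a chosen realm or a bare machine name, and only comparing it with the host's real name settles it.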
Solution / Fix
Solution:
Updates are available. The issue is fixed in Apache Tomcat 5.5.30 and 6.0.27, which use the fixed string "Authentication required" as the default realm name instead of the server's host name or address. On servers that cannot be upgraded immediately, web applications that use BASIC or DIGEST authentication can avoid the default altogether by declaring an explicit <realm-name> inside <login-config> in web.xml; Tomcat sends that value verbatim. Vendor packages are listed below; please see the references for more information.
Mandriva Linux Mandrake 2008.0
Mandriva Linux Mandrake 2009.0 x86_64
Mandriva Linux Mandrake 2009.1 x86_64
MandrakeSoft Enterprise Server 5
Mandriva Linux Mandrake 2008.0
- Mandriva tomcat5-5.5.23-9.2.10.3mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-admin-webapps-5.5.23-9.2.10.3mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-common-lib-5.5.23-9.2.10.3mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-5.5.23-9.2.10.3mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-javadoc-5.5.23-9.2.10.3mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-5.5.23-9.2.10.3mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-javadoc-5.5.23-9.2.10.3mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-server-lib-5.5.23-9.2.10.3mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-5.5.23-9.2.10.3mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-javadoc-5.5.23-9.2.10.3mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-webapps-5.5.23-9.2.10.3mdv2008.0.i586.rpm: http://www.mandriva.com/en/download/
Mandriva Linux Mandrake 2009.0 x86_64
- Mandriva tomcat5-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-admin-webapps-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-common-lib-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-eclipse-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-javadoc-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-server-lib-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-webapps-5.5.27-0.3.0.3mdv2009.0.noarch.rpm: http://www.mandriva.com/en/download/
Mandriva Linux Mandrake 2009.1 x86_64
- Mandriva tomcat5-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-admin-webapps-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-common-lib-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-eclipse-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-javadoc-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-server-lib-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-webapps-5.5.27-0.3.0.2mdv2009.1.noarch.rpm: http://www.mandriva.com/en/download/
MandrakeSoft Enterprise Server 5
- Mandriva tomcat5-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-admin-webapps-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-common-lib-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-eclipse-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jasper-javadoc-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-jsp-2.0-api-javadoc-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-server-lib-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-servlet-2.4-api-javadoc-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
- Mandriva tomcat5-webapps-5.5.27-0.3.0.3mdvmes5.1.noarch.rpm: http://www.mandriva.com/en/download/
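The application-side mitigation (an explicit <realm-name> in every BASIC or DIGEST <login-config>) is easy to audit across a fleet of deployed descriptors. The following is an added example, not code from this advisory or from Tomcat: it reports login-configs that would fall back to the default realm and writes a corrected descriptor. Both sample web.xml files and the realm text 'Intranet Portal' are constructed.

```python
"""Find <login-config> entries in web.xml that use BASIC or DIGEST
authentication without a <realm-name>, and emit a corrected descriptor.

Added example, not code from the advisory or from Tomcat. The descriptors
below are constructed and the realm text 'Intranet Portal' is arbitrary.
"""
import xml.etree.ElementTree as ET

# Constructed Servlet 2.5 descriptor: BASIC auth, no realm-name at all.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
  </login-config>
  <security-role><role-name>admin</role-name></security-role>
</web-app>
"""

# Constructed Servlet 2.3 descriptor (DTD, no namespace): DIGEST auth with a blank realm-name.
SAMPLE_WEB_XML_23 = """<!DOCTYPE web-app PUBLIC "-//Sun Microsystems, Inc.//DTD Web Application 2.3//EN" "http://java.sun.com/dtd/web-app_2_3.dtd">
<web-app>
  <login-config>
    <auth-method>DIGEST</auth-method>
    <realm-name> </realm-name>
  </login-config>
</web-app>
"""


def _local(tag: str) -> str:
    """'{uri}login-config' -> 'login-config', so namespaced and DTD descriptors share one code path."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return child
    return None


def _login_configs_missing_realm(root):
    """Yield (auth_method, login_config) for BASIC/DIGEST configs whose
    realm-name is absent or blank; those are the ones Tomcat fills with its default."""
    for lc in root.iter():
        if _local(lc.tag) != "login-config":
            continue
        am = _child(lc, "auth-method")
        method = (am.text or "").strip().upper() if am is not None else ""
        if method not in ("BASIC", "DIGEST"):
            continue
        rn = _child(lc, "realm-name")
        if rn is None or not (rn.text or "").strip():
            yield method, lc


def audit_web_xml(xml_text: str):
    """Return the auth methods of login-configs that would get the default realm."""
    return [m for m, _ in _login_configs_missing_realm(ET.fromstring(xml_text))]


def realm_names(xml_text: str):
    """Return the realm-name values declared in the descriptor, in document order."""
    root = ET.fromstring(xml_text)
    return [(e.text or "").strip() for e in root.iter() if _local(e.tag) == "realm-name"]


def fix_web_xml(xml_text: str, realm: str) -> str:
    """Insert or fill <realm-name> so Tomcat never generates the realm itself."""
    root = ET.fromstring(xml_text)
    ns = root.tag[: root.tag.index("}") + 1] if root.tag.startswith("{") else ""
    for _method, lc in list(_login_configs_missing_realm(root)):   # list(): mutate after iterating
        rn = _child(lc, "realm-name")
        if rn is None:
            rn = ET.Element(ns + "realm-name")
            am = _child(lc, "auth-method")
            # Servlet spec order inside login-config: auth-method, realm-name, form-login-config
            lc.insert(list(lc).index(am) + 1 if am is not None else 0, rn)
            if am is not None:
                rn.tail, am.tail = am.tail, lc.text      # keep the existing indentation
        rn.text = realm
    if ns:
        ET.register_namespace("", ns[1:-1])               # keep the default namespace unprefixed
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for name, doc in (("2.5", SAMPLE_WEB_XML), ("2.3", SAMPLE_WEB_XML_23)):
        print(name, "missing realm-name for:", audit_web_xml(doc))
    print(fix_web_xml(SAMPLE_WEB_XML, "Intranet Portal"))
```

Run audit_web_xml() over every WEB-INF/web.xml under the webapps directory to list the applications that still depend on the default. ET.tostring() does not carry over a DOCTYPE or comments, so for a DTD-based 2.3 descriptor either re-add the declaration to the output of fix_web_xml() or apply the one-line change by hand; the audit itself works on both forms.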
References
References:
- CVE-2009-2902 CVE-2009-2693 CVE-2010-1157 CVE-2010-2227 Multiple Vulnerabilitie (Oracle)
- Apache Tomcat 5.x vulnerabilities (Apache)
- Apache Tomcat 6.x vulnerabilities (Apache)
- Apache Tomcat Homepage (Apache)
- Revision 936540 Fix CVE-2010-1157 (Apache)
- Revision 936541 Fix CVE-2010-1157. (Apache)
- [SECURITY] CVE-2010-1157: Apache Tomcat information disclosure vulnerability (Mark Thomas)
- ASA-2012-026 Multiple Vulnerabilities in Apache Tomcat (Oracle October 2011) (Avaya)
- HPSBUX02579 SSRT100203 rev.1 - HP-UX Apache Running Tomcat Servlet Engine, Remot (HP)
- January 10, 2012 - Multiple Tomcat vulnerabilities in IntelligenceCenter (Blue Coat Systems)