Apache Tomcat: Multiple vulnerabilities

Multiple vulnerabilities were found in Apache Tomcat, the worst of which allows reading, modifying and overwriting arbitrary files.

Package: apache tomcat (www-servers/tomcat)
Announced: 2012-06-24
Revised: 2016-03-20
Gentoo bugs: 272566, 273662, 303719, 320963, 329937, 373987, 374619, 382043, 386213, 396401, 399227
Access: local, remote
Versions listed in the record: 6.0.35, 7.0.23, 6.0.44, 6.0.45, 6.0.46, 6.0.47, 6.0.48, 7.0.23 (the fixed versions named in the resolution below are 6.0.35 for the 6.0.x branch and 7.0.23 for the 7.0.x branch)

Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details.

The vulnerabilities allow an attacker to cause a Denial of Service, to hijack a session, to bypass authentication, to inject webscript, to enumerate valid usernames, to read, modify and overwrite arbitrary files, to bypass intended access restrictions, to delete work-directory files, to discover the server’s hostname or IP, to bypass read permissions for files or HTTP headers, to read or write files outside of the intended working directory, and to obtain sensitive information by reading a log file.

There is no known workaround at this time.

All Apache Tomcat 6.0.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-servers/tomcat-6.0.35"

All Apache Tomcat 7.0.x users should upgrade to the latest version:

    # emerge --sync
    # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.23"
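As an added example that is not part of the advisory or of the Tomcat project: a POSIX shell check that tells whether an installed www-servers/tomcat version string still falls below the fixed version for its branch (6.0.35 for 6.0.x, 7.0.23 for 7.0.x, as stated in the resolution above), so an administrator can confirm the upgrade actually took effect. The version values in the loop are constructed for illustration; on a Gentoo host the installed version would be taken from the package manager instead. The function names vercmp and tomcat_is_vulnerable are this example's own.

```shell
# Added example, not part of the GLSA: compare an installed
# www-servers/tomcat version against the fixed versions this advisory
# names (6.0.35 for the 6.0.x branch, 7.0.23 for the 7.0.x branch).

# vercmp A B: compare two dotted numeric versions component by component.
# Prints -1 if A < B, 0 if equal, 1 if A > B. A missing component counts
# as 0, so 6.0 and 6.0.0 compare equal.
vercmp() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        ai=${ai:-0}
        bi=${bi:-0}
        if [ "$ai" -lt "$bi" ]; then printf '%s\n' -1; return 0; fi
        if [ "$ai" -gt "$bi" ]; then printf '%s\n' 1; return 0; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    printf '%s\n' 0
}

# tomcat_is_vulnerable VERSION: exit status 0 if VERSION is below the fixed
# version for its branch, 1 if it is at or above it, and 2 if the branch is
# not covered by this advisory at all. Gentoo revision suffixes (-r1) and
# other suffixes (_p1, _rc1) are stripped first; a pre-release suffix is
# therefore treated as the release it precedes, which is a simplification.
tomcat_is_vulnerable() {
    v=${1%%-*}
    v=${v%%_*}
    case $v in
        6.0.*) fixed=6.0.35 ;;
        7.0.*) fixed=7.0.23 ;;
        *)     return 2 ;;
    esac
    [ "$(vercmp "$v" "$fixed")" -lt 0 ]
}

# Constructed sample of installed versions; on a real host take the value
# from the package manager instead of this list.
for v in 6.0.32 6.0.35-r1 7.0.22 7.0.23 8.0.1; do
    rc=0
    tomcat_is_vulnerable "$v" || rc=$?
    case $rc in
        0) echo "$v: affected, upgrade as described in this advisory" ;;
        1) echo "$v: not affected" ;;
        *) echo "$v: branch not covered by this advisory" ;;
    esac
done
```

The comparison is done numerically per component rather than as a string, because a plain string sort would place 6.0.9 after 6.0.35; the branch is matched first so that a 7.0.x install is never judged against the 6.0.x fixed version.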

References:

    CVE-2008-5515
    CVE-2009-0033
    CVE-2009-0580
    CVE-2009-0781
    CVE-2009-0783
    CVE-2009-2693
    CVE-2009-2901
    CVE-2009-2902
    CVE-2010-1157
    CVE-2010-2227
    CVE-2010-3718
    CVE-2010-4172
    CVE-2010-4312
    CVE-2011-0013
    CVE-2011-0534
    CVE-2011-1088
    CVE-2011-1183
    CVE-2011-1184
    CVE-2011-1419
    CVE-2011-1475
    CVE-2011-1582
    CVE-2011-2204
    CVE-2011-2481
    CVE-2011-2526
    CVE-2011-2729
    CVE-2011-3190
    CVE-2011-3375
    CVE-2011-4858
    CVE-2011-5062
    CVE-2011-5063
    CVE-2011-5064
    CVE-2012-0022

GLSA metadata: craig, keytoaster