Apache Tomcat 5.5.0 to 5.5.11 allows remote attackers to cause a denial of service (CPU consumption) via a large number of simultaneous requests to list a web directory that has a large number of files.
Multiple security risks exist in Apache Tomcat as included with CA Cohesion and products that contain CA Cohesion. These include, but are not limited to, arbitrary command execution. Affected products include CA Cohesion Application Configuration Manager 4.5, CA CMDB Application Server 11.1, and Unicenter Service Desk 11.2.
Title: CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
CA Advisory Reference: CA20090123-01
CA Advisory Date: 2009-01-23
Reported By: n/a
Impact: Refer to the CVE identifiers for details.
Summary: Multiple security risks exist in Apache Tomcat as
included with CA Cohesion Application Configuration Manager. CA
has issued an update to address the vulnerabilities. Refer to the
References section for the full list of resolved issues by CVE
Mitigating Factors: None
Severity: CA has given these vulnerabilities a Medium risk rating.
CA Cohesion Application Configuration Manager 4.5
CA Cohesion Application Configuration Manager 4.5 SP1
Status and Recommendation:
CA has issued the following update to address the vulnerabilities.
CA Cohesion Application Configuration Manager 4.5:
How to determine if you are affected:
1. Using Windows Explorer, locate the file "RELEASE-NOTES".
2. By default, the file is located in the
"C:\Program Files\CA\Cohesion\Server\server\" directory.
3. Open the file with a text editor.
4. If the version is less than 5.5.25, the installation is
References (URLs may wrap):
CA20090123-01: Security Notice for Cohesion Tomcat
Solution Document Reference APARs:
CA Security Response Blog posting:
CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
*Note: the issue was not completely fixed by Tomcat maintainers.
OSVDB References: Pending
Changelog for this advisory:
v1.0 - Initial Release
v1.1 - Updated Impact, Summary, Affected Products
Customers who require additional information should contact CA
Technical Support at http://support.ca.com.
For technical questions or comments related to this advisory,
please send email to vuln AT ca DOT com.
If you discover a vulnerability in CA products, please report your
findings to the CA Product Vulnerability Response Team.
Ken Williams, Director ; 0xE2941985
CA Product Vulnerability Response Team
CA, 1 CA Plaza, Islandia, NY 11749
Legal Notice http://www.ca.com/us/legal/
Copyright (c) 2009 CA. All rights reserved.
Apache Tomcat contains a flaw that may allow a remote denial of service. The issue is triggered when an attacker makes multiple concurrent requests for a directory listing of a directory that contains a large number of files. With a large number of such requests, an attacker can cause the server to stop processing subsequent requests.
Upgrade to version 5.5.12 or higher, as it has been reported to partially fix this vulnerability by allowing operations to resume after a few minutes. It is also possible to correct the flaw by implementing the following workaround(s):
-Disable directory listing for web directories that have a large number of files.
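The following is an added example, not part of the OSVDB entry or the CA advisory: a defender-side check that reads a Tomcat web.xml and reports whether the "default" servlet (Tomcat's DefaultServlet) has the `listings` init-param enabled, which is the setting the workaround above turns off, and that compares a RELEASE-NOTES version string against the 5.5.25 threshold the advisory uses. The web.xml text is a constructed sample.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of a Tomcat conf/web.xml.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""

def _local(tag):
    # Drop the namespace prefix ({uri}name -> name); web.xml is namespaced.
    return tag.rsplit('}', 1)[-1]

def _init_params(servlet):
    # Collect <init-param> name/value pairs of one <servlet> element.
    params = {}
    for child in servlet:
        if _local(child.tag) == 'init-param':
            kv = {_local(p.tag): (p.text or '').strip() for p in child}
            params[kv.get('param-name')] = kv.get('param-value')
    return params

def listings_enabled(web_xml_text):
    """True/False for the 'default' servlet's listings param; None if unset."""
    root = ET.fromstring(web_xml_text)
    for el in root.iter():
        if _local(el.tag) != 'servlet':
            continue
        names = [(c.text or '').strip() for c in el if _local(c.tag) == 'servlet-name']
        if names and names[0] == 'default':
            value = _init_params(el).get('listings')
            return None if value is None else value.lower() == 'true'
    return None

def below_fixed_version(version, fixed=(5, 5, 25)):
    """True if a RELEASE-NOTES version such as '5.5.9' is older than 5.5.25."""
    return tuple(int(x) for x in re.findall(r'\d+', version)[:3]) < fixed

if __name__ == '__main__':
    print('directory listings enabled:', listings_enabled(SAMPLE_WEB_XML))  # True
    print('older than 5.5.25:', below_fixed_version('5.5.9'))               # True
```

Setting `listings` to `false` (or removing the init-param and relying on the container default) for the `default` servlet is what the workaround above refers to; `None` means the file does not set it explicitly.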