Apache Tomcat version older than 6.0.35 - Vulnerability Database


Description

Apache Tomcat versions 6.0.0 through 6.0.33 contain multiple critical vulnerabilities that were resolved in version 6.0.35. These include an information disclosure issue (CVE-2011-3375) caused by improper request object recycling during error logging, an authentication bypass vulnerability (CVE-2011-3190) in the AJP protocol implementation that allows attackers to manipulate request processing, and a denial of service vulnerability (CVE-2012-0022) resulting from inefficient handling of large numbers of parameters. These vulnerabilities can be exploited remotely without authentication and may lead to unauthorized access, data leakage, and service disruption.

Remediation

Immediately upgrade Apache Tomcat to version 6.0.35 or later to address all identified vulnerabilities. Follow these steps:

  1. Backup your current installation: Create a complete backup of your existing Tomcat configuration, web applications, and data before proceeding.
  2. Download the latest version: Obtain Apache Tomcat 6.0.35 or newer from the official Apache Tomcat website (http://tomcat.apache.org/).
  3. Review release notes: Check the changelog and migration guide for any configuration changes or compatibility considerations.
  4. Perform the upgrade: Stop the Tomcat service, replace the installation files with the new version, and migrate your configuration settings and applications.
  5. Test thoroughly: Verify that all applications function correctly in a staging environment before deploying to production.
  6. Restart and monitor: Start the Tomcat service and monitor logs for any errors or unusual activity.
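The following Python script is an added example (not Invicti's or the Apache Tomcat project's code) for confirming, before step 1 and again after step 6, whether an installation falls inside the affected range. It reads the version from either the output of `$CATALINA_HOME/bin/version.sh` (`Server version: Apache Tomcat/6.0.32`) or from `org/apache/catalina/util/ServerInfo.properties` inside `lib/catalina.jar`, so it works without starting Tomcat; the `CATALINA_HOME` path and the sample output string are constructed for the example.

```python
"""Decide whether a Tomcat installation is older than the fixed release 6.0.35."""
import re
import subprocess
import zipfile

FIXED_VERSION = (6, 0, 35)
_VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")

# Constructed sample of what `bin/version.sh` prints on an affected 6.0.x build.
SAMPLE_VERSION_OUTPUT = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/6.0.32
Server built:   February 2 2011 2003
Server number:  6.0.32.0
OS Name:        Linux
"""


def parse_tomcat_version(text):
    """Return (major, minor, patch) from version.sh output or ServerInfo.properties.

    Both sources carry the string "Apache Tomcat/<major>.<minor>.<patch>".
    Returns None when no version string is present.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True for 6.0.x releases below 6.0.35, the range this advisory covers.

    Other branches (5.5.x, 7.x) are outside the advisory's scope and return
    False here; None (unknown version) is passed through so callers can
    schedule a manual check instead of silently treating it as safe.
    """
    if version is None:
        return None
    major, minor, _patch = version
    return (major, minor) == (6, 0) and version < FIXED_VERSION


def version_from_catalina_jar(catalina_home):
    """Read the version from lib/catalina.jar without running Tomcat."""
    with zipfile.ZipFile(f"{catalina_home}/lib/catalina.jar") as jar:
        props = jar.read("org/apache/catalina/util/ServerInfo.properties")
    return parse_tomcat_version(props.decode("latin-1"))


def version_from_version_sh(catalina_home):
    """Run bin/version.sh and parse its output (needs a working JAVA_HOME)."""
    out = subprocess.run([f"{catalina_home}/bin/version.sh"],
                         capture_output=True, text=True, check=True).stdout
    return parse_tomcat_version(out)


if __name__ == "__main__":
    version = parse_tomcat_version(SAMPLE_VERSION_OUTPUT)
    print("detected:", version, "affected:", is_affected(version))
```

Run `version_from_catalina_jar("/opt/tomcat")` against a real installation; a result of `True` means the host is still inside the 6.0.0 through 6.0.33 range and the upgrade steps above apply, while `None` means the version string was not found and the installation should be inspected by hand.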

Note: If an immediate upgrade is not feasible, consider temporary mitigations such as restricting AJP protocol access to trusted sources only and applying request rate limiting. These measures reduce exposure but do not fully address the vulnerabilities.
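As an added example (not Invicti's or the Tomcat project's code) of the AJP restriction named in the note, the script below audits a Tomcat 6 `server.xml` for AJP connectors that have no `address` attribute, and therefore listen on every interface, and produces a copy with each such connector bound to the loopback address. The `server.xml` content is constructed for the example; its first AJP connector is the stock Tomcat 6 default. The `address` attribute is the Tomcat connector attribute that selects the listening interface.

```python
"""Find AJP connectors in server.xml that are reachable from every interface."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample server.xml: port 8009 is the Tomcat 6 default AJP
# connector (no address attribute), port 8010 is already pinned to loopback.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def _is_ajp(connector):
    return connector.get("protocol", "").upper().startswith("AJP")


def audit_ajp_connectors(server_xml):
    """Return one finding per AJP connector: its port, bound address and exposure.

    A missing address attribute means Tomcat binds to all interfaces, so the
    connector is reachable by anything that can route to the host.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for connector in root.iter("Connector"):
        if not _is_ajp(connector):
            continue
        address = connector.get("address")
        exposed = address is None or address not in LOOPBACK
        findings.append({"port": connector.get("port"),
                         "address": address,
                         "exposed": exposed})
    return findings


def harden(server_xml):
    """Return server.xml text with every exposed AJP connector bound to 127.0.0.1.

    This suits a reverse proxy on the same host. A proxy on another machine
    needs that proxy-facing interface address here instead, plus a firewall
    rule limiting the AJP port to the proxy. If nothing uses AJP at all, the
    connector should simply be removed.
    """
    root = ET.fromstring(server_xml)
    for connector in root.iter("Connector"):
        if _is_ajp(connector) and connector.get("address") not in LOOPBACK:
            connector.set("address", "127.0.0.1")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(finding)
    print(harden(SAMPLE_SERVER_XML))
```

Point `audit_ajp_connectors` at the real `conf/server.xml` to see which connectors need attention; note that `ET.tostring` drops XML comments, so apply the `address` change to the live file by hand rather than overwriting it with the script's output.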
