Rapid7 Vulnerability & Exploit Database

RHSA-2010:0580: tomcat5 security update

Back to Search

RHSA-2010:0580: tomcat5 security update



Apache Tomcat is a servlet container for the Java Servlet and JavaServerPages (JSP) technologies.A flaw was found in the way Tomcat handled the Transfer-Encoding header inHTTP requests. A specially-crafted HTTP request could prevent Tomcat fromsending replies, or cause Tomcat to return truncated replies, or repliescontaining data related to the requests of other users, for all subsequentHTTP requests. (CVE-2010-2227)The Tomcat security update RHSA-2009:1164 did not, unlike the erratum textstated, provide a fix for CVE-2009-0781, a cross-site scripting (XSS) flawin the examples calendar application. With some web browsers, remoteattackers could use this flaw to inject arbitrary web script or HTML viathe "time" parameter. (CVE-2009-2696)Two directory traversal flaws were found in the Tomcat deployment process.A specially-crafted WAR file could, when deployed, cause a file to becreated outside of the web root into any directory writable by the Tomcatuser, or could lead to the deletion of files in the Tomcat host's workdirectory. (CVE-2009-2693, CVE-2009-2902)Users of Tomcat should upgrade to these updated packages, which containbackported patches to resolve these issues. Tomcat must be restarted forthis update to take effect.


  • redhat-upgrade-tomcat5
  • redhat-upgrade-tomcat5-admin-webapps
  • redhat-upgrade-tomcat5-common-lib
  • redhat-upgrade-tomcat5-jasper
  • redhat-upgrade-tomcat5-jasper-javadoc
  • redhat-upgrade-tomcat5-jsp-2-0-api
  • redhat-upgrade-tomcat5-jsp-2-0-api-javadoc
  • redhat-upgrade-tomcat5-server-lib
  • redhat-upgrade-tomcat5-servlet-2-4-api
  • redhat-upgrade-tomcat5-servlet-2-4-api-javadoc
  • redhat-upgrade-tomcat5-webapps

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center