on 10-19-2010 8:22 PM
My most recent Nessus report gave the following risk warning. Apparently I need to upgrade my BO XI deployment to Tomcat 5.5.30 from 5.5.20. Has anyone else undertaken this effort? Can someone tell me what's involved? Thanks!
-
Synopsis:
The remote Apache tomcat service is vulnerable to an information disclosure or a denial of service attack.
Description:
The remote Apache Tomcat service is vulnerable to information disclosure or a denial of service attack due to a mishandling of invalid values for the 'Transfer-Encoding' HTTP header as sent by a client.
Risk factor:
Medium
CVSS Base Score:6.4
CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P
See also:
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.30
See also:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28
Solution:
Upgrade to version 5.5.30 / 6.0.28 or greater.
Plugin output:
Nessus was able to verify this issue using the following request :
GET / HTTP/1.1
Host: omiprm043
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, /
Date: Wed, 25 Aug 2010 21:34:52 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Pragma: no-cache
Transfer-Encoding: NESSUS
Accept-Language: en
Connection: Close
Plugin ID:
47749
CVE:
CVE-2010-2227
BID:
41544
Other references:
OSVDB:66319, Secunia:39574
Hi,
According to my experience, if you update Tomcat where you can, the BO XI platform might have problems. My suggestion for you is to make a full backup of the system before anything you do. Also, you can update BO XI where you can have a new version of Tomcat embedded.
Regards.