Apache Tomcat Transfer-Encoding Header Vulnerability

Former Member
My most recent Nessus report gave the following risk warning. Apparently I need to upgrade my BO XI deployment to Tomcat 5.5.30 from 5.5.20. Has anyone else undertaken this effort? Can someone tell me what's involved? Thanks!

-

Synopsis:

The remote Apache Tomcat service is vulnerable to an information disclosure or a denial of service attack.

Description:

The remote Apache Tomcat service is vulnerable to information disclosure or a denial of service attack due to a mishandling of invalid values for the 'Transfer-Encoding' HTTP header as sent by a client.

Risk factor:

Medium

CVSS Base Score:6.4

CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

See also:

http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.30
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.28

Solution:

Upgrade to version 5.5.30 / 6.0.28 or greater.

Plugin output:

Nessus was able to verify this issue using the following request :

GET / HTTP/1.1
Host: omiprm043
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, image/png, */*
Date: Wed, 25 Aug 2010 21:34:52 GMT
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)
Accept-Charset: iso-8859-1,utf-8;q=0.9,*;q=0.1
Pragma: no-cache
Transfer-Encoding: NESSUS
Accept-Language: en
Connection: Close

Plugin ID:

47749

CVE:

CVE-2010-2227

BID:

41544

Other references:

OSVDB:66319, Secunia:39574
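The report above shows exactly what the scanner sent: an ordinary GET with an unsupported transfer coding (Transfer-Encoding: NESSUS). The script below, added here as an example and not taken from the original post, from Nessus or from Tomcat, re-creates that probe so you can re-test after patching, and checks an installed Tomcat version string against the fixed releases the report names (5.5.30 and 6.0.28). The host name is the one in the report; the port, and the expectation that a patched Tomcat answers an unsupported transfer coding with 501 Not Implemented, are assumptions for illustration, so confirm the expected status against your own patched instance before relying on it.

```python
# Added example (not Nessus plugin code, not Tomcat code).
# Re-creates the Transfer-Encoding probe from the report and checks a
# Tomcat version against the fixed releases the report's Solution names.
import socket

# Fixed releases per branch, taken from the report's "See also" links.
# Branches not mentioned in the report are deliberately absent.
FIXED_IN = {"5.5": (5, 5, 30), "6.0": (6, 0, 28)}

PROBE_HEADERS = [
    ("Host", "omiprm043"),                 # host name from the report
    ("User-Agent", "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"),
    ("Transfer-Encoding", "NESSUS"),       # the invalid transfer coding the check relies on
    ("Connection", "Close"),
]


def build_probe_request(path="/", headers=PROBE_HEADERS):
    """Serialise the probe as raw HTTP/1.1 bytes (CRLF endings, blank-line terminator)."""
    lines = ["GET %s HTTP/1.1" % path] + ["%s: %s" % (k, v) for k, v in headers]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_version(text):
    """'5.5.20' -> (5, 5, 20); raises ValueError for anything but three dotted integers."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) != 3:
        raise ValueError("expected major.minor.patch, got %r" % text)
    return parts


def is_fixed_version(text):
    """True if the version is at or above its branch's fixed release.

    Returns None for a branch the report says nothing about (e.g. 7.0.x),
    so a caller cannot mistake 'unknown' for 'safe'.
    """
    v = parse_version(text)
    fixed = FIXED_IN.get("%d.%d" % v[:2])
    if fixed is None:
        return None
    return v >= fixed


def parse_status(response):
    """Return the HTTP status code from a raw response, or None if no status line came back."""
    line = response.split(b"\r\n", 1)[0]
    parts = line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return None
    try:
        return int(parts[1])
    except ValueError:
        return None


def send_probe(host, port=8080, timeout=5.0):
    """Send the probe and return the status code the server answered with.

    Assumption for illustration: a patched Tomcat rejects the unsupported
    transfer coding with 501. This function only reports what came back;
    the version check above is the authoritative test per the report.
    """
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_probe_request())
        chunks = []
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # no (complete) answer within the timeout; parse whatever arrived
    return parse_status(b"".join(chunks))


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "omiprm043"
    print("5.5.20 at or above the fixed release?", is_fixed_version("5.5.20"))
    print("status for invalid Transfer-Encoding:", send_probe(host))
```

Run it with the Tomcat host as the first argument. The version check is the part to trust: the scanner's own conclusion in the report rests on the installed version being below 5.5.30 / 6.0.28, and the probe is there so the same request can be replayed after the upgrade.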

Answers (1)

Former Member
Hi,

In my experience, if you update Tomcat where you can, the BO XI platform might have problems. My suggestion for you is to take a full backup of the system before you do anything. Also, you can update BO XI to a version that has a new version of Tomcat embedded.

Regards.