Low-Risk Disclosure Vulnerability To Be Fixed In 6.0.27 Release

On April 21, 2010, Tomcat committer Mark Thomas committed a patch to the Tomcat trunk for a low-risk security vulnerability in Apache Tomcat that could inadvertently disclose a server's hostname or IP address (and port) to a remote client.

The vulnerability was reported by Deniz Cevik, a Tomcat community member who had previously reported a number of other security vulnerabilities to the project.

The vulnerability stems from what Tomcat does when an application's web.xml declares a login-config without a "realm-name" element: Tomcat generates a realm name automatically by combining the server name (hostname or IP address) with the port. That is convenient when the value is only used server-side to keep configuration consistent, but the realm name is not a server-side value: it is sent to the client in the authentication challenge, so a request in the right format hands this information to an outside client.

Any remote client, with no credentials at all, can trigger the disclosure by requesting a resource protected by BASIC or DIGEST authentication. The resulting 401 response carries the realm name in its WWW-Authenticate header, as the realm parameter of the challenge (Basic realm="..." or Digest realm="..."). Deployments that set realm-name explicitly are not affected; deployments that let Tomcat generate it had the server's hostname or IP address and port disclosed to anyone who asked.
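The check below is an added example, not code from the Tomcat project or from the article: it parses the WWW-Authenticate header of a 401 response and flags a realm that has the "host:port" shape of Tomcat's auto-generated default, which is how a deployment owner (or a pentester) would confirm whether a server still leaks this information. The three sample responses are constructed for the example, not captured from a real server, and the hostnames, addresses and nonce values in them are placeholders.

```python
"""Flag a Tomcat-style auto-generated realm in a 401 response's WWW-Authenticate header."""
import re
from typing import List, Tuple

# Constructed sample 401 responses (not captured from a real server).
# The realm below has the "<server name>:<port>" shape of the pre-fix default.
DEFAULT_REALM_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    "Server: Apache-Tomcat/6.0.26\r\n"
    'WWW-Authenticate: Basic realm="10.0.3.17:8080"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Same disclosure through a DIGEST challenge; nonce/opaque are placeholders.
DIGEST_DEFAULT_REALM_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Digest realm="intranet-app01.corp.example:8443", '
    'qop="auth", nonce="deadbeef", opaque="cafebabe"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# Realm set explicitly via <realm-name> in web.xml: nothing about the host leaks.
CONFIGURED_REALM_RESPONSE = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="Payroll Admin"\r\n'
    "Content-Length: 0\r\n"
    "\r\n"
)

# A Basic or Digest challenge, followed by its parameter list.
_CHALLENGE_RE = re.compile(r'^\s*(Basic|Digest)\b(.*)$', re.IGNORECASE)
# The quoted realm parameter inside that list.
_REALM_RE = re.compile(r'realm\s*=\s*"([^"]*)"', re.IGNORECASE)
# "<hostname-or-IPv4>:<port>", the shape of Tomcat's generated realm name.
_HOST_PORT_RE = re.compile(r'^[A-Za-z0-9]([A-Za-z0-9.-]*[A-Za-z0-9])?:\d{1,5}$')


def extract_realms(raw_response: str) -> List[Tuple[str, str]]:
    """Return (scheme, realm) for every Basic/Digest WWW-Authenticate challenge."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    found = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if not sep or name.strip().lower() != "www-authenticate":
            continue
        challenge = _CHALLENGE_RE.match(value)
        if not challenge:
            continue
        realm = _REALM_RE.search(challenge.group(2))
        if realm:
            found.append((challenge.group(1).capitalize(), realm.group(1)))
    return found


def looks_like_host_port(realm: str) -> bool:
    """True if the realm has the "host:port" shape of the pre-fix default realm."""
    return bool(_HOST_PORT_RE.match(realm))


def audit(raw_response: str) -> List[str]:
    """Realm values that appear to disclose the server name/IP and port."""
    return [realm for _, realm in extract_realms(raw_response)
            if looks_like_host_port(realm)]


if __name__ == "__main__":
    for sample in (DEFAULT_REALM_RESPONSE, DIGEST_DEFAULT_REALM_RESPONSE,
                   CONFIGURED_REALM_RESPONSE):
        leaked = audit(sample)
        print(extract_realms(sample), "->", leaked or "realm looks explicitly configured")
```

The host:port heuristic is deliberately narrow: a realm such as "Payroll Admin" never matches, while an explicitly configured realm that happens to look like "host:port" would be reported as a false positive. To remove the exposure on an unpatched server, set realm-name explicitly in each application's web.xml rather than relying on the generated default.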

The patch, Revision 936540, will ship in the next releases of both the Tomcat 5.5.x and 6.0.x branches. It includes both a fix to the problem code itself and an improvement to Tomcat's memory leak reporting to help identify future problems more quickly.

More information on the vulnerability, as well as the patch itself, is available from the Apache Tomcat Subversion repository.