JSP Source Code Exposure Discovered in Tomcat
Covalent Technologies has confirmed a security vulnerability present in all Apache Tomcat 4.x versions (including Tomcat 4.0.4 and Tomcat 4.1.10) that allows a specially crafted URL to return the unprocessed source of a JSP page. Under special circumstances it can also return a static resource that would otherwise have been protected by a security constraint, without the requester being properly authenticated.
The company said that Covalent Tomcat users should take precautions to prevent the inadvertent exposure of source code. The vulnerability is triggered by using the invoker servlet in conjunction with the default servlet (which handles static content in Tomcat). This combination is present in the default Tomcat configuration.
The workaround for Tomcat installations is to disable the invoker servlet found in the default webapp configuration.
In the $CATALINA_HOME/conf/web.xml file (on Windows, %CATALINA_HOME%\conf\web.xml), comment out or remove the following XML fragment (but also check the Covalent Web page for the latest details):
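The following is an added example, not a fragment from this article or from Covalent: a small Python check that parses a Tomcat 4.x `conf/web.xml` and reports whether the invoker servlet is still declared and mapped. The two embedded documents are constructed for the example; they reproduce the stock Tomcat 4 invoker declaration (`org.apache.catalina.servlets.InvokerServlet`, mapped to `/servlet/*`) as shipped in `conf/web.xml`, first as installed and then with the entries commented out as the workaround describes. The DOCTYPE and the unrelated default and JSP servlet entries are omitted.

```python
"""Report whether a Tomcat 4.x conf/web.xml still exposes the invoker servlet.

Added example (not the article's own fragment). Because XML comments never
reach the parsed tree, entries that have been commented out, which is the
documented workaround, are correctly treated as disabled.
"""
import sys
import xml.etree.ElementTree as ET

# Fully qualified class of the Tomcat 4.x invoker servlet.
INVOKER_CLASS = "org.apache.catalina.servlets.InvokerServlet"

# Constructed sample: the stock invoker entries as shipped in Tomcat 4 web.xml.
VULNERABLE_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
    <servlet>
        <servlet-name>invoker</servlet-name>
        <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
        <init-param>
            <param-name>debug</param-name>
            <param-value>0</param-value>
        </init-param>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
</web-app>
"""

# Constructed sample: the same file after applying the workaround
# (declaration and mapping commented out).
HARDENED_WEB_XML = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app>
    <!--
    <servlet>
        <servlet-name>invoker</servlet-name>
        <servlet-class>org.apache.catalina.servlets.InvokerServlet</servlet-class>
        <load-on-startup>2</load-on-startup>
    </servlet>
    <servlet-mapping>
        <servlet-name>invoker</servlet-name>
        <url-pattern>/servlet/*</url-pattern>
    </servlet-mapping>
    -->
</web-app>
"""


def invoker_exposure(web_xml_text: str) -> dict:
    """Return which invoker entries are live in the given web.xml text.

    'declared' is True when any <servlet> uses the invoker class (under any
    name); 'mapped_patterns' lists the URL patterns mapped to such a servlet;
    'exposed' is True when at least one mapping makes the invoker reachable.
    """
    root = ET.fromstring(web_xml_text)

    # Collect every servlet name that resolves to the invoker class, so a
    # renamed declaration is still caught.
    invoker_names = set()
    for servlet in root.iter("servlet"):
        cls = servlet.findtext("servlet-class", default="").strip()
        if cls == INVOKER_CLASS:
            invoker_names.add(servlet.findtext("servlet-name", default="").strip())

    mapped = []
    for mapping in root.iter("servlet-mapping"):
        name = mapping.findtext("servlet-name", default="").strip()
        if name in invoker_names:
            mapped.append(mapping.findtext("url-pattern", default="").strip())

    return {
        "declared": bool(invoker_names),
        "mapped_patterns": mapped,
        "exposed": bool(mapped),
    }


def check_file(path: str) -> dict:
    """Run the check against an on-disk web.xml (e.g. $CATALINA_HOME/conf/web.xml)."""
    with open(path, "r", encoding="iso-8859-1") as fh:
        return invoker_exposure(fh.read())


if __name__ == "__main__":
    # Usage: python check_invoker.py /path/to/conf/web.xml
    # With no argument, the two constructed samples are checked instead.
    if len(sys.argv) > 1:
        print(sys.argv[1], check_file(sys.argv[1]))
    else:
        print("as installed:", invoker_exposure(VULNERABLE_WEB_XML))
        print("after workaround:", invoker_exposure(HARDENED_WEB_XML))
```

Run it against the real `conf/web.xml` after editing; an empty `mapped_patterns` list confirms the invoker is no longer reachable through `/servlet/*`. Matching on the servlet class rather than the name `invoker` means a renamed declaration still shows up.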
Covalent plans to remove this vulnerability when it releases updated versions of Tomcat 4.x as part of its product update cycle.