The Apache Software Foundation reports that three vulnerabilities, all rated as being of important severity, have been identified in Apache Tomcat, the open source web server and servlet container developed by the organization.
The first vulnerability is a denial-of-service (DoS) bug that affects Tomcat 7.0.0 to 7.0.27 and Tomcat 6.0.0 to 6.0.35.
The DoS condition occurs when the NIO connector is used with sendfile and HTTPS enabled: if the client drops the connection while the response is being read, Tomcat enters an infinite loop.
The second issue is a bypass of security constraints, affecting Tomcat 7.0.0 to 7.0.29 and Tomcat 6.0.0 to 6.0.35.
“When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate(),” the description of the bug reads.
The last security hole can be leveraged to bypass the CSRF prevention filter by making a request to a protected resource without a session identifier present in the request. Tomcat 7.0.0 to 7.0.31 and Tomcat 6.0.0 to 6.0.35 are impacted.
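To make the third flaw concrete, here is an added illustration (not Tomcat's own code) of a simplified CSRF filter: the flawed variant skips its check when the request carries no session identifier, the hardened variant refuses such requests outright. The `Request` class, the `/admin/` path prefix and the session table are constructed for the example.

```python
# Added example, not Apache Tomcat code: simplified CSRF-prevention filter logic
# showing the described bypass (no session id -> check skipped) and the fix.
from dataclasses import dataclass
from typing import Optional


@dataclass
class Request:
    path: str
    session_id: Optional[str] = None   # value of the session cookie, if any
    nonce: Optional[str] = None        # CSRF token submitted with the request


# Constructed server-side state: session id -> nonce issued to that session.
SESSIONS = {"sess-1": "nonce-abc"}

# Constructed: paths under this prefix are the "protected resources".
PROTECTED_PREFIX = "/admin/"


def is_protected(req: Request) -> bool:
    return req.path.startswith(PROTECTED_PREFIX)


def vulnerable_filter(req: Request) -> str:
    """Flawed logic: a protected request with no session identifier is passed
    through unchecked, so a forged request that omits the cookie is never
    compared against a nonce at all."""
    if not is_protected(req):
        return "allow"
    if req.session_id is None:
        return "allow"   # bug: no session, so no nonce check is performed
    return "allow" if SESSIONS.get(req.session_id) == req.nonce else "deny"


def hardened_filter(req: Request) -> str:
    """Fixed logic: a protected request must carry a known session AND the
    nonce issued to that session; anything else is rejected."""
    if not is_protected(req):
        return "allow"
    expected = SESSIONS.get(req.session_id) if req.session_id else None
    if expected is None or req.nonce != expected:
        return "deny"
    return "allow"
```

The difference to look for in a review of any such filter is the branch taken when the session is absent: it must fail closed, not fall through.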
In order to prevent any incidents, users are advised to update their installations to the latest versions.
The latest versions of Apache Tomcat are available for download here.