Apache Tomcat security bypass vulnerability
A security issue and a vulnerability have been reported in Apache Tomcat, which can be exploited by malicious, local users to bypass certain security restrictions or cause a DoS, according to Secunia.
1. The security issue is caused due to Apache Tomcat not properly verifying sendfile request attributes when running under a security manager, which can be exploited by a malicious web application to bypass intended restrictions and e.g. disclose local files.
2. The vulnerability is caused due to Apache Tomcat not properly handling sendfile request with invalid start and endpoints, which can be exploited to crash the JVM.
Successful exploitation requires that a malicious web application is deployed and a security manager and the HTTP NIO or HTTP APR connector with enabled sendfile is used.
Solution: Update to versions 5.5.34, 6.0.33, or 7.0.19 when available. Also fixed in the SVN repository and the vendor has also provided a proposed patch for Apache Tomcat versions 5 and 6.