Apache · Apache Tomcat · CVE-2008-3271
Name of the Vulnerable Software and Affected Versions:
Apache Tomcat versions 4.1.0 through 4.1.31
Apache Tomcat version 5.5.0
Description:
The issue allows remote attackers to bypass IP address restrictions and obtain sensitive information because of a synchronization problem (a lack of thread safety) in the `RemoteFilterValve`, `RemoteAddrValve`, and `RemoteHostValve` components. In rare circumstances, a request from a non-permitted IP address can be granted access to a protected context.
Recommendations:
For Apache Tomcat versions 4.1.0 through 4.1.31, consider disabling the `RemoteFilterValve` to minimize the risk of exploitation until a patch is available.
For Apache Tomcat version 5.5.0, restrict access to the `RemoteAddrValve` and `RemoteHostValve` implementations to minimize the risk of exploitation until a patch is available.
As a temporary workaround, consider implementing additional thread safety measures to prevent instance-variable overwrites associated with concurrent request processing.
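To illustrate the bug class behind this advisory, the following is an added example (not Tomcat's own valve code; the class, field and method names are hypothetical): an IP allow-list check that parks the remote address in a shared instance field, alongside the thread-safe form that keeps it in a local variable, with a two-thread harness that counts how often the vulnerable check admits a non-permitted address.

```java
import java.util.Set;
import java.util.concurrent.atomic.AtomicInteger;

// Hypothetical allow-list check modelled on the pattern described in the advisory:
// per-request state held in a field shared by all request-processing threads.
public class IpAllowListRace {
    private final Set<String> allowed = Set.of("10.0.0.5"); // constructed allow list

    // Vulnerable pattern: one field for every concurrent request.
    private String pendingAddr;

    boolean vulnerableCheck(String remoteAddr) {
        pendingAddr = remoteAddr;              // written by every thread
        Thread.yield();                        // widens the race window for the demo only
        return allowed.contains(pendingAddr);  // may read another request's address
    }

    // Fixed pattern: per-request data lives in a local, so no other thread can overwrite it.
    boolean safeCheck(String remoteAddr) {
        String addr = remoteAddr;
        Thread.yield();
        return allowed.contains(addr);
    }

    public static void main(String[] args) throws InterruptedException {
        IpAllowListRace valve = new IpAllowListRace();
        AtomicInteger vulnerableBypasses = new AtomicInteger();
        AtomicInteger safeBypasses = new AtomicInteger();
        // Thread A: permitted client hammering the valve; thread B: non-permitted client.
        Runnable permitted = () -> {
            for (int i = 0; i < 200_000; i++) {
                valve.vulnerableCheck("10.0.0.5");
                valve.safeCheck("10.0.0.5");
            }
        };
        Runnable blocked = () -> {
            for (int i = 0; i < 200_000; i++) {
                if (valve.vulnerableCheck("192.0.2.9")) vulnerableBypasses.incrementAndGet();
                if (valve.safeCheck("192.0.2.9")) safeBypasses.incrementAndGet();
            }
        };
        Thread a = new Thread(permitted), b = new Thread(blocked);
        a.start(); b.start(); a.join(); b.join();
        System.out.println("vulnerable check admitted blocked address: " + vulnerableBypasses);
        System.out.println("safe check admitted blocked address: " + safeBypasses);
    }
}
```

The vulnerable counter is timing-dependent and is usually non-zero on a multi-core machine, while the safe counter stays at zero; the point is that the fix is removing shared per-request state, not adding locks around it.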