CVE-2008-3271

Name of the Vulnerable Software and Affected Versions: Apache Tomcat versions 4.1.0 through 4.1.31 Apache Tomcat version 5.5.0

Description: The issue allows remote attackers to bypass IP address restrictions and obtain sensitive information due to a synchronization problem and lack of thread safety. This is related to the RemoteFilterValve, RemoteAddrValve, and RemoteHostValve components. In rare circumstances, a user from a non-permitted IP address can gain access to a protected context.

Recommendations: For Apache Tomcat versions 4.1.0 through 4.1.31, consider disabling the RemoteFilterValve to minimize the risk of exploitation until a patch is available. For Apache Tomcat version 5.5.0, restrict access to the RemoteAddrValve and RemoteHostValve implementations to minimize the risk of exploitation until a patch is available. As a temporary workaround, consider implementing additional thread safety measures to prevent instance-variable overwrites associated with concurrent request processing.