CVE-2011-2204

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 5.5.x through 5.5.33 Apache Tomcat versions 6.x through 6.0.32 Apache Tomcat versions 7.x through 7.0.18

Description The issue allows local users to obtain sensitive information by reading a log file when the MemoryUserDatabase is used and errors occur in JMX user creation. This is because log entries contain passwords upon encountering such errors. User passwords are visible to administrators with JMX access and/or administrators with read access to the tomcat-users.xml file. Users without these permissions but with access to log files may also discover a user's password.

Recommendations For Apache Tomcat versions 5.5.x through 5.5.33, update to version 5.5.34 or later. For Apache Tomcat versions 6.x through 6.0.32, update to version 6.0.33 or later. For Apache Tomcat versions 7.x through 7.0.18, update to version 7.0.19 or later. As a temporary workaround, consider restricting access to log files and the tomcat-users.xml file to minimize the risk of exploitation.