PT-2011-4301 · Apache+3 · Apache Tomcat+3
Published: 2011-08-31 · Updated: 2022-05-14 · CVE-2011-3190
CVSS v2.0: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 7.0.0 through 7.0.20
Apache Tomcat versions 6.0.0 through 6.0.33
Apache Tomcat versions 5.5.0 through 5.5.33
Description
The issue allows remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request. This occurs when the AJP protocol is used with reverse proxies, and Tomcat incorrectly processes an unsolicited AJP message as a new request instead of a request body. This permits an attacker to have full control over the AJP message, allowing authentication bypass and information disclosure. The vulnerability is dependent on specific conditions, including the use of the AJP connector, acceptance of POST requests, and the request body not being processed.
Recommendations
For Apache Tomcat versions 7.0.0 through 7.0.20, consider disabling the AJP protocol connector until a patch is available.
For Apache Tomcat versions 6.0.0 through 6.0.33, restrict access to the AJP connector to minimize the risk of exploitation.
For Apache Tomcat versions 5.5.0 through 5.5.33, avoid using the AJP protocol with reverse proxies until the issue is resolved.
As a temporary workaround, consider disabling the org.apache.jk.server.JkCoyoteHandler AJP connector until a patch is available.
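To act on the recommendations above you first need to know which AJP connectors a Tomcat instance declares and where they listen. The following is an added example, not part of the original advisory or of Tomcat itself: it checks a version against the ranges listed on this page and lists the AJP connectors in a `server.xml`. The sample configuration is constructed, the function names are hypothetical, and a connector without an `address` attribute is assumed to listen on all interfaces.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Affected ranges as listed on this page: (major, minor) -> highest affected patch.
AFFECTED = {(7, 0): 20, (6, 0): 33, (5, 5): 33}

# Constructed server.xml for illustration; ports and addresses are made up.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Connector port="8009" protocol="AJP/1.3" />
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1" />
    <Connector port="8011" protocol="org.apache.coyote.ajp.AjpProtocol" address="10.0.0.5" />
  </Service>
</Server>"""

def version_affected(version):
    """True if an x.y.z Tomcat version falls in a range listed on this page."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    limit = AFFECTED.get((major, minor))
    return limit is not None and patch <= limit

def is_ajp(protocol):
    """AJP connectors are declared as AJP/1.3 or by an AJP handler class name."""
    p = protocol.lower()
    return p.startswith("ajp/") or ".ajp." in p or p.startswith("org.apache.jk.")

def is_loopback(address):
    """Missing address is treated as all interfaces; hostnames are not resolved."""
    try:
        return ipaddress.ip_address(address or "").is_loopback
    except ValueError:
        return False

def audit(server_xml, version):
    """Return one finding per AJP connector declared in server.xml."""
    affected = version_affected(version)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if not is_ajp(conn.get("protocol", "HTTP/1.1")):
            continue
        address = conn.get("address")
        findings.append({"port": int(conn.get("port")),
                         "address": address or "(all interfaces)",
                         "exposed": affected and not is_loopback(address)})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_XML, "6.0.32"):
        print(finding)
```

A connector reported with `exposed: True` is a candidate for the disabling or access restriction described in the recommendations.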
Improper Authentication
Affected products
Apache Tomcat
CentOS
HP-UX
Red Hat