CVE-2007-3382/3385 + JBoss 4.0.3SP1

dabramov Sep 11, 2007 11:45 AM

Hi,

We're deployed on JBoss 4.0.3SP1 - and are getting some questions about CVE-2007-3382 and CVE-2007-3385, which are Tomcat vulnerabilities.

I see that this has been addressed in the 4.0.4/4.0.5 stream. (http://jira.jboss.org/jira/browse/ASPATCH-286).

Anyone have any information relating to 4.0.3 SP1? I believe the Tomcat version that shipped with that is 5.5.0.0, which is affected by the vulnerability.

If we are forced to upgrade, any advice on which version upgrade would have the least impact?

Thanks,
-Dan

1. Re: CVE-2007-3382/3385 + JBoss 4.0.3SP1

jfclere Sep 12, 2007 3:15 AM (in response to dabramov)

4.0.3 SP1 was shipped with 5.5.9 (See http://wiki.jboss.org/wiki/Wiki.jsp?page=VersionOfTomcatInJBossAS).
Use http://repository.jboss.com/apache-tomcat/5.5.9.patch03-brew/
Actions
2. Re: CVE-2007-3382/3385 + JBoss 4.0.3SP1

dabramov Sep 24, 2007 4:50 PM (in response to dabramov)

Can you confirm JBAS-2866 addresses these vulnerabilities since neither the description of the patch or JBAS-2866 explicitly reference either CVE-2007-3382 or CVE-2007-3385. (though JBAS-2866 is related to the use of quotes in cookies)

"Tomcat 5.5 servlet 2.4 web container with a fix for the JBAS-2866, as well as backported fixes for CVE-2005-2090, CVE-2006-3835, CVE-2006-7195, CVE-2007-0450, CVE-2007-1858, CVE-2005-3510, plus fixes for CVE-2007-2450 and CVE-2007-3386"
Actions

Go to original post