- Apache Tomcat 7.x vulnerabilities
- Fixed in Apache Tomcat 7.0.40
- Fixed in Apache Tomcat 7.0.33
- Fixed in Apache Tomcat 7.0.32
- Fixed in Apache Tomcat 7.0.30
- Fixed in Apache Tomcat 7.0.28
- Fixed in Apache Tomcat 7.0.23
- Fixed in Apache Tomcat 7.0.22
- Fixed in Apache Tomcat 7.0.21
- Fixed in Apache Tomcat 7.0.20
- Fixed in Apache Tomcat 7.0.19
- Fixed in Apache Tomcat 7.0.14
- Fixed in Apache Tomcat 7.0.12
- Fixed in Apache Tomcat 7.0.11
- Fixed in Apache Tomcat 7.0.8
- Fixed in Apache Tomcat 7.0.6
- Fixed in Apache Tomcat 7.0.5
- Fixed in Apache Tomcat 7.0.4
- Fixed in Apache Tomcat 7.0.2
- Not a vulnerability in Tomcat
Table of Contents
Apache Tomcat 7.x vulnerabilities
This page lists all security vulnerabilities fixed in released versions of Apache Tomcat 7.x. Each vulnerability is given a security impact rating by the Apache Tomcat security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.
Note: Vulnerabilities that are not Tomcat vulnerabilities but have either been incorrectly reported against Tomcat or where Tomcat provides a workaround are listed at the end of this page.
Please note that binary patches are never provided. If you need to
apply a source code patch, use the building instructions for the
Apache Tomcat version that you are using. For Tomcat 7.0 those are
Both files can be found in the
of a binary distributive. You may also want to review the
page in the documentation.
If you need help on building or configuring Tomcat or other help on following the instructions to mitigate the known vulnerabilities listed here, please send your questions to the public Tomcat Users mailing list
If you have encountered an unlisted security vulnerability or other unexpected behaviour that has security impact, or if the descriptions here are incomplete, please report them privately to the Tomcat Security Team. Thank you.
released 9 May 2013 Fixed in Apache Tomcat 7.0.40
Moderate: Information disclosure CVE-2013-2071
Bug 54178 described a scenario where elements of a previous request may be exposed to a current request. This was very difficult to exploit deliberately but fairly likely to happen unexpectedly if an application used AsyncListeners that threw RuntimeExceptions.
This was fixed in revision 1471372.
The root cause of the problem was identified as a Tomcat bug on 2 April 2013. The Tomcat security team identified the security implications on 24 April 2013 and made those details public on 10 May 2013.
released 21 Nov 2012 Fixed in Apache Tomcat 7.0.33
Important: Session fixation CVE-2013-2067
FORM authentication associates the most recent request requiring authentication with the current session. By repeatedly sending a request for an authenticated resource while the victim is completing the login form, an attacker could inject a request that would be executed using the victim's credentials.
This was fixed in revision 1408044.
This issue was identified by the Tomcat security team on 15 Oct 2012 and made public on 10 May 2013.
released 9 Oct 2012 Fixed in Apache Tomcat 7.0.32
Important: Bypass of CSRF prevention filter CVE-2012-4431
The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request.
This was fixed in revision 1393088.
This issue was identified by the Tomcat security team on 8 September 2012 and made public on 4 December 2012.
released 6 Sep 2012 Fixed in Apache Tomcat 7.0.30
Important: Denial of service CVE-2012-3544
When processing a request submitted using the chunked transfer encoding, Tomcat ignored but did not limit any extensions that were included. This allows a client to perform a limited DOS by streaming an unlimited amount of data to the server.
This issue was reported to the Tomcat security team on 10 November 2011 and made public on 10 May 2013.
Moderate: DIGEST authentication weakness CVE-2012-3439
Three weaknesses in Tomcat's implementation of DIGEST authentication were identified and resolved:
- Tomcat tracked client rather than server nonces and nonce count.
- When a session ID was present, authentication was bypassed.
- The user name and password were not checked before when indicating that a nonce was stale.
These issues reduced the security of DIGEST authentication making replay attacks possible in some circumstances.
This was fixed in revision 1377807.
The first issue was reported by Tilmann Kuhn to the Tomcat security team on 19 July 2012. The second and third issues were discovered by the Tomcat security team during the resulting code review. All three issues were made public on 5 November 2012.
Important: Bypass of security constraints CVE-2012-3546
When using FORM authentication it was possible to bypass the security
constraint checks in the FORM authenticator by appending
/j_security_check to the end of the URL if some other
component (such as the Single-Sign-On valve) had called
request.setUserPrincipal() before the call to
This was fixed in revision 1377892.
This issue was identified by the Tomcat security team on 13 July 2012 and made public on 4 December 2012.
released 19 Jun 2012 Fixed in Apache Tomcat 7.0.28
Important: Denial of service CVE-2012-2733
The checks that limited the permitted size of request headers were implemented too late in the request parsing process for the HTTP NIO connector. This enabled a malicious user to trigger an OutOfMemoryError by sending a single request with very large headers.
This was fixed in revision 1350301.
This was reported by Josh Spiewak to the Tomcat security team on 4 June 2012 and made public on 5 November 2012.
Important: Denial of service CVE-2012-4534
When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while reading the response an infinite loop is entered leading to a denial of service. This was originally reported as bug 52858.
This was fixed in revision 1340218.
The security implications of this bug were reported to the Tomcat security team by Arun Neelicattu of the Red Hat Security Response Team on 3 October 2012 and made public on 4 December 2012.
released 25 Nov 2011 Fixed in Apache Tomcat 7.0.23
Important: Denial of service CVE-2012-0022
Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values. These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used which in turn could create a denial of service. The issue was addressed by modifying the Tomcat parameter handling code to efficiently process large numbers of parameters and parameter values.
This was identified by the Tomcat security team on 21 October 2011 and made public on 17 January 2012.
released 1 Oct 2011 Fixed in Apache Tomcat 7.0.22
Important: Information disclosure CVE-2011-3375
For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that needed to be added to the access log, the access logging process triggers the re-population of the request object after it has been recycled. However, the request object was not recycled before being used for the next request. That lead to information leakage (e.g. remote IP address, HTTP headers) from the previous request to the next request. The issue was resolved be ensuring that the request and response objects were recycled after being re-populated to generate the necessary access log entries.
This was fixed in revision 1176592.
This was identified by the Tomcat security team on 22 September 2011 and made public on 17 January 2012.
Low: Privilege Escalation CVE-2011-3376
This issue only affects environments running web applications that are not trusted (e.g. shared hosting environments). The Servlets that implement the functionality of the Manager application that ships with Apache Tomcat should only be available to Contexts (web applications) that are marked as privileged. However, this check was not being made. This allowed an untrusted web application to use the functionality of the Manager application. This could be used to obtain information on running web applications as well as deploying additional web applications.
This was fixed in revision 1176588.
This was identified by Ate Douma on 27 September 2011 and made public on 8 November 2011.
released 1 Sep 2011 Fixed in Apache Tomcat 7.0.21
Important: Authentication bypass and information disclosure CVE-2011-3190
Apache Tomcat supports the AJP protocol which is used with reverse proxies to pass requests and associated data about the request from the reverse proxy to Tomcat. The AJP protocol is designed so that when a request includes a request body, an unsolicited AJP message is sent to Tomcat that includes the first part (or possibly all) of the request body. In certain circumstances, Tomcat did not process this message as a request body but as a new request. This permitted an attacker to have full control over the AJP message permitting authentication bypass and information disclosure. This vulnerability only occurs when all of the following are true:
- The org.apache.jk.server.JkCoyoteHandler AJP connector is not used
- POST requests are accepted
- The request body is not processed
This was fixed in revision 1162958.
This was reported publicly on 20th August 2011.
- Upgrade to Tomcat 7.0.21
- Apply the appropriate patch
- Configure both Tomcat and the reverse proxy to use a shared secret.
(It is "
requiredSecret" attribute in AJP <Connector>, "
worker.workername.secret" directive for mod_jk. The mod_proxy_ajp module currently does not support shared secrets).
released 11 Aug 2011 Fixed in Apache Tomcat 7.0.20
Important: Information disclosure CVE-2011-2729
Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities allowing the application to access files and directories owned by superuser. This vulnerability only occurs when all of the following are true:
- Tomcat is running on a Linux operating system
- jsvc was compiled with libcap
- -user parameter is used
Affected Tomcat versions shipped with source files for jsvc that included this vulnerability.
This was fixed in revision 1153379.
This was identified by Wilfried Weissmann on 20 July 2011 and made public on 12 August 2011.
released 19 Jul 2011 Fixed in Apache Tomcat 7.0.19
Low: Information disclosure CVE-2011-2526
Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors. sendfile is used automatically for content served via the DefaultServlet and deployed web applications may use it directly via setting request attributes. These request attributes were not validated. When running under a security manager, this lack of validation allowed a malicious web application to do one or more of the following that would normally be prevented by a security manager:
- return files to users that the security manager should make inaccessible
- terminate (via a crash) the JVM
Additionally, these vulnerabilities only occur when all of the following are true:
- untrusted web applications are being used
- the SecurityManager is used to limit the untrusted web applications
- the HTTP NIO or HTTP APR connector is used
- sendfile is enabled for the connector (this is the default)
This was identified by the Tomcat security team on 7 July 2011 and made public on 13 July 2011.
Note: The issues below were fixed in Apache Tomcat 7.0.17 but the release votes for the 7.0.17 and 7.0.18 release candidates did not pass. Therefore, although users must download 7.0.19 to obtain a version that includes a fix for these issues, versions 7.0.17 and 7.0.18 are not included in the list of affected versions.
Low: Information disclosure CVE-2011-2204
When using the MemoryUserDatabase (based on tomcat-users.xml) and creating users via JMX, an exception during the user creation process may trigger an error message in the JMX client that includes the user's password. This error message is also written to the Tomcat logs. User passwords are visible to administrators with JMX access and/or administrators with read access to the tomcat-users.xml file. Users that do not have these permissions but are able to read log files may be able to discover a user's password.
This was fixed in revision 1140070.
This was identified by Polina Genova on 14 June 2011 and made public on 27 June 2011.
Low: Information disclosure CVE-2011-2481
The re-factoring of XML validation for Tomcat 7.0.x re-introduced the vulnerability previously reported as CVE-2009-0783. This was initially reported as a memory leak. If a web application is the first web application loaded, this bugs allows that web application to potentially view and/or alter the web.xml, context.xml and tld files of other web applications deployed on the Tomcat instance.
This was identified by the Tomcat security team on 20 June 2011 and made public on 12 August 2011.
released 12 May 2011 Fixed in Apache Tomcat 7.0.14
Important: Security constraint bypass CVE-2011-1582
An error in the fixes for CVE-2011-1088/CVE-2011-1183 meant that security constraints configured via annotations were ignored on the first request to a Servlet. Subsequent requests were secured correctly.
This was fixed in revision 1100832.
This was identified by the Tomcat security team on 13 April 2011 and made public on 17 May 2011.
released 6 Apr 2011 Fixed in Apache Tomcat 7.0.12
Important: Information disclosure CVE-2011-1475
Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining. As a result, when using HTTP pipelining a range of unexpected behaviours occurred including the mixing up of responses between requests. While the mix-up in responses was only observed between requests from the same user, a mix-up of responses for requests from different users may also be possible.
This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar 2011.
Moderate: Multiple weaknesses in HTTP DIGEST authentication CVE-2011-1184
Note: Mitre elected to break this issue down into multiple issues and have allocated the following additional references to parts of this issue: CVE-2011-5062, CVE-2011-5063 and CVE-2011-5064. The Apache Tomcat security team will continue to treat this as a single issue using the reference CVE-2011-1184.
The implementation of HTTP DIGEST authentication was discovered to have several weaknesses:
- replay attacks were permitted
- server nonces were not checked
- client nonce counts were not checked
- qop values were not checked
- realm values were not checked
- the server secret was hard-coded to a known string
The result of these weaknesses is that DIGEST authentication was only as secure as BASIC authentication.
This was fixed in revision 1087655.
This was identified by the Tomcat security team on 16 March 2011 and made public on 26 September 2011.
Important: Security constraint bypass CVE-2011-1183
A regression in the fix for CVE-2011-1088 meant that security constraints were ignored when no login configuration was present in the web.xml and the web application was marked as meta-data complete.
This was fixed in revision 1087643.
This was identified by the Tomcat security team on 17 March 2011 and made public on 6 April 2011.
released 11 Mar 2011 Fixed in Apache Tomcat 7.0.11
Important: Security constraint bypass CVE-2011-1088
When a web application was started,
annotations were ignored. This meant that some areas of the application
may not have been protected as expected. This was partially fixed in
Apache Tomcat 7.0.10 and fully fixed in 7.0.11.
This was reported publicly on the Tomcat users mailing list on 2 Mar 2011.
released 5 Feb 2011 Fixed in Apache Tomcat 7.0.8
Note: The issue below was fixed in Apache Tomcat 7.0.7 but the release vote for the 7.0.7 release candidate did not pass. Therefore, although users must download 7.0.8 to obtain a version that includes a fix for this issue, version 7.0.7 is not included in the list of affected versions.
Important: Remote Denial Of Service CVE-2011-0534
The NIO connector expands its buffer endlessly during request line processing. That behaviour can be used for a denial of service attack using a carefully crafted request.
This was fixed in revision 1065939.
This was identified by the Tomcat security team on 27 Jan 2011 and made public on 5 Feb 2011.
released 14 Jan 2011 Fixed in Apache Tomcat 7.0.6
Low: Cross-site scripting CVE-2011-0013
The HTML Manager interface displayed web application provided data, such as display names, without filtering. A malicious web application could trigger script execution by an administrative user when viewing the manager pages.
This was fixed in revision 1057279.
This was identified by the Tomcat security team on 12 Nov 2010 and made public on 5 Feb 2011.
released 1 Dec 2010 Fixed in Apache Tomcat 7.0.5
Low: Cross-site scripting CVE-2010-4172
The Manager application used the user provided parameters sort and orderBy directly without filtering thereby permitting cross-site scripting. The CSRF protection, which is enabled by default, prevents an attacker from exploiting this.
This was fixed in revision 1037778.
This was first reported to the Tomcat security team on 15 Nov 2010 and made public on 22 Nov 2010.
released 21 Oct 2010 Fixed in Apache Tomcat 7.0.4
Low: SecurityManager file permission bypass CVE-2010-3718
When running under a SecurityManager, access to the file system is limited but web applications are granted read/write permissions to the work directory. This directory is used for a variety of temporary files such as the intermediate files generated when compiling JSPs to Servlets. The location of the work directory is specified by a ServletContect attribute that is meant to be read-only to web applications. However, due to a coding error, the read-only setting was not applied. Therefore, a malicious web application may modify the attribute before Tomcat applies the file permissions. This can be used to grant read/write permissions to any area on the file system which a malicious web application may then take advantage of. This vulnerability is only applicable when hosting web applications from untrusted sources such as shared hosting environments.
This was fixed in revision 1022134.
This was discovered by the Tomcat security team on 12 Oct 2010 and made public on 5 Feb 2011.
released 11 Aug 2010 Fixed in Apache Tomcat 7.0.2
Note: The issue below was fixed in Apache Tomcat 7.0.1 but the release vote for the 7.0.1 release candidate did not pass. Therefore, although users must download 7.0.2 to obtain a version that includes a fix for this issue, version 7.0.2 is not included in the list of affected versions.
Important: Remote Denial Of Service and Information Disclosure Vulnerability CVE-2010-2227
Several flaws in the handling of the 'Transfer-Encoding' header were found that prevented the recycling of a buffer. A remote attacker could trigger this flaw which would cause subsequent requests to fail and/or information to leak between requests. This flaw is mitigated if Tomcat is behind a reverse proxy (such as Apache httpd 2.2) as the proxy should reject the invalid transfer encoding header.
This was fixed in revision 958911.
This was first reported to the Tomcat security team on 14 Jun 2010 and made public on 9 Jul 2010.
Not a vulnerability in Tomcat
Low: Denial Of Service CVE-2012-5568
Sending an HTTP request 1 byte at a time will consume a thread from the connection pool until the request has been fully processed if using the BIO or APR/native HTTP connectors. Multiple requests may be used to consume all threads in the connection pool thereby creating a denial of service.
Since the relationship between the client side resources and server side resources is a linear one, this issue is not something that the Tomcat Security Team views as a vulnerability. This is a generic DoS problem and there is no magic solution. This issue has been discussed several times on the Tomcat mailing lists. The best place to start to review these discussions is the report for bug 54236.
This was first discussed on the public Tomcat users mailing list on 19 June 2009.
Important: Remote Denial Of Service CVE-2010-4476
A JVM bug could cause Double conversion to hang JVM when accessing to a form based security constrained page or any page that calls javax.servlet.ServletRequest.getLocale() or javax.servlet.ServletRequest.getLocales(). A specially crafted request can be used to trigger a denial of service.
A work-around for this JVM bug was provided in revision 1066244.
This was first reported to the Tomcat security team on 01 Feb 2011 and made public on 31 Jan 2011.
Moderate: TLS SSL Man In The Middle CVE-2009-3555
A vulnerability exists in the TLS protocol that allows an attacker to inject arbitrary requests into an TLS stream during renegotiation.
The TLS implementation used by Tomcat varies with connector. The blocking IO (BIO) and non-blocking (NIO) connectors use the JSSE implementation provided by the JVM. The APR/native connector uses OpenSSL.
The BIO connector is vulnerable if the JSSE version used is vulnerable.
To workaround a vulnerable version of JSSE, use the connector attribute
allowUnsafeLegacyRenegotiation. It should be set to
false (the default) to protect against this vulnerability.
The NIO connector prior to 7.0.10 is not vulnerable as it does not support renegotiation.
The NIO connector is vulnerable from version 7.0.10 onwards if the JSSE
version used is vulnerable. To workaround a vulnerable version of JSSE,
use the connector attribute
It should be set to
false (the default) to protect against
The APR/native workarounds are detailed on the APR/native connector security page.
Users should be aware that the impact of disabling renegotiation will vary with both application and client. In some circumstances disabling renegotiation may result in some clients being unable to access the application.
This was worked-around in revision 891292.
Support for the new TLS renegotiation protocol (RFC 5746) that does not have this security issue: