Apache Tomcat APR/native Connector vulnerabilities

This page lists all security vulnerabilities fixed in released versions of Apache Tomcat APR/native Connector. Each vulnerability is given a security impact rating by the Apache Tomcat security team — please note that this rating may vary from platform to platform. We also list the versions of Apache Tomcat APR/native Connectors the flaw is known to affect, and where a flaw has not been verified list the version with a question mark.

Note: Vulnerabilities that are not Tomcat vulnerabilities but have either been incorrectly reported against Tomcat or where Tomcat provides a workaround are listed at the end of this page.

This page has been created from a review of the Apache Tomcat archives and the CVE list. Please send comments or corrections for these vulnerabilities to the Tomcat Security Team.

Not a vulnerability in the Apache Tomcat APR/native Connector

TLS SSL Man In The Middle CVE-2009-3555

A vulnerability exists in the TLS protocol that allows an attacker to inject arbitrary requests into a TLS stream during renegotiation.

The TLS implementation used by Tomcat varies with connector. The APR/native connector uses OpenSSL.

The APR/native connector is vulnerable if the OpenSSL version used is vulnerable. Note: Building with OpenSSL 0.9.8l will disable all renegotiation and protect against this vulnerability.

From 1.1.18 onwards, client initiated renegotiations are rejected to provide partial protection against this vulnerability with any OpenSSL version.

Users should be aware that the impact of disabling renegotiation will vary with both application and client. In some circumstances disabling renegotiation may result in some clients being unable to access the application.

Important: Remote Memory Read CVE-2014-0160 (a.k.a. "Heartbleed")

A bug in certain versions of OpenSSL can allow an unauthenticated remote user to read certain contents of the server's memory. Binary versions of tcnative 1.1.24 - 1.1.29 include this vulnerable version of OpenSSL. tcnative 1.1.30 and later ship with patched versions of OpenSSL.

For an explanation of how to determine whether you are vulnerable and what steps to take, see the Tomcat Wiki's Heartbleed page.

This issue was first announced on 7 April 2014.

Affects: OpenSSL 1.0.1-1.0.1f, tcnative 1.1.24-1.1.29
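As an added check that is not part of this advisory or of tcnative itself, the script below reads the APR/native startup messages Tomcat writes to its log and classifies the reported OpenSSL and tcnative versions against the affected ranges stated above. The log line shapes are assumptions modelled on Tomcat's `AprLifecycleListener` messages, and the sample log is constructed.

```python
import re

# Affected ranges as stated in the advisory: OpenSSL 1.0.1 through 1.0.1f, and
# binary tcnative 1.1.24 through 1.1.29 (which bundle a vulnerable OpenSSL).
OPENSSL_VULN_RANGE = ("1.0.1", "1.0.1f")
TCNATIVE_VULN_RANGE = ("1.1.24", "1.1.29")

# Assumed line shapes, modelled on Tomcat's AprLifecycleListener startup messages.
TCNATIVE_RE = re.compile(r"Loaded APR based Apache Tomcat Native library (\d+\.\d+\.\d+)")
OPENSSL_RE = re.compile(r"OpenSSL successfully initialized \(OpenSSL (\d+\.\d+\.\d+[a-z]*)")

# Constructed sample of a catalina log from a host running a bundled 1.1.27 build.
SAMPLE_LOG = """\
Apr 08, 2014 9:12:01 AM org.apache.catalina.core.AprLifecycleListener init
INFO: Loaded APR based Apache Tomcat Native library 1.1.27 using APR version 1.4.6.
Apr 08, 2014 9:12:01 AM org.apache.catalina.core.AprLifecycleListener initializeSSL
INFO: OpenSSL successfully initialized (OpenSSL 1.0.1e 11 Feb 2013)
"""

def openssl_key(version):
    """Sort key for OpenSSL versions: '1.0.1' < '1.0.1a' < ... < '1.0.1f' < '1.0.2'."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)([a-z]*)", version)
    if not m:
        raise ValueError("unrecognised OpenSSL version: %r" % version)
    major, minor, fix, letters = m.groups()
    # An empty letter suffix (the bare release) sorts before any lettered patch level.
    return (int(major), int(minor), int(fix), letters)

def tcnative_key(version):
    return tuple(int(p) for p in version.split("."))

def in_range(key, version, low, high):
    return key(low) <= key(version) <= key(high)

def heartbleed_exposure(log_text):
    """Return (tcnative_version, openssl_version, verdict) parsed from a startup log."""
    tc = TCNATIVE_RE.search(log_text)
    ssl = OPENSSL_RE.search(log_text)
    tc_v = tc.group(1) if tc else None
    ssl_v = ssl.group(1) if ssl else None
    if ssl_v is not None:
        # The OpenSSL actually linked decides; the tcnative version is only a proxy
        # for the library bundled with the binary distribution.
        vulnerable = in_range(openssl_key, ssl_v, *OPENSSL_VULN_RANGE)
    elif tc_v is not None:
        vulnerable = in_range(tcnative_key, tc_v, *TCNATIVE_VULN_RANGE)
    else:
        return (None, None, "unknown: no APR/native or OpenSSL lines found")
    verdict = "vulnerable to CVE-2014-0160" if vulnerable else "not in the affected range"
    return (tc_v, ssl_v, verdict)
```

A tcnative built from source against a patched OpenSSL reports a version outside the OpenSSL range even when its own version number falls inside 1.1.24-1.1.29, which is why the OpenSSL line takes precedence.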