Tomcat 5.0.28 in ZLM 7.3 subject to "Multiple Vendor Multiple HTTP Request Smuggling Vulnerabilities"

  • Document ID: 7006398
  • Created: 05-Jul-2010
  • Modified: 30-Apr-2012

Environment

Novell ZENworks 7.3 Linux Management - ZLM7.3

Situation

Tomcat 5.0.28, which is used by ZLM, is subject to several security vulnerabilities:

  • CVE-2005-2090
  • CVE-2007-1858
  • CVE-2007-2449
  • CVE-2007-2450
  • CVE-2007-5333
  • CVE-2008-0128
  • CVE-2008-1232
  • CVE-2008-2370
  • CVE-2008-2938
  • CVE-2006-7195

For a list of security vulnerabilities in Tomcat 5, refer to http://tomcat.apache.org/security-5.html

Resolution

This is fixed in ZLM 7.3 Interim Release 4 (IR4); see KB 7003346 "Updates to Novell ZENworks 7.3 Linux Management", which can be found at https://www.novell.com/support

Workaround: if it is not possible to upgrade to ZLM 7.3 IR4 at this time, Novell has made an interim Patch available for testing, in the form of a Field Test File (FTF). It can be obtained at
https://download.novell.com/Download?buildid=n5vSzfHT1vs~ as "ZLM 7.3 IR3 Tomcat 5.0.30". This Patch should only be applied if the symptoms above are being experienced and are causing problems.

This Patch has had limited testing and should not be used in a production system without first being checked in a test environment. Some Patches have specific requirements for deployment, so it is very important to follow any instructions in the readme at the download site. Please report any problems encountered when using this Patch by using the feedback link on this TID.


Status

Security Alert