製品・ソフトウェアに関する情報

JVN脆弱性詳細

Apache Tomcat の JULI ロギングコンポーネントにおけるウェブアプリケーションのパーミッションに関する脆弱性

タイトル	Apache Tomcat の JULI ロギングコンポーネントにおけるウェブアプリケーションのパーミッションに関する脆弱性
概要	Apache Tomcat の JULI ロギングコンポーネントには、catalina.policy において、ウェブアプリケーションのパーミッションを適切に処理しない脆弱性が存在します。
想定される影響	第三者により、ロギング設定オプションを改ざんされたり、任意のファイルを上書きされたりする可能性があります。
対策	ベンダより対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2007年12月27日0:00
登録日	2008年1月17日12:03
最終更新日	2015年3月5日18:27

CVSS2.0 : 警告
スコア	6.4
ベクター	AV:N/AC:L/Au:N/C:P/I:P/A:N

影響を受けるシステム

レッドハット

Red Hat Enterprise Linux 5 (server)

Red Hat Enterprise Linux Desktop 5.0 (client)

RHEL Desktop Workstation 5 (client)

ヒューレット・パッカード

HP XP P9000 Performance Advisor ソフトウェア 5.4.1 未満

Apache Software Foundation

Apache Tomcat 5.5.9 から 5.5.25 のバージョン

Apache Tomcat 6.0.0 から 6.0.15 のバージョン

サイバートラスト株式会社

Asianux Server 3 (x86)

Asianux Server 3 (x86-64)

アップル

Apple Mac OS X Server v10.5.5

VMware

VMware ESX 3.0.3

VMware ESX 3.5

VMware ESX 4.0

VMware Server 2.x

VMware vCenter 4.0

VMware VirtualCenter 2.0.2

VMware VirtualCenter 2.5

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2007-5342	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5342
National Vulnerability Database (NVD)
2	CVE-2007-5342	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5342

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	名前	URL
Apache Tomcat
1	Fixed in SVN trunk and proposed for inclusion in 5.5.x	http://tomcat.apache.org/security-5.html
2	Fixed in SVN trunk and proposed for inclusion in 6.0.x	http://tomcat.apache.org/security-6.html
Apache-SVN
3	Revision 606594	http://svn.apache.org/viewvc?view=rev&revision=606594
Apple Security Updates
4	HT3216	http://support.apple.com/kb/HT3216
Apple セキュリティアップデート
5	HT3216	http://support.apple.com/kb/HT3216?viewlocale=ja_JP
Asianux Technical Support Network
6	tomcat5-5.5.23-0jpp.3.0.3.1AX	https://tsn.miraclelinux.com/tsn_local/index.php?m=errata&a=detail&eid=117
HP セキュリティ報告
7	HPSBST02955 SSRT101157	http://h20000.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c04047415
Red Hat Security Advisory
8	RHSA-2008:0042	https://rhn.redhat.com/errata/RHSA-2008-0042.html
9	RHSA-2008:0195	https://rhn.redhat.com/errata/RHSA-2008-0195.html
10	RHSA-2008:0831	https://rhn.redhat.com/errata/RHSA-2008-0831.html
11	RHSA-2008:0832	https://rhn.redhat.com/errata/RHSA-2008-0832.html
12	RHSA-2008:0833	https://rhn.redhat.com/errata/RHSA-2008-0833.html
13	RHSA-2008:0834	https://rhn.redhat.com/errata/RHSA-2008-0834.html
14	RHSA-2008:0862	https://rhn.redhat.com/errata/RHSA-2008-0862.html
SECURITY BLOG
15	Multiple vulnerabilities in Oracle Java Web Console	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_oracle_java1
VMware Security Advisories
16	VMSA-2008-0010.3	http://www.vmware.com/security/advisories/VMSA-2008-0010.html
17	VMSA-2009-0016	http://www.vmware.com/security/advisories/VMSA-2009-0016.html

その他

No	名前	URL
FrSIRT Advisories
1	FrSIRT/ADV-2008-0013	http://www.frsirt.com/english/advisories/2008/0013
ISS X-Force Database
2	39201	http://xforce.iss.net/xforce/xfdb/39201
Secunia Advisory
3	SA28274	http://secunia.com/advisories/28274/
SecurityFocus
4	27006	http://www.securityfocus.com/bid/27006
関連文書
5	ASA-2008-401 (RHSA-2008-0862)	https://downloads.avaya.com/elmodocs2/security/ASA-2008-401.htm

変更履歴

No	変更内容	変更日
0	[2008年01月17日] 掲載 [2008年03月24日] 影響を受けるシステム：レッドハット (RHSA-2008:0100) の情報追加。ベンダ情報：レッドハット (RHSA-2008:0100) を追加。 [2008年04月21日] 影響を受けるシステム：ミラクル・リナックス (tomcat5-5.5.23-0jpp.3.0.3.1AX) の情報追加。ベンダ情報: ミラクル・リナックス (tomcat5-5.5.23-0jpp.3.0.3.1AX) 追加。 [2008年11月04日] 影響を受けるシステム：アップル（HT3216）の情報を追加ベンダ情報：アップル（HT3216）を追加 [2010年01月05日] 影響を受けるシステム：VMware (VMSA-2009-0016) の情報を追加ベンダ情報：VMware (VMSA-2009-0016) を追加 [2012年09月24日] ベンダ情報：オラクル (Multiple vulnerabilities in Oracle Java Web Console) を追加 [2015年03月05日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：ヒューレット・パッカード (HPSBST02955 SSRT101157) を追加ベンダ情報：VMware (VMSA-2008-0010.3) を追加ベンダ情報：レッドハット (RHSA-2008:0862) を追加ベンダ情報：レッドハット (RHSA-2008:0831) を追加ベンダ情報：レッドハット (RHSA-2008:0833) を追加ベンダ情報：レッドハット (RHSA-2008:0834) を追加ベンダ情報：レッドハット (RHSA-2008:0195) を追加ベンダ情報：レッドハット (RHSA-2008:0832) を追加参考情報：関連文書 (ASA-2008-401 (RHSA-2008-0862)) を追加	2018年2月17日10:37

NVD脆弱性情報

CVE-2007-5342

概要	The default catalina.policy in the JULI logging component in Apache Tomcat 5.5.9 through 5.5.25 and 6.0.0 through 6.0.15 does not restrict certain permissions for web applications, which allows attackers to modify logging configuration options and overwrite arbitrary files, as demonstrated by changing the (1) level, (2) directory, and (3) prefix attributes in the org.apache.juli.FileHandler handler.
概要	La catalina.policy por defecto en el componente de acceso JULI de Apache Tomcat 5.5.9 hasta 5.5.25 y 6.0.0 hasta 6.0.15 no restringe determinados permisos para aplicaciones web, lo cual permite a atacantes remotos modificar opciones de configuración de acceso y sobrescribir ficheros de su elección, como se demuestra cambiando los atributos (1) level, (2) directory, y (3) prefix en el gestor org.apache.juli.FileHandler.
公表日	2007年12月28日7:46
登録日	2021年1月29日14:21
最終更新日	2026年4月23日9:35

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:tomcat:5.5.9:::::::*
cpe:2.3:a:apache:tomcat:5.5.10:::::::*
cpe:2.3:a:apache:tomcat:5.5.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.12:::::::*
cpe:2.3:a:apache:tomcat:5.5.13:::::::*
cpe:2.3:a:apache:tomcat:5.5.14:::::::*
cpe:2.3:a:apache:tomcat:5.5.15:::::::*
cpe:2.3:a:apache:tomcat:5.5.16:::::::*
cpe:2.3:a:apache:tomcat:5.5.17:::::::*
cpe:2.3:a:apache:tomcat:5.5.18:::::::*
cpe:2.3:a:apache:tomcat:5.5.19:::::::*
cpe:2.3:a:apache:tomcat:5.5.20:::::::*
cpe:2.3:a:apache:tomcat:5.5.21:::::::*
cpe:2.3:a:apache:tomcat:5.5.22:::::::*
cpe:2.3:a:apache:tomcat:5.5.23:::::::*
cpe:2.3:a:apache:tomcat:5.5.24:::::::*
cpe:2.3:a:apache:tomcat:5.5.25:::::::*
cpe:2.3:a:apache:tomcat:6.0:::::::*
cpe:2.3:a:apache:tomcat:6.0.1:::::::*
cpe:2.3:a:apache:tomcat:6.0.2:::::::*
cpe:2.3:a:apache:tomcat:6.0.3:::::::*
cpe:2.3:a:apache:tomcat:6.0.4:::::::*
cpe:2.3:a:apache:tomcat:6.0.5:::::::*
cpe:2.3:a:apache:tomcat:6.0.6:::::::*
cpe:2.3:a:apache:tomcat:6.0.7:::::::*
cpe:2.3:a:apache:tomcat:6.0.8:::::::*
cpe:2.3:a:apache:tomcat:6.0.9:::::::*
cpe:2.3:a:apache:tomcat:6.0.10:::::::*
cpe:2.3:a:apache:tomcat:6.0.11:::::::*
cpe:2.3:a:apache:tomcat:6.0.12:::::::*
cpe:2.3:a:apache:tomcat:6.0.13:::::::*
cpe:2.3:a:apache:tomcat:6.0.14:::::::*
cpe:2.3:a:apache:tomcat:6.0.15:::::::*

関連情報、対策とツール

No	URL	refsource
1	http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html	secalert@redhat.com
2	http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html	secalert@redhat.com
3	http://marc.info/?l=bugtraq&m=139344343412337&w=2	secalert@redhat.com
4	http://osvdb.org/39833	secalert@redhat.com
5	http://secunia.com/advisories/28274	secalert@redhat.com
6	http://secunia.com/advisories/28317	secalert@redhat.com
7	http://secunia.com/advisories/28915	secalert@redhat.com
8	http://secunia.com/advisories/29313	secalert@redhat.com
9	http://secunia.com/advisories/29711	secalert@redhat.com
10	http://secunia.com/advisories/30676	secalert@redhat.com
11	http://secunia.com/advisories/32120	secalert@redhat.com
12	http://secunia.com/advisories/32222	secalert@redhat.com
13	http://secunia.com/advisories/32266	secalert@redhat.com
14	http://secunia.com/advisories/37460	secalert@redhat.com
15	http://secunia.com/advisories/57126	secalert@redhat.com
16	http://security.gentoo.org/glsa/glsa-200804-10.xml	secalert@redhat.com
17	http://securityreason.com/securityalert/3485	secalert@redhat.com
18	http://support.apple.com/kb/HT3216	secalert@redhat.com
19	http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm	secalert@redhat.com
20	http://svn.apache.org/viewvc?view=rev&revision=606594	secalert@redhat.com
21	http://tomcat.apache.org/security-5.html	secalert@redhat.com
22	http://tomcat.apache.org/security-6.html	secalert@redhat.com
23	http://www.debian.org/security/2008/dsa-1447	secalert@redhat.com
24	http://www.mandriva.com/security/advisories?name=MDVSA-2008:188	secalert@redhat.com
25	http://www.redhat.com/support/errata/RHSA-2008-0042.html	secalert@redhat.com
26	http://www.redhat.com/support/errata/RHSA-2008-0195.html	secalert@redhat.com
27	http://www.redhat.com/support/errata/RHSA-2008-0831.html	secalert@redhat.com
28	http://www.redhat.com/support/errata/RHSA-2008-0832.html	secalert@redhat.com
29	http://www.redhat.com/support/errata/RHSA-2008-0833.html	secalert@redhat.com
30	http://www.redhat.com/support/errata/RHSA-2008-0834.html	secalert@redhat.com
31	http://www.redhat.com/support/errata/RHSA-2008-0862.html	secalert@redhat.com
32	http://www.securityfocus.com/archive/1/485481/100/0/threaded	secalert@redhat.com
33	http://www.securityfocus.com/archive/1/507985/100/0/threaded	secalert@redhat.com
34	http://www.securityfocus.com/bid/27006	secalert@redhat.com
35	http://www.securityfocus.com/bid/31681	secalert@redhat.com
36	http://www.vmware.com/security/advisories/VMSA-2008-0010.html	secalert@redhat.com
37	http://www.vmware.com/security/advisories/VMSA-2009-0016.html	secalert@redhat.com
38	http://www.vupen.com/english/advisories/2008/0013	secalert@redhat.com
39	http://www.vupen.com/english/advisories/2008/1856/references	secalert@redhat.com
40	http://www.vupen.com/english/advisories/2008/2780	secalert@redhat.com
41	http://www.vupen.com/english/advisories/2008/2823	secalert@redhat.com
42	http://www.vupen.com/english/advisories/2009/3316	secalert@redhat.com
43	https://exchange.xforce.ibmcloud.com/vulnerabilities/39201	secalert@redhat.com
44	https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E	secalert@redhat.com
45	https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E	secalert@redhat.com
46	https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E	secalert@redhat.com
47	https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E	secalert@redhat.com
48	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10417	secalert@redhat.com
49	https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html	secalert@redhat.com
50	https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html	secalert@redhat.com
51	http://lists.apple.com/archives/security-announce/2008/Oct/msg00001.html	af854a3a-2127-422b-91ae-364da2661108
52	http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html	af854a3a-2127-422b-91ae-364da2661108
53	http://marc.info/?l=bugtraq&m=139344343412337&w=2	af854a3a-2127-422b-91ae-364da2661108
54	http://osvdb.org/39833	af854a3a-2127-422b-91ae-364da2661108
55	http://secunia.com/advisories/28274	af854a3a-2127-422b-91ae-364da2661108
56	http://secunia.com/advisories/28317	af854a3a-2127-422b-91ae-364da2661108
57	http://secunia.com/advisories/28915	af854a3a-2127-422b-91ae-364da2661108
58	http://secunia.com/advisories/29313	af854a3a-2127-422b-91ae-364da2661108
59	http://secunia.com/advisories/29711	af854a3a-2127-422b-91ae-364da2661108
60	http://secunia.com/advisories/30676	af854a3a-2127-422b-91ae-364da2661108
61	http://secunia.com/advisories/32120	af854a3a-2127-422b-91ae-364da2661108
62	http://secunia.com/advisories/32222	af854a3a-2127-422b-91ae-364da2661108
63	http://secunia.com/advisories/32266	af854a3a-2127-422b-91ae-364da2661108
64	http://secunia.com/advisories/37460	af854a3a-2127-422b-91ae-364da2661108
65	http://secunia.com/advisories/57126	af854a3a-2127-422b-91ae-364da2661108
66	http://security.gentoo.org/glsa/glsa-200804-10.xml	af854a3a-2127-422b-91ae-364da2661108
67	http://securityreason.com/securityalert/3485	af854a3a-2127-422b-91ae-364da2661108
68	http://support.apple.com/kb/HT3216	af854a3a-2127-422b-91ae-364da2661108
69	http://support.avaya.com/elmodocs2/security/ASA-2008-401.htm	af854a3a-2127-422b-91ae-364da2661108
70	http://svn.apache.org/viewvc?view=rev&revision=606594	af854a3a-2127-422b-91ae-364da2661108
71	http://tomcat.apache.org/security-5.html	af854a3a-2127-422b-91ae-364da2661108
72	http://tomcat.apache.org/security-6.html	af854a3a-2127-422b-91ae-364da2661108
73	http://www.debian.org/security/2008/dsa-1447	af854a3a-2127-422b-91ae-364da2661108
74	http://www.mandriva.com/security/advisories?name=MDVSA-2008:188	af854a3a-2127-422b-91ae-364da2661108
75	http://www.redhat.com/support/errata/RHSA-2008-0042.html	af854a3a-2127-422b-91ae-364da2661108
76	http://www.redhat.com/support/errata/RHSA-2008-0195.html	af854a3a-2127-422b-91ae-364da2661108
77	http://www.redhat.com/support/errata/RHSA-2008-0831.html	af854a3a-2127-422b-91ae-364da2661108
78	http://www.redhat.com/support/errata/RHSA-2008-0832.html	af854a3a-2127-422b-91ae-364da2661108
79	http://www.redhat.com/support/errata/RHSA-2008-0833.html	af854a3a-2127-422b-91ae-364da2661108
80	http://www.redhat.com/support/errata/RHSA-2008-0834.html	af854a3a-2127-422b-91ae-364da2661108
81	http://www.redhat.com/support/errata/RHSA-2008-0862.html	af854a3a-2127-422b-91ae-364da2661108
82	http://www.securityfocus.com/archive/1/485481/100/0/threaded	af854a3a-2127-422b-91ae-364da2661108
83	http://www.securityfocus.com/archive/1/507985/100/0/threaded	af854a3a-2127-422b-91ae-364da2661108
84	http://www.securityfocus.com/bid/27006	af854a3a-2127-422b-91ae-364da2661108
85	http://www.securityfocus.com/bid/31681	af854a3a-2127-422b-91ae-364da2661108
86	http://www.vmware.com/security/advisories/VMSA-2008-0010.html	af854a3a-2127-422b-91ae-364da2661108
87	http://www.vmware.com/security/advisories/VMSA-2009-0016.html	af854a3a-2127-422b-91ae-364da2661108
88	http://www.vupen.com/english/advisories/2008/0013	af854a3a-2127-422b-91ae-364da2661108
89	http://www.vupen.com/english/advisories/2008/1856/references	af854a3a-2127-422b-91ae-364da2661108
90	http://www.vupen.com/english/advisories/2008/2780	af854a3a-2127-422b-91ae-364da2661108
91	http://www.vupen.com/english/advisories/2008/2823	af854a3a-2127-422b-91ae-364da2661108
92	http://www.vupen.com/english/advisories/2009/3316	af854a3a-2127-422b-91ae-364da2661108
93	https://exchange.xforce.ibmcloud.com/vulnerabilities/39201	af854a3a-2127-422b-91ae-364da2661108
94	https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
95	https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
96	https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
97	https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
98	https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10417	af854a3a-2127-422b-91ae-364da2661108
99	https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00315.html	af854a3a-2127-422b-91ae-364da2661108
100	https://www.redhat.com/archives/fedora-package-announce/2008-February/msg00460.html	af854a3a-2127-422b-91ae-364da2661108

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:tomcat:5.5.9:::::::*
cpe:2.3:a:apache:tomcat:5.5.10:::::::*
cpe:2.3:a:apache:tomcat:5.5.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.12:::::::*
cpe:2.3:a:apache:tomcat:5.5.13:::::::*
cpe:2.3:a:apache:tomcat:5.5.14:::::::*
cpe:2.3:a:apache:tomcat:5.5.15:::::::*
cpe:2.3:a:apache:tomcat:5.5.16:::::::*
cpe:2.3:a:apache:tomcat:5.5.17:::::::*
cpe:2.3:a:apache:tomcat:5.5.18:::::::*
cpe:2.3:a:apache:tomcat:5.5.19:::::::*
cpe:2.3:a:apache:tomcat:5.5.20:::::::*
cpe:2.3:a:apache:tomcat:5.5.21:::::::*
cpe:2.3:a:apache:tomcat:5.5.22:::::::*
cpe:2.3:a:apache:tomcat:5.5.23:::::::*
cpe:2.3:a:apache:tomcat:5.5.24:::::::*
cpe:2.3:a:apache:tomcat:5.5.25:::::::*
cpe:2.3:a:apache:tomcat:6.0:::::::*
cpe:2.3:a:apache:tomcat:6.0.1:::::::*
cpe:2.3:a:apache:tomcat:6.0.2:::::::*
cpe:2.3:a:apache:tomcat:6.0.3:::::::*
cpe:2.3:a:apache:tomcat:6.0.4:::::::*
cpe:2.3:a:apache:tomcat:6.0.5:::::::*
cpe:2.3:a:apache:tomcat:6.0.6:::::::*
cpe:2.3:a:apache:tomcat:6.0.7:::::::*
cpe:2.3:a:apache:tomcat:6.0.8:::::::*
cpe:2.3:a:apache:tomcat:6.0.9:::::::*
cpe:2.3:a:apache:tomcat:6.0.10:::::::*
cpe:2.3:a:apache:tomcat:6.0.11:::::::*
cpe:2.3:a:apache:tomcat:6.0.12:::::::*
cpe:2.3:a:apache:tomcat:6.0.13:::::::*
cpe:2.3:a:apache:tomcat:6.0.14:::::::*
cpe:2.3:a:apache:tomcat:6.0.15:::::::*