NVD Vulnerability Detail

CVE-2007-1858

Summary	The default SSL cipher configuration in Apache Tomcat 4.1.28 through 4.1.31, 5.0.0 through 5.0.30, and 5.5.0 through 5.5.17 uses certain insecure ciphers, including the anonymous cipher, which allows remote attackers to obtain sensitive information or have other, unspecified impacts.
Summary	La configuración de cifrado SSL por defecto en Apache Tomcat 4.1.28 hasta 4.1.31, 5.0.0 hasta 5.0.30, y 5.5.0 hasta 5.5.17 utiliza determinadas claves inseguras, incluyendo la clave anónima, lo cual permite a atacantes remotos obtener información sensible o tener otros impactos no especificados.
Publication Date	May 10, 2007, 9:19 a.m.
Registration Date	Jan. 29, 2021, 2:10 p.m.
Last Update	April 23, 2026, 9:35 a.m.

CVSS2.0 : LOW
Score	2.6
Vector	AV:N/AC:H/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	高
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:4.1.28:::::::*
cpe:2.3:a:apache:tomcat:4.1.31:::::::*
cpe:2.3:a:apache:tomcat:5.0.0:::::::*
cpe:2.3:a:apache:tomcat:5.0.1:::::::*
cpe:2.3:a:apache:tomcat:5.0.2:::::::*
cpe:2.3:a:apache:tomcat:5.0.10:::::::*
cpe:2.3:a:apache:tomcat:5.0.11:::::::*
cpe:2.3:a:apache:tomcat:5.0.12:::::::*
cpe:2.3:a:apache:tomcat:5.0.13:::::::*
cpe:2.3:a:apache:tomcat:5.0.14:::::::*
cpe:2.3:a:apache:tomcat:5.0.15:::::::*
cpe:2.3:a:apache:tomcat:5.0.16:::::::*
cpe:2.3:a:apache:tomcat:5.0.17:::::::*
cpe:2.3:a:apache:tomcat:5.0.18:::::::*
cpe:2.3:a:apache:tomcat:5.0.19:::::::*
cpe:2.3:a:apache:tomcat:5.0.21:::::::*
cpe:2.3:a:apache:tomcat:5.0.22:::::::*
cpe:2.3:a:apache:tomcat:5.0.23:::::::*
cpe:2.3:a:apache:tomcat:5.0.24:::::::*
cpe:2.3:a:apache:tomcat:5.0.25:::::::*
cpe:2.3:a:apache:tomcat:5.0.26:::::::*
cpe:2.3:a:apache:tomcat:5.0.27:::::::*
cpe:2.3:a:apache:tomcat:5.0.28:::::::*
cpe:2.3:a:apache:tomcat:5.0.29:::::::*
cpe:2.3:a:apache:tomcat:5.0.30:::::::*
cpe:2.3:a:apache:tomcat:5.5.0:::::::*
cpe:2.3:a:apache:tomcat:5.5.1:::::::*
cpe:2.3:a:apache:tomcat:5.5.2:::::::*
cpe:2.3:a:apache:tomcat:5.5.3:::::::*
cpe:2.3:a:apache:tomcat:5.5.4:::::::*
cpe:2.3:a:apache:tomcat:5.5.5:::::::*
cpe:2.3:a:apache:tomcat:5.5.6:::::::*
cpe:2.3:a:apache:tomcat:5.5.7:::::::*
cpe:2.3:a:apache:tomcat:5.5.8:::::::*
cpe:2.3:a:apache:tomcat:5.5.9:::::::*
cpe:2.3:a:apache:tomcat:5.5.10:::::::*
cpe:2.3:a:apache:tomcat:5.5.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.12:::::::*
cpe:2.3:a:apache:tomcat:5.5.13:::::::*
cpe:2.3:a:apache:tomcat:5.5.14:::::::*
cpe:2.3:a:apache:tomcat:5.5.15:::::::*
cpe:2.3:a:apache:tomcat:5.5.16:::::::*
cpe:2.3:a:apache:tomcat:5.5.17:::::::*

Related information, measures and tools

No	URL	refsource
1	http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx	secalert@redhat.com
2	http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html	secalert@redhat.com
3	http://marc.info/?l=bugtraq&m=133114899904925&w=2	secalert@redhat.com
4	http://osvdb.org/34882	secalert@redhat.com
5	http://secunia.com/advisories/29392	secalert@redhat.com
6	http://secunia.com/advisories/33668	secalert@redhat.com
7	http://secunia.com/advisories/44183	secalert@redhat.com
8	http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm	secalert@redhat.com
9	http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540	secalert@redhat.com
10	http://tomcat.apache.org/security-4.html	secalert@redhat.com
11	http://tomcat.apache.org/security-5.html	secalert@redhat.com
12	http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html	secalert@redhat.com
13	http://www.securityfocus.com/archive/1/500396/100/0/threaded	secalert@redhat.com
14	http://www.securityfocus.com/archive/1/500412/100/0/threaded	secalert@redhat.com
15	http://www.securityfocus.com/bid/28482	secalert@redhat.com
16	http://www.securityfocus.com/bid/64758	secalert@redhat.com
17	http://www.vupen.com/english/advisories/2007/1729	secalert@redhat.com
18	http://www.vupen.com/english/advisories/2009/0233	secalert@redhat.com
19	https://exchange.xforce.ibmcloud.com/vulnerabilities/34212	secalert@redhat.com
20	https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E	secalert@redhat.com
21	https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E	secalert@redhat.com
22	https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E	secalert@redhat.com
23	http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx	af854a3a-2127-422b-91ae-364da2661108
24	http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html	af854a3a-2127-422b-91ae-364da2661108
25	http://marc.info/?l=bugtraq&m=133114899904925&w=2	af854a3a-2127-422b-91ae-364da2661108
26	http://osvdb.org/34882	af854a3a-2127-422b-91ae-364da2661108
27	http://secunia.com/advisories/29392	af854a3a-2127-422b-91ae-364da2661108
28	http://secunia.com/advisories/33668	af854a3a-2127-422b-91ae-364da2661108
29	http://secunia.com/advisories/44183	af854a3a-2127-422b-91ae-364da2661108
30	http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm	af854a3a-2127-422b-91ae-364da2661108
31	http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540	af854a3a-2127-422b-91ae-364da2661108
32	http://tomcat.apache.org/security-4.html	af854a3a-2127-422b-91ae-364da2661108
33	http://tomcat.apache.org/security-5.html	af854a3a-2127-422b-91ae-364da2661108
34	http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html	af854a3a-2127-422b-91ae-364da2661108
35	http://www.securityfocus.com/archive/1/500396/100/0/threaded	af854a3a-2127-422b-91ae-364da2661108
36	http://www.securityfocus.com/archive/1/500412/100/0/threaded	af854a3a-2127-422b-91ae-364da2661108
37	http://www.securityfocus.com/bid/28482	af854a3a-2127-422b-91ae-364da2661108
38	http://www.securityfocus.com/bid/64758	af854a3a-2127-422b-91ae-364da2661108
39	http://www.vupen.com/english/advisories/2007/1729	af854a3a-2127-422b-91ae-364da2661108
40	http://www.vupen.com/english/advisories/2009/0233	af854a3a-2127-422b-91ae-364da2661108
41	https://exchange.xforce.ibmcloud.com/vulnerabilities/34212	af854a3a-2127-422b-91ae-364da2661108
42	https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
43	https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108
44	https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E	af854a3a-2127-422b-91ae-364da2661108

Common Vulnerabilities List

JVN Vulnerability Information

Apache Tomcat のデフォルト設定における SSL 通信により安全でない暗号スイートが適用される問題

Title	Apache Tomcat のデフォルト設定における SSL 通信により安全でない暗号スイートが適用される問題
Summary	Apache Tomcat には、デフォルト設定における SSL 通信において、anonymous 暗号スイートを含む安全でない暗号スイートの適用が意図せず許可されている問題が存在します。
Possible impacts	第三者が弱い暗号スイートによる SSL 通信を Apache Tomcat にリクエストすることで、安全でない暗号スイートにより通信が行われてしまい、重要な情報が漏えいするなどの影響を受ける可能性があります。
Solution	ベンダより正式な対策が公開されています (Apache Tomcat 4.1.32 および 5.5.17 で修正済み)。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	May 9, 2007, midnight
Registration Date	May 17, 2007, 11:30 a.m.
Last Update	Jan. 22, 2014, 1:56 p.m.

Affected System

Apache Software Foundation

Apache Tomcat 4.1.28 から 4.1.31 までのバージョン

Apache Tomcat 5.0.30 およびそれ以前

Apache Tomcat 5.5.16 およびそれ以前

オラクル

Oracle Fusion Middleware の Oracle Forms and Reports 11.1.2.1

Oracle HTTP Server 11.1.1.6.0

Oracle HTTP Server 11.1.1.7.0

サイバートラスト株式会社

Asianux Server 2.0

Asianux Server 2.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2007-1858	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1858
National Vulnerability Database (NVD)
2	CVE-2007-1858	http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-1858

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-DesignError	https://www.ipa.go.jp/security/vuln/CWE.html#CWEDesignError

ベンダー情報

No	Name	URL
Apache Tomcat
1	Fixed in Apache Tomcat 4.1.32	http://tomcat.apache.org/security-4.html
2	Fixed in Apache Tomcat 5.5.17, 5.0.SVN	http://tomcat.apache.org/security-5.html
MIRACLE LINUX アップデート情報
3	tomcat4 (V2.x)	http://www.miraclelinux.com/support/update/list.php?errata_id=1168
Oracle Critical Patch Update
4	Oracle Critical Patch Update Advisory - January 2014	http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
5	Text Form of Oracle Critical Patch Update - January 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html
SECURITY BLOG
6	January 2014 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2014_critical_patch_update

その他

No	Name	URL
FrSIRT Advisories
1	FrSIRT/ADV-2007-1729	http://www.frsirt.com/english/advisories/2007/1729
ISS X-Force Database
2	34212	http://xforce.iss.net/xforce/xfdb/34212
SecurityFocus
3	28482	http://www.securityfocus.com/bid/28482

Change Log

No	Changed Details	Date of change
0	[2007年05月17日] 掲載 [2007年12月10日] 影響を受けるシステム：ミラクル・リナックス (tomcat4 (V2.x)) の情報追加。ベンダ情報: ミラクル・リナックス (tomcat4 (V2.x)) 追加。 [2014年01月22日] 影響を受けるシステム：オラクル (Oracle Critical Patch Update Advisory - January 2014) の情報を追加ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2014 Risk Matrices) を追加ベンダ情報：オラクル (January 2014 Critical Patch Update Released) を追加	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:4.1.28:::::::*
cpe:2.3:a:apache:tomcat:4.1.31:::::::*
cpe:2.3:a:apache:tomcat:5.0.0:::::::*
cpe:2.3:a:apache:tomcat:5.0.1:::::::*
cpe:2.3:a:apache:tomcat:5.0.2:::::::*
cpe:2.3:a:apache:tomcat:5.0.10:::::::*
cpe:2.3:a:apache:tomcat:5.0.11:::::::*
cpe:2.3:a:apache:tomcat:5.0.12:::::::*
cpe:2.3:a:apache:tomcat:5.0.13:::::::*
cpe:2.3:a:apache:tomcat:5.0.14:::::::*
cpe:2.3:a:apache:tomcat:5.0.15:::::::*
cpe:2.3:a:apache:tomcat:5.0.16:::::::*
cpe:2.3:a:apache:tomcat:5.0.17:::::::*
cpe:2.3:a:apache:tomcat:5.0.18:::::::*
cpe:2.3:a:apache:tomcat:5.0.19:::::::*
cpe:2.3:a:apache:tomcat:5.0.21:::::::*
cpe:2.3:a:apache:tomcat:5.0.22:::::::*
cpe:2.3:a:apache:tomcat:5.0.23:::::::*
cpe:2.3:a:apache:tomcat:5.0.24:::::::*
cpe:2.3:a:apache:tomcat:5.0.25:::::::*
cpe:2.3:a:apache:tomcat:5.0.26:::::::*
cpe:2.3:a:apache:tomcat:5.0.27:::::::*
cpe:2.3:a:apache:tomcat:5.0.28:::::::*
cpe:2.3:a:apache:tomcat:5.0.29:::::::*
cpe:2.3:a:apache:tomcat:5.0.30:::::::*
cpe:2.3:a:apache:tomcat:5.5.0:::::::*
cpe:2.3:a:apache:tomcat:5.5.1:::::::*
cpe:2.3:a:apache:tomcat:5.5.2:::::::*
cpe:2.3:a:apache:tomcat:5.5.3:::::::*
cpe:2.3:a:apache:tomcat:5.5.4:::::::*
cpe:2.3:a:apache:tomcat:5.5.5:::::::*
cpe:2.3:a:apache:tomcat:5.5.6:::::::*
cpe:2.3:a:apache:tomcat:5.5.7:::::::*
cpe:2.3:a:apache:tomcat:5.5.8:::::::*
cpe:2.3:a:apache:tomcat:5.5.9:::::::*
cpe:2.3:a:apache:tomcat:5.5.10:::::::*
cpe:2.3:a:apache:tomcat:5.5.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.12:::::::*
cpe:2.3:a:apache:tomcat:5.5.13:::::::*
cpe:2.3:a:apache:tomcat:5.5.14:::::::*
cpe:2.3:a:apache:tomcat:5.5.15:::::::*
cpe:2.3:a:apache:tomcat:5.5.16:::::::*
cpe:2.3:a:apache:tomcat:5.5.17:::::::*