NVD脆弱性詳細

CVE-2013-4286

概要	Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.
公表日	2014年2月26日23:55
登録日	2021年1月26日15:42
最終更新日	2024年11月21日10:55

CVSS2.0 : MEDIUM
スコア	5.8
ベクター	AV:N/AC:M/Au:N/C:P/I:P/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	中
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	低
可用性への影響(A)	なし
全ての特権を取得	いいえ
ユーザー権限を取得	いいえ
その他の権限を取得	いいえ
ユーザー操作が必要	いいえ

影響を受けるソフトウェアの構成

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:tomcat:7.0.2:beta::::::
cpe:2.3:a:apache:tomcat:7.0.12:::::::*
cpe:2.3:a:apache:tomcat:7.0.20:::::::*
cpe:2.3:a:apache:tomcat:7.0.34:::::::*
cpe:2.3:a:apache:tomcat:7.0.1:::::::*
cpe:2.3:a:apache:tomcat:7.0.2:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:beta::::::
cpe:2.3:a:apache:tomcat:7.0.22:::::::*
cpe:2.3:a:apache:tomcat:7.0.39:::::::*
cpe:2.3:a:apache:tomcat:7.0.26:::::::*
cpe:2.3:a:apache:tomcat:7.0.46:::::::*
cpe:2.3:a:apache:tomcat:7.0.28:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:::::::*
cpe:2.3:a:apache:tomcat:7.0.18:::::::*
cpe:2.3:a:apache:tomcat:7.0.14:::::::*
cpe:2.3:a:apache:tomcat:7.0.11:::::::*
cpe:2.3:a:apache:tomcat:7.0.23:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
cpe:2.3:a:apache:tomcat:7.0.44:::::::*
cpe:2.3:a:apache:tomcat:7.0.42:::::::*
cpe:2.3:a:apache:tomcat:7.0.37:::::::*
cpe:2.3:a:apache:tomcat:7.0.29:::::::*
cpe:2.3:a:apache:tomcat:7.0.45:::::::*
cpe:2.3:a:apache:tomcat:7.0.13:::::::*
cpe:2.3:a:apache:tomcat:7.0.41:::::::*
cpe:2.3:a:apache:tomcat:7.0.31:::::::*
cpe:2.3:a:apache:tomcat:7.0.30:::::::*
cpe:2.3:a:apache:tomcat:7.0.15:::::::*
cpe:2.3:a:apache:tomcat:7.0.19:::::::*
cpe:2.3:a:apache:tomcat:7.0.16:::::::*
cpe:2.3:a:apache:tomcat:7.0.10:::::::*
cpe:2.3:a:apache:tomcat:7.0.36:::::::*
cpe:2.3:a:apache:tomcat:7.0.25:::::::*
cpe:2.3:a:apache:tomcat:7.0.35:::::::*
cpe:2.3:a:apache:tomcat:7.0.43:::::::*
cpe:2.3:a:apache:tomcat:7.0.32:::::::*
cpe:2.3:a:apache:tomcat:7.0.38:::::::*
cpe:2.3:a:apache:tomcat:7.0.21:::::::*
cpe:2.3:a:apache:tomcat:7.0.27:::::::*
cpe:2.3:a:apache:tomcat:7.0.24:::::::*
cpe:2.3:a:apache:tomcat:7.0.17:::::::*
cpe:2.3:a:apache:tomcat:7.0.40:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:::::::*
cpe:2.3:a:apache:tomcat:7.0.3:::::::*
cpe:2.3:a:apache:tomcat:7.0.33:::::::*

構成2	以上	以下	より上	未満
cpe:2.3:a:apache:tomcat:8.0.0:rc2::::::
cpe:2.3:a:apache:tomcat:8.0.0:rc1::::::

構成3	以上	以下	より上	未満
cpe:2.3:a:apache:tomcat:5.5.27:::::::*
cpe:2.3:a:apache:tomcat:6.0.33:::::::*
cpe:2.3:a:apache:tomcat:6.0.0:alpha::::::
cpe:2.3:a:apache:tomcat:3.1:::::::*
cpe:2.3:a:apache:tomcat:4.1.2:::::::*
cpe:2.3:a:apache:tomcat:4.0.4:::::::*
cpe:2.3:a:apache:tomcat:4.1.36:::::::*
cpe:2.3:a:apache:tomcat:3.2.1:::::::*
cpe:2.3:a:apache:tomcat:4.1.9:beta::::::
cpe:2.3:a:apache:tomcat:5.5.18:::::::*
cpe:2.3:a:apache:tomcat:5.0.8:::::::*
cpe:2.3:a:apache:tomcat:5:::::::*
cpe:2.3:a:apache:tomcat:5.0.19:::::::*
cpe:2.3:a:apache:tomcat:6.0.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.12:::::::*
cpe:2.3:a:apache:tomcat:5.0.14:::::::*
cpe:2.3:a:apache:tomcat:5.5.14:::::::*
cpe:2.3:a:apache:tomcat:4.1.24:::::::*
cpe:2.3:a:apache:tomcat:3.2.2:::::::*
cpe:2.3:a:apache:tomcat:5.5.10:::::::*
cpe:2.3:a:apache:tomcat:5.0.22:::::::*
cpe:2.3:a:apache:tomcat:5.5.4:::::::*
cpe:2.3:a:apache:tomcat:5.5.7:::::::*
cpe:2.3:a:apache:tomcat:5.5.1:::::::*
cpe:2.3:a:apache:tomcat:6:::::::*
cpe:2.3:a:apache:tomcat:5.0.7:::::::*
cpe:2.3:a:apache:tomcat:5.5.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.28:::::::*
cpe:2.3:a:apache:tomcat:5.5.6:::::::*
cpe:2.3:a:apache:tomcat:5.5.26:::::::*
cpe:2.3:a:apache:tomcat:3.2.2:beta2::::::
cpe:2.3:a:apache:tomcat:5.0.9:::::::*
cpe:2.3:a:apache:tomcat:5.0.15:::::::*
cpe:2.3:a:apache:tomcat:5.5.35:::::::*
cpe:2.3:a:apache:tomcat:3.3.2:::::::*
cpe:2.3:a:apache:tomcat:5.0.30:::::::*
cpe:2.3:a:apache:tomcat:5.5.20:::::::*
cpe:2.3:a:apache:tomcat:5.5.15:::::::*
cpe:2.3:a:apache:tomcat:5.0.23:::::::*
cpe:2.3:a:apache:tomcat:1.1.3:::::::*
cpe:2.3:a:apache:tomcat:3.2.4:::::::*
cpe:2.3:a:apache:tomcat:5.0.2:::::::*
cpe:2.3:a:apache:tomcat:5.5.5:::::::*
cpe:2.3:a:apache:tomcat:5.0.10:::::::*
cpe:2.3:a:apache:tomcat:6.0.15:::::::*
cpe:2.3:a:apache:tomcat:5.5.30:::::::*
cpe:2.3:a:apache:tomcat:5.0.21:::::::*
cpe:2.3:a:apache:tomcat:3.0:::::::*
cpe:2.3:a:apache:tomcat:5.0.26:::::::*
cpe:2.3:a:apache:tomcat:5.5.21:::::::*
cpe:2.3:a:apache:tomcat:5.5.22:::::::*
cpe:2.3:a:apache:tomcat:6.0.20:::::::*
cpe:2.3:a:apache:tomcat:6.0.10:::::::*
cpe:2.3:a:apache:tomcat:6.0.31:::::::*
cpe:2.3:a:apache:tomcat:6.0.29:::::::*
cpe:2.3:a:apache:tomcat:6.0.3:::::::*
cpe:2.3:a:apache:tomcat:5.0.0:::::::*
cpe:2.3:a:apache:tomcat:5.0.6:::::::*
cpe:2.3:a:apache:tomcat:4.1.31:::::::*
cpe:2.3:a:apache:tomcat:6.0.1:alpha::::::
cpe:2.3:a:apache:tomcat:6.0.24:::::::*
cpe:2.3:a:apache:tomcat:5.5.3:::::::*
cpe:2.3:a:apache:tomcat:5.0.27:::::::*
cpe:2.3:a:apache:tomcat:4.1.29:::::::*
cpe:2.3:a:apache:tomcat:5.0.16:::::::*
cpe:2.3:a:apache:tomcat:6.0.17:::::::*
cpe:2.3:a:apache:tomcat:4.0.6:::::::*
cpe:2.3:a:apache:tomcat:6.0:::::::*
cpe:2.3:a:apache:tomcat:5.5.32:::::::*
cpe:2.3:a:apache:tomcat:6.0.32:::::::*
cpe:2.3:a:apache:tomcat:5.5.31:::::::*
cpe:2.3:a:apache:tomcat:6.0.28:::::::*
cpe:2.3:a:apache:tomcat:5.5.9:::::::*
cpe:2.3:a:apache:tomcat:4.0.3:::::::*
cpe:2.3:a:apache:tomcat:5.5.25:::::::*
cpe:2.3:a:apache:tomcat::::::::		6.0.37
cpe:2.3:a:apache:tomcat:5.0.18:::::::*
cpe:2.3:a:apache:tomcat:6.0.0:::::::*
cpe:2.3:a:apache:tomcat:5.5.33:::::::*
cpe:2.3:a:apache:tomcat:4.0.1:::::::*
cpe:2.3:a:apache:tomcat:3.3.1a:::::::*
cpe:2.3:a:apache:tomcat:6.0.14:::::::*
cpe:2.3:a:apache:tomcat:5.5.2:::::::*
cpe:2.3:a:apache:tomcat:5.0.5:::::::*
cpe:2.3:a:apache:tomcat:5.0.28:::::::*
cpe:2.3:a:apache:tomcat:5.0.29:::::::*
cpe:2.3:a:apache:tomcat:5.5.0:::::::*
cpe:2.3:a:apache:tomcat:4.1.1:::::::*
cpe:2.3:a:apache:tomcat:5.5.13:::::::*
cpe:2.3:a:apache:tomcat:6.0.1:::::::*
cpe:2.3:a:apache:tomcat:6.0.12:::::::*
cpe:2.3:a:apache:tomcat:5.5.24:::::::*
cpe:2.3:a:apache:tomcat:4.1.12:::::::*
cpe:2.3:a:apache:tomcat:4.1.28:::::::*
cpe:2.3:a:apache:tomcat:5.0.13:::::::*
cpe:2.3:a:apache:tomcat:6.0.18:::::::*
cpe:2.3:a:apache:tomcat:5.5.34:::::::*
cpe:2.3:a:apache:tomcat:4.1.15:::::::*
cpe:2.3:a:apache:tomcat:4.1.3:beta::::::
cpe:2.3:a:apache:tomcat:6.0.2:alpha::::::
cpe:2.3:a:apache:tomcat:4.1.10:::::::*
cpe:2.3:a:apache:tomcat:5.5.8:::::::*
cpe:2.3:a:apache:tomcat:5.0.17:::::::*
cpe:2.3:a:apache:tomcat:5.5.16:::::::*
cpe:2.3:a:apache:tomcat:4.1.0:::::::*
cpe:2.3:a:apache:tomcat:3.1.1:::::::*
cpe:2.3:a:apache:tomcat:4.0.2:::::::*
cpe:2.3:a:apache:tomcat:5.5.17:::::::*
cpe:2.3:a:apache:tomcat:4.1.3:::::::*
cpe:2.3:a:apache:tomcat:5.5.29:::::::*
cpe:2.3:a:apache:tomcat:5.5.19:::::::*
cpe:2.3:a:apache:tomcat:4.0.5:::::::*
cpe:2.3:a:apache:tomcat:4.0.0:::::::*
cpe:2.3:a:apache:tomcat:4:::::::*
cpe:2.3:a:apache:tomcat:5.0.4:::::::*
cpe:2.3:a:apache:tomcat:3.2.3:::::::*
cpe:2.3:a:apache:tomcat:6.0.30:::::::*
cpe:2.3:a:apache:tomcat:6.0.2:::::::*
cpe:2.3:a:apache:tomcat:5.0.25:::::::*
cpe:2.3:a:apache:tomcat:6.0.2:beta::::::
cpe:2.3:a:apache:tomcat:6.0.13:::::::*
cpe:2.3:a:apache:tomcat:5.0.1:::::::*
cpe:2.3:a:apache:tomcat:3.2:::::::*
cpe:2.3:a:apache:tomcat:3.3.1:::::::*
cpe:2.3:a:apache:tomcat:5.0.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.23:::::::*
cpe:2.3:a:apache:tomcat:6.0.26:::::::*
cpe:2.3:a:apache:tomcat:5.0.3:::::::*
cpe:2.3:a:apache:tomcat:6.0.19:::::::*
cpe:2.3:a:apache:tomcat:5.0.24:::::::*
cpe:2.3:a:apache:tomcat:6.0.27:::::::*
cpe:2.3:a:apache:tomcat:6.0.35:::::::*
cpe:2.3:a:apache:tomcat:6.0.16:::::::*
cpe:2.3:a:apache:tomcat:3.3:::::::*
cpe:2.3:a:apache:tomcat:6.0.36:::::::*
cpe:2.3:a:apache:tomcat:5.0.12:::::::*

関連情報、対策とツール

No	URL	タグ
1	http://advisories.mageia.org/MGASA-2014-0148.html
2	http://advisories.mageia.org/MGASA-2014-0148.html
3	http://marc.info/?l=bugtraq&m=141390017113542&w=2
4	http://marc.info/?l=bugtraq&m=141390017113542&w=2
5	http://marc.info/?l=bugtraq&m=144498216801440&w=2
6	http://marc.info/?l=bugtraq&m=144498216801440&w=2
7	http://rhn.redhat.com/errata/RHSA-2014-0343.html
8	http://rhn.redhat.com/errata/RHSA-2014-0343.html
9	http://rhn.redhat.com/errata/RHSA-2014-0344.html
10	http://rhn.redhat.com/errata/RHSA-2014-0344.html
11	http://rhn.redhat.com/errata/RHSA-2014-0345.html
12	http://rhn.redhat.com/errata/RHSA-2014-0345.html
13	http://seclists.org/fulldisclosure/2014/Dec/23
14	http://seclists.org/fulldisclosure/2014/Dec/23
15	http://secunia.com/advisories/57675
16	http://secunia.com/advisories/57675
17	http://secunia.com/advisories/59036
18	http://secunia.com/advisories/59036
19	http://secunia.com/advisories/59675
20	http://secunia.com/advisories/59675
21	http://secunia.com/advisories/59722
22	http://secunia.com/advisories/59722
23	http://secunia.com/advisories/59724
24	http://secunia.com/advisories/59724
25	http://secunia.com/advisories/59733
26	http://secunia.com/advisories/59733
27	http://secunia.com/advisories/59873
28	http://secunia.com/advisories/59873
29	http://svn.apache.org/viewvc?view=revision&revision=1521829
30	http://svn.apache.org/viewvc?view=revision&revision=1521829
31	http://svn.apache.org/viewvc?view=revision&revision=1521854
32	http://svn.apache.org/viewvc?view=revision&revision=1521854
33	http://svn.apache.org/viewvc?view=revision&revision=1552565
34	http://svn.apache.org/viewvc?view=revision&revision=1552565
35	http://tomcat.apache.org/security-6.html	Vendor Advisory
36	http://tomcat.apache.org/security-6.html	Vendor Advisory
37	http://tomcat.apache.org/security-7.html	Vendor Advisory
38	http://tomcat.apache.org/security-7.html	Vendor Advisory
39	http://tomcat.apache.org/security-8.html	Vendor Advisory
40	http://tomcat.apache.org/security-8.html	Vendor Advisory
41	http://www.debian.org/security/2016/dsa-3530
42	http://www.debian.org/security/2016/dsa-3530
43	http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
44	http://www.mandriva.com/security/advisories?name=MDVSA-2015:052
45	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
46	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
47	http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
48	http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
49	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
50	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
51	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
52	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
53	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
54	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
55	http://www.securityfocus.com/archive/1/534161/100/0/threaded
56	http://www.securityfocus.com/archive/1/534161/100/0/threaded
57	http://www.securityfocus.com/bid/65773
58	http://www.securityfocus.com/bid/65773
59	http://www.ubuntu.com/usn/USN-2130-1
60	http://www.ubuntu.com/usn/USN-2130-1
61	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
62	http://www.vmware.com/security/advisories/VMSA-2014-0012.html
63	http://www-01.ibm.com/support/docview.wss?uid=swg21667883
64	http://www-01.ibm.com/support/docview.wss?uid=swg21667883
65	http://www-01.ibm.com/support/docview.wss?uid=swg21675886
66	http://www-01.ibm.com/support/docview.wss?uid=swg21675886
67	http://www-01.ibm.com/support/docview.wss?uid=swg21677147
68	http://www-01.ibm.com/support/docview.wss?uid=swg21677147
69	http://www-01.ibm.com/support/docview.wss?uid=swg21678113
70	http://www-01.ibm.com/support/docview.wss?uid=swg21678113
71	http://www-01.ibm.com/support/docview.wss?uid=swg21678231
72	http://www-01.ibm.com/support/docview.wss?uid=swg21678231
73	https://bugzilla.redhat.com/show_bug.cgi?id=1069921
74	https://bugzilla.redhat.com/show_bug.cgi?id=1069921
75	https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
76	https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013
77	https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
78	https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
79	https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
80	https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
81	https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
82	https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
83	https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
84	https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
85	https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
86	https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
87	https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
88	https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E
89	https://rhn.redhat.com/errata/RHSA-2014-0686.html
90	https://rhn.redhat.com/errata/RHSA-2014-0686.html

共通脆弱性一覧

No	CWE	名前	URL
1	CWE-20	不適切な入力確認	https://cwe.mitre.org/data/definitions/20.html

JVN脆弱性情報

Apache Tomcat におけるリクエスト長の誤った識別を誘発される脆弱性

タイトル	Apache Tomcat におけるリクエスト長の誤った識別を誘発される脆弱性
概要	Apache Tomcat は、HTTP コネクタまたは AJP コネクタが使用されている場合、特定の矛盾する HTTP リクエストヘッダを適切に処理しないため、リクエスト長の誤った識別を誘発され、リクエスト・スマグリング攻撃を実行される脆弱性が存在します。本脆弱性は、CVE-2005-2090 に対する修正が不十分だったことによる脆弱性です。
想定される影響	第三者により、(1) 複数の Content-Length ヘッダ、または (2) Content-Length ヘッダと "Transfer-Encoding: chunked" ヘッダを介して、リクエスト長の誤った識別を誘発され、リクエスト・スマグリング攻撃を実行される可能性があります。
対策	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
公表日	2013年9月23日0:00
登録日	2014年2月27日16:30
最終更新日	2016年11月22日16:00

影響を受けるシステム

Apache Software Foundation

Apache Tomcat 6.0.39 未満

Apache Tomcat 7.0.47 未満の 7.x

Apache Tomcat 8.0.0-RC3 未満の 8.x

オラクル

Oracle Communications Policy Management 10.4.1

Oracle Communications Policy Management 12.1.1 およびそれ以前

Oracle Communications Policy Management 9.7.3

Oracle Communications Policy Management 9.9.1

Oracle Fusion Middleware の Oracle BI Publisher 10.1.3.4.2

Oracle Fusion Middleware の Oracle BI Publisher 11.1.1.7

Oracle Fusion Middleware の Oracle Enterprise Data Quality 8.1.2

Oracle Fusion Middleware の Oracle Enterprise Data Quality 9.0.11

Oracle Fusion Middleware の Oracle GoldenGate Monitor 11.1.2.1.0

Oracle Virtualization の Oracle Secure Global Desktop 4.63

Oracle Virtualization の Oracle Secure Global Desktop 4.71

Oracle Virtualization の Oracle Secure Global Desktop 5.0

Oracle Virtualization の Oracle Secure Global Desktop 5.1

CVE (情報セキュリティ共通脆弱性識別子)

No	名前	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2013-4286	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286
National Vulnerability Database (NVD)
2	CVE-2013-4286	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4286

CWE (共通脆弱性タイプ一覧)

No	名前	URL
JVNDB
1	CWE-20	https://jvndb.jvn.jp/ja/cwe/CWE-20.html

ベンダー情報

No	名前	URL
Apache Tomcat
1	Apache Tomcat 6.x vulnerabilities	http://tomcat.apache.org/security-6.html
2	Apache Tomcat 7.x vulnerabilities	http://tomcat.apache.org/security-7.html
3	Apache Tomcat 8.x vulnerabilities	http://tomcat.apache.org/security-8.html
Apache-SVN
4	Revision 1521829	http://svn.apache.org/viewvc?view=revision&revision=1521829
5	Revision 1521854	http://svn.apache.org/viewvc?view=revision&revision=1521854
6	Revision 1552565	http://svn.apache.org/viewvc?view=revision&revision=1552565
HP Security Bulletin
7	HPSBUX03150 SSRT101681	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c04483248
IBM Support Document
8	1667883	http://www-01.ibm.com/support/docview.wss?uid=swg21667883
9	1675886	http://www-01.ibm.com/support/docview.wss?uid=swg21675886
10	1677147	http://www-01.ibm.com/support/docview.wss?uid=swg21677147
11	1678113	http://www-01.ibm.com/support/docview.wss?uid=swg21678113
12	1678231	http://www-01.ibm.com/support/docview.wss?uid=swg21678231
Oracle Critical Patch Update
13	Oracle Critical Patch Update Advisory - April 2015	http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
14	Oracle Critical Patch Update Advisory - January 2015	http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
15	Oracle Critical Patch Update Advisory - July 2014	http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
16	Oracle Critical Patch Update Advisory - October 2014	http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
17	Oracle Critical Patch Update Advisory - October 2016	http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
18	Text Form of Oracle Critical Patch Update - April 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpuapr2015verbose-2365613.html
19	Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujan2015verbose-1972976.html
20	Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpujul2014verbose-1972958.html
21	Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices	http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html
22	Text Form of Oracle Critical Patch Update - October 2016 Risk Matrices	http://www.oracle.com/technetwork/security-advisory/cpuoct2016verbose-2881725.html
Red Hat Bugzilla
23	Bug 1069921	https://bugzilla.redhat.com/show_bug.cgi?id=1069921
Red Hat Security Advisory
24	RHSA-2014:0343	https://rhn.redhat.com/errata/RHSA-2014-0343.html
25	RHSA-2014:0344	http://rhn.redhat.com/errata/RHSA-2014-0344.html
26	RHSA-2014:0345	https://rhn.redhat.com/errata/RHSA-2014-0345.html
27	RHSA-2014:0686	https://rhn.redhat.com/errata/RHSA-2014-0686.html
SECURITY BLOG
28	April 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/april_2015_critical_patch_update
29	January 2015 Critical Patch Update Released	https://blogs.oracle.com/security/entry/january_2015_critical_patch_update
30	July 2014 Critical Patch Update Released	https://blogs.oracle.com/security/entry/july_2014_critical_patch_update
31	Multiple vulnerabilities in Apache Tomcat	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_apache_tomcat4
32	October 2014 Critical Patch Update Released	https://blogs.oracle.com/security/entry/october_2014_critical_patch_update
33	October 2016 Critical Patch Update Released	https://blogs.oracle.com/security/entry/october_2016_critical_patch_update

変更履歴

No	変更内容	変更日
0	[2014年02月27日] 掲載 [2014年06月02日] ベンダ情報：オラクル (Multiple vulnerabilities in Apache Tomcat) を追加 [2014年07月18日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - July 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices) を追加ベンダ情報：オラクル (July 2014 Critical Patch Update Released) を追加 [2014年10月21日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - October 2014) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - October 2014 Risk Matrices) を追加ベンダ情報：オラクル (October 2014 Critical Patch Update Released) を追加 [2014年12月08日] ベンダ情報：ヒューレット・パッカード (HPSBUX03150 SSRT101681) を追加ベンダ情報：IBM (1667883) を追加ベンダ情報：IBM (1675886) を追加ベンダ情報：IBM (1678113) を追加ベンダ情報：IBM (1678231) を追加ベンダ情報：IBM (1677147) を追加ベンダ情報：レッドハット (RHSA-2014:0343) を追加ベンダ情報：レッドハット (RHSA-2014:0344) を追加ベンダ情報：レッドハット (RHSA-2014:0686) を追加ベンダ情報：レッドハット (RHSA-2014:0345) を追加 [2015年01月22日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - January 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - January 2015 Risk Matrices) を追加ベンダ情報：オラクル (January 2015 Critical Patch Update Released) を追加 [2015年04月20日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - April 2015) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - April 2015 Risk Matrices) を追加ベンダ情報：オラクル (April 2015 Critical Patch Update Released) を追加 [2016年11月22日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：オラクル (Oracle Critical Patch Update Advisory - October 2016) を追加ベンダ情報：オラクル (Text Form of Oracle Critical Patch Update - October 2016 Risk Matrices) を追加ベンダ情報：オラクル (October 2016 Critical Patch Update Released) を追加	2018年2月17日10:37

構成1	以上	以下	より上	未満
cpe:2.3:a:apache:tomcat:7.0.2:beta::::::
cpe:2.3:a:apache:tomcat:7.0.12:::::::*
cpe:2.3:a:apache:tomcat:7.0.20:::::::*
cpe:2.3:a:apache:tomcat:7.0.34:::::::*
cpe:2.3:a:apache:tomcat:7.0.1:::::::*
cpe:2.3:a:apache:tomcat:7.0.2:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:beta::::::
cpe:2.3:a:apache:tomcat:7.0.22:::::::*
cpe:2.3:a:apache:tomcat:7.0.39:::::::*
cpe:2.3:a:apache:tomcat:7.0.26:::::::*
cpe:2.3:a:apache:tomcat:7.0.46:::::::*
cpe:2.3:a:apache:tomcat:7.0.28:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:::::::*
cpe:2.3:a:apache:tomcat:7.0.18:::::::*
cpe:2.3:a:apache:tomcat:7.0.14:::::::*
cpe:2.3:a:apache:tomcat:7.0.11:::::::*
cpe:2.3:a:apache:tomcat:7.0.23:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
cpe:2.3:a:apache:tomcat:7.0.44:::::::*
cpe:2.3:a:apache:tomcat:7.0.42:::::::*
cpe:2.3:a:apache:tomcat:7.0.37:::::::*
cpe:2.3:a:apache:tomcat:7.0.29:::::::*
cpe:2.3:a:apache:tomcat:7.0.45:::::::*
cpe:2.3:a:apache:tomcat:7.0.13:::::::*
cpe:2.3:a:apache:tomcat:7.0.41:::::::*
cpe:2.3:a:apache:tomcat:7.0.31:::::::*
cpe:2.3:a:apache:tomcat:7.0.30:::::::*
cpe:2.3:a:apache:tomcat:7.0.15:::::::*
cpe:2.3:a:apache:tomcat:7.0.19:::::::*
cpe:2.3:a:apache:tomcat:7.0.16:::::::*
cpe:2.3:a:apache:tomcat:7.0.10:::::::*
cpe:2.3:a:apache:tomcat:7.0.36:::::::*
cpe:2.3:a:apache:tomcat:7.0.25:::::::*
cpe:2.3:a:apache:tomcat:7.0.35:::::::*
cpe:2.3:a:apache:tomcat:7.0.43:::::::*
cpe:2.3:a:apache:tomcat:7.0.32:::::::*
cpe:2.3:a:apache:tomcat:7.0.38:::::::*
cpe:2.3:a:apache:tomcat:7.0.21:::::::*
cpe:2.3:a:apache:tomcat:7.0.27:::::::*
cpe:2.3:a:apache:tomcat:7.0.24:::::::*
cpe:2.3:a:apache:tomcat:7.0.17:::::::*
cpe:2.3:a:apache:tomcat:7.0.40:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:::::::*
cpe:2.3:a:apache:tomcat:7.0.3:::::::*
cpe:2.3:a:apache:tomcat:7.0.33:::::::*

構成3	以上	以下	より上	未満
cpe:2.3:a:apache:tomcat:5.5.27:::::::*
cpe:2.3:a:apache:tomcat:6.0.33:::::::*
cpe:2.3:a:apache:tomcat:6.0.0:alpha::::::
cpe:2.3:a:apache:tomcat:3.1:::::::*
cpe:2.3:a:apache:tomcat:4.1.2:::::::*
cpe:2.3:a:apache:tomcat:4.0.4:::::::*
cpe:2.3:a:apache:tomcat:4.1.36:::::::*
cpe:2.3:a:apache:tomcat:3.2.1:::::::*
cpe:2.3:a:apache:tomcat:4.1.9:beta::::::
cpe:2.3:a:apache:tomcat:5.5.18:::::::*
cpe:2.3:a:apache:tomcat:5.0.8:::::::*
cpe:2.3:a:apache:tomcat:5:::::::*
cpe:2.3:a:apache:tomcat:5.0.19:::::::*
cpe:2.3:a:apache:tomcat:6.0.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.12:::::::*
cpe:2.3:a:apache:tomcat:5.0.14:::::::*
cpe:2.3:a:apache:tomcat:5.5.14:::::::*
cpe:2.3:a:apache:tomcat:4.1.24:::::::*
cpe:2.3:a:apache:tomcat:3.2.2:::::::*
cpe:2.3:a:apache:tomcat:5.5.10:::::::*
cpe:2.3:a:apache:tomcat:5.0.22:::::::*
cpe:2.3:a:apache:tomcat:5.5.4:::::::*
cpe:2.3:a:apache:tomcat:5.5.7:::::::*
cpe:2.3:a:apache:tomcat:5.5.1:::::::*
cpe:2.3:a:apache:tomcat:6:::::::*
cpe:2.3:a:apache:tomcat:5.0.7:::::::*
cpe:2.3:a:apache:tomcat:5.5.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.28:::::::*
cpe:2.3:a:apache:tomcat:5.5.6:::::::*
cpe:2.3:a:apache:tomcat:5.5.26:::::::*
cpe:2.3:a:apache:tomcat:3.2.2:beta2::::::
cpe:2.3:a:apache:tomcat:5.0.9:::::::*
cpe:2.3:a:apache:tomcat:5.0.15:::::::*
cpe:2.3:a:apache:tomcat:5.5.35:::::::*
cpe:2.3:a:apache:tomcat:3.3.2:::::::*
cpe:2.3:a:apache:tomcat:5.0.30:::::::*
cpe:2.3:a:apache:tomcat:5.5.20:::::::*
cpe:2.3:a:apache:tomcat:5.5.15:::::::*
cpe:2.3:a:apache:tomcat:5.0.23:::::::*
cpe:2.3:a:apache:tomcat:1.1.3:::::::*
cpe:2.3:a:apache:tomcat:3.2.4:::::::*
cpe:2.3:a:apache:tomcat:5.0.2:::::::*
cpe:2.3:a:apache:tomcat:5.5.5:::::::*
cpe:2.3:a:apache:tomcat:5.0.10:::::::*
cpe:2.3:a:apache:tomcat:6.0.15:::::::*
cpe:2.3:a:apache:tomcat:5.5.30:::::::*
cpe:2.3:a:apache:tomcat:5.0.21:::::::*
cpe:2.3:a:apache:tomcat:3.0:::::::*
cpe:2.3:a:apache:tomcat:5.0.26:::::::*
cpe:2.3:a:apache:tomcat:5.5.21:::::::*
cpe:2.3:a:apache:tomcat:5.5.22:::::::*
cpe:2.3:a:apache:tomcat:6.0.20:::::::*
cpe:2.3:a:apache:tomcat:6.0.10:::::::*
cpe:2.3:a:apache:tomcat:6.0.31:::::::*
cpe:2.3:a:apache:tomcat:6.0.29:::::::*
cpe:2.3:a:apache:tomcat:6.0.3:::::::*
cpe:2.3:a:apache:tomcat:5.0.0:::::::*
cpe:2.3:a:apache:tomcat:5.0.6:::::::*
cpe:2.3:a:apache:tomcat:4.1.31:::::::*
cpe:2.3:a:apache:tomcat:6.0.1:alpha::::::
cpe:2.3:a:apache:tomcat:6.0.24:::::::*
cpe:2.3:a:apache:tomcat:5.5.3:::::::*
cpe:2.3:a:apache:tomcat:5.0.27:::::::*
cpe:2.3:a:apache:tomcat:4.1.29:::::::*
cpe:2.3:a:apache:tomcat:5.0.16:::::::*
cpe:2.3:a:apache:tomcat:6.0.17:::::::*
cpe:2.3:a:apache:tomcat:4.0.6:::::::*
cpe:2.3:a:apache:tomcat:6.0:::::::*
cpe:2.3:a:apache:tomcat:5.5.32:::::::*
cpe:2.3:a:apache:tomcat:6.0.32:::::::*
cpe:2.3:a:apache:tomcat:5.5.31:::::::*
cpe:2.3:a:apache:tomcat:6.0.28:::::::*
cpe:2.3:a:apache:tomcat:5.5.9:::::::*
cpe:2.3:a:apache:tomcat:4.0.3:::::::*
cpe:2.3:a:apache:tomcat:5.5.25:::::::*
cpe:2.3:a:apache:tomcat::::::::		6.0.37
cpe:2.3:a:apache:tomcat:5.0.18:::::::*
cpe:2.3:a:apache:tomcat:6.0.0:::::::*
cpe:2.3:a:apache:tomcat:5.5.33:::::::*
cpe:2.3:a:apache:tomcat:4.0.1:::::::*
cpe:2.3:a:apache:tomcat:3.3.1a:::::::*
cpe:2.3:a:apache:tomcat:6.0.14:::::::*
cpe:2.3:a:apache:tomcat:5.5.2:::::::*
cpe:2.3:a:apache:tomcat:5.0.5:::::::*
cpe:2.3:a:apache:tomcat:5.0.28:::::::*
cpe:2.3:a:apache:tomcat:5.0.29:::::::*
cpe:2.3:a:apache:tomcat:5.5.0:::::::*
cpe:2.3:a:apache:tomcat:4.1.1:::::::*
cpe:2.3:a:apache:tomcat:5.5.13:::::::*
cpe:2.3:a:apache:tomcat:6.0.1:::::::*
cpe:2.3:a:apache:tomcat:6.0.12:::::::*
cpe:2.3:a:apache:tomcat:5.5.24:::::::*
cpe:2.3:a:apache:tomcat:4.1.12:::::::*
cpe:2.3:a:apache:tomcat:4.1.28:::::::*
cpe:2.3:a:apache:tomcat:5.0.13:::::::*
cpe:2.3:a:apache:tomcat:6.0.18:::::::*
cpe:2.3:a:apache:tomcat:5.5.34:::::::*
cpe:2.3:a:apache:tomcat:4.1.15:::::::*
cpe:2.3:a:apache:tomcat:4.1.3:beta::::::
cpe:2.3:a:apache:tomcat:6.0.2:alpha::::::
cpe:2.3:a:apache:tomcat:4.1.10:::::::*
cpe:2.3:a:apache:tomcat:5.5.8:::::::*
cpe:2.3:a:apache:tomcat:5.0.17:::::::*
cpe:2.3:a:apache:tomcat:5.5.16:::::::*
cpe:2.3:a:apache:tomcat:4.1.0:::::::*
cpe:2.3:a:apache:tomcat:3.1.1:::::::*
cpe:2.3:a:apache:tomcat:4.0.2:::::::*
cpe:2.3:a:apache:tomcat:5.5.17:::::::*
cpe:2.3:a:apache:tomcat:4.1.3:::::::*
cpe:2.3:a:apache:tomcat:5.5.29:::::::*
cpe:2.3:a:apache:tomcat:5.5.19:::::::*
cpe:2.3:a:apache:tomcat:4.0.5:::::::*
cpe:2.3:a:apache:tomcat:4.0.0:::::::*
cpe:2.3:a:apache:tomcat:4:::::::*
cpe:2.3:a:apache:tomcat:5.0.4:::::::*
cpe:2.3:a:apache:tomcat:3.2.3:::::::*
cpe:2.3:a:apache:tomcat:6.0.30:::::::*
cpe:2.3:a:apache:tomcat:6.0.2:::::::*
cpe:2.3:a:apache:tomcat:5.0.25:::::::*
cpe:2.3:a:apache:tomcat:6.0.2:beta::::::
cpe:2.3:a:apache:tomcat:6.0.13:::::::*
cpe:2.3:a:apache:tomcat:5.0.1:::::::*
cpe:2.3:a:apache:tomcat:3.2:::::::*
cpe:2.3:a:apache:tomcat:3.3.1:::::::*
cpe:2.3:a:apache:tomcat:5.0.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.23:::::::*
cpe:2.3:a:apache:tomcat:6.0.26:::::::*
cpe:2.3:a:apache:tomcat:5.0.3:::::::*
cpe:2.3:a:apache:tomcat:6.0.19:::::::*
cpe:2.3:a:apache:tomcat:5.0.24:::::::*
cpe:2.3:a:apache:tomcat:6.0.27:::::::*
cpe:2.3:a:apache:tomcat:6.0.35:::::::*
cpe:2.3:a:apache:tomcat:6.0.16:::::::*
cpe:2.3:a:apache:tomcat:3.3:::::::*
cpe:2.3:a:apache:tomcat:6.0.36:::::::*
cpe:2.3:a:apache:tomcat:5.0.12:::::::*