Moderate severity · NVD Advisory · Published Jan 19, 2012 · Updated Apr 29, 2026
CVE-2011-3375
Description
Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.tomcat:tomcat (Maven) | >= 6.0.30, < 6.0.35 | 6.0.35 |
| org.apache.tomcat:tomcat (Maven) | >= 7.0, < 7.0.22 | 7.0.22 |
Affected products
- cpe:2.3:a:apache:tomcat:6.0.30:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.31:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.32:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:6.0.33:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*
Patches
9eae334e9492 Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=51872
7 files changed · +18 −19
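--- a/java/org/apache/catalina/connector/CoyoteAdapter.java
+++ b/java/org/apache/catalina/connector/CoyoteAdapter.java
@@ -466,10 +466,8 @@ public void log(org.apache.coyote.Request req,
         Request request = (Request) req.getNote(ADAPTER_NOTES);
         Response response = (Response) res.getNote(ADAPTER_NOTES);
-        boolean create = false;
         if (request == null) {
-            create = true;
             // Create objects
             request = connector.createRequest();
             request.setCoyoteRequest(req);
@@ -511,9 +509,7 @@ public void log(org.apache.coyote.Request req,
         } catch (Throwable t) {
             ExceptionUtils.handleThrowable(t);
             log.warn(sm.getString("coyoteAdapter.accesslogFail"), t);
-        }
-
-        if (create) {
+        } finally {
             request.recycle();
             response.recycle();
         }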
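Review bot: The `} finally {` that replaces `if (create) {` should carry a comment explaining why recycling is now unconditional, because a reader will otherwise wonder whether recycling a Request taken from the ADAPTER_NOTES note, rather than one freshly created, is intended. Per the advisory description, the previous conditional recycle let a reused request object keep state from an earlier request, which could then surface in a later access-log entry; a comment such as `// Always recycle: a Request left un-recycled here keeps the previous request's remote address and headers and can expose them in a later log call` records that intent next to the fix. The log method begins outside the hunk, so whether the note-based objects can ever belong to a request still being serviced cannot be confirmed from here.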
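--- a/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AbstractAjpProcessor.java
@@ -759,7 +759,6 @@ protected void prepareRequest() {
                 secret = true;
                 if (!tmpMB.equals(requiredSecret)) {
                     response.setStatus(403);
-                    adapter.log(request, response, 0);
                     error = true;
                 }
             }
@@ -776,7 +775,6 @@ protected void prepareRequest() {
         // Check if secret was submitted if required
         if ((requiredSecret != null) && !secret) {
             response.setStatus(403);
-            adapter.log(request, response, 0);
             error = true;
         }
@@ -810,6 +808,9 @@ protected void prepareRequest() {
             MessageBytes valueMB = request.getMimeHeaders().getValue("host");
             parseHost(valueMB);
+            if (error) {
+                adapter.log(request, response, 0);
+            }
     }
@@ -825,7 +826,6 @@ protected void parseHost(MessageBytes valueMB) {
                 request.serverName().duplicate(request.localName());
             } catch (IOException e) {
                 response.setStatus(400);
-                adapter.log(request, response, 0);
                 error = true;
             }
             return;
@@ -877,7 +877,6 @@ protected void parseHost(MessageBytes valueMB) {
                 error = true;
                 // 400 - Bad request
                 response.setStatus(400);
-                adapter.log(request, response, 0);
                 break;
             }
             port = port + (charValue * mult);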
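Review bot: With the access-log call consolidated into `if (error) { adapter.log(request, response, 0); }` at the end of prepareRequest(), the logged status is whichever `response.setStatus` ran last, so a request that fails the required-secret check (403) and then also fails host parsing (400, in the two parseHost hunks) is recorded as a 400 rather than a 403. If operators should see the 403 for a bad secret, consider returning right after `error = true;` in the two secret-check branches so no further header parsing runs on an unauthenticated request and the first status is preserved. prepareRequest() begins and ends outside the hunks, so whether other branches between them can also override the status is inferred, not visible. The new guard also depends on every branch that previously called adapter.log setting `error = true`, which every branch visible in this file does.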
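--- a/java/org/apache/coyote/ajp/AjpAprProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpAprProcessor.java
@@ -182,7 +182,7 @@ public SocketState process(SocketWrapper<Long> socket)
                 }
             }
-            if (!cping && endpoint.isPaused()) {
+            if (!error && !cping && endpoint.isPaused()) {
                 // 503 - Service unavailable
                 response.setStatus(503);
                 adapter.log(request, response, 0);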
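Review bot: The added `!error &&` guard relies on an earlier error having already produced an access-log entry (prepareRequest() in AbstractAjpProcessor now logs once at its end), but nothing at this site says so, and the 503 path here still calls adapter.log directly, so the pairing is easy to break in a later edit; a comment on the line above the condition, `// Skip the 503 when an earlier error was already flagged and logged; logging again would duplicate the access-log entry`, makes the invariant explicit. The same one-line guard change appears in AjpNioProcessor.process and AjpProcessor.process and deserves the same comment. process() begins outside the hunk, so where `error` is set before this check is inferred from the other hunks rather than visible here.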
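--- a/java/org/apache/coyote/ajp/AjpNioProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpNioProcessor.java
@@ -169,7 +169,7 @@ public SocketState process(SocketWrapper<NioChannel> socket)
                 }
             }
-            if (!cping && endpoint.isPaused()) {
+            if (!error && !cping && endpoint.isPaused()) {
                 // 503 - Service unavailable
                 response.setStatus(503);
                 adapter.log(request, response, 0);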
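--- a/java/org/apache/coyote/ajp/AjpProcessor.java
+++ b/java/org/apache/coyote/ajp/AjpProcessor.java
@@ -185,7 +185,7 @@ public SocketState process(SocketWrapper<Socket> socket)
                 }
             }
-            if (!cping && endpoint.isPaused()) {
+            if (!error && !cping && endpoint.isPaused()) {
                 // 503 - Service unavailable
                 response.setStatus(503);
                 adapter.log(request, response, 0);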
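--- a/java/org/apache/coyote/http11/AbstractHttp11Processor.java
+++ b/java/org/apache/coyote/http11/AbstractHttp11Processor.java
@@ -897,7 +897,6 @@ public SocketState process(SocketWrapper<S> socketWrapper)
             if (endpoint.isPaused()) {
                 // 503 - Service unavailable
                 response.setStatus(503);
-                adapter.log(request, response, 0);
                 error = true;
             } else {
                 request.setStartTime(System.currentTimeMillis());
@@ -1087,7 +1086,6 @@ protected void prepareRequest() {
                          " Unsupported HTTP version \""+protocolMB+"\"");
             }
             response.setStatus(505);
-            adapter.log(request, response, 0);
         }
         MessageBytes methodMB = request.method();
@@ -1183,7 +1181,6 @@ protected void prepareRequest() {
                     error = true;
                     // 501 - Unimplemented
                     response.setStatus(501);
-                    adapter.log(request, response, 0);
                 }
                 startPos = commaPos + 1;
                 commaPos = transferEncodingValue.indexOf(',', startPos);
@@ -1199,7 +1196,6 @@ protected void prepareRequest() {
                          " Unsupported transfer encoding \""+encodingName+"\"");
                 }
                 response.setStatus(501);
-                adapter.log(request, response, 0);
             }
         }
@@ -1222,7 +1218,6 @@ protected void prepareRequest() {
                          " host header missing");
             }
             response.setStatus(400);
-            adapter.log(request, response, 0);
         }
         parseHost(valueMB);
@@ -1252,6 +1247,10 @@ protected void prepareRequest() {
             request.setAttribute("org.apache.tomcat.comet.timeout.support",
                     Boolean.TRUE);
         }
+
+        if (error) {
+            adapter.log(request, response, 0);
+        }
     }
@@ -1471,7 +1470,6 @@ protected void parseHost(MessageBytes valueMB) {
                 error = true;
                 // 400 - Bad request
                 response.setStatus(400);
-                adapter.log(request, response, 0);
                 break;
             }
             port = port + (charValue * mult);
@@ -1552,8 +1550,9 @@ public void endRequest() {
             ExceptionUtils.handleThrowable(t);
             getLog().error(sm.getString("http11processor.request.finish"), t);
             // 500 - Internal Server Error
+            // Can't add a 500 to the access log since that has already been
+            // written in the Adapter.service method.
             response.setStatus(500);
-            adapter.log(request, response, 0);
             error = true;
         }
         try {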
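Review bot: Three of the branches that lose their `adapter.log(request, response, 0);` call do not visibly set `error = true` — the 505 branch at @@ -1087, the 501 transfer-encoding branch at @@ -1199 and the missing-host 400 branch at @@ -1222 — while the replacement `if (error) { adapter.log(request, response, 0); }` at the end of prepareRequest() only fires when that flag is set. If the flag is set above those hunks this is fine; if not, those rejected requests drop out of the access log entirely, which hides exactly the malformed traffic operators rely on the access log to spot. Worth confirming at each removed-log site (the 503 site at @@ -897 and the 501 site at @@ -1183 visibly set the flag). A comment on the consolidated call, `// Every rejecting branch above must set error so its status reaches the access log exactly once`, would state the invariant the rest of the method now depends on.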
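--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -133,6 +133,11 @@
         Ensure Servlets that implement ContainerServlet always get treated as
         restricted. (markt)
       </fix>
+      <fix>
+        Ensure that the access log always uses the correct value for the remote
+        IP address associated with the request and that requests with multiple
+        errors do not result in multiple entires in the access log. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">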
References
- tomcat.apache.org/security-6.html (nvd; Vendor Advisory; WEB)
- tomcat.apache.org/security-7.html (nvd; Vendor Advisory; WEB)
- github.com/advisories/GHSA-rp8h-vr48-4j8p (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2011-3375 (ghsa; ADVISORY)
- www.debian.org/security/2012/dsa-2401 (nvd; WEB)
- github.com/apache/tomcat/commit/9eae334e9492f55a841e6eb7ab302ff11d03ab21 (ghsa; WEB)