tc Server Runtime Known Vulnerabilities and Issues
Components of tc Server Runtime
SpringSource tc Server Runtime is built with the following components. See the security advisories for each component for details of the security vulnerabilities and issues that may affect that component.
| Component | Security advisories |
|---|---|
| Apache Tomcat 6 | Tomcat 6 security advisories |
tc Server is built using the following versions of these components:
| tc Server Runtime version | Apache Tomcat version |
|---|---|
| 6.0.19.A | 6.0.19 |
| 6.0.20.B | 6.0.20 |
| 6.0.20.C | 6.0.20 |
| 6.0.20.D | 6.0.20 |
| 6.0.20.E | 6.0.20 plus fix for CVE-2010-2227 |
| 6.0.20.F | 6.0.20 plus fixes for CVE-2010-2227, CVE-2010-3718 & CVE-2011-0527 |
| 6.0.20.A | 6.0.20 |
| 6.0.25.A | 6.0.25 |
| 6.0.25.A-SR01 | 6.0.25 |
| 6.0.26.A | 6.0.26 plus fix for CVE-2010-1157 |
| 6.0.26.B | 6.0.26 plus fix for CVE-2010-1157 |
| 6.0.26.B-SR01 | 6.0.26 plus fixes for CVE-2010-1157 and CVE-2010-2227 |
| 2.0.3 | 6.0.29 (6.0.29.A) |
| 2.0.4 | 6.0.29 (6.0.29.A) |
| 2.0.5 | 6.0.29 (6.0.29.C) |
| 2.0.5.SR01 | 6.0.32 (6.0.32.A) |
| 2.0.6 | 6.0.32 (6.0.32.A) |
| 2.1.0 | 6.0.29 (6.0.29.B) |
| 2.1.1 | 6.0.29 (6.0.29.C) |
| 2.1.1.SR01 | 6.0.32 (6.0.32.A) |
| 2.1.2 | 6.0.32 (6.0.32.A) |
| 2.5.0 | 6.0.32 (6.0.32.B); 7.0.12 plus fix for CVE-2011-1582 (7.0.12.A) |
| 2.5.1 | 6.0.32 plus fix for CVE-2011-1184 (6.0.32.C); 7.0.16 (7.0.16.A) |
| 2.5.2 | 6.0.33 plus fix for CVE-2011-3190 (6.0.33.A); 7.0.20 plus fix for CVE-2011-3190 (7.0.20.B) |
| 2.6.0 | 6.0.32 plus fixes for CVE-2011-2204 and CVE-2011-1184 (6.0.32.D); 7.0.19 (7.0.19.A) |
| 2.6.1 | 6.0.33 plus fix for CVE-2011-3190 (6.0.33.A); 7.0.20 plus fix for CVE-2011-3190 (7.0.20.B) |
| 2.6.2 | 6.0.33 plus fix for CVE-2011-3190 (6.0.33.B); 7.0.22 (7.0.22.A) |
| 2.6.3 | 6.0.35 (6.0.35.A); 7.0.23 (7.0.23.A) |
CVE-2009-3548, a vulnerability in Apache Tomcat 6.0.20, does not affect tc Server since tc Server does not use the Windows installer provided with Tomcat.
CVE-2009-3555, the SSL protocol MITM vulnerability, may be worked around via configuration. Details are provided on the Tomcat 6 security advisories page.
CVE-2011-2729, the Commons Daemon vulnerability, does not affect tc Server since tc Server does not use the Commons Daemon service wrapper.
Known Vulnerabilities in tc Server Runtime
The following vulnerabilities are known to exist in tc Server Runtime. The information in this section may not be complete for unsupported versions. Users of unsupported versions are strongly encouraged to upgrade to a supported version.
| Date | Vulnerability | Fixed in version (2.1.x) | Fixed in version (2.0.x) | Fixed in version (6.x) |
|---|---|---|---|---|
| 13 May 2010 | CVE-2010-1454 | N/A | 2.0.0.SR01 | 6.0.20.D |
| 10 Aug 2011 | CVE-2011-0527 | 2.1.2 | 2.0.6 | - |

