-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0067
                   Apache Tomcat Information disclosure
                              18 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Apache Tomcat
Publisher:        The Apache Software Foundation
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Access Privileged Data -- Existing Account      
                  Denial of Service      -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2012-0022 CVE-2011-3375 

Comment: This bulletin contains two (2) Apache Software Foundation security 
         advisories.

--------------------------BEGIN INCLUDED TEXT--------------------

CVE-2011-3375 Apache Tomcat Information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.21
- Tomcat 6.0.30 to 6.0.33
- Earlier versions are not affected

Description:
For performance reasons, information parsed from a request is often
cached in two places: the internal request object and the internal
processor object. These objects are not recycled at exactly the same time.
When certain errors occur that need to be added to the access log, the
access logging process triggers the re-population of the request object
after it has been recycled. However, the request object was not recycled
again before being used for the next request. That led to information
leakage (e.g. remote IP address, HTTP headers) from the previous request
to the next request.
The issue was resolved by ensuring that the request and response objects
were recycled after being re-populated to generate the necessary access
log entries.
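The ordering problem described above, as an added model written for this bulletin (it is not Tomcat source; class, method and field names are illustrative): a pooled request object is recycled at the end of a request, re-populated by the access logger on the error path, and either left as-is (vulnerable ordering) or recycled again (the fix). With the vulnerable ordering the second request observes the first request's client address and Cookie header.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

// Model of a request object that a connector reuses across requests (not Tomcat code).
final class PooledRequest {
    private String remoteAddr;                        // lazily cached, as a real container would
    private final Map<String, String> headers = new LinkedHashMap<>();

    void populate(String addr, Map<String, String> hdrs) {
        if (remoteAddr == null) remoteAddr = addr;    // a stale cached value survives if recycle() was skipped
        headers.putAll(hdrs);                         // stale headers accumulate for the same reason
    }
    void recycle() { remoteAddr = null; headers.clear(); }
    String view() { return remoteAddr + " " + headers; }
}

final class Connector {
    private final PooledRequest req = new PooledRequest();
    private final boolean recycleAfterLogging;        // false: vulnerable ordering, true: fixed ordering
    final List<String> accessLog = new ArrayList<>();

    Connector(boolean recycleAfterLogging) { this.recycleAfterLogging = recycleAfterLogging; }

    // Serves one request and returns what the application saw as client address and headers.
    String serve(String addr, Map<String, String> hdrs, boolean errorLogged) {
        req.populate(addr, hdrs);
        String seenByApp = req.view();
        req.recycle();                                // normal end-of-request cleanup
        if (errorLogged) {
            req.populate(addr, hdrs);                 // access logger re-populates the recycled object
            accessLog.add(req.view());
            if (recycleAfterLogging) req.recycle();   // the fix: recycle again once the log entry is written
        }
        return seenByApp;
    }
}

public final class RecycleOrderingDemo {
    public static void main(String[] args) {
        for (boolean fixed : new boolean[] {false, true}) {
            Connector c = new Connector(fixed);
            c.serve("10.0.0.1", Map.of("Cookie", "session=A"), true);   // error path triggers logging
            String seen = c.serve("10.0.0.2", Map.of("Host", "example.test"), false);
            System.out.println((fixed ? "fixed" : "vulnerable") + ": second request saw " + seen);
        }
    }
}
```

The client addresses and header values are constructed sample data; the vulnerable run reports 10.0.0.1 and the session cookie on the second request, the fixed run reports only the second request's own values.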

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.22 or later
- Tomcat 6.0.x users should upgrade to 6.0.35 or later

Credit:
The issue was initially reported via Apache Tomcat's public issue
tracker with the potential security implications identified by the
Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=51872

-----------------------------------------------------------------------------

CVE-2012-0022 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.22
- Tomcat 6.0.0 to 6.0.33
- Tomcat 5.5.0 to 5.5.34
- Earlier, unsupported versions may also be affected

Description:
Analysis of the recent hash collision vulnerability identified unrelated
inefficiencies with Apache Tomcat's handling of large numbers of
parameters and parameter values. These inefficiencies could allow an
attacker, via a specially crafted request, to cause large amounts of CPU
to be used which in turn could create a denial of service.
The issue was addressed by modifying the Tomcat parameter handling code
to efficiently process large numbers of parameters and parameter values.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.23 or later
- Tomcat 6.0.x users should upgrade to 6.0.35 or later
- Tomcat 5.5.x users should upgrade to 5.5.35 or later

Credit:
The inefficiencies in handling large numbers of parameters were
identified by the Apache Tomcat security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================