-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.0067
                   Apache Tomcat Information disclosure
                              18 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Tomcat
Publisher:         The Apache Software Foundation
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data -- Existing Account
                   Denial of Service      -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-0022 CVE-2011-3375

Comment: This bulletin contains two (2) Apache Software Foundation security
         advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

CVE-2011-3375 Apache Tomcat Information disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.21
- - Tomcat 6.0.30 to 6.0.33
- - Earlier versions are not affected

Description:
For performance reasons, information parsed from a request is often cached
in two places: the internal request object and the internal processor
object. These objects are not recycled at exactly the same time. When
certain errors occur that need to be added to the access log, the access
logging process triggers the re-population of the request object after it
has been recycled. However, the request object was not recycled before
being used for the next request. That led to information leakage (e.g.
remote IP address, HTTP headers) from the previous request to the next
request.

The issue was resolved by ensuring that the request and response objects
were recycled after being re-populated to generate the necessary access
log entries.
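Added illustration (not part of the bulletin, and not Tomcat source code): a
simplified Python model of the recycling-order flaw described above. Parsed
request data is held in two places, a processor-side cache and a pooled
request object, and the error path recycles the pooled object before the
access logger re-populates it. With the fix flag off, the second client's
request observes the first client's address and header; with the flag on,
the object is recycled again after logging and the leak disappears. All
class, field and sample values below are constructed for the illustration.

```python
"""Simplified model of the recycling-order flaw behind CVE-2011-3375.

Constructed illustration for this bulletin; it is not Tomcat source code.
Parsed request data lives in two places (a processor-side cache and a pooled
request object) that are recycled at different times, which is the situation
the advisory describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class PooledRequest:
    """Reused across requests; must be reset before it serves the next one."""
    remote_addr: Optional[str] = None
    headers: Dict[str, str] = field(default_factory=dict)

    def recycle(self) -> None:
        self.remote_addr = None
        self.headers = {}


class Processor:
    """Hypothetical request processor with a separate parsed-data cache."""

    def __init__(self, fixed: bool) -> None:
        self.fixed = fixed                       # True: recycle again after logging
        self.request = PooledRequest()           # pooled object, reused
        self.cached_addr: Optional[str] = None   # processor-side cache
        self.cached_headers: Dict[str, str] = {}
        self.access_log: List[str] = []

    def populate(self) -> None:
        """Lazily copy the processor cache into the request object.

        A field that already holds a value is left alone and headers are
        merged, which is what turns a missed recycle into cross-request leakage.
        """
        if self.request.remote_addr is None:
            self.request.remote_addr = self.cached_addr
        self.request.headers.update(self.cached_headers)

    def handle(self, remote_addr: str, headers: Dict[str, str],
               error: bool) -> Tuple[Optional[str], Dict[str, str]]:
        """Process one request; return what the application would observe."""
        self.cached_addr, self.cached_headers = remote_addr, dict(headers)
        self.populate()
        observed = (self.request.remote_addr, dict(self.request.headers))
        if not error:
            self.request.recycle()               # normal path: clean hand-off
            return observed
        # Error path: the request object is recycled, then the access logger
        # re-populates it so it can record the client address.
        self.request.recycle()
        self.populate()
        self.access_log.append(f"{self.request.remote_addr} request failed")
        if self.fixed:
            self.request.recycle()               # the fix: recycle after logging
        return observed


def leaked_fields(fixed: bool) -> Tuple[Optional[str], Dict[str, str]]:
    """Failing request from one client, then a clean request from another.

    Returns what the second client's request observed (constructed sample data).
    """
    proc = Processor(fixed=fixed)
    proc.handle("10.0.0.1", {"X-Session": "alice-secret"}, error=True)
    return proc.handle("10.0.0.2", {"Host": "example.test"}, error=False)


if __name__ == "__main__":
    print("vulnerable:", leaked_fields(fixed=False))
    print("fixed:     ", leaked_fields(fixed=True))
```

The point a defender should take from the model is that reuse of pooled
objects makes reset ordering a security property: any code path that touches
the object after its normal reset (here, access logging on error) needs its
own reset, or the next request inherits the previous client's state.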
Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Tomcat 7.0.x users should upgrade to 7.0.22 or later
- - Tomcat 6.0.x users should upgrade to 6.0.35 or later

Credit:
The issue was initially reported via Apache Tomcat's public issue tracker
with the potential security implications identified by the Apache Tomcat
security team.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
https://issues.apache.org/bugzilla/show_bug.cgi?id=51872

- -----------------------------------------------------------------------------

CVE-2012-0022 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - Tomcat 7.0.0 to 7.0.22
- - Tomcat 6.0.0 to 6.0.33
- - Tomcat 5.5.0 to 5.5.34
- - Earlier, unsupported versions may also be affected

Description:
Analysis of the recent hash collision vulnerability identified unrelated
inefficiencies with Apache Tomcat's handling of large numbers of parameters
and parameter values. These inefficiencies could allow an attacker, via a
specially crafted request, to cause large amounts of CPU to be used which
in turn could create a denial of service. The issue was addressed by
modifying the Tomcat parameter handling code to efficiently process large
numbers of parameters and parameter values.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- - Tomcat 7.0.x users should upgrade to 7.0.23 or later
- - Tomcat 6.0.x users should upgrade to 6.0.35 or later
- - Tomcat 5.5.x users should upgrade to 5.5.35 or later

Credit:
The inefficiencies in handling large numbers of parameters were identified
by the Apache Tomcat security team.
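Added example (not AusCERT or Apache code): a Python check that takes an
installed Tomcat version, or a Server banner string such as
"Apache Tomcat/7.0.21", and reports exposure to both CVEs in this bulletin
together with the first fixed release. The affected ranges and fix versions
are transcribed from the advisory text above; versions below the oldest
listed range are flagged as "possibly affected" only where the advisory says
earlier, unsupported versions may also be affected. The function names and
the report layout are the example's own.

```python
"""Check an installed Tomcat version against the ranges in this bulletin.

Added example for ESB-2012.0067; not AusCERT or Apache code. The affected
ranges and fix versions below are transcribed from the bulletin text.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, int, int]

# Per CVE: (lowest, highest) affected version per branch, first fixed release
# per branch, and whether the advisory says older branches may be affected.
ADVISORIES: Dict[str, dict] = {
    "CVE-2011-3375": {
        "affected": [((7, 0, 0), (7, 0, 21)), ((6, 0, 30), (6, 0, 33))],
        "fixed": {(7, 0): (7, 0, 22), (6, 0): (6, 0, 35)},
        "older_may_be_affected": False,   # "Earlier versions are not affected"
    },
    "CVE-2012-0022": {
        "affected": [((7, 0, 0), (7, 0, 22)), ((6, 0, 0), (6, 0, 33)),
                     ((5, 5, 0), (5, 5, 34))],
        "fixed": {(7, 0): (7, 0, 23), (6, 0): (6, 0, 35), (5, 5): (5, 5, 35)},
        "older_may_be_affected": True,    # "Earlier, unsupported versions may also be affected"
    },
}


def parse_version(text: str) -> Version:
    """Accept '7.0.21' or a banner such as 'Apache Tomcat/6.0.32'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def assess(version_text: str) -> Dict[str, dict]:
    """Return, per CVE, whether the version is affected and what to upgrade to."""
    v = parse_version(version_text)
    report: Dict[str, dict] = {}
    for cve, info in ADVISORIES.items():
        affected = any(lo <= v <= hi for lo, hi in info["affected"])
        oldest = min(lo for lo, _ in info["affected"])
        unknown = v < oldest and info["older_may_be_affected"]
        fixed = info["fixed"].get(v[:2])      # fix release for this branch, if listed
        if affected:
            status = "affected"
        elif unknown:
            status = "possibly affected (unsupported branch)"
        else:
            status = "not affected"
        report[cve] = {
            "version": ".".join(map(str, v)),
            "affected": affected,
            "status": status,
            "upgrade_to": ".".join(map(str, fixed)) if affected and fixed else None,
        }
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(assess("Apache Tomcat/7.0.21"), indent=2))
```

The ranges are applied literally: a version between the highest affected
release and the first fixed release (for example 6.0.34, which sits between
6.0.33 and 6.0.35) is reported as not affected because the advisory lists
neither range for it; treat such a result as "not listed" and confirm against
the vendor pages in the References before relying on it.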
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBTxZqxu4yVqjM2NGpAQLVoA/+KTv3MHg3FenEHnwKDROBhTAQfu5RcSHA
AlL3PVdVKIaNYlOTLvBl9U2SciO86Zy2goRnQYxG4UcG3jdpDPqlltGB0QzjC1cd
+3a/seFhkq+q/zPgWejscBNz+5+C1y/B3mP+Fechwx1s9eXbZf9fq5J0z1Sv700f
Uqir/P9bavMvhvoPOpTetRWcigD2jgBDVuaEgUiebTboHRAHfx82tsG36YtPAaZF
WgkEe5eXLh/3bzL/W/oSTuUPxQvzuNOCul+cbJDUxqpLsMSsVBHnEyLM8UJg3gNm
1Q+jLE+cHveaFlOLsGsqrTLMyYcKAPprp1ofLZdE+eGtAWjb7eToIRnT636W3U5o
wASJNV/NZhLg0ORwWKJUI9Sr8Xfk+GUyg7edRvY7zxuVU0ufCOjcXoWDrPR20PeF
pEvkw01F5buXVMJ6xZ/RpVuFAh/SRIImEx7vGkNDeZiFp4dEok+3kdwSxF+NBgGo
MlkHMNVgsQ7gN3N4ZUGUVRvHmQO2fw0aScvuspHOv98DyTrpix6E5fmB/Z8FZSop
78WfZtU3GLBWDdoffIJOKTVnUyK+sDEe5yYcgAmjmpiA9xoOnSJhabqSKTxlzpf5
waxZRhM8iI/krMqe44Bp1oJbqBe3oqwfXLcmisZ1DihItW+XWCRQhaeMC5QLZVWB
vv3aNyex0u0=
=ZyZZ
-----END PGP SIGNATURE-----