-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2012.1056.2
      Apache Tomcat Denial of Service & DIGEST authentication weaknesses
                               19 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Apache Tomcat
Publisher:         The Apache Software Foundation
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Denial of Service    -- Remote/Unauthenticated
                   Unauthorised Access  -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5887 CVE-2012-5886 CVE-2012-5885 CVE-2012-3439
                   CVE-2012-2733

Comment: This bulletin contains two (2) security advisories from The Apache
         Software Foundation. CVE-2012-5885, CVE-2012-5886 and CVE-2012-5887
         were subsequently assigned to the three DIGEST authentication
         weaknesses originally grouped under CVE-2012-3439.

Revision History:  November 19 2012: Added CVE-2012-5885, CVE-2012-5886, &
                                     CVE-2012-5887
                   November  6 2012: Initial Release

--------------------------BEGIN INCLUDED TEXT--------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2012-2733 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35

Description:
The checks that limited the permitted size of request headers were
implemented too late in the request parsing process for the HTTP NIO
connector. This enabled a malicious user to trigger an OutOfMemoryError by
sending a single request with very large headers.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.28 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by Josh Spiewak.
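The following is an added illustration of the parsing defect described for CVE-2012-2733; it is not Tomcat's code and not part of the advisory. It contrasts a header parser that buffers the whole header block before checking its size (the pattern the advisory describes) with one that enforces the limit on every read, and measures how much memory each one holds when it rejects a single request carrying a very large header. The limit, the chunk size, the two sample requests and all function names are assumptions made for the example.

```python
"""Early vs. late enforcement of a request-header size limit.

Added illustration for the CVE-2012-2733 description above; this is not
Tomcat's code. Both parsers reject an oversized header block, but only the
early-check parser keeps memory bounded while doing so. The limit, the
chunk size and the two sample requests are assumptions made for the example.
"""
from typing import Callable, Iterator, Tuple

MAX_HEADER_BYTES = 8192   # assumed limit (Tomcat's connector attribute for this is maxHttpHeaderSize)
HEADER_END = b"\r\n\r\n"


class HeaderTooLarge(Exception):
    def __init__(self, peak: int):
        super().__init__(f"header block exceeds {MAX_HEADER_BYTES} bytes")
        self.peak = peak   # bytes buffered at the moment of rejection


def _chunks(data: bytes, size: int) -> Iterator[bytes]:
    """Simulate a socket delivering the request in fixed-size reads."""
    for i in range(0, len(data), size):
        yield data[i:i + size]


def _find_end(buf: bytearray, new_bytes: int) -> int:
    # Only the freshly appended tail (plus 3 bytes of overlap) can complete the terminator.
    return buf.find(HEADER_END, max(0, len(buf) - new_bytes - 3))


def parse_late_check(stream: Iterator[bytes]) -> Tuple[bytes, int]:
    """Vulnerable pattern: buffer the whole header block, then check its size."""
    buf = bytearray()
    for chunk in stream:
        buf.extend(chunk)
        end = _find_end(buf, len(chunk))
        if end >= 0:
            if end + 4 > MAX_HEADER_BYTES:
                raise HeaderTooLarge(len(buf))   # too late: everything is already in memory
            return bytes(buf[:end + 4]), len(buf)
    raise ValueError("connection closed before end of headers")


def parse_early_check(stream: Iterator[bytes]) -> Tuple[bytes, int]:
    """Fixed pattern: check the running header length on every read."""
    buf = bytearray()
    for chunk in stream:
        buf.extend(chunk)
        end = _find_end(buf, len(chunk))
        header_len = len(buf) if end < 0 else end + 4
        if header_len > MAX_HEADER_BYTES:
            raise HeaderTooLarge(len(buf))   # at most limit + one read is ever buffered
        if end >= 0:
            return bytes(buf[:header_len]), len(buf)
    raise ValueError("connection closed before end of headers")


def run(parser: Callable, raw: bytes, chunk_size: int = 1024) -> Tuple[str, int]:
    """Feed `raw` to `parser`; return ("ok" | "rejected", peak bytes buffered)."""
    try:
        _, peak = parser(_chunks(raw, chunk_size))
        return "ok", peak
    except HeaderTooLarge as exc:
        return "rejected", exc.peak


# Constructed requests: one ordinary, one carrying a single ~1 MiB header value.
NORMAL_REQUEST = (b"GET /index.html HTTP/1.1\r\n"
                  b"Host: example.test\r\n"
                  b"User-Agent: probe/0.1\r\n"
                  b"\r\n")
HUGE_REQUEST = (b"GET / HTTP/1.1\r\nHost: example.test\r\n"
                b"X-Pad: " + b"A" * (1024 * 1024) + b"\r\n\r\n")

if __name__ == "__main__":
    for name, parser in (("late", parse_late_check), ("early", parse_early_check)):
        print(name, run(parser, NORMAL_REQUEST), run(parser, HUGE_REQUEST))
```

Both parsers return the same verdict for both requests; the difference is the peak figure. The late check only rejects after the entire 1 MiB header has been buffered, which is the behaviour that let one request exhaust the heap, while the early check never holds more than the limit plus one read. Note that the defect was in where the check ran, so lowering the limit on an affected version does not help; upgrading does.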
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQmERaAAoJEBDAHFovYFnnn3MQAOpo2bXRZqp7m6B9Baixivr3
XsahCY6g+lk1G9PZewYirHQ9I8rX0Zte0c+7M+D0jfn5kxDsvOzHGSHxn9IMQkYU
4dRKYrSi75b2RvwxWB1AT0PMDLEk6ttaPLSlA0/JdnPluh54dzVJ+4DPCm1NDfzh
7+UTGSIXESstOo9ogJG8oslXdv5m4aYscMdxrJMEDe3SeHp/vtphY8JfO5F8aGlF
zUVrl/JY8lXl0UH79dMUHoyFbVeLLfv5vyNauSEQZKIa/2y58B9396H4sMlfAXoe
+NcVTo9vb419CQs6I0G4qiN15lZKQk9+bF5hgjTX0GSxi3E88ZJMGuk9rCK8MXr+
XfTTX+YjnRfSjRlrbbd4zejovFUJukVGqkbmXj01Zm42kDmqQnem5lsKWo8IrmCJ
Qe9gQstoqfWUY+gBAJ2msfg3HkJkPvehYYvmVO+pIdI7EemOAKOfgGxSjg947gtd
gf97Z2BOmpWHUH8+erZ3ro8OaOdhHa9ixmDl2EZxZwjngAn59f9P/srBwmPtTsbh
o9GYr3KgU7rfEVOgsZN1aUXvTFjwF50Ju8Yz4D+PagLPnGaraQLIkFc/MdvAFRm6
VP/UxJCRJDdxwjU/cj9jx6/6ZS99JL1ItfYF/v+v/0GCsERcKLphKNzhYpcY888u
gpYL4yE7b4ZmqBUuoK1T
=+jW7
-----END PGP SIGNATURE-----

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
- Tomcat 5.5.0 to 5.5.35
- Earlier, unsupported versions may also be affected

Description:
Three weaknesses in Tomcat's implementation of DIGEST authentication were
identified and resolved:

1. Tomcat tracked client rather than server nonces and nonce count.
2. When a session ID was present, authentication was bypassed.
3. The user name and password were not checked before indicating that a
   nonce was stale.

These issues reduced the security of DIGEST authentication, making replay
attacks possible in some circumstances.
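The following is an added illustration of server-side DIGEST validation that avoids the three weaknesses listed above; it is not Tomcat's code and not part of the advisory. It keeps state only for nonces the server itself issued and their nonce counts (weakness 1), lets nothing but the digest check decide the outcome so a session ID cannot stand in for credentials (weakness 2), and verifies the user name and password before ever answering that a nonce is stale (weakness 3). The realm, nonce lifetime, user table and helper names are assumptions made for the example; the digest computation is RFC 2617 with qop=auth.

```python
"""Server-side DIGEST validation that avoids the three weaknesses above.

Added illustration; this is not Tomcat's code. The realm, lifetime, user
table and helper names are assumptions made for the example.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

REALM = "example.test"       # assumed realm
NONCE_LIFETIME_S = 300       # assumed validity window for a server nonce
USERS = {"alice": "correct horse battery staple"}   # constructed test credentials


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def digest_response(username: str, password: str, method: str, uri: str,
                    nonce: str, nc: str, cnonce: str, qop: str = "auth") -> str:
    """RFC 2617: response = MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def client_authorization(username: str, password: str, method: str, uri: str,
                         nonce: str, nc: str, cnonce: str) -> Dict[str, str]:
    """The fields a client sends in its Authorization: Digest header, as a dict."""
    return {"username": username, "realm": REALM, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc, "cnonce": cnonce,
            "response": digest_response(username, password, method, uri, nonce, nc, cnonce)}


@dataclass
class NonceState:
    issued_at: float
    last_nc: int = 0      # highest nonce count accepted for this server nonce


class DigestAuthenticator:
    def __init__(self, users: Dict[str, str], now: Callable[[], float] = time.time):
        self.users = users
        self.now = now                              # injectable clock for testing
        self.nonces: Dict[str, NonceState] = {}     # (1) server-issued nonces only

    def issue_nonce(self) -> str:
        nonce = os.urandom(16).hex()
        self.nonces[nonce] = NonceState(issued_at=self.now())
        return nonce

    def authenticate(self, auth: Dict[str, str], method: str,
                     session_id: Optional[str] = None) -> str:
        """Return "ok", "stale" (re-challenge with stale=true) or "reject".

        (2) session_id is accepted only to show the request shape; nothing
        below consults it, so a session ID can never bypass the credential check.
        """
        nonce = auth.get("nonce", "")
        state = self.nonces.get(nonce)
        password = self.users.get(auth.get("username", ""))
        if state is None or password is None:
            return "reject"            # nonce not issued by this server, or unknown user
        expected = digest_response(auth["username"], password, method,
                                   auth.get("uri", ""), nonce, auth.get("nc", ""),
                                   auth.get("cnonce", ""), auth.get("qop", "auth"))
        # (3) credentials first: a wrong password is a plain reject, never "stale"
        if not hmac.compare_digest(expected, auth.get("response", "")):
            return "reject"
        if self.now() - state.issued_at > NONCE_LIFETIME_S:
            del self.nonces[nonce]
            return "stale"
        try:
            nc = int(auth.get("nc", ""), 16)
        except ValueError:
            return "reject"
        if nc <= state.last_nc:        # (1) a repeated or rewound nc is a replay
            return "reject"
        state.last_nc = nc
        return "ok"


if __name__ == "__main__":
    srv = DigestAuthenticator(USERS)
    n = srv.issue_nonce()
    req = client_authorization("alice", USERS["alice"], "GET", "/secure", n, "00000001", "c1")
    print(srv.authenticate(req, "GET"), srv.authenticate(req, "GET"))
```

The ordering of the checks is the point: the server's own nonce table is consulted first, the digest is verified before staleness is reported, and the nonce count must strictly increase per server nonce, so replaying a captured Authorization header (same nonce, same nc) is refused even though its digest is correct.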
Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
- Tomcat 5.5.x users should upgrade to 5.5.36 or later

Credit:
The first issue was identified by Tilmann Kuhn. The second and third issues
were identified by the Tomcat security team during the code review resulting
from the first issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQmEReAAoJEBDAHFovYFnnZxwP/2AZNEbwqQXw+7JYHOgjzr7T
DyNJFlOSA0AwsflhvCQFJ75qyFgYzYjmyCVJGl/GniBkdnYwLS/wPGrBED3bn1lw
9nXMDLjXToLl4o7qv52gyIlvv60YJs6DW2YzqT7R0WtjF5lTx+JxatUmibFGp826
T+CNwMdGbZUTf57O9JnWnzaiTimC42+5d8q/o6JPmKGWrLrKM8QuS+LtIDckn6o3
FJNly5Sfcc8CAVj3dblRAwVXc6+a0U/A9cLGPDUoEAWHnPfq3VwbMlc90xuKMJno
R1huGGxxbp7tOL2qOrI1Tl2ro3ofnVkzdLKOxp5DjSt8+fmPJttOztt8zTCtLNYd
2qFOHxwNrM0tL8RAviQbF1G+sVJtZPO9QrS5EwPTi36nCdZaKWEfhNAtLZ7WRDQ7
0Yxcce+EVjsEJdGNtFOe7CvKTwoRx50OflQeQj9ho3xqJuu6kwKzDUah2Hqlv0Pk
9cTIB5jI/gosvK42KXxq6tKPn+ieHNoL+w58bFAlqBoejQ82E9f4PRV+FFs4mMrt
aq5EA/rN3WmorZpTVvecLfyHDg7O4lfWnSvZV6sEWZZyUdKxV7O/IbvHYkfbBg1/
ypZyjcQRZ9VovbDWLdbvy5hb7NMFijGaWeK1ZPVQRMO7DJ7ny61CCa5Rm/2XYDKp
8+W6GnYLC/a4LopbH53O
=ANZP
-----END PGP SIGNATURE-----

--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager.
If you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the appropriate
person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for
consequences which may arise from following or acting on information or
advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at a
later date, it is recommended that the bulletin is retrieved directly from
the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in
the Security Bulletin above. If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUKmPXu4yVqjM2NGpAQL89RAAqfPRvICh54yF12FfsKRggEGbJ5gZEM5X
jS+f2SocjrxlHtA6dnHd3LDv6wL86Tz01fyR0aufM6gxNSoc+wpfCBtjCm9Zss70
rdZ8XHZv2XStD+90lsG7KBDjF2CG/nuAI+DJBNFUqKhdmEQHuiR4xH82E0wTuDxf
Lwyov6rQAtwfeR3CkGEW+6R4aa3L+OP33rW9jhsgynfVZYtI3sFtiXyKkxcukx9w
BJmTQavylLa8JKtB2Y2NqBN0B4BiunLJNHJ1SXZRAd/8yKw9j3Tu0q7vud+B2Mgg
bFsCuXOpBH7XjnL7MXVxh2fWsbCuijYe0HiX3GrYgfCxgEpbwz/JqYqgmGXUwZ5R
uWmnwYplUdZMnV7WajuVmBpMSI9r/Z+VAhg5omG+Vn0m5TPMC7SnfCOvebHkfpGI
uw2/so3g4CEdDaRv8/N0RDDy2OyXpx6oA4erEXQCJCr1xT+L1JKDgNYfu8m3qc35
7w0rXjBTmmzmfq57vjEiu13TrgokppwTajdIpuf8GNE+I/pXmUq/ia/r9qbeQLmC
NFgQONKqUh6bbV6Umsp1AuXuGgtSeXsdrcxuxgWjC7LeeCyBzkZ+OH/1lkSjHXJ/
oXS0uw6IGU2M1WoH7x/snjCAtkSGhgLPbkQnsKGtWdjvcCqg71h/Tg9DzIoGckfJ
HZvqAYVeqw0=
=sloR
-----END PGP SIGNATURE-----