-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2012.1056.2
    Apache Tomcat Denial of Service & DIGEST authentication weaknesses
                             19 November 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          Apache Tomcat
Publisher:        The Apache Software Foundation
Operating System: Windows
                  UNIX variants (UNIX, Linux, OSX)
Impact/Access:    Denial of Service   -- Remote/Unauthenticated
                  Unauthorised Access -- Remote/Unauthenticated
Resolution:       Patch/Upgrade
CVE Names:        CVE-2012-5887 CVE-2012-5886 CVE-2012-5885
                  CVE-2012-3439 CVE-2012-2733 

Comment: This bulletin contains two (2) Apache Software Foundation security
         advisories. CVE-2012-5885, CVE-2012-5886 and CVE-2012-5887 identify,
         one per weakness, the three DIGEST authentication issues described
         under CVE-2012-3439 below.

Revision History: November 19 2012: Added CVE-2012-5885, CVE-2012-5886, & CVE-2012-5887
                  November  6 2012: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2012-2733 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- - - Tomcat 7.0.0 to 7.0.27
- - - Tomcat 6.0.0 to 6.0.35

Description:
The checks that limited the permitted size of request headers were
implemented too late in the request parsing process for the HTTP NIO
connector. This enabled a malicious user to trigger an
OutOfMemoryError by sending a single request with very large headers.
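The flaw is one of ordering: the header-size limit has to be enforced while bytes are still being read, not after the whole header block has been buffered. The Python below is an added example written for this bulletin, not Tomcat's NIO connector code. It contrasts the late check with the early one on a constructed request carrying a 1 MiB header and reports how much input each parser pulled into memory before rejecting it. `CountingStream`, `build_request` and the `X-Pad` header are assumptions for the demonstration; the 8192-byte limit mirrors Tomcat's default `maxHttpHeaderSize`.

```python
"""Header-size enforcement, early versus late.  Added example written for this
bulletin, not Tomcat's NIO connector code.  The request below is constructed;
the 8192-byte limit mirrors Tomcat's default maxHttpHeaderSize."""
import io


class HeaderTooLarge(Exception):
    pass


class CountingStream:
    """Byte source that records how much the parser pulled into memory."""
    def __init__(self, data: bytes):
        self._buf = io.BytesIO(data)
        self.consumed = 0

    def read(self, n: int) -> bytes:
        chunk = self._buf.read(n)
        self.consumed += len(chunk)
        return chunk


def read_headers_late(stream, limit: int) -> bytes:
    """The flawed ordering: buffer the whole header block, then check its size.
    Memory use is bounded only by what the client chooses to send."""
    buf = bytearray()
    while b"\r\n\r\n" not in buf:
        chunk = stream.read(4096)
        if not chunk:
            break
        buf += chunk
    if len(buf) > limit:
        raise HeaderTooLarge(len(buf))
    return bytes(buf)


def read_headers_early(stream, limit: int) -> bytes:
    """Hardened ordering: never request or retain more than limit+1 bytes and
    reject as soon as the block exceeds the limit."""
    buf = bytearray()
    while b"\r\n\r\n" not in buf:
        chunk = stream.read(min(4096, limit + 1 - len(buf)))
        if not chunk:
            break
        buf += chunk
        if len(buf) > limit:
            raise HeaderTooLarge(len(buf))
    return bytes(buf)


def build_request(pad_bytes: int) -> bytes:
    """Constructed request whose single X-Pad header carries pad_bytes of filler."""
    return (b"GET / HTTP/1.1\r\nHost: localhost\r\nX-Pad: " + b"A" * pad_bytes
            + b"\r\n\r\nbody")


def compare(pad_bytes: int = 1 << 20, limit: int = 8192) -> dict:
    """Run both parsers on the same request; report verdict and bytes consumed."""
    results = {}
    for name, reader in (("late", read_headers_late), ("early", read_headers_early)):
        stream = CountingStream(build_request(pad_bytes))
        try:
            reader(stream, limit)
            results[name] = ("accepted", stream.consumed)
        except HeaderTooLarge:
            results[name] = ("rejected", stream.consumed)
    return results


if __name__ == "__main__":
    print(compare())
```

Both parsers reject the oversized request, but the late one has already read the entire 1 MiB (and would keep reading for as long as the client keeps sending), while the early one stops at 8193 bytes. On a real connector the late ordering is what lets a single request drive the JVM to an OutOfMemoryError.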

Mitigation:
Users of affected versions should apply one of the following mitigations:
- - - Tomcat 7.0.x users should upgrade to 7.0.28 or later
- - - Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by Josh Spiewak.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html

- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
- -----END PGP SIGNATURE-----
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- - - Tomcat 7.0.0 to 7.0.29
- - - Tomcat 6.0.0 to 6.0.35
- - - Tomcat 5.5.0 to 5.5.35
- - - Earlier, unsupported versions may also be affected

Description:
Three weaknesses in Tomcat's implementation of DIGEST authentication
were identified and resolved:
1. Replay protection tracked the client nonce (cnonce) rather than the
   server nonce and nonce count (nc).
2. When a session ID was present, authentication was bypassed.
3. The user name and password were not verified before a nonce was
   reported as stale.
These issues reduced the security of DIGEST authentication, making
replay attacks possible in some circumstances.
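The three weaknesses are easiest to see against a minimal implementation that gets the order right. The Python below is an added example written for this bulletin, not Tomcat's DigestAuthenticator or any Apache code. It computes RFC 2617 digest responses (qop=auth), keeps replay state on the server-issued nonce and its nonce count rather than on the client nonce, ignores any session when deciding whether a request is authenticated, and verifies the digest before ever reporting a nonce as stale. The realm, user, URI, nonce lifetime and the captured-and-replayed request in `demo()` are all constructed for the demonstration.

```python
"""RFC 2617 Digest authentication (qop=auth) with the server-side checks the
advisory describes.  Added example, not Tomcat's code.  Realm, users, URIs,
nonce lifetime and the requests in demo() are constructed for illustration."""
import hashlib
import re
import secrets
import time

REALM = "example"
_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_params(header: str) -> dict:
    """Parse the comma-separated key=value parameters of a Digest header."""
    body = header.split(" ", 1)[1] if header.startswith("Digest ") else header
    return {k: (q if q else u) for k, q, u in _PARAM.findall(body)}


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def ha1(user: str, password: str, realm: str = REALM) -> str:
    return _md5(f"{user}:{realm}:{password}")


def digest_response(h1: str, method: str, uri: str, nonce: str, nc: str, cnonce: str) -> str:
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{h1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class NonceTracker:
    """Replay state keyed on the SERVER nonce: issue time and highest nc seen (fix 1)."""
    def __init__(self, lifetime_s: float = 300.0, now=time.monotonic):
        self._now, self._lifetime = now, lifetime_s
        self._issued = {}            # nonce -> [issued_at, last_nc]

    def issue(self) -> str:
        nonce = secrets.token_hex(16)
        self._issued[nonce] = [self._now(), 0]
        return nonce

    def check(self, nonce: str, nc_hex: str) -> str:
        """'ok', 'stale' (never issued or expired) or 'replay' (nc did not increase)."""
        entry = self._issued.get(nonce)
        if entry is None or self._now() - entry[0] > self._lifetime:
            self._issued.pop(nonce, None)
            return "stale"
        nc = int(nc_hex, 16)
        if nc <= entry[1]:
            return "replay"
        entry[1] = nc
        return "ok"


class DigestServer:
    def __init__(self, users: dict, tracker: NonceTracker):
        self._ha1 = {u: ha1(u, p) for u, p in users.items()}   # keep HA1, not passwords
        self._tracker = tracker

    def challenge(self, stale: bool = False) -> str:
        flag = ", stale=true" if stale else ""
        return f'Digest realm="{REALM}", qop="auth", nonce="{self._tracker.issue()}"{flag}'

    def authenticate(self, method: str, authorization: str, session_user=None) -> str:
        """Returns 'ok', 'bad_credentials', 'stale' or 'replay'.  session_user is
        deliberately never consulted: a request is authenticated by its own digest
        or not at all (fix 2)."""
        p = parse_params(authorization)
        h1 = self._ha1.get(p.get("username", ""))
        if h1 is None:
            return "bad_credentials"
        expected = digest_response(h1, method, p["uri"], p["nonce"], p["nc"], p["cnonce"])
        if not secrets.compare_digest(expected, p.get("response", "")):
            return "bad_credentials"     # credentials decided before nonce state (fix 3)
        return self._tracker.check(p["nonce"], p["nc"])


def client_authorization(user, password, method, uri, nonce, nc, cnonce) -> str:
    resp = digest_response(ha1(user, password), method, uri, nonce, nc, cnonce)
    return (f'Digest username="{user}", realm="{REALM}", uri="{uri}", nonce="{nonce}", '
            f'nc={nc}, cnonce="{cnonce}", qop=auth, response="{resp}"')


def demo() -> list:
    """Constructed exchange; returns the server's verdict for each request."""
    clock = [0.0]
    server = DigestServer({"alice": "s3cret"}, NonceTracker(300.0, now=lambda: clock[0]))
    nonce = parse_params(server.challenge())["nonce"]
    captured = client_authorization("alice", "s3cret", "GET", "/admin", nonce, "00000001", "1a2b")
    out = [server.authenticate("GET", captured)]                            # ok
    out.append(server.authenticate("GET", captured))                        # replay of captured request
    out.append(server.authenticate("GET", captured, session_user="alice"))  # session does not help
    out.append(server.authenticate("GET", client_authorization(
        "alice", "s3cret", "GET", "/admin", nonce, "00000002", "3c4d")))    # ok, nc advanced
    clock[0] = 301.0                                                        # nonce lifetime passes
    out.append(server.authenticate("GET", client_authorization(
        "alice", "s3cret", "GET", "/admin", nonce, "00000003", "5e6f")))    # stale: creds good, nonce old
    out.append(server.authenticate("GET", client_authorization(
        "alice", "wrong", "GET", "/admin", nonce, "00000004", "7a8b")))     # bad_credentials, not stale
    return out
```

The last two requests in `demo()` show why the third fix matters: RFC 2617 says a server should set `stale=true` only for a request whose digest is valid for the stale nonce, because the client treats that flag as permission to retry without re-prompting for a password. Reporting stale before checking credentials turns the nonce check into an oracle that a client with no password can drive.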

Mitigation:
Users of affected versions should apply one of the following mitigations:
- - - Tomcat 7.0.x users should upgrade to 7.0.30 or later
- - - Tomcat 6.0.x users should upgrade to 6.0.36 or later
- - - Tomcat 5.5.x users should upgrade to 5.5.36 or later

Credit:
The first issue was identified by Tilmann Kuhn. The second and third
issues were identified by the Tomcat security team during the code
review resulting from the first issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----