Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2012.1134 A number of vulnerabilities have been identified in Apache Tomcat 5 December 2012 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Apache Tomcat Publisher: The Apache Software Foundation Operating System: UNIX variants (UNIX, Linux, OSX) Windows Impact/Access: Denial of Service -- Remote/Unauthenticated Cross-site Request Forgery -- Remote with User Interaction Unauthorised Access -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2012-4534 CVE-2012-4431 CVE-2012-3546 Original Bulletin: http://mail-archives.us.apache.org/mod_mbox/www-announce/201212.mbox/%3C50BE535A.9000600@apache.org%3E http://mail-archives.us.apache.org/mod_mbox/www-announce/201212.mbox/%3C50BE5367.6090809@apache.org%3E http://mail-archives.us.apache.org/mod_mbox/www-announce/201212.mbox/%3C50BE536F.6000705@apache.org%3E Comment: This bulletin contains three (3) The Apache Software Foundation security advisories. - --------------------------BEGIN INCLUDED TEXT-------------------- CVE-2012-4534 Apache Tomcat denial of service Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.27 - - Tomcat 6.0.0 to 6.0.35 Description: When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while reading the response an infinite loop is entered leading to a denial of service. This was originally reported as https://issues.apache.org/bugzilla/show_bug.cgi?id=52858. Mitigation: Users of affected versions should apply one of the following mitigations: - - Tomcat 7.0.x users should upgrade to 7.0.28 or later - - Tomcat 6.0.x users should upgrade to 6.0.36 or later Credit: The security implications of this bug were identified by Arun Neelicattu of the Red Hat Security Response Team. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html - ------------------------------------------------------------------------------ - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - - Tomcat 7.0.0 to 7.0.31 - - - Tomcat 6.0.0 to 6.0.35 Description: The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request. Mitigation: Users of affected versions should apply one of the following mitigations: - - - Tomcat 7.0.x users should upgrade to 7.0.32 or later - - - Tomcat 6.0.x users should upgrade to 6.0.36 or later Credit: This issue was identified by The Tomcat security team References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJQvlNvAAoJEBDAHFovYFnnY80QAMvP1gIpG00vfIdiFabpJX55 UEmkPuTSefxZ6NMvAL8GkuUe8CoC6KinCgOx+s8eGlEiHtWFoYvM/Ckg8E3a8SY6 MfD8GLo2av/LdULGSCBrbaL2wFbgixPTBpgR9YS4bdpTK5nVqBZyZOjOzptqRDnE BQXDLLKa65/z7cF57l+XcLs1+JW3KJGRiGJzBNUrJK1x/AzfgRgk4jgvYdyDWdpI zuXKgwBbunblPL4sZhZA2mhoswBIMIJIaHXOAD28Ddt9IIae0UFptY6LmExOkSsa PtshA4EBlO8JTPPcfwtqA/bkHAWCzB1QshkYD57rLF3t1ouDQWI6j8l+q3AYIxzv a0Ix4qzE2hekcjGSCUMZUqNgcaGSjsggaOEo5zauM01osPQxbfpH41eH5fIWlMKi vrxRjYJwLyLdkj3bZFuP7Uq1GL4BLjeKDfqsL4aqcfdBPZea6C9rToEkB8EjD4vf DVdrX4Ivg3ImMMnL+gkX4+5aLp+jpw23G9gZbX1DJn+648iv3yFoK5ysOWy1GAAO x1Iq3pa49NigJ0ipjZvxc07THIoiK/t49/3fWzMR1Xm819oJC2/Qf512l/FpEltK kQ0y8BC4+7ypUZyhtwE3jzLW1x2j4ZBK8l1nX0X92WepJ6piro/7o80qiyDMfqPC hbmBu213eSXnV9kRHveI =jich - -----END PGP SIGNATURE----- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2012-3546 Apache Tomcat Bypass of security constraints Severity: Important Vendor: The Apache Software Foundation Versions Affected: - - - Tomcat 7.0.0 to 7.0.29 - - - Tomcat 6.0.0 to 6.0.35 Earlier unsupported versions may also be affected Description: When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate(). Mitigation: Users of affected versions should apply one of the following mitigations: - - - Tomcat 7.0.x users should upgrade to 7.0.30 or later - - - Tomcat 6.0.x users should upgrade to 6.0.36 or later Credit: This issue was identified by The Tomcat security team References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with undefined - http://www.enigmail.net/ iQIcBAEBAgAGBQJQvlNnAAoJEBDAHFovYFnnsJoP/i6/NEKy6+tAcMZ0vKV5CGci 2Epf7NbfWHZhyYZlI445kHoCGQAvMaD0pXlLBUTlzVd2N9Jugk1j2WNPzvOlsaZ0 jx3qeuvNhVZzAa2LIDVSj8ENVNYMiA/S4reZu2u9lHqw5tTP5fapJXDNphSnr0kR A662JdkQlirQtFylkvqFdMoZ3N/vEPwzD8Cs80fafEhEqcoOtrO6yOyaR/kwEFeI 5cxbm/om4+T9cVkRduGqhzLRBWnDiCeBguXiUJXDQorOWmzHq438cNd4ylfFRa1W RBsin8aVY6LMIUqdWWqUnG8SPI7qp7odMRzhI1yLw+y4ykrV5coKeTvalIsh+3ZE FWP7kYmrOYS8NToq56Fxn8bYAuAsJiOsVZ4ox0ozR9HQCEqLEpXTa31hEowUBtig LO0HRgQIeh4rdgxxR2V46JiRw8URNfGevKrhez5B8UAb8hj02SM/3hyg3S3pL2Jn fl0vLnf1+DACd0mUuGmSQNLx5VznW6fkYHZWgmV3SigaroKL4+BbqCO7WvuNs9aA Y8dYt08IgF0O/Kt1vQdks31KEDIqHJOtrZBCySdvVLGz1x+MxluWssZGQELCcj0v ByfH80yh/uIU2Zk9QTaJlEkuODyWTYxmYRk34R3/zZ57za+NQLlpe0cfBRy33wjt VCfhXK6n3npDlmhpeBDw =pOlX - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBUL6ZhO4yVqjM2NGpAQItoRAAim/5cF88eI7kJGp5Ys/ZBJKqjvHI/YG/ sFjtgffrx9sekSIaAWxy2oRi3mPYJ70gL53zQQHuKkS+j5BnSIfkv5Z510vQ51+m a8U4P2fwr7NcwbcP/tkTFLaueTnsLu86Qy7wwwG3iwlZBEhN919jjrRg4YMucgUS 2HPzNmigjY8lTP4BLdWnJatXUScYOcZVk2iAAuYiF8dRMvuCP+ta6SUiGGzZAQAc VEQwVqMDCEuS7nYafpZOhtUS6AA/XhmCbMugiZmmvTTYkKWvDK5KeH1mE/ODDs/x m1+B/ak5iJCB6HzXWTCmk4n91+hMuwCpVg9/TeyydIM98b9KCx+EI0yjHUX9H8Bu MaCc7YifBYOcUXoBXFllg2J7QZtfLm8/AmwAnfQvqPRW+Rb9R6mfhrH8xwl8TXNS oe2TuZF+plFLDJVRwX9IHWHn1Fozd5G68b9WnIC2xwhikjhwiY3JQBKg2PfV0y+0 /qvSoCR7vkQ3sWx/2goduPOZLKOy3sVOU+B5Oo7puEEHlnYfsyL0kZWp+2yHIrF/ yI+AOK6mQowzDlvm3inUBleVvy/1jX2erZGMWgPjeegqhvoqFyywHA7XpCuOo4aa 4aIadlvQLQ3pHmqCj6kRZRDOzBtnZBTUPLmEpCnV5Bb4uPgpma+I9bH+cf8ehmJQ WcbQewfqHmw= =cB+6 -----END PGP SIGNATURE-----