Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components :

  - Apache Tomcat
  - bzip2 library
  - JRE
  - WDDM display driver
  - XPDM display driver

Updated tomcat6 packages that fix multiple security issues and three bugs are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container.

JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime (APR) support for Tomcat. References in this text to APR refer to the Tomcat Native implementation, not any other apr package.

This update fixes the JBPAPP-4873, JBPAPP-6133, and JBPAPP-6852 bugs.
It also resolves the following security issues :

Multiple flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw in the way Tomcat recycled objects that contain data from user requests (such as IP addresses and HTTP headers) when certain errors occurred. If a user sent a request that caused an error to be logged, Tomcat would return a reply to the next request (which could be sent by a different user) with data from the first user's request, leading to information disclosure. Under certain conditions, a remote attacker could leverage this flaw to hijack sessions. (CVE-2011-3375)

The Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause Tomcat to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

Tomcat did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make Tomcat use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values. This update introduces limits on the number of parameters and headers processed per request to address this issue. Refer to the CVE-2011-4858 description for information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

A flaw in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP NIO connector is used by default in JBoss Enterprise Web Server. (CVE-2011-2526)

Red Hat would like to thank oCERT for reporting CVE-2011-4858, and the Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges Julian Walde and Alexander Klink as the original reporters of CVE-2011-4858.

Updated tomcat5 packages that fix multiple security issues and two bugs are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime (APR) support for Tomcat. References in this text to APR refer to the Tomcat Native implementation, not any other apr package.

This update includes bug fixes as documented in JBPAPP-4873 and JBPAPP-6133. It also resolves the following security issues :

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause Tomcat to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters processed per request to mitigate this issue.
The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

It was found that Tomcat did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make Tomcat use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values.
This update introduces limits on the number of parameters and headers processed per request to address this issue. Refer to the CVE-2011-4858 description for information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP NIO connector is used by default in JBoss Enterprise Web Server. (CVE-2011-2526)

Red Hat would like to thank oCERT for reporting CVE-2011-4858, and the Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges Julian Walde and Alexander Klink as the original reporters of CVE-2011-4858.

Users of Tomcat should upgrade to these updated packages, which resolve these issues. Tomcat must be restarted for this update to take effect.

Specially crafted AJP messages could be used bypass authentication (CVE-2011-3190).

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

From Red Hat Security Advisory 2011:1780 :

Updated tomcat6 packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

APR (Apache Portable Runtime) as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions does not refer to APR provided by the apr packages. It refers to the implementation of APR provided by the Tomcat Native library, which provides support for using APR with Tomcat. This library is not shipped with Red Hat Enterprise Linux 6.
This update includes fixes for users who have elected to use APR with Tomcat by taking the Tomcat Native library from a different product.
Such a configuration is not supported by Red Hat, however.

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6. (CVE-2011-2526)

Red Hat would like to thank the Apache Tomcat project for reporting the CVE-2011-2526 issue.

This update also fixes the following bug :

* Previously, in certain cases, if 'LANG=fr_FR' or 'LANG=fr_FR.UTF-8' was set as an environment variable or in '/etc/sysconfig/tomcat6' on 64-bit PowerPC systems, Tomcat may have failed to start correctly.
With this update, Tomcat works as expected when LANG is set to 'fr_FR' or 'fr_FR.UTF-8'. (BZ#748807)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

The version of VMware vCenter Server installed on the remote host is 4.0 before Update 4a, 4.1 before Update 3, or 5.0 before Update 1.  As such it is potentially affected by multiple vulnerabilities in the embedded Apache Tomcat server and the Oracle (Sun) Java Runtime Environment.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

APR (Apache Portable Runtime) as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions does not refer to APR provided by the apr packages. It refers to the implementation of APR provided by the Tomcat Native library, which provides support for using APR with Tomcat. This library is not shipped with Scientific Linux 6. This update includes fixes for users who have elected to use APR with Tomcat by taking the Tomcat Native library from a different product.

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Scientific Linux 6. (CVE-2011-2526)

This update also fixes the following bug :

  - Previously, in certain cases, if 'LANG=fr_FR' or     'LANG=fr_FR.UTF-8' was set as an environment variable or     in '/etc/sysconfig/tomcat6' on 64-bit PowerPC systems,     Tomcat may have failed to start correctly. With this     update, Tomcat works as expected when LANG is set to     'fr_FR' or 'fr_FR.UTF-8'.

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

The remote host is affected by the vulnerability described in GLSA-201206-24 (Apache Tomcat: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache Tomcat. Please       review the CVE identifiers referenced below for details.
  Impact :

    The vulnerabilities allow an attacker to cause a Denial of Service, to       hijack a session, to bypass authentication, to inject webscript, to       enumerate valid usernames, to read, modify and overwrite arbitrary files,       to bypass intended access restrictions, to delete work-directory files,       to discover the server&rsquo;s hostname or IP, to bypass read permissions for       files or HTTP headers, to read or write files outside of the intended       working directory, and to obtain sensitive information by reading a log       file.
  Workaround :

    There is no known workaround at this time.

a. VMware Tools Display Driver Privilege Escalation

 The VMware XPDM and WDDM display drivers contain buffer overflow  vulnerabilities and the XPDM display driver does not properly  check for NULL pointers. Exploitation of these issues may lead  to local privilege escalation on Windows-based Guest Operating  Systems.

 VMware would like to thank Tarjei Mandt for reporting theses  issues to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the names CVE-2012-1509 (XPDM buffer overrun),  CVE-2012-1510 (WDDM buffer overrun) and CVE-2012-1508 (XPDM null  pointer dereference) to these issues.

 Note: CVE-2012-1509 doesn't affect ESXi and ESX.

b. vSphere Client internal browser input validation vulnerability

 The vSphere Client has an internal browser that renders html  pages from log file entries. This browser doesn't properly  sanitize input and may run script that is introduced into the  log files. In order for the script to run, the user would need  to open an individual, malicious log file entry. The script  would run with the permissions of the user that runs the vSphere  Client.

 VMware would like to thank Edward Torkington for reporting this  issue to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2012-1512 to this issue.

 In order to remediate the issue, the vSphere Client of the  vSphere 5.0 Update 1 release or the vSphere 4.1 Update 2 release  needs to be installed. The vSphere Clients that come with  vSphere 4.0 and vCenter Server 2.5 are not affected.

c. vCenter Orchestrator Password Disclosure

 The vCenter Orchestrator (vCO) Web Configuration tool reflects  back the vCenter Server password as part of the webpage. This  might allow the logged-in vCO administrator to retrieve the  vCenter Server password.

 VMware would like to thank Alexey Sintsov from Digital Security  Research Group for reporting this issue to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2012-1513 to this issue.

d. vShield Manager Cross-Site Request Forgery vulnerability

 The vShield Manager (vSM) interface has a Cross-Site Request  Forgery vulnerability. If an attacker can convince an  authenticated user to visit a malicious link, the attacker may  force the victim to forward an authenticated request to the  server.

 VMware would like to thank Frans Pehrson of Xxor AB  (www.xxor.se<http://www.xxor.se>) and Claudio Criscione for independently reporting  this issue to us

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2012-1514 to this issue.

e. vCenter Update Manager, Oracle (Sun) JRE update 1.6.0_30

 Oracle (Sun) JRE is updated to version 1.6.0_30, which addresses  multiple security issues that existed in earlier releases of  Oracle (Sun) JRE.

 Oracle has documented the CVE identifiers that are addressed in  JRE 1.6.0_29 and JRE 1.6.0_30 in the Oracle Java SE Critical  Patch Update Advisory of October 2011. The References section  provides a link to this advisory.

f. vCenter Server Apache Tomcat update 6.0.35

 Apache Tomcat has been updated to version 6.0.35 to address  multiple security issues.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the names CVE-2011-3190, CVE-2011-3375,  CVE-2011-4858, and CVE-2012-0022 to these issues.


g. ESXi update to third-party component bzip2

 The bzip2 library is updated to version 1.0.6, which resolves a  security issue.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2010-0405 to this issue.

Versions of Apache Tomcat 6.0.35 are potentially affected by multiple vulnerabilities :

  - Specially crafted requests are incorrectly processed by Tomcat and can cause the server to allow injection of arbitrary AJP messages.  This can lead to authentication bypass and disclosure of sensitive information.  Note this vulnerability only occurs when the following are true (CVE-2011-3190):

    - the org.apache.jk.server.JkCoyoteHandler AJP connector is not used.
    - POST requests are accepted.
    - Large numbers of crafted form parameters can cause excessive CPU consumption due to hash collisions. (CVE-2011-4858, CVE-2012-0022)
IAVB Reference : 2012-B-0035
STIG Finding Severity : Category I

According to its self-reported version number, the instance of Apache Tomcat 6.x listening on the remote host is prior to 6.0.35. It is, therefore, affected by multiple vulnerabilities:

 - Specially crafted requests are incorrectly processed by Tomcat and can cause the server to allow injection of arbitrary AJP messages. This can lead to authentication bypass and disclosure of sensitive information. (CVE-2011-3190)

 - An information disclosure vulnerability exists. Request information is cached in two objects and these objects are not recycled at the same time. Further requests can obtain sensitive information if certain error conditions occur. (CVE-2011-3375)

 - Large numbers of crafted form parameters can cause excessive CPU consumption due to hash collisions. (CVE-2011-4858, CVE-2012-0022)

Note that Nessus Network Monitor has not tested for these issues but has instead relied only on the application's self-reported version number.

Several vulnerabilities have been found in Tomcat, a servlet and JSP engine :

  - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064     The HTTP Digest Access Authentication implementation     performed insufficient countermeasures against replay     attacks.

  - CVE-2011-2204     In rare setups passwords were written into a logfile.

  - CVE-2011-2526     Missing input sanitising in the HTTP APR or HTTP NIO     connectors could lead to denial of service.

  - CVE-2011-3190     AJP requests could be spoofed in some setups.

  - CVE-2011-3375     Incorrect request caching could lead to information     disclosure.

  - CVE-2011-4858 CVE-2012-0022     This update adds countermeasures against a collision     denial of service vulnerability in the Java hashtable     implementation and addresses denial of service     potentials when processing large amounts of requests.

Additional information can be found at

Updated tomcat6 packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

APR (Apache Portable Runtime) as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions does not refer to APR provided by the apr packages. It refers to the implementation of APR provided by the Tomcat Native library, which provides support for using APR with Tomcat. This library is not shipped with Red Hat Enterprise Linux 6.
This update includes fixes for users who have elected to use APR with Tomcat by taking the Tomcat Native library from a different product.
Such a configuration is not supported by Red Hat, however.

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6. (CVE-2011-2526)

Red Hat would like to thank the Apache Tomcat project for reporting the CVE-2011-2526 issue.

This update also fixes the following bug :

* Previously, in certain cases, if 'LANG=fr_FR' or 'LANG=fr_FR.UTF-8' was set as an environment variable or in '/etc/sysconfig/tomcat6' on 64-bit PowerPC systems, Tomcat may have failed to start correctly.
With this update, Tomcat works as expected when LANG is set to 'fr_FR' or 'fr_FR.UTF-8'. (BZ#748807)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

The following bug has been fixed :

  - Specially crafted AJP messages could have been used to     bypass authentication. (CVE-2011-3190)

According to its self-reported version number, the instance of Apache Tomcat 6.x listening on the remote host is prior to 6.0.35. It is, therefore, affected by multiple vulnerabilities :

  - Specially crafted requests are incorrectly processed     by Tomcat and can cause the server to allow injection     of arbitrary AJP messages. This can lead to     authentication bypass and disclosure of sensitive     information. (CVE-2011-3190)

  - An information disclosure vulnerability exists. Request     information is cached in two objects and these objects     are not recycled at the same time. Further requests can     obtain sensitive information if certain error conditions     occur. (CVE-2011-3375)

  - Large numbers of crafted form parameters can cause     excessive CPU consumption due to hash collisions.
    (CVE-2011-4858, CVE-2012-0022)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It was discovered that Tomcat incorrectly implemented HTTP DIGEST authentication. An attacker could use this flaw to perform a variety of authentication attacks. (CVE-2011-1184)

Polina Genova discovered that Tomcat incorrectly created log entries with passwords when encountering errors during JMX user creation. A local attacker could possibly use this flaw to obtain sensitive information. This issue only affected Ubuntu 10.04 LTS, 10.10 and 11.04. (CVE-2011-2204)

It was discovered that Tomcat incorrectly validated certain request attributes when sendfile is enabled. A local attacker could bypass intended restrictions, or cause the JVM to crash, resulting in a denial of service. (CVE-2011-2526)

It was discovered that Tomcat incorrectly handled certain AJP requests. A remote attacker could use this flaw to spoof requests, bypass authentication, and obtain sensitive information. This issue only affected Ubuntu 10.04 LTS, 10.10 and 11.04. (CVE-2011-3190).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Fixes for: CVE-2011-3190 - authentication bypass and information disclosure CVE-2011-2526 - send file validation CVE-2011-2204 - password disclosure vulnerability JAVA_HOME setting in tomcat6.conf

CVE-2011-0534, CVE-2011-0013, CVE-2010-3718

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities has been discovered and corrected in tomcat 5.5.x :

The implementation of HTTP DIGEST authentication in tomcat was discovered to have several weaknesses (CVE-2011-1184).

Apache Tomcat, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file (CVE-2011-2204).

Apache Tomcat, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application (CVE-2011-2526).

Certain AJP protocol connector implementations in Apache Tomcat allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request (CVE-2011-3190).

The updated packages have been patched to correct these issues.

According to its self-reported version number, the instance of Apache Tomcat 5.5.x listening on the remote host is prior to 5.5.34. It is, there, affected by multiple vulnerabilities :

  - Several weaknesses were found in the HTTP Digest     authentication implementation. The issues are as     follows: replay attacks are possible, server nonces     are not checked, client nonce counts are not checked,     'quality of protection' (qop) values are not checked,     realm values are not checked and the server secret is     a hard-coded, known string. The effect of these issues     is that Digest authentication is no stronger than Basic     authentication. (CVE-2011-1184, CVE-2011-5062,     CVE-2011-5063, CVE-2011-5064)

  - An error handling issue exists related to the     MemoryUserDatabase that allows user passwords to be     disclosed through log files. (CVE-2011-2204)

  - An input validation error exists that allows a local     attacker to either bypass security or carry out denial     of service attacks when the APR or NIO connectors are     enabled. (CVE-2011-2526)

  - A component that Apache Tomcat relies on called 'jsvc'     contains an error in that it does not drop capabilities     after starting and can allow access to sensitive files     owned by the super user. Note this vulnerability only     affects Linux operating systems and only when 'jsvc' is     compiled with libpcap and the '-user' parameter is     used. (CVE-2011-2729)

  - Specially crafted requests are incorrectly processed by     Tomcat and can cause the server to allow injection of     arbitrary AJP messages. This can lead to authentication     bypass and disclosure of sensitive information. Note     this vulnerability only occurs when the     org.apache.jk.server.JkCoyoteHandler AJP connector is     not used, POST requests are accepted, and the request     body is not processed.(CVE-2011-3190)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Apache Tomcat 7.x listening on the remote host is prior to 7.0.21. It is, therefore, affected by a vulnerability that allows an attacker to have control over AJP messages.

Specially crafted requests are incorrectly processed by Tomcat and can cause the server to allow injection of arbitrary AJP messages. This can lead to an authentication bypass and the disclosure of sensitive information.

Note that this vulnerability only occurs when the following are true :

  - the org.apache.jk.server.JkCoyoteHandler AJP connector     is not used.

  - POST requests are accepted.

  - the request body is not processed.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
89106	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0005) (BEAST) (remote check)	Nessus	Misc.	critical
78925	RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0682)	Nessus	Red Hat Local Security Checks	high
78924	RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0680)	Nessus	Red Hat Local Security Checks	high
76035	openSUSE Security Update : tomcat6 (openSUSE-SU-2011:1134-1)	Nessus	SuSE Local Security Checks	high
75763	openSUSE Security Update : tomcat6 (openSUSE-SU-2011:1134-1)	Nessus	SuSE Local Security Checks	high
69584	Amazon Linux AMI : tomcat6 (ALAS-2011-25)	Nessus	Amazon Linux Local Security Checks	high
68399	Oracle Linux 6 : tomcat6 (ELSA-2011-1780)	Nessus	Oracle Linux Local Security Checks	high
66812	VMware vCenter Server Multiple Vulnerabilities (VMSA-2012-0005)	Nessus	Misc.	high
61184	Scientific Linux Security Update : tomcat6 on SL6.x	Nessus	Scientific Linux Local Security Checks	high
59677	GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
58362	VMSA-2012-0005 : VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi, and ESX address several security issues	Nessus	VMware ESX Local Security Checks	critical
800607	Apache Tomcat 6.0.x < 6.0.35 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
6332	Apache Tomcat 6.0.x < 6.0.35 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	high
57812	Debian DSA-2401-1 : tomcat6 - several vulnerabilities	Nessus	Debian Local Security Checks	high
57374	CentOS 6 : tomcat6 (CESA-2011:1780)	Nessus	CentOS Local Security Checks	high
57256	SuSE 10 Security Update : tomcat5 (ZYPP Patch Number 7756)	Nessus	SuSE Local Security Checks	high
57080	Apache Tomcat 6.x < 6.0.35 Multiple Vulnerabilities	Nessus	Web Servers	high
57023	RHEL 6 : tomcat6 (RHSA-2011:1780)	Nessus	Red Hat Local Security Checks	high
56746	Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : tomcat6 vulnerabilities (USN-1252-1)	Nessus	Ubuntu Local Security Checks	high
56616	SuSE 10 Security Update : tomcat5 (ZYPP Patch Number 7755)	Nessus	SuSE Local Security Checks	high
56573	Fedora 14 : tomcat6-6.0.26-27.fc14 (2011-13457)	Nessus	Fedora Local Security Checks	high
56551	Mandriva Linux Security Advisory : tomcat5 (MDVSA-2011:156)	Nessus	Mandriva Local Security Checks	high
56301	Apache Tomcat 5.5.x < 5.5.34 Multiple Vulnerabilities	Nessus	Web Servers	high
56070	Apache Tomcat 7.x < 7.0.21 Arbitrary AJP Message Control	Nessus	Web Servers	high

Detections

Analytics

CVE-2011-3190

high

Tenable Plugins

critical

high

high

high

high

high

high

high

high

medium

critical

high

high

high

high

high

high

high

high

high

high

high

high

high