Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components :

  - Apache Tomcat
  - bzip2 library
  - JRE
  - WDDM display driver
  - XPDM display driver

The remote Solaris system is missing necessary patches to address security updates :

  - Apache Tomcat 6.0.30 through 6.0.33 and 7.x before     7.0.22 does not properly perform certain caching and     recycling operations involving request objects, which     allows remote attackers to obtain unintended read access     to IP address and HTTP header information in     opportunistic circumstances by reading TCP data.
    (CVE-2011-3375)

Updated tomcat6 packages that fix multiple security issues and three bugs are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container.

JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime (APR) support for Tomcat. References in this text to APR refer to the Tomcat Native implementation, not any other apr package.

This update fixes the JBPAPP-4873, JBPAPP-6133, and JBPAPP-6852 bugs.
It also resolves the following security issues :

Multiple flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw in the way Tomcat recycled objects that contain data from user requests (such as IP addresses and HTTP headers) when certain errors occurred. If a user sent a request that caused an error to be logged, Tomcat would return a reply to the next request (which could be sent by a different user) with data from the first user's request, leading to information disclosure. Under certain conditions, a remote attacker could leverage this flaw to hijack sessions. (CVE-2011-3375)

The Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause Tomcat to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

Tomcat did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make Tomcat use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values. This update introduces limits on the number of parameters and headers processed per request to address this issue. Refer to the CVE-2011-4858 description for information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

A flaw in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP NIO connector is used by default in JBoss Enterprise Web Server. (CVE-2011-2526)

Red Hat would like to thank oCERT for reporting CVE-2011-4858, and the Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges Julian Walde and Alexander Klink as the original reporters of CVE-2011-4858.

Tomcat was vulnerable to a hash collision attack which allowed remote attackers to mount DoS attacks.

The version of VMware vCenter Server installed on the remote host is 4.0 before Update 4a, 4.1 before Update 3, or 5.0 before Update 1.  As such it is potentially affected by multiple vulnerabilities in the embedded Apache Tomcat server and the Oracle (Sun) Java Runtime Environment.

The remote host is affected by the vulnerability described in GLSA-201206-24 (Apache Tomcat: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache Tomcat. Please       review the CVE identifiers referenced below for details.
  Impact :

    The vulnerabilities allow an attacker to cause a Denial of Service, to       hijack a session, to bypass authentication, to inject webscript, to       enumerate valid usernames, to read, modify and overwrite arbitrary files,       to bypass intended access restrictions, to delete work-directory files,       to discover the server&rsquo;s hostname or IP, to bypass read permissions for       files or HTTP headers, to read or write files outside of the intended       working directory, and to obtain sensitive information by reading a log       file.
  Workaround :

    There is no known workaround at this time.

a. VMware Tools Display Driver Privilege Escalation

 The VMware XPDM and WDDM display drivers contain buffer overflow  vulnerabilities and the XPDM display driver does not properly  check for NULL pointers. Exploitation of these issues may lead  to local privilege escalation on Windows-based Guest Operating  Systems.

 VMware would like to thank Tarjei Mandt for reporting theses  issues to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the names CVE-2012-1509 (XPDM buffer overrun),  CVE-2012-1510 (WDDM buffer overrun) and CVE-2012-1508 (XPDM null  pointer dereference) to these issues.

 Note: CVE-2012-1509 doesn't affect ESXi and ESX.

b. vSphere Client internal browser input validation vulnerability

 The vSphere Client has an internal browser that renders html  pages from log file entries. This browser doesn't properly  sanitize input and may run script that is introduced into the  log files. In order for the script to run, the user would need  to open an individual, malicious log file entry. The script  would run with the permissions of the user that runs the vSphere  Client.

 VMware would like to thank Edward Torkington for reporting this  issue to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2012-1512 to this issue.

 In order to remediate the issue, the vSphere Client of the  vSphere 5.0 Update 1 release or the vSphere 4.1 Update 2 release  needs to be installed. The vSphere Clients that come with  vSphere 4.0 and vCenter Server 2.5 are not affected.

c. vCenter Orchestrator Password Disclosure

 The vCenter Orchestrator (vCO) Web Configuration tool reflects  back the vCenter Server password as part of the webpage. This  might allow the logged-in vCO administrator to retrieve the  vCenter Server password.

 VMware would like to thank Alexey Sintsov from Digital Security  Research Group for reporting this issue to us.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2012-1513 to this issue.

d. vShield Manager Cross-Site Request Forgery vulnerability

 The vShield Manager (vSM) interface has a Cross-Site Request  Forgery vulnerability. If an attacker can convince an  authenticated user to visit a malicious link, the attacker may  force the victim to forward an authenticated request to the  server.

 VMware would like to thank Frans Pehrson of Xxor AB  (www.xxor.se<http://www.xxor.se>) and Claudio Criscione for independently reporting  this issue to us

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2012-1514 to this issue.

e. vCenter Update Manager, Oracle (Sun) JRE update 1.6.0_30

 Oracle (Sun) JRE is updated to version 1.6.0_30, which addresses  multiple security issues that existed in earlier releases of  Oracle (Sun) JRE.

 Oracle has documented the CVE identifiers that are addressed in  JRE 1.6.0_29 and JRE 1.6.0_30 in the Oracle Java SE Critical  Patch Update Advisory of October 2011. The References section  provides a link to this advisory.

f. vCenter Server Apache Tomcat update 6.0.35

 Apache Tomcat has been updated to version 6.0.35 to address  multiple security issues.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the names CVE-2011-3190, CVE-2011-3375,  CVE-2011-4858, and CVE-2012-0022 to these issues.


g. ESXi update to third-party component bzip2

 The bzip2 library is updated to version 1.0.6, which resolves a  security issue.

 The Common Vulnerabilities and Exposures project (cve.mitre.org)  has assigned the name CVE-2010-0405 to this issue.

Versions of Apache Tomcat 6.0.35 are potentially affected by multiple vulnerabilities :

  - Specially crafted requests are incorrectly processed by Tomcat and can cause the server to allow injection of arbitrary AJP messages.  This can lead to authentication bypass and disclosure of sensitive information.  Note this vulnerability only occurs when the following are true (CVE-2011-3190):

    - the org.apache.jk.server.JkCoyoteHandler AJP connector is not used.
    - POST requests are accepted.
    - Large numbers of crafted form parameters can cause excessive CPU consumption due to hash collisions. (CVE-2011-4858, CVE-2012-0022)
IAVB Reference : 2012-B-0035
STIG Finding Severity : Category I

Versions of Tomcat 7.0.x earlier than 7.0.22 are potentially affected by multiple vulnerabilities:

  - An information disclosure vulnerability exists.  Request information is cached in two objects and these objects are not recycled at the same time.  Further requests can obtain sensitive information if certain error conditions occur. (CVE-2011-3375)

  - The web server is not properly restricting access to the servlets that provide the functionality of the Manager application.  This can allow untrusted web applications to access privileged internal functionality such as gathering information on running web applications and deploying additional web applications. (CVE-2011-3376)
IAVB Reference : 2012-B-0035
STIG Finding Severity : Category I

According to its self-reported version number, the instance of Apache Tomcat 7.x listening on the remote host is prior to 7.0.22. It is, therefore, affected by multiple vulnerabilities:

 - An information disclosure vulnerability exists. Request information is cached in two objects, and these objects are not recycled at the same time. Further requests can obtain sensitive information if certain error conditions occur. (CVE-2011-3375)

 - The web server is not properly restricting access to the servlets that provide the functionality of the Manager application. This can allow untrusted web applications to access privileged internal functionality such as gathering information on running web applications and deploying additional web applications. (CVE-2011-3376)

Note that Nessus Network Monitor has not tested for these issues but has instead relied only on the application's self-reported version number.

It was discovered that Tomcat incorrectly performed certain caching and recycling operations. A remote attacker could use this flaw to obtain read access to IP address and HTTP header information in certain cases. This issue only applied to Ubuntu 11.10.
(CVE-2011-3375)

It was discovered that Tomcat computed hash values for form parameters without restricting the ability to trigger hash collisions predictably. A remote attacker could cause a denial of service by sending many crafted parameters. (CVE-2011-4858)

It was discovered that Tomcat incorrectly handled parameters. A remote attacker could cause a denial of service by sending requests with a large number of parameters and values. (CVE-2012-0022).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been found in Tomcat, a servlet and JSP engine :

  - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064     The HTTP Digest Access Authentication implementation     performed insufficient countermeasures against replay     attacks.

  - CVE-2011-2204     In rare setups passwords were written into a logfile.

  - CVE-2011-2526     Missing input sanitising in the HTTP APR or HTTP NIO     connectors could lead to denial of service.

  - CVE-2011-3190     AJP requests could be spoofed in some setups.

  - CVE-2011-3375     Incorrect request caching could lead to information     disclosure.

  - CVE-2011-4858 CVE-2012-0022     This update adds countermeasures against a collision     denial of service vulnerability in the Java hashtable     implementation and addresses denial of service     potentials when processing large amounts of requests.

Additional information can be found at

According to its self-reported version number, the instance of Apache Tomcat 7.x listening on the remote host is prior to 7.0.22. It is, therefore, affected by multiple vulnerabilities :

  - An information disclosure vulnerability exists. Request     information is cached in two objects, and these objects     are not recycled at the same time. Further requests can     obtain sensitive information if certain error conditions     occur. (CVE-2011-3375)

  - The web server is not properly restricting access to     the servlets that provide the functionality of the     Manager application. This can allow untrusted web     applications to access privileged internal functionality     such as gathering information on running web     applications and deploying additional web applications.
    (CVE-2011-3376)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Apache Tomcat 6.x listening on the remote host is prior to 6.0.35. It is, therefore, affected by multiple vulnerabilities :

  - Specially crafted requests are incorrectly processed     by Tomcat and can cause the server to allow injection     of arbitrary AJP messages. This can lead to     authentication bypass and disclosure of sensitive     information. (CVE-2011-3190)

  - An information disclosure vulnerability exists. Request     information is cached in two objects and these objects     are not recycled at the same time. Further requests can     obtain sensitive information if certain error conditions     occur. (CVE-2011-3375)

  - Large numbers of crafted form parameters can cause     excessive CPU consumption due to hash collisions.
    (CVE-2011-4858, CVE-2012-0022)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
89106	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0005) (BEAST) (remote check)	Nessus	Misc.	critical
80789	Oracle Solaris Third-Party Patch Update : tomcat (cve_2011_3375_information_disclosure)	Nessus	Solaris Local Security Checks	medium
78925	RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0682)	Nessus	Red Hat Local Security Checks	high
74554	openSUSE Security Update : tomcat6 (openSUSE-2012-129)	Nessus	SuSE Local Security Checks	medium
66812	VMware vCenter Server Multiple Vulnerabilities (VMSA-2012-0005)	Nessus	Misc.	high
59677	GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
58362	VMSA-2012-0005 : VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi, and ESX address several security issues	Nessus	VMware ESX Local Security Checks	critical
800607	Apache Tomcat 6.0.x < 6.0.35 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	high
800605	Apache Tomcat 7.0.x < 7.0.22 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium
6333	Apache Tomcat 7.0.x < 7.0.22 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
57933	Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : tomcat6 vulnerabilities (USN-1359-1)	Nessus	Ubuntu Local Security Checks	medium
57812	Debian DSA-2401-1 : tomcat6 - several vulnerabilities	Nessus	Debian Local Security Checks	high
57082	Apache Tomcat 7.x < 7.0.22 Multiple Vulnerabilities	Nessus	Web Servers	medium
57080	Apache Tomcat 6.x < 6.0.35 Multiple Vulnerabilities	Nessus	Web Servers	high

Detections

Analytics

CVE-2011-3375

medium

Tenable Plugins

critical

medium

high

medium

high

medium

critical

high

medium

medium

medium

high

medium

high