The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

Updated tomcat6 packages that fix multiple security issues and three bugs are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container.

JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime (APR) support for Tomcat. References in this text to APR refer to the Tomcat Native implementation, not any other apr package.

This update fixes the JBPAPP-4873, JBPAPP-6133, and JBPAPP-6852 bugs.
It also resolves the following security issues :

Multiple flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw in the way Tomcat recycled objects that contain data from user requests (such as IP addresses and HTTP headers) when certain errors occurred. If a user sent a request that caused an error to be logged, Tomcat would return a reply to the next request (which could be sent by a different user) with data from the first user's request, leading to information disclosure. Under certain conditions, a remote attacker could leverage this flaw to hijack sessions. (CVE-2011-3375)

The Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause Tomcat to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

Tomcat did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make Tomcat use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values. This update introduces limits on the number of parameters and headers processed per request to address this issue. Refer to the CVE-2011-4858 description for information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

A flaw in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP NIO connector is used by default in JBoss Enterprise Web Server. (CVE-2011-2526)

Red Hat would like to thank oCERT for reporting CVE-2011-4858, and the Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges Julian Walde and Alexander Klink as the original reporters of CVE-2011-4858.

Updated tomcat5 packages that fix multiple security issues and two bugs are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime (APR) support for Tomcat. References in this text to APR refer to the Tomcat Native implementation, not any other apr package.

This update includes bug fixes as documented in JBPAPP-4873 and JBPAPP-6133. It also resolves the following security issues :

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause Tomcat to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters processed per request to mitigate this issue.
The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

It was found that Tomcat did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make Tomcat use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values.
This update introduces limits on the number of parameters and headers processed per request to address this issue. Refer to the CVE-2011-4858 description for information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP NIO connector is used by default in JBoss Enterprise Web Server. (CVE-2011-2526)

Red Hat would like to thank oCERT for reporting CVE-2011-4858, and the Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges Julian Walde and Alexander Klink as the original reporters of CVE-2011-4858.

Users of Tomcat should upgrade to these updated packages, which resolve these issues. Tomcat must be restarted for this update to take effect.

This update fixes a regression in parameter passing (in urldecoding of parameters that contain spaces).

In addition, multiple weaknesses in HTTP DIGESTS are fixed (CVE-2011-1184).

CVE-2011-5062: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33 and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

CVE-2011-5063: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

CVE-2011-5064: DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

From Red Hat Security Advisory 2011:1845 :

Updated tomcat5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that web applications could modify the location of the Tomcat host's work directory. As web applications deployed on Tomcat have read and write access to this directory, a malicious web application could use this flaw to trick Tomcat into giving it read and write access to an arbitrary directory on the file system.
(CVE-2010-3718)

A cross-site scripting (XSS) flaw was found in the Manager application, used for managing web applications on Apache Tomcat. A malicious web application could use this flaw to conduct an XSS attack, leading to arbitrary web script execution with the privileges of victims who are logged into and viewing Manager application web pages. (CVE-2011-0013)

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

From Red Hat Security Advisory 2011:1780 :

Updated tomcat6 packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

APR (Apache Portable Runtime) as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions does not refer to APR provided by the apr packages. It refers to the implementation of APR provided by the Tomcat Native library, which provides support for using APR with Tomcat. This library is not shipped with Red Hat Enterprise Linux 6.
This update includes fixes for users who have elected to use APR with Tomcat by taking the Tomcat Native library from a different product.
Such a configuration is not supported by Red Hat, however.

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6. (CVE-2011-2526)

Red Hat would like to thank the Apache Tomcat project for reporting the CVE-2011-2526 issue.

This update also fixes the following bug :

* Previously, in certain cases, if 'LANG=fr_FR' or 'LANG=fr_FR.UTF-8' was set as an environment variable or in '/etc/sysconfig/tomcat6' on 64-bit PowerPC systems, Tomcat may have failed to start correctly.
With this update, Tomcat works as expected when LANG is set to 'fr_FR' or 'fr_FR.UTF-8'. (BZ#748807)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

Updated jbossweb packages that fix multiple security issues are now available for JBoss Enterprise Application Platform 5.1.2 for Red Hat Enterprise Linux 4, 5, and 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

JBoss Web is the web container, based on Apache Tomcat, in JBoss Enterprise Application Platform. It provides a single deployment platform for the JavaServer Pages (JSP) and Java Servlet technologies.

A flaw was found in the way JBoss Web handled UTF-8 surrogate pair characters. If JBoss Web was hosting an application with UTF-8 character encoding enabled, or that included user-supplied UTF-8 strings in a response, a remote attacker could use this flaw to cause a denial of service (infinite loop) on the JBoss Web server.
(CVE-2011-4610)

It was found that the Java hashCode() method implementation was susceptible to predictable hash collisions. A remote attacker could use this flaw to cause JBoss Web to use an excessive amount of CPU time by sending an HTTP request with a large number of parameters whose names map to the same hash value. This update introduces a limit on the number of parameters and headers processed per request to mitigate this issue. The default limit is 512 for parameters and 128 for headers. These defaults can be changed by setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties in 'jboss-as/server/[PROFILE]/deploy/properties-service.xml'.
(CVE-2011-4858)

It was found that JBoss Web did not handle large numbers of parameters and large parameter values efficiently. A remote attacker could make a JBoss Web server use an excessive amount of CPU time by sending an HTTP request containing a large number of parameters or large parameter values. This update introduces limits on the number of parameters and headers processed per request to address this issue.
Refer to the CVE-2011-4858 description for information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

Multiple flaws were found in the way JBoss Web handled HTTP DIGEST authentication. These flaws weakened the JBoss Web HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)

A flaw was found in the way JBoss Web handled sendfile request attributes when using the HTTP APR (Apache Portable Runtime) or NIO (Non-Blocking I/O) connector. A malicious web application running on a JBoss Web instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM).
(CVE-2011-2526)

Red Hat would like to thank NTT OSSC for reporting CVE-2011-4610;
oCERT for reporting CVE-2011-4858; and the Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges Julian Walde and Alexander Klink as the original reporters of CVE-2011-4858.

Warning: Before applying this update, back up your JBoss Enterprise Application Platform's 'jboss-as/server/[PROFILE]/deploy/' directory, along with all other customized configuration files.

Users of JBoss Enterprise Application Platform 5.1.2 on Red Hat Enterprise Linux 4, 5, and 6 should upgrade to these updated packages, which correct these issues. The JBoss server process must be restarted for this update to take effect.

The remote host is affected by the vulnerability described in GLSA-201206-24 (Apache Tomcat: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache Tomcat. Please       review the CVE identifiers referenced below for details.
  Impact :

    The vulnerabilities allow an attacker to cause a Denial of Service, to       hijack a session, to bypass authentication, to inject webscript, to       enumerate valid usernames, to read, modify and overwrite arbitrary files,       to bypass intended access restrictions, to delete work-directory files,       to discover the server&rsquo;s hostname or IP, to bypass read permissions for       files or HTTP headers, to read or write files outside of the intended       working directory, and to obtain sensitive information by reading a log       file.
  Workaround :

    There is no known workaround at this time.

This update fixes a regression in parameter passing (in urldecoding of parameters that contain spaces).

In addition, multiple weaknesses in HTTP DIGESTS have been fixed (CVE-2011-1184) :

  - The HTTP Digest Access Authentication implementation in     Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33 and     7.x before 7.0.12 does not check qop values, which might     allow remote attackers to bypass intended     integrity-protection requirements via a qop=auth value,     a different vulnerability than CVE-2011-1184.
    (CVE-2011-5062)

  - The HTTP Digest Access Authentication implementation in     Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33,     and 7.x before 7.0.12 does not check realm values, which     might allow remote attackers to bypass intended access     restrictions by leveraging the availability of a     protection space with weaker authentication or     authorization requirements, a different vulnerability     than CVE-2011-1184. (CVE-2011-5063)

  - DigestAuthenticator.java in the HTTP Digest Access     Authentication implementation in Apache Tomcat 5.5.x     before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12     uses Catalina as the hard-coded server secret (aka     private key), which makes it easier for remote attackers     to bypass cryptographic protection mechanisms by     leveraging knowledge of this string, a different     vulnerability than CVE-2011-1184. (CVE-2011-5064)

Several vulnerabilities have been found in Tomcat, a servlet and JSP engine :

  - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064     The HTTP Digest Access Authentication implementation     performed insufficient countermeasures against replay     attacks.

  - CVE-2011-2204     In rare setups passwords were written into a logfile.

  - CVE-2011-2526     Missing input sanitising in the HTTP APR or HTTP NIO     connectors could lead to denial of service.

  - CVE-2011-3190     AJP requests could be spoofed in some setups.

  - CVE-2011-3375     Incorrect request caching could lead to information     disclosure.

  - CVE-2011-4858 CVE-2012-0022     This update adds countermeasures against a collision     denial of service vulnerability in the Java hashtable     implementation and addresses denial of service     potentials when processing large amounts of requests.

Additional information can be found at

Updated tomcat6 packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

APR (Apache Portable Runtime) as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions does not refer to APR provided by the apr packages. It refers to the implementation of APR provided by the Tomcat Native library, which provides support for using APR with Tomcat. This library is not shipped with Red Hat Enterprise Linux 6.
This update includes fixes for users who have elected to use APR with Tomcat by taking the Tomcat Native library from a different product.
Such a configuration is not supported by Red Hat, however.

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6. (CVE-2011-2526)

Red Hat would like to thank the Apache Tomcat project for reporting the CVE-2011-2526 issue.

This update also fixes the following bug :

* Previously, in certain cases, if 'LANG=fr_FR' or 'LANG=fr_FR.UTF-8' was set as an environment variable or in '/etc/sysconfig/tomcat6' on 64-bit PowerPC systems, Tomcat may have failed to start correctly.
With this update, Tomcat works as expected when LANG is set to 'fr_FR' or 'fr_FR.UTF-8'. (BZ#748807)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:1845 advisory.

  - tomcat: file permission bypass flaw (CVE-2010-3718)

  - tomcat: XSS vulnerability in HTML Manager interface (CVE-2011-0013)

  - tomcat: Multiple weaknesses in HTTP DIGEST authentication (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063,     CVE-2011-5064)

  - tomcat: password disclosure vulnerability (CVE-2011-2204)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated tomcat5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that web applications could modify the location of the Tomcat host's work directory. As web applications deployed on Tomcat have read and write access to this directory, a malicious web application could use this flaw to trick Tomcat into giving it read and write access to an arbitrary directory on the file system.
(CVE-2010-3718)

A cross-site scripting (XSS) flaw was found in the Manager application, used for managing web applications on Apache Tomcat. A malicious web application could use this flaw to conduct an XSS attack, leading to arbitrary web script execution with the privileges of victims who are logged into and viewing Manager application web pages. (CVE-2011-0013)

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

According to its self-reported version number, the instance of Apache Tomcat 5.5.x listening on the remote host is prior to 5.5.34. It is, there, affected by multiple vulnerabilities :

  - Several weaknesses were found in the HTTP Digest     authentication implementation. The issues are as     follows: replay attacks are possible, server nonces     are not checked, client nonce counts are not checked,     'quality of protection' (qop) values are not checked,     realm values are not checked and the server secret is     a hard-coded, known string. The effect of these issues     is that Digest authentication is no stronger than Basic     authentication. (CVE-2011-1184, CVE-2011-5062,     CVE-2011-5063, CVE-2011-5064)

  - An error handling issue exists related to the     MemoryUserDatabase that allows user passwords to be     disclosed through log files. (CVE-2011-2204)

  - An input validation error exists that allows a local     attacker to either bypass security or carry out denial     of service attacks when the APR or NIO connectors are     enabled. (CVE-2011-2526)

  - A component that Apache Tomcat relies on called 'jsvc'     contains an error in that it does not drop capabilities     after starting and can allow access to sensitive files     owned by the super user. Note this vulnerability only     affects Linux operating systems and only when 'jsvc' is     compiled with libpcap and the '-user' parameter is     used. (CVE-2011-2729)

  - Specially crafted requests are incorrectly processed by     Tomcat and can cause the server to allow injection of     arbitrary AJP messages. This can lead to authentication     bypass and disclosure of sensitive information. Note     this vulnerability only occurs when the     org.apache.jk.server.JkCoyoteHandler AJP connector is     not used, POST requests are accepted, and the request     body is not processed.(CVE-2011-3190)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Apache Tomcat 6.0.x listening on the remote host is prior to 6.0.33. It is, therefore, affected by multiple vulnerabilities :

  - Several weaknesses were found in the HTTP Digest     authentication implementation. The issues are as     follows: replay attacks are possible, server nonces     are not checked, client nonce counts are not checked,     'quality of protection' (qop) values are not checked,     realm values are not checked and the server secret is     a hard-coded, known string. The effect of these issues     is that Digest authentication is no stronger than Basic     authentication. (CVE-2011-1184, CVE-2011-5062,     CVE-2011-5063, CVE-2011-5064)

  - An error handling issue exists related to the     MemoryUserDatabase that allows user passwords to be     disclosed through log files. (CVE-2011-2204)

  - An input validation error exists that allows a local     attacker to either bypass security or carry out denial     of service attacks when the APR or NIO connectors are     enabled. (CVE-2011-2526)

  - A component that Apache Tomcat relies on called 'jsvc'     contains an error in that it does not drop capabilities     after starting and can allow access to sensitive files     owned by the super user. Note this vulnerability only     affects Linux operating systems and only when the     following are true: jsvc is compiled with libpcap and     the '-user' parameter is used. (CVE-2011-2729)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Versions of Tomcat 7.0.x earlier than 7.0.12 are potentially affected by multiple vulnerabilities : 

  - An information disclosure exists in the HTTP BIO connector. (CVE-2011-1475)

  - A security bypass vulnerability exists due to a regression in the fix for CVE-2011-1088.  Note that this issue only affects Tomcat 7.0.11.(CVE-2011-1183)

According to its self-reported version number, the instance of Apache Tomcat 7.x listening on the remote host is prior to 7.0.12. It is, therefore, affected by multiple vulnerabilities :

  - A fix for CVE-2011-1088 introduced a security bypass     vulnerability. If login configuration data is absent     from the 'web.xml' file and a web application is     marked as 'metadata-complete', security constraints are     ignored and may be bypassed by an attacker. Please note     this vulnerability only affects version 7.0.11 of     Tomcat. (CVE-2011-1183)

  - Several weaknesses were found in the HTTP Digest     authentication implementation. The issues are as     follows: replay attacks are possible, server nonces     are not checked, client nonce counts are not checked,     'quality of protection' (qop) values are not checked,     realm values are not checked, and the server secret is     a hard-coded, known string. The effect of these issues     is that Digest authentication is no stronger than Basic     authentication. (CVE-2011-1184, CVE-2011-5062,     CVE-2011-5063, CVE-2011-5064)

  - Updates to the HTTP BIO connector, in support of     Servlet 3.0 asynchronous requests, fail to completely     handle HTTP pipelining. Sensitive information may be     disclosed because responses from the server can be     improperly returned to the wrong request and possibly     to the wrong user. (CVE-2011-1475)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
78925	RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0682)	Nessus	Red Hat Local Security Checks	high
78924	RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0680)	Nessus	Red Hat Local Security Checks	high
76037	openSUSE Security Update : tomcat6 (openSUSE-SU-2012:0208-1)	Nessus	SuSE Local Security Checks	medium
68410	Oracle Linux 5 : tomcat5 (ELSA-2011-1845)	Nessus	Oracle Linux Local Security Checks	medium
68399	Oracle Linux 6 : tomcat6 (ELSA-2011-1780)	Nessus	Oracle Linux Local Security Checks	high
64022	RHEL 5 / 6 : jbossweb (RHSA-2012:0074)	Nessus	Red Hat Local Security Checks	medium
59677	GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
57855	SuSE 11.1 Security Update : tomcat6 (SAT Patch Number 5759)	Nessus	SuSE Local Security Checks	medium
57812	Debian DSA-2401-1 : tomcat6 - several vulnerabilities	Nessus	Debian Local Security Checks	high
57374	CentOS 6 : tomcat6 (CESA-2011:1780)	Nessus	CentOS Local Security Checks	high
57356	RHEL 5 : tomcat5 (RHSA-2011:1845)	Nessus	Red Hat Local Security Checks	medium
57354	CentOS 5 : tomcat5 (CESA-2011:1845)	Nessus	CentOS Local Security Checks	medium
57023	RHEL 6 : tomcat6 (RHSA-2011:1780)	Nessus	Red Hat Local Security Checks	high
56301	Apache Tomcat 5.5.x < 5.5.34 Multiple Vulnerabilities	Nessus	Web Servers	high
56008	Apache Tomcat 6.0.x < 6.0.33 Multiple Vulnerabilities	Nessus	Web Servers	medium
800625	Apache Tomcat 7.0.x < 7.0.12 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium
53323	Apache Tomcat 7.x < 7.0.12 Multiple Vulnerabilities	Nessus	Web Servers	medium

Detections

Analytics

CVE-2011-5063

medium

Tenable Plugins

high

high

medium

medium

high

medium

medium

medium

high

high

medium

medium

high

high

medium

medium

medium