java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

The remote Solaris system is missing necessary patches to address security updates :

  - Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30     does not properly handle chunk extensions in chunked     transfer coding, which allows remote attackers to cause     a denial of service by streaming data. (CVE-2012-3544)

  - java/org/apache/catalina/authenticator/FormAuthenticator     .java in the form authentication feature in Apache     Tomcat 6.0.21 through 6.0.36 and 7.x before 7.0.33 does     not properly handle the relationships between     authentication requirements and sessions, which allows     remote attackers to inject a request into a session by     sending this request during completion of the login     form, a variant of a session fixation attack.
    (CVE-2013-2067)

The remote host is affected by the vulnerability described in GLSA-201412-29 (Apache Tomcat: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Tomcat. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to cause a Denial of Service condition as       well as obtain sensitive information, bypass protection mechanisms and       authentication restrictions.
  Workaround :

    There is no known workaround at this time.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2013:1012 advisory.

  - httpd: multiple XSS flaws due to unescaped hostnames (CVE-2012-3499)

  - tomcat: Limited DoS in chunked transfer encoding input filter (CVE-2012-3544)

  - httpd: XSS flaw in mod_proxy_balancer manager interface (CVE-2012-4558)

  - tomcat: Session fixation in form authenticator (CVE-2013-2067)

  - tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw     RuntimeExceptions (CVE-2013-2071)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Red Hat JBoss Web Server 2.0.1, which fixes multiple security issues and several bugs, is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.0.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/

The following security issues are also fixed with this release :

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session. (CVE-2012-4558)

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially crafted Host header. (CVE-2012-3499)

A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user.
(CVE-2013-2067)

A denial of service flaw was found in the way the Tomcat chunked transfer encoding input filter processed CRLF sequences. A remote attacker could use this flaw to send an excessively long request, consuming network bandwidth, CPU, and memory on the Tomcat server.
Chunked transfer encoding is enabled by default. (CVE-2012-3544)

A flaw was found in the way the Tomcat 7 asynchronous context implementation performed request management in certain circumstances.
If an application used AsyncListeners and threw RuntimeExceptions, Tomcat could send a reply that contains information from a different user's request, possibly leading to the disclosure of sensitive information. This issue only affected Tomcat 7. (CVE-2013-2071)

Note: Do not install Red Hat JBoss Web Server 2 on a host which has Red Hat JBoss Web Server 1 installed.

Warning: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

All users of Red Hat JBoss Web Server 2.0.0 on Red Hat Enterprise Linux 5 are advised to upgrade to Red Hat JBoss Web Server 2.0.1. The JBoss server process must be restarted for this update to take effect.

Tomcat was updated to fix security issues and bug: CVE-2013-1976:
Avoid a potential symlink race during startup of the tomcat server, where a local attacker that gaine access to the tomcat chroot could escalate privileges to root.

CVE-2013-2067:
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat did not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

CVE-2012-3544: Tomcat were affected by a chunked transfer encoding extension size denial of service vulnerability.

Also the following bug was fixed :

  - Fix tomcat init scripts generating malformed classpath     (http://youtrack.jetbrains.com/issue/JT-18545)     bnc#804992

Multiple security issues were found in the Tomcat servlet and JSP engine :

  - CVE-2013-2067     FORM authentication associates the most recent request     requiring authentication with the current session. By     repeatedly sending a request for an authenticated     resource while the victim is completing the login form,     an attacker could inject a request that would be     executed using the victim's credentials.

  - CVE-2013-2071     A runtime exception in AsyncListener.onComplete()     prevents the request from being recycled. This may     expose elements of a previous request to a current     request.

  - CVE-2013-4286     Reject requests with multiple content-length headers or     with a content-length header when chunked encoding is     being used.

  - CVE-2013-4322     When processing a request submitted using the chunked     transfer encoding, Tomcat ignored but did not limit any     extensions that were included. This allows a client to     perform a limited denial of service by streaming an     unlimited amount of data to the server.

  - CVE-2014-0050     Multipart requests with a malformed Content-Type header     could trigger an infinite loop causing a denial of     service.

Updated tomcat6 packages fix security vulnerabilities :

It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service (CVE-2012-3544).

A frame injection in the Javadoc component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Javadoc (CVE-2013-1571).

A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root (CVE-2013-1976).

It was discovered that Tomcat incorrectly handled certain authentication requests. A remote attacker could possibly use this flaw to inject a request that would get executed with a victim's credentials (CVE-2013-2067).

Note: With this update, tomcat6-initd.log has been moved from /var/log/tomcat6/ to the /var/log/ directory.

The remote host has a version of Oracle Secure Global Desktop installed that is affected by multiple vulnerabilities :

  - Specially crafted requests sent with chunked transfer     encoding could allow a remote attacker to perform a     'limited' denial of service attack on the Tomcat server.
    (CVE-2012-3544)

  - The Tomcat server is affected by a session fixation     vulnerability in the FORM authenticator. (CVE-2013-2067)

  - The Apache Tomcat AsyncListener method is affected by a     cross-session information disclosure vulnerability when     handling user requests. (CVE-2013-2071)

  - The Administration Console and Workspace Web     Applications subcomponent is affected by an unspecified,     remote vulnerability. (CVE-2014-0419)

The version of JBoss Enterprise Portal Platform on the remote system is affected by the following issues:

  - A flaw in CSRF prevention filter in JBoss Web could allow     remote attackers to bypass the cross-site request forgery     (CSRF) protection mechanism via a request that lacks a     session identifier. (CVE-2012-4431)

  - A flaw that occurs when the COOKIE session tracking     method is used can allow attackers to hijack users'     sessions. (CVE-2012-4529)

  - A flaw that occurs when multiple applications use the     same custom authorization module class name can allow a     local attacker to deploy a malicious application that     overrides the custom authorization modules provided by     other applications. (CVE-2012-4572)

  - The framework does not verify that a specified     cryptographic algorithm is allowed by the     WS-SecurityPolicy AlgorithmSuite definition before     decrypting.  This can allow remote attackers to force     the system to use weaker cryptographic algorithms than     intended and makes it easier to decrypt communications.
    (CVE-2012-5575)

  - A flaw in PicketBox can allow local users to obtain the     admin encryption key by reading the Vault data file.
    (CVE-2013-1921)

  - A session fixation flaw was found in the     FormAuthenticator module. (CVE-2013-2067)

  - A flaw that occurs when a JGroups channel was started     results in the JGroups diagnostics service being enabled     by default with no authentication via IP multicast. A     remote attacker can make use of this flaw to read     diagnostics information. (CVE-2013-2102)

  - A flaw in the StAX parser implementation can allow     remote attackers to cause a denial of service via     crafted XML. (CVE-2013-2160)

  - A flaw in Apache Santuario XML Security can allow     context-dependent attackers to spoof an XML Signature     by using the CanonicalizationMethod parameter to     specify an arbitrary weak algorithm. (CVE-2013-2172)

  - A flaw in JGroup's DiagnosticsHandler can allow remote     attackers to obtain sensitive information and execute     arbitrary code by re-using valid credentials.
    (CVE-2013-4112)

  - A flaw in the manner in which authenticated connections     were cached on the server by remote-naming can allow     remote attackers to hijack sessions by using a remoting     client. (CVE-2013-4128)

  - A flaw in the manner in which connections for EJB     invocations were cached on the server can allow remote     attackers to hijack sessions by using an EJB client.
    (CVE-2013-4213)

Two security issues have been found in the Tomcat servlet and JSP engine :

  - CVE-2012-3544     The input filter for chunked transfer encodings could     trigger high resource consumption through malformed CRLF     sequences, resulting in denial of service.

  - CVE-2013-2067     The FormAuthenticator module was vulnerable to session     fixation.

From Red Hat Security Advisory 2013:0964 :

Updated tomcat6 packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user.
(CVE-2013-2067)

Users of Tomcat are advised to upgrade to these updated packages, which correct this issue. Tomcat must be restarted for this update to take effect.

The version of JBoss Enterprise Application Platform 6.0.1 running on the remote system is vulnerable to the following issues:

  - A man-in-the-middle attack is possible when applications     running on JBoss Web use the COOKIE session tracking     method. The flaw is in the     org.apache.catalina.connector.Response.encodeURL()     method. By making use of this, an attacker could obtain     a user's jsessionid and hijack their session.
    (CVE-2012-4529)

  - If multiple applications used the same custom     authorization module class name, a local attacker could     deploy a malicious application authorization module that     would permit or deny user access. (CVE-2012-4572)

  - XML encryption backwards compatibility attacks could     allow an attacker to force a server to use insecure     legacy cryptosystems. (CVE-2012-5575)

  - A NULL pointer dereference flaw could allow a malicious     OCSP to crash applications performing OCSP verification.
    (CVE-2013-0166)

  - An OpenSSL leaks timing information issue exists that     could allow a remote attacker to retrieve plaintext     from the encrypted packets. (CVE-2013-0169)

  - The JBoss Enterprise Application Platform administrator     password and the sucker password are stored in a world-     readable, auto-install XML file created by the GUI     installer. (CVE-2013-0218)

  - Tomcat incorrectly handles certain authentication     requests. A remote attacker could use this flaw to     inject a request that would get executed with a victim's     credentials. (CVE-2013-2067)

Updated tomcat6 packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user.
(CVE-2013-2067)

Users of Tomcat are advised to upgrade to these updated packages, which correct this issue. Tomcat must be restarted for this update to take effect.

A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user.
(CVE-2013-2067)

Tomcat must be restarted for this update to take effect.

It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2012-3544)

It was discovered that Tomcat incorrectly handled certain authentication requests. A remote attacker could possibly use this flaw to inject a request that would get executed with a victim's credentials. This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, and Ubuntu 12.10. (CVE-2013-2067)

It was discovered that Tomcat sometimes exposed elements of a previous request to the current request. This could allow a remote attacker to possibly obtain sensitive information. This issue only affected Ubuntu 12.10 and Ubuntu 13.04. (CVE-2013-2071).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated JBoss Enterprise Application Platform 6.1.0 packages that fix three security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for JBoss Enterprise Application Platform 6.0.1, and includes bug fixes and enhancements. Refer to the 6.1.0 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/

Security fixes :

XML encryption backwards compatibility attacks were found against various frameworks, including Apache CXF. An attacker could force a server to use insecure, legacy cryptosystems, even when secure cryptosystems were enabled on endpoints. By forcing the use of legacy cryptosystems, flaws such as CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be recovered from cryptograms and symmetric keys. (CVE-2012-5575)

Note: Automatic checks to prevent CVE-2012-5575 are only run when WS-SecurityPolicy is used to enforce security requirements. It is best practice to use WS-SecurityPolicy to enforce security requirements.

When applications running on JBoss Web used the COOKIE session tracking method, the org.apache.catalina.connector.Response.encodeURL() method returned the URL with the jsessionid appended as a query string parameter when processing the first request of a session. An attacker could possibly exploit this flaw by performing a man-in-the-middle attack to obtain a user's jsessionid and hijack their session, or by extracting the jsessionid from log files. Note that no session tracking method is used by default, one must be configured. (CVE-2012-4529)

If multiple applications used the same custom authorization module class name, and provided their own implementations of it, the first application to be loaded will have its implementation used for all other applications using the same custom authorization module class name. A local attacker could use this flaw to deploy a malicious application that provides implementations of custom authorization modules that permit or deny user access according to rules supplied by the attacker. (CVE-2012-4572)

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2012-5575.
CVE-2012-4572 was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team.

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. Refer to the Solution section for further details.

All users of JBoss Enterprise Application Platform 6.0.1 on Red Hat Enterprise Linux 5 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take effect.

Updated JBoss Enterprise Application Platform 6.1.0 packages that fix three security issues, various bugs, and add enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for JBoss Enterprise Application Platform 6.0.1, and includes bug fixes and enhancements. Refer to the 6.1.0 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/

Security fixes :

XML encryption backwards compatibility attacks were found against various frameworks, including Apache CXF. An attacker could force a server to use insecure, legacy cryptosystems, even when secure cryptosystems were enabled on endpoints. By forcing the use of legacy cryptosystems, flaws such as CVE-2011-1096 and CVE-2011-2487 would be exposed, allowing plain text to be recovered from cryptograms and symmetric keys. (CVE-2012-5575)

Note: Automatic checks to prevent CVE-2012-5575 are only run when WS-SecurityPolicy is used to enforce security requirements. It is best practice to use WS-SecurityPolicy to enforce security requirements.

When applications running on JBoss Web used the COOKIE session tracking method, the org.apache.catalina.connector.Response.encodeURL() method returned the URL with the jsessionid appended as a query string parameter when processing the first request of a session. An attacker could possibly exploit this flaw by performing a man-in-the-middle attack to obtain a user's jsessionid and hijack their session, or by extracting the jsessionid from log files. Note that no session tracking method is used by default, one must be configured. (CVE-2012-4529)

If multiple applications used the same custom authorization module class name, and provided their own implementations of it, the first application to be loaded will have its implementation used for all other applications using the same custom authorization module class name. A local attacker could use this flaw to deploy a malicious application that provides implementations of custom authorization modules that permit or deny user access according to rules supplied by the attacker. (CVE-2012-4572)

Red Hat would like to thank Tibor Jager, Kenneth G. Paterson and Juraj Somorovsky of Ruhr-University Bochum for reporting CVE-2012-5575.
CVE-2012-4572 was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team.

Warning: Before applying this update, back up your existing JBoss Enterprise Application Platform installation and deployed applications. Refer to the Solution section for further details.

All users of JBoss Enterprise Application Platform 6.0.1 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages.
The JBoss server process must be restarted for the update to take effect.

Versions earlier than Apache Tomcat 6.0.37 are potentially affected by multiple vulnerabilities :

  - An error exists related to chunked transfer encoding and extensions that could allow limited denial of service attacks. (CVE-2012-3544)

  - An error exists related to HTML form authentication and session fixation that could allow an attacker to carry out requests using a victim's credentials. (CVE-2013-2067)

According to its self-reported version number, the instance of Apache Tomcat 7.0 listening on the remote host is prior to 7.0.33. It is, therefore, affected by an error related to HTML form authentication and session fixation that allows an attacker to carry out requests using a victim's credentials.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Apache Tomcat 6.0 listening on the remote host is prior to 6.0.37. It is, therefore, affected by multiple vulnerabilities :

  - An error exists related to chunked transfer encoding     and extensions that allows limited denial of service     attacks. (CVE-2012-3544)

  - An error exists related to HTML form authentication and     session fixation that allows an attacker to carry out     requests using a victim's credentials. (CVE-2013-2067)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
80792	Oracle Solaris Third-Party Patch Update : tomcat (multiple_vulnerabilities_in_tomcat)	Nessus	Solaris Local Security Checks	medium
79982	GLSA-201412-29 : Apache Tomcat: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
76238	RHEL 6 : Red Hat JBoss Web Server 2.0.1 update (Moderate) (RHSA-2013:1012)	Nessus	Red Hat Local Security Checks	medium
76237	RHEL 5 : JBoss Web Server (RHSA-2013:1011)	Nessus	Red Hat Local Security Checks	medium
75107	openSUSE Security Update : tomcat (openSUSE-SU-2013:1307-1)	Nessus	SuSE Local Security Checks	medium
73421	Debian DSA-2897-1 : tomcat7 - security update	Nessus	Debian Local Security Checks	high
72595	Mandriva Linux Security Advisory : tomcat6 (MDVSA-2014:042)	Nessus	Mandriva Local Security Checks	medium
72339	Oracle Secure Global Desktop Multiple Vulnerabilities (January 2014 CPU)	Nessus	Misc.	medium
72237	JBoss Portal 6.1.0 Update (RHSA-2013:1437)	Nessus	Red Hat Local Security Checks	high
68971	Debian DSA-2725-1 : tomcat6 - several vulnerabilities	Nessus	Debian Local Security Checks	medium
68838	Oracle Linux 6 : tomcat6 (ELSA-2013-0964)	Nessus	Oracle Linux Local Security Checks	medium
66971	JBoss Enterprise Application Platform 6.1.0 Update (RHSA-2013:0833)	Nessus	Red Hat Local Security Checks	high
66965	CentOS 6 : tomcat6 (CESA-2013:0964)	Nessus	CentOS Local Security Checks	medium
66952	Scientific Linux Security Update : tomcat6 on SL6.x (noarch) (20130620)	Nessus	Scientific Linux Local Security Checks	medium
66949	RHEL 6 : tomcat6 (RHSA-2013:0964)	Nessus	Red Hat Local Security Checks	medium
66670	Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 : tomcat6, tomcat7 vulnerabilities (USN-1841-1)	Nessus	Ubuntu Local Security Checks	medium
66523	RHEL 5 : JBoss EAP (RHSA-2013:0839)	Nessus	Red Hat Local Security Checks	medium
66522	RHEL 6 : JBoss EAP (RHSA-2013:0834)	Nessus	Red Hat Local Security Checks	medium
800783	Apache Tomcat 6.0.x < 6.0.37 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium
66427	Apache Tomcat 7.0.x < 7.0.33 Session Fixation	Nessus	Web Servers	high
66426	Apache Tomcat 6.0.x < 6.0.37 Multiple Vulnerabilities	Nessus	Web Servers	medium

Detections

Analytics

CVE-2013-2067

medium

Tenable Plugins

medium

high

medium

medium

medium

high

medium

medium

high

medium

medium

high

medium

medium

medium

medium

medium

medium

medium

high

medium