RHEL 5 / 6 : JBoss Web Server (RHSA-2012:0682)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote Red Hat host is missing one or more security updates.

Description :

Updated tomcat6 packages that fix multiple security issues and three
bugs are now available for JBoss Enterprise Web Server 1.0.2 for Red
Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
moderate security impact. Common Vulnerability Scoring System (CVSS)
base scores, which give detailed severity ratings, are available for
each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container.

JBoss Enterprise Web Server includes the Tomcat Native library,
providing Apache Portable Runtime (APR) support for Tomcat. References
in this text to APR refer to the Tomcat Native implementation, not any
other apr package.

This update fixes the JBPAPP-4873, JBPAPP-6133, and JBPAPP-6852 bugs.
It also resolves the following security issues :

Multiple flaws weakened the Tomcat HTTP DIGEST authentication
implementation, subjecting it to some of the weaknesses of HTTP BASIC
authentication, for example, allowing remote attackers to perform
session replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063,
CVE-2011-5064)

A flaw was found in the way the Coyote
(org.apache.coyote.ajp.AjpProcessor) and APR
(org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ
Protocol) connectors processed certain POST requests. An attacker
could send a specially crafted request that would cause the connector
to treat the message body as a new request. This allows arbitrary AJP
messages to be injected, possibly allowing an attacker to bypass a web
application's authentication checks and gain access to information
they would otherwise be unable to access. The JK
(org.apache.jk.server.JkCoyoteHandler) connector is used by default
when the APR libraries are not present. The JK connector is not
affected by this flaw. (CVE-2011-3190)

A flaw in the way Tomcat recycled objects that contain data from user
requests (such as IP addresses and HTTP headers) when certain errors
occurred. If a user sent a request that caused an error to be logged,
Tomcat would return a reply to the next request (which could be sent
by a different user) with data from the first user's request, leading
to information disclosure. Under certain conditions, a remote attacker
could leverage this flaw to hijack sessions. (CVE-2011-3375)

The Java hashCode() method implementation was susceptible to
predictable hash collisions. A remote attacker could use this flaw to
cause Tomcat to use an excessive amount of CPU time by sending an HTTP
request with a large number of parameters whose names map to the same
hash value. This update introduces a limit on the number of parameters
processed per request to mitigate this issue. The default limit is 512
for parameters and 128 for headers. These defaults can be changed by
setting the org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

Tomcat did not handle large numbers of parameters and large parameter
values efficiently. A remote attacker could make Tomcat use an
excessive amount of CPU time by sending an HTTP request containing a
large number of parameters or large parameter values. This update
introduces limits on the number of parameters and headers processed
per request to address this issue. Refer to the CVE-2011-4858
description for information about the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

A flaw in the Tomcat MemoryUserDatabase. If a runtime exception
occurred when creating a new user with a JMX client, that user's
password was logged to Tomcat log files. Note: By default, only
administrators have access to such log files. (CVE-2011-2204)

A flaw in the way Tomcat handled sendfile request attributes when
using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious
web application running on a Tomcat instance could use this flaw to
bypass security manager restrictions and gain access to files it would
otherwise be unable to access, or possibly terminate the Java Virtual
Machine (JVM). The HTTP NIO connector is used by default in JBoss
Enterprise Web Server. (CVE-2011-2526)

Red Hat would like to thank oCERT for reporting CVE-2011-4858, and the
Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges
Julian Walde and Alexander Klink as the original reporters of
CVE-2011-4858.

See also :

http://tomcat.apache.org/security-6.html
https://issues.jboss.org/browse/JBPAPP-4873
https://issues.jboss.org/browse/JBPAPP-6133
https://issues.jboss.org/browse/JBPAPP-6852
https://access.redhat.com/errata/RHSA-2012:0682.html
https://www.redhat.com/security/data/cve/CVE-2011-2526.html
https://www.redhat.com/security/data/cve/CVE-2011-3190.html
https://www.redhat.com/security/data/cve/CVE-2011-1184.html
https://www.redhat.com/security/data/cve/CVE-2011-2204.html
https://www.redhat.com/security/data/cve/CVE-2011-5062.html
https://www.redhat.com/security/data/cve/CVE-2011-5063.html
https://www.redhat.com/security/data/cve/CVE-2011-5064.html
https://www.redhat.com/security/data/cve/CVE-2011-4858.html
https://www.redhat.com/security/data/cve/CVE-2012-0022.html
https://www.redhat.com/security/data/cve/CVE-2011-3375.html

Solution :

Update the affected packages.

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now