Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 373987 (CVE-2011-2204) - <www-servers/tomcat-{5.5.34,6.0.33,7.0.17}: Password disclosure (CVE-2011-2204)
Summary: <www-servers/tomcat-{5.5.34,6.0.33,7.0.17}: Password disclosure (CVE-2011-2204)
Alias: CVE-2011-2204
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [glsa]
Depends on: 388131 395933
Blocks: 322979
  Show dependency tree
Reported: 2011-07-04 05:29 UTC by Tim Sammut (RETIRED)
Modified: 2012-06-24 14:12 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2011-07-04 05:29:05 UTC
Low: Information disclosure CVE-2011-2204

When using the MemoryUserDatabase (based on tomcat-users.xml) and creating users via JMX, an exception during the user creation process may trigger an error message in the JMX client that includes the user's password. This error message is also written to the Tomcat logs. User passwords are visible to administrators with JMX access and/or administrators with read access to the tomcat-users.xml file. Users that do not have these permissions but are able to read log files may be able to discover a user's password.

The 7.x commit is at $URL.
Comment 1 Tim Sammut (RETIRED) gentoo-dev 2011-07-04 05:30:26 UTC
Sorry for the bugspam, more commits for 6.x and 5.x.

  - 6.0.x:
  - 5.5.x:
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2011-07-09 20:49:50 UTC
CVE-2011-2204 (
  Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17,
  when the MemoryUserDatabase is used, creates log entries containing
  passwords upon encountering errors in JMX user creation, which allows local
  users to obtain sensitive information by reading a log file.
Comment 3 Tobias Heinlein (RETIRED) gentoo-dev 2011-10-22 17:58:24 UTC
For the stable request, please view bug 386213.
Comment 4 Miroslav Šulc gentoo-dev 2011-12-24 20:32:28 UTC
tomcat 5.5.x has been removed from the main tree because it's heading its eol in 2012-09-30 and it's unmaintained on our side (all the effort goes to 6.x and 7.x releases). tomcat 5.5.x has been moved to java-overlay for those that still need it.
Comment 5 Tim Sammut (RETIRED) gentoo-dev 2012-03-13 21:56:57 UTC
Thanks, folks. GLSA Vote: no.
Comment 6 Sean Amoss (RETIRED) gentoo-dev Security 2012-03-23 13:27:26 UTC
On existing GLSA request.
Comment 7 Miroslav Šulc gentoo-dev 2012-03-25 20:23:25 UTC
no affected version in the tree anymore
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2012-06-24 14:12:47 UTC
This issue was resolved and addressed in
 GLSA 201206-24 at
by GLSA coordinator Tobias Heinlein (keytoaster).