Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 442014 (CVE-2012-2733) - <www-servers/tomcat-{6.0.36,7.0.32}: multiple vulnerabilities (CVE-2012-{2733,3546,4431,4534,5885,5886,5887})
Summary: <www-servers/tomcat-{6.0.36,7.0.32}: multiple vulnerabilities (CVE-2012-{2733...
Status: RESOLVED FIXED
Alias: CVE-2012-2733
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://secunia.com/advisories/51138/
Whiteboard: B3 [glsa]
Keywords:
Depends on: 428002 446146 446152
Blocks:
  Show dependency tree
 
Reported: 2012-11-06 10:39 UTC by Agostino Sarubbo
Modified: 2014-12-15 00:45 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2012-11-06 10:39:39 UTC
From https://secunia.com/advisories/51138/ :

Description
A weakness and a vulnerability have been reported in Apache Tomcat, which can be exploited by 
malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

1) An error within the "parseHeaders()" function (InternalNioInputBuffer.java) when parsing request 
headers does not properly verify the permitted size and can be exploited to trigger an 
OutOfMemoryError exception via specially crafted headers.

This vulnerability is reported in versions 6.0.0-6.0.35 and 7.0.0-7.0.27.

2) An error within DIGEST authentication mechanism does not properly check server nonces.

This weakness is reported in versions 5.5.0-5.5.35, 6.0.0-6.0.35, and 7.0.0-7.0.29.


Solution
Update to version 5.5.36, 6.0.36, or 7.0.30.

Provided and/or discovered by
1) The vendor credits Josh Spiewak.
2) The vendor credits Tilmann Kuhn.

Original Advisory
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.30
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.36
Comment 1 Sean Amoss gentoo-dev Security 2012-11-10 18:42:59 UTC
@java, are these ebuilds okay to stabilize?
=www-servers/tomcat-6.0.36
=www-servers/tomcat-7.0.30 (or we can stabilize 7.0.32)
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2012-11-18 23:59:31 UTC
CVE-2012-5887 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5887):
  The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x
  before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly
  check for stale nonce values in conjunction with enforcement of proper
  credentials, which makes it easier for remote attackers to bypass intended
  access restrictions by sniffing the network for valid requests.

CVE-2012-5886 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5886):
  The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x
  before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 caches information
  about the authenticated user within the session state, which makes it easier
  for remote attackers to bypass authentication via vectors related to the
  session ID.

CVE-2012-5885 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5885):
  The replay-countermeasure functionality in the HTTP Digest Access
  Authentication implementation in Apache Tomcat 5.5.x before 5.5.36, 6.x
  before 6.0.36, and 7.x before 7.0.30 tracks cnonce (aka client nonce) values
  instead of nonce (aka server nonce) and nc (aka nonce-count) values, which
  makes it easier for remote attackers to bypass intended access restrictions
  by sniffing the network for valid requests, a different vulnerability than
  CVE-2011-1184.

CVE-2012-2733 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-2733):
  java/org/apache/coyote/http11/InternalNioInputBuffer.java in the HTTP NIO
  connector in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28 does not
  properly restrict the request-header size, which allows remote attackers to
  cause a denial of service (memory consumption) via a large amount of header
  data.
Comment 3 Sean Amoss gentoo-dev Security 2012-11-19 00:00:46 UTC
CVE-2012-3439 was rejected in favor of CVE-2012-{5885,5886,5887}
Comment 4 Agostino Sarubbo gentoo-dev 2012-12-04 19:54:06 UTC
From full-disclosure:

CVE-2012-4534 Apache Tomcat denial of service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35

Description:
When using the NIO connector with sendfile and HTTPS enabled, if a
client breaks the connection while reading the response an infinite loop
is entered leading to a denial of service. This was originally reported
as https://issues.apache.org/bugzilla/show_bug.cgi?id=52858.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.28 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
Comment 5 Agostino Sarubbo gentoo-dev 2012-12-04 19:58:19 UTC
CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.31
- Tomcat 6.0.0 to 6.0.35

Description:
The CSRF prevention filter could be bypassed if a request was made to a
protected resource without a session identifier present in the request.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.32 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later


CVE-2012-3546 Apache Tomcat Bypass of security constraints

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
Earlier unsupported versions may also be affected

Description:
When using FORM authentication it was possible to bypass the security
constraint checks in the FORM authenticator by appending
"/j_security_check" to the end of the URL if some other component (such
as the Single-Sign-On valve) had called request.setUserPrincipal()
before the call to FormAuthenticator#authenticate().

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
Comment 6 Agostino Sarubbo gentoo-dev 2012-12-06 13:54:45 UTC
@security:

stabilization done, old removed, please vote
Comment 7 Sean Amoss gentoo-dev Security 2012-12-06 16:08:45 UTC
GLSA vote: yes.
Comment 8 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 22:03:46 UTC
Yes. GLSA request created.
Comment 9 GLSAMaker/CVETool Bot gentoo-dev 2012-12-23 00:38:52 UTC
CVE-2012-4534 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4534):
  org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before
  6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction
  with sendfile and HTTPS, allows remote attackers to cause a denial of
  service (infinite loop) by terminating the connection during the reading of
  a response.

CVE-2012-4431 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-4431):
  org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x
  before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the
  cross-site request forgery (CSRF) protection mechanism via a request that
  lacks a session identifier.

CVE-2012-3546 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-3546):
  org/apache/catalina/realm/RealmBase.java in Apache Tomcat 6.x before 6.0.36
  and 7.x before 7.0.30, when FORM authentication is used, allows remote
  attackers to bypass security-constraint checks by leveraging a previous
  setUserPrincipal call and then placing /j_security_check at the end of a
  URI.
Comment 10 GLSAMaker/CVETool Bot gentoo-dev 2014-12-15 00:45:01 UTC
This issue was resolved and addressed in
 GLSA 201412-29 at http://security.gentoo.org/glsa/glsa-201412-29.xml
by GLSA coordinator Sean Amoss (ackle).