Skip to navigation

Security Advisory Moderate: tomcat5 security and bug fix update

Advisory: RHSA-2012:0680-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-05-21
Last updated on: 2012-05-21
Affected Products: JBoss Enterprise Web Server v1 EL5
JBoss Enterprise Web Server v1 EL6
CVEs (cve.mitre.org): CVE-2011-1184
CVE-2011-2204
CVE-2011-2526
CVE-2011-3190
CVE-2011-4858
CVE-2011-5062
CVE-2011-5063
CVE-2011-5064
CVE-2012-0022

Details

Updated tomcat5 packages that fix multiple security issues and two bugs are
now available for JBoss Enterprise Web Server 1.0.2 for Red Hat
Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

JBoss Enterprise Web Server includes the Tomcat Native library, providing
Apache Portable Runtime (APR) support for Tomcat. References in this text
to APR refer to the Tomcat Native implementation, not any other apr
package.

This update includes bug fixes as documented in JBPAPP-4873 and
JBPAPP-6133. It also resolves the following security issues:

Multiple flaws were found in the way Tomcat handled HTTP DIGEST
authentication. These flaws weakened the Tomcat HTTP DIGEST authentication
implementation, subjecting it to some of the weaknesses of HTTP BASIC
authentication, for example, allowing remote attackers to perform session
replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063,
CVE-2011-5064)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor)
and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ
Protocol) connectors processed certain POST requests. An attacker could
send a specially-crafted request that would cause the connector to treat
the message body as a new request. This allows arbitrary AJP messages to be
injected, possibly allowing an attacker to bypass a web application's
authentication checks and gain access to information they would otherwise
be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler)
connector is used by default when the APR libraries are not present. The JK
connector is not affected by this flaw. (CVE-2011-3190)

It was found that the Java hashCode() method implementation was susceptible
to predictable hash collisions. A remote attacker could use this flaw to
cause Tomcat to use an excessive amount of CPU time by sending an HTTP
request with a large number of parameters whose names map to the same hash
value. This update introduces a limit on the number of parameters processed
per request to mitigate this issue. The default limit is 512 for parameters
and 128 for headers. These defaults can be changed by setting the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

It was found that Tomcat did not handle large numbers of parameters and
large parameter values efficiently. A remote attacker could make Tomcat use
an excessive amount of CPU time by sending an HTTP request containing a
large number of parameters or large parameter values. This update
introduces limits on the number of parameters and headers processed per
request to address this issue. Refer to the CVE-2011-4858 description for
information about the org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception
occurred when creating a new user with a JMX client, that user's password
was logged to Tomcat log files. Note: By default, only administrators have
access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes
when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious
web application running on a Tomcat instance could use this flaw to bypass
security manager restrictions and gain access to files it would otherwise
be unable to access, or possibly terminate the Java Virtual Machine (JVM).
The HTTP NIO connector is used by default in JBoss Enterprise Web Server.
(CVE-2011-2526)

Red Hat would like to thank oCERT for reporting CVE-2011-4858, and the
Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges
Julian Wälde and Alexander Klink as the original reporters of
CVE-2011-4858.

Users of Tomcat should upgrade to these updated packages, which resolve
these issues. Tomcat must be restarted for this update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Web Server v1 EL5

SRPMS:
tomcat5-5.5.33-27_patch_07.ep5.el5.src.rpm
File outdated by:  RHSA-2013:0872
    MD5: ef22e35a674851d064599162d472cecd
SHA-256: edb794db5398c5b3f54fc047539321390de69f65c743221aad8bbac73cb56a63
 
IA-32:
tomcat5-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: f2bcbca03af69fead8c89d487707c488
SHA-256: db383ee16eeb8961e30b0a97cbf83da3eef703cd6eacf480524535c8ba9352e8
tomcat5-admin-webapps-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: d985d2bff50ac394561bfeb421494be5
SHA-256: a6634d921ada1cbe9ce9a975fb64b4effb0004eeae1c506213dc3bb975d63696
tomcat5-common-lib-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 1cf4881ba0f87e988832a5b66e11f665
SHA-256: 23431a20e2b636307be595fb7c05e16261365fc4f88b7765bf3f93300b5c772a
tomcat5-jasper-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 805651471eb6f9103beb1e92a989337a
SHA-256: 4762ec1bba9b262ecb6e17c68a1ca12853828fe3636c2c1f7dbbb8cf0ad0c0cb
tomcat5-jasper-eclipse-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: a09a406772db85eb2deda5a03446bfdf
SHA-256: 200fdecb8c4608942ede828bb4f6b746603bdf9eae991ce054384bd874ce92eb
tomcat5-jasper-javadoc-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: fda3bcebfa10bc2dbfd32006a0cf666c
SHA-256: 08c25a7e305966f9a5eb3b7d21c870789bbb4b74a26d3f1d20cfaa2a6c7019f0
tomcat5-jsp-2.0-api-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 1b9f45172a3fcfa5d0af15b9dd2d85bc
SHA-256: 7fa5924fd5960562d9c0a0f0504c5027c1124aa8c95d1b3bbeff59ccab9a4f8e
tomcat5-jsp-2.0-api-javadoc-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: f07621190dd9b827c6b05f3f3dfcd462
SHA-256: ece8c8433366115cf343b4ee57b8dbc0845d1d66a20cf438da1eb0d371b826bc
tomcat5-parent-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 12bc33b72560b30137a32b07e35f6d7a
SHA-256: b3c7a0cc810ade06ebcdec4fa20fdb5e18a507e7bd45638e443aa552b3238b74
tomcat5-server-lib-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 143dc0bc5cf769c157573135e84b720d
SHA-256: 73319d51f1e0fba4498d580bfa3a0ac16085eb3b4e297bd15afc1775e8cbddcc
tomcat5-servlet-2.4-api-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4f577300ad5629a8754cf0af10236b4a
SHA-256: 396a9e6c17a8c099cc7b36ba03c1b011fa0e26b602af794c44d44e70ad1533e6
tomcat5-servlet-2.4-api-javadoc-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 7dcf8444c269efa2df59a321bd1edb80
SHA-256: 549ae60c7927c99bbadafd3bd39157c45a81f9359e4f7da4fed894f99f12ec50
tomcat5-webapps-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 99a806436fb96540762a7ad7efe030f5
SHA-256: 6b1d65688a1a9c21e41da9a406c1f0855df313858c110de5dd8fc4b4a3ee9024
 
x86_64:
tomcat5-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: f2bcbca03af69fead8c89d487707c488
SHA-256: db383ee16eeb8961e30b0a97cbf83da3eef703cd6eacf480524535c8ba9352e8
tomcat5-admin-webapps-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: d985d2bff50ac394561bfeb421494be5
SHA-256: a6634d921ada1cbe9ce9a975fb64b4effb0004eeae1c506213dc3bb975d63696
tomcat5-common-lib-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 1cf4881ba0f87e988832a5b66e11f665
SHA-256: 23431a20e2b636307be595fb7c05e16261365fc4f88b7765bf3f93300b5c772a
tomcat5-jasper-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 805651471eb6f9103beb1e92a989337a
SHA-256: 4762ec1bba9b262ecb6e17c68a1ca12853828fe3636c2c1f7dbbb8cf0ad0c0cb
tomcat5-jasper-eclipse-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: a09a406772db85eb2deda5a03446bfdf
SHA-256: 200fdecb8c4608942ede828bb4f6b746603bdf9eae991ce054384bd874ce92eb
tomcat5-jasper-javadoc-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: fda3bcebfa10bc2dbfd32006a0cf666c
SHA-256: 08c25a7e305966f9a5eb3b7d21c870789bbb4b74a26d3f1d20cfaa2a6c7019f0
tomcat5-jsp-2.0-api-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 1b9f45172a3fcfa5d0af15b9dd2d85bc
SHA-256: 7fa5924fd5960562d9c0a0f0504c5027c1124aa8c95d1b3bbeff59ccab9a4f8e
tomcat5-jsp-2.0-api-javadoc-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: f07621190dd9b827c6b05f3f3dfcd462
SHA-256: ece8c8433366115cf343b4ee57b8dbc0845d1d66a20cf438da1eb0d371b826bc
tomcat5-parent-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 12bc33b72560b30137a32b07e35f6d7a
SHA-256: b3c7a0cc810ade06ebcdec4fa20fdb5e18a507e7bd45638e443aa552b3238b74
tomcat5-server-lib-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 143dc0bc5cf769c157573135e84b720d
SHA-256: 73319d51f1e0fba4498d580bfa3a0ac16085eb3b4e297bd15afc1775e8cbddcc
tomcat5-servlet-2.4-api-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4f577300ad5629a8754cf0af10236b4a
SHA-256: 396a9e6c17a8c099cc7b36ba03c1b011fa0e26b602af794c44d44e70ad1533e6
tomcat5-servlet-2.4-api-javadoc-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 7dcf8444c269efa2df59a321bd1edb80
SHA-256: 549ae60c7927c99bbadafd3bd39157c45a81f9359e4f7da4fed894f99f12ec50
tomcat5-webapps-5.5.33-27_patch_07.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 99a806436fb96540762a7ad7efe030f5
SHA-256: 6b1d65688a1a9c21e41da9a406c1f0855df313858c110de5dd8fc4b4a3ee9024
 
JBoss Enterprise Web Server v1 EL6

SRPMS:
tomcat5-5.5.33-28_patch_07.ep5.el6.src.rpm
File outdated by:  RHSA-2013:0872
    MD5: a121372afd754db94af09a073dea3663
SHA-256: db96c159afdc93318c0ef96771a43462f933c9b31f6f296409eee6444fdf69c4
 
IA-32:
tomcat5-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: aa9dca439a7b399c11422d42b4cf3fe2
SHA-256: fc080633eee56719c0f1531840ad12ed1806ad4ae829c9a445d5fd782bc197b3
tomcat5-admin-webapps-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 3cfba0a77ed94339f3e0e5bfad5566db
SHA-256: 75e4a2df63e7f18d1a8eefc0dee8654b108ab64115e2c1522a64b8033f9aecbb
tomcat5-common-lib-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 53d7ecfac762feedc8a7646f64a0fb10
SHA-256: 968d01f40c9a4a85a31d8ccb1893bbe8df555bf0de5d64f486faa2bc3c27c37b
tomcat5-jasper-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 23bc05668e29f271fe4ca23136a45679
SHA-256: 0bcd99b17564277aecdaf53abf7be98b8e931613001e7e8370570f9dba701bce
tomcat5-jasper-eclipse-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: ae096f2858155888970dbf166fa1922c
SHA-256: c3244de16ed10875e6396a53d4d64cc6a130581df5a52c10236c357b11ddf2df
tomcat5-jasper-javadoc-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: c9f51abcc0a54c8f9123cb87a5d2065e
SHA-256: 000ea0f9cde5b4d97ab563fd3de89276dc364a0e69ec7906a04f10ff4dbc5598
tomcat5-jsp-2.0-api-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: f9f2b8de9309c7703fcce2d180c300dc
SHA-256: eb6e84101e7d4164ad2d605e387462928ed2caf9e749ab536bbd47edab101f02
tomcat5-jsp-2.0-api-javadoc-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 38945ac15b77469fc2684778250d3a9c
SHA-256: 3ccac8fca98045b7bf757973b8859e1ada89109c54ddb7bcc0c628fe2dc3d1f6
tomcat5-parent-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 13d7389f1f0136ddf7a94634f9ef3b8d
SHA-256: 6b7ee1b753777234f22977c4ccc1c17975e9853a8fb26cd9db7e674e30071ce7
tomcat5-server-lib-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4e948287bad4ce5074d637c0e8851887
SHA-256: 1fea60a8184dddc0dc5e98993bf047d988b4555860b7b36e57f2b9ee5e10b874
tomcat5-servlet-2.4-api-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: d582ba6ef5e46eb22ea0649d9db0718f
SHA-256: 6d8acb09c22d336c38547be8b1262e0c9dc060e3f35fa7ba0f499b1bd4f02b06
tomcat5-servlet-2.4-api-javadoc-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: bb3c925623f6ed0e6b33d3985026b0cf
SHA-256: d87fc62fe6969a332112bf93ca0a5e4ceb32f34cc2b7e39940722e1e536547b3
tomcat5-webapps-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: d2f16618fe46ae3df31022680680dffd
SHA-256: 95e2732ead72b6d1e258d6fde5963504c7f504a701872838531cc4b2e59a5353
 
x86_64:
tomcat5-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: aa9dca439a7b399c11422d42b4cf3fe2
SHA-256: fc080633eee56719c0f1531840ad12ed1806ad4ae829c9a445d5fd782bc197b3
tomcat5-admin-webapps-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 3cfba0a77ed94339f3e0e5bfad5566db
SHA-256: 75e4a2df63e7f18d1a8eefc0dee8654b108ab64115e2c1522a64b8033f9aecbb
tomcat5-common-lib-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 53d7ecfac762feedc8a7646f64a0fb10
SHA-256: 968d01f40c9a4a85a31d8ccb1893bbe8df555bf0de5d64f486faa2bc3c27c37b
tomcat5-jasper-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 23bc05668e29f271fe4ca23136a45679
SHA-256: 0bcd99b17564277aecdaf53abf7be98b8e931613001e7e8370570f9dba701bce
tomcat5-jasper-eclipse-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: ae096f2858155888970dbf166fa1922c
SHA-256: c3244de16ed10875e6396a53d4d64cc6a130581df5a52c10236c357b11ddf2df
tomcat5-jasper-javadoc-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: c9f51abcc0a54c8f9123cb87a5d2065e
SHA-256: 000ea0f9cde5b4d97ab563fd3de89276dc364a0e69ec7906a04f10ff4dbc5598
tomcat5-jsp-2.0-api-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: f9f2b8de9309c7703fcce2d180c300dc
SHA-256: eb6e84101e7d4164ad2d605e387462928ed2caf9e749ab536bbd47edab101f02
tomcat5-jsp-2.0-api-javadoc-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 38945ac15b77469fc2684778250d3a9c
SHA-256: 3ccac8fca98045b7bf757973b8859e1ada89109c54ddb7bcc0c628fe2dc3d1f6
tomcat5-parent-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 13d7389f1f0136ddf7a94634f9ef3b8d
SHA-256: 6b7ee1b753777234f22977c4ccc1c17975e9853a8fb26cd9db7e674e30071ce7
tomcat5-server-lib-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4e948287bad4ce5074d637c0e8851887
SHA-256: 1fea60a8184dddc0dc5e98993bf047d988b4555860b7b36e57f2b9ee5e10b874
tomcat5-servlet-2.4-api-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: d582ba6ef5e46eb22ea0649d9db0718f
SHA-256: 6d8acb09c22d336c38547be8b1262e0c9dc060e3f35fa7ba0f499b1bd4f02b06
tomcat5-servlet-2.4-api-javadoc-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: bb3c925623f6ed0e6b33d3985026b0cf
SHA-256: d87fc62fe6969a332112bf93ca0a5e4ceb32f34cc2b7e39940722e1e536547b3
tomcat5-webapps-5.5.33-28_patch_07.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: d2f16618fe46ae3df31022680680dffd
SHA-256: 95e2732ead72b6d1e258d6fde5963504c7f504a701872838531cc4b2e59a5353
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

717013 - CVE-2011-2204 tomcat: password disclosure vulnerability
720948 - CVE-2011-2526 tomcat: security manager restrictions bypass
734868 - CVE-2011-3190 tomcat: authentication bypass and information disclosure
741401 - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
783359 - CVE-2012-0022 tomcat: large number of parameters DoS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/