
Security Advisory Moderate: tomcat6 security and bug fix update

Advisory: RHSA-2012:0682-1
Type: Security Advisory
Severity: Moderate
Issued on: 2012-05-21
Last updated on: 2012-05-21
Affected Products: JBoss Enterprise Web Server v1 EL5
JBoss Enterprise Web Server v1 EL6
CVEs (cve.mitre.org): CVE-2011-1184
CVE-2011-2204
CVE-2011-2526
CVE-2011-3190
CVE-2011-3375
CVE-2011-4858
CVE-2011-5062
CVE-2011-5063
CVE-2011-5064
CVE-2012-0022

Details

Updated tomcat6 packages that fix multiple security issues and three bugs
are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat
Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Apache Tomcat is a servlet container.

JBoss Enterprise Web Server includes the Tomcat Native library, providing
Apache Portable Runtime (APR) support for Tomcat. References in this text
to APR refer to the Tomcat Native implementation, not any other apr
package.

This update fixes the JBPAPP-4873, JBPAPP-6133, and JBPAPP-6852 bugs. It
also resolves the following security issues:

Multiple flaws weakened the Tomcat HTTP DIGEST authentication
implementation, subjecting it to some of the weaknesses of HTTP BASIC
authentication, for example, allowing remote attackers to perform session
replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063,
CVE-2011-5064)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor)
and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ
Protocol) connectors processed certain POST requests. An attacker could
send a specially-crafted request that would cause the connector to treat
the message body as a new request. This allows arbitrary AJP messages to be
injected, possibly allowing an attacker to bypass a web application's
authentication checks and gain access to information they would otherwise
be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler)
connector is used by default when the APR libraries are not present. The JK
connector is not affected by this flaw. (CVE-2011-3190)

A flaw was found in the way Tomcat recycled objects that contain data from
user requests (such as IP addresses and HTTP headers) when certain errors
occurred. If a user sent a request that caused an error to be logged,
Tomcat would return a reply to the next request (which could be sent by a
different user) with data from the first user's request, leading to
information disclosure. Under certain conditions, a remote attacker could
leverage this flaw to hijack sessions. (CVE-2011-3375)

The Java hashCode() method implementation was susceptible to predictable
hash collisions. A remote attacker could use this flaw to cause Tomcat to
use an excessive amount of CPU time by sending an HTTP request with a large
number of parameters whose names map to the same hash value. This update
introduces a limit on the number of parameters processed per request to
mitigate this issue. The default limit is 512 for parameters and 128 for
headers. These defaults can be changed by setting the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

Tomcat did not handle large numbers of parameters and large parameter
values efficiently. A remote attacker could make Tomcat use an excessive
amount of CPU time by sending an HTTP request containing a large number of
parameters or large parameter values. This update introduces limits on the
number of parameters and headers processed per request to address this
issue. Refer to the CVE-2011-4858 description for information about the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)
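The CVE-2011-4858 and CVE-2012-0022 descriptions above share one mitigation: a cap on the number of parameters and headers processed per request. The following is an added example, not code from this advisory or from Tomcat; it models that cap in Python using the advisory's property names and defaults, with a plain dict standing in for Java system properties (an assumption) and a simplified parser in place of Tomcat's own.

```python
from urllib.parse import unquote_plus

# Property names exactly as given in the advisory; defaults as stated there.
PARAM_LIMIT_PROP = "org.apache.tomcat.util.http.Parameters.MAX_COUNT"
HEADER_LIMIT_PROP = "org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT"
DEFAULTS = {PARAM_LIMIT_PROP: 512, HEADER_LIMIT_PROP: 128}


class LimitExceeded(Exception):
    """A request carried more parameters or headers than the configured cap."""


def limit_for(props, name):
    """Resolve a cap from a dict standing in for Java system properties (assumption)."""
    return int(props.get(name, DEFAULTS[name]))


def parse_query(query, props=None):
    """Parse a form-encoded query/body into (name, value) pairs, refusing to go past
    the parameter cap. The count is checked before a name is decoded or hashed, so
    the cost of colliding names is bounded by the cap, not by the request size."""
    max_count = limit_for(props or {}, PARAM_LIMIT_PROP)
    params = []
    for pair in query.split("&"):
        if not pair:
            continue  # tolerate "a=1&&b=2"
        if len(params) >= max_count:
            raise LimitExceeded(f"more than {max_count} parameters")
        name, _, value = pair.partition("=")
        params.append((unquote_plus(name), unquote_plus(value)))
    return params


def parse_headers(lines, props=None):
    """The same kind of cap applied to raw 'Name: value' header lines."""
    max_count = limit_for(props or {}, HEADER_LIMIT_PROP)
    headers = []
    for line in lines:
        if len(headers) >= max_count:
            raise LimitExceeded(f"more than {max_count} headers")
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers


def within_limits(query, header_lines=(), props=None):
    """True if both the query and the header block fit under the caps."""
    try:
        parse_query(query, props)
        parse_headers(header_lines, props)
        return True
    except LimitExceeded:
        return False
```

On a real installation the two properties are passed to the JVM as -D options; the model only shows what enforcing the cap buys.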

A flaw was found in the Tomcat MemoryUserDatabase: if a runtime exception
occurred when creating a new user with a JMX client, that user's password was logged
to Tomcat log files. Note: By default, only administrators have access to
such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using
the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application
running on a Tomcat instance could use this flaw to bypass security manager
restrictions and gain access to files it would otherwise be unable to
access, or possibly terminate the Java Virtual Machine (JVM). The HTTP NIO
connector is used by default in JBoss Enterprise Web Server.
(CVE-2011-2526)

Red Hat would like to thank oCERT for reporting CVE-2011-4858, and the
Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges
Julian Wälde and Alexander Klink as the original reporters of
CVE-2011-4858.


Solution

Users of Tomcat should upgrade to these updated packages, which
resolve these issues. Tomcat must be restarted for this update to take
effect.

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258
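To confirm the upgrade step above was actually applied, an administrator can compare the build reported by `rpm -q tomcat6` with the fixed build named in this advisory. The following is an added example, not part of the advisory or of Red Hat tooling; it reimplements rpm's version-segment comparison rules in Python (tilde and caret ordering from newer rpm releases are not modelled, and the epoch is assumed equal).

```python
import re

# Fixed version-release per product, taken from this advisory's package list.
FIXED_VR = {
    "el5": "6.0.32-24_patch_07.ep5.el5",
    "el6": "6.0.32-24_patch_07.ep5.el6",
}
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")
_RPM_Q = re.compile(r"^tomcat6-(?P<vr>.+\.(?P<dist>el[56]))(?:\.noarch)?$")


def rpmvercmp(a, b):
    """Compare two rpm version (or release) strings the way rpmvercmp does:
    split into numeric and alphabetic segments, numbers compare as integers
    (so '07' == '7'), letters compare as strings, a numeric segment beats an
    alphabetic one, and a leftover segment wins only if it is numeric.
    Tilde/caret handling of newer rpm versions is not modelled (assumption)."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    extra = (sa if len(sa) > len(sb) else sb)[min(len(sa), len(sb))]
    sign = 1 if len(sa) > len(sb) else -1
    return sign if extra.isdigit() else -sign


def compare_vr(installed, fixed):
    """Version decides first, release only on a tie; epoch is assumed equal."""
    iv, _, ir = installed.partition("-")
    fv, _, fr = fixed.partition("-")
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def is_fixed(rpm_q_line):
    """True if a line from `rpm -q tomcat6` names a build at or above the fixed one."""
    m = _RPM_Q.match(rpm_q_line.strip())
    if not m:
        raise ValueError(f"not a tomcat6 EL5/EL6 package name: {rpm_q_line!r}")
    return compare_vr(m.group("vr"), FIXED_VR[m.group("dist")]) >= 0
```

A build at or above the fixed one still needs the restart the Solution section calls for before the fix is live.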

Updated packages

JBoss Enterprise Web Server v1 EL5

JBoss Enterprise Web Server v1 EL6

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

717013 - CVE-2011-2204 tomcat: password disclosure vulnerability
720948 - CVE-2011-2526 tomcat: security manager restrictions bypass
734868 - CVE-2011-3190 tomcat: authentication bypass and information disclosure
741401 - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
782624 - CVE-2011-3375 tomcat: information disclosure due to improper response and request object recycling
783359 - CVE-2012-0022 tomcat: large number of parameters DoS


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/