====================================================================
CERT-Renater Information Note No. 2012/VULN448
____________________________________________________________________

DATE                 : 08/11/2012
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Apache Tomcat versions prior to
                       7.0.30, 6.0.36, 5.5.36.
======================================================================

http://mail-archives.apache.org/mod_mbox/tomcat-announce/201211.mbox/%3C5098445F.50406@apache.org%3E
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201211.mbox/%3C5098445A.3020407@apache.org%3E
http://mail-archives.apache.org/mod_mbox/tomcat-announce/201211.mbox/%3C5098E206.10602@apache.org%3E
______________________________________________________________________

CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
- Tomcat 5.5.0 to 5.5.35
- Earlier, unsupported versions may also be affected

Description:
Three weaknesses in Tomcat's implementation of DIGEST authentication
were identified and resolved:

1. Tomcat tracked client rather than server nonces and nonce count.
2. When a session ID was present, authentication was bypassed.
3. The user name and password were not checked before indicating that
   a nonce was stale.

These issues reduced the security of DIGEST authentication, making
replay attacks possible in some circumstances.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
- Tomcat 5.5.x users should upgrade to 5.5.36 or later

Credit:
The first issue was identified by Tilmann Kuhn. The second and third
issues were identified by the Tomcat security team during the code
review resulting from the first issue.
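The following sketch, added here as an illustration and not Tomcat's own code, shows the server-side behaviour the fix restores for the three weaknesses above: the server keeps the nonces it issued and the nonce count seen for each (1), is consulted on every request with no session-based shortcut (2), and verifies the credential before it reports a nonce as stale (3). The realm, user store and request values are constructed for the demonstration.

```python
import hashlib
import secrets

REALM = "demo-realm"                 # constructed realm
USERS = {"alice": "correct horse"}   # constructed user store


def md5_hex(*parts):
    """RFC 2617 H(): MD5 over colon-joined fields (the scheme's own hash)."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()


def client_response(user, password, method, uri, nonce, nc, cnonce):
    """Authorization fields a client sends back (qop=auth); drives the verifier."""
    ha1 = md5_hex(user, REALM, password)
    ha2 = md5_hex(method, uri)
    return {"username": user, "nonce": nonce, "nc": nc, "cnonce": cnonce,
            "response": md5_hex(ha1, nonce, nc, cnonce, "auth", ha2)}


class DigestVerifier:
    """Keeps the nonces *this server* issued and the highest nc seen for each."""
    def __init__(self, nonce_ttl=300):
        self.nonce_ttl = nonce_ttl
        self.nonces = {}  # nonce -> [issued_at, last_nc]

    def issue_nonce(self, now):
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [now, 0]
        return nonce

    def verify(self, method, uri, auth, now):
        """Return 'ok', 'bad-credentials', 'stale' or 'replay'. Called on every
        request: a session cookie is never accepted in its place (weakness 2)."""
        password = USERS.get(auth["username"])
        # Weakness 3: credentials first; only an authenticated client is told 'stale'.
        if password is None:
            return "bad-credentials"
        expected = client_response(auth["username"], password, method, uri,
                                   auth["nonce"], auth["nc"], auth["cnonce"])
        if not secrets.compare_digest(expected["response"], auth["response"]):
            return "bad-credentials"
        # Weakness 1: nonce must be one we issued and unexpired, with strictly rising nc.
        entry = self.nonces.get(auth["nonce"])
        if entry is None or now - entry[0] > self.nonce_ttl:
            self.nonces.pop(auth["nonce"], None)
            return "stale"
        nc = int(auth["nc"], 16)
        if nc <= entry[1]:
            return "replay"
        entry[1] = nc
        return "ok"
```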
References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html
___________________________________________________________________

CVE-2012-2733 Apache Tomcat Denial of Service

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35

Description:
The checks that limited the permitted size of request headers were
implemented too late in the request parsing process for the HTTP NIO
connector. This enabled a malicious user to trigger an OutOfMemoryError
by sending a single request with very large headers.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.28 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by Josh Spiewak.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
_____________________________________________________________

It has been brought to the attention of the Apache Tomcat PMC that the
Tomcat 6.0.36 release announcement below was sent to the Tomcat users
list and the Tomcat developers list but not the Tomcat and ASF announce
lists. Please accept our apologies if you missed the Apache Tomcat
6.0.36 release announcement due to this oversight.

Mark
on behalf of the Apache Tomcat PMC

-------- Original Message --------
Subject: [ANN] Apache Tomcat 6.0.36 released
From: jean-frederic clere
Reply-To: Tomcat Users List
To: Tomcat Developers List, Tomcat Users List

The Apache Tomcat team announces the immediate availability of Apache
Tomcat 6.0.36 stable.

Apache Tomcat 6.0.36 is primarily a security and bug fix release. All
users of older versions of the Tomcat 6.0 family should upgrade to
6.0.36.
Note that this version has 4 zip binaries: a generic one and three
bundled with Tomcat native binaries for different CPU architectures.

Apache Tomcat 6.0 includes new features over Apache Tomcat 5.5,
including support for the new Servlet 2.5 and JSP 2.1 specifications,
a refactored clustering implementation, advanced IO features, and
improvements in memory usage.

Please refer to the change log for the list of changes:
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Downloads:
http://tomcat.apache.org/download-60.cgi

Migration guide from Apache Tomcat 5.5.x:
http://tomcat.apache.org/migration.html

Thank you,

-- The Apache Tomcat Team

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44     +
+ 23 - 25 Rue Daviel    | fax  : 01-53-94-20-41     +
+ 75013 Paris           | email: certsvp@renater.fr +
=========================================================