ID 134ACAA2-51EF-11E2-8E34-0022156E8794 Type freebsd Reporter FreeBSD Modified 2017-03-18T00:00:00
Description
The Apache Software Foundation reports:
When using the NIO connector with sendfile and HTTPS enabled, if a
client breaks the connection while reading the response an infinite loop
is entered leading to a denial of service.
{"result": {"cve": [{"id": "CVE-2012-4534", "type": "cve", "title": "CVE-2012-4534", "description": "org/apache/tomcat/util/net/NioEndpoint.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the NIO connector is used in conjunction with sendfile and HTTPS, allows remote attackers to cause a denial of service (infinite loop) by terminating the connection during the reading of a response.", "published": "2012-12-19T06:55:54", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4534", "cvelist": ["CVE-2012-4534"], "lastseen": "2017-09-19T13:38:25"}], "nessus": [{"id": "FREEBSD_PKG_134ACAA251EF11E28E340022156E8794.NASL", "type": "nessus", "title": "FreeBSD : tomcat -- denial of service (134acaa2-51ef-11e2-8e34-0022156e8794)", "description": "The Apache Software Foundation reports :\n\nWhen using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while reading the response an infinite loop is entered leading to a denial of service.", "published": "2012-12-31T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63364", "cvelist": ["CVE-2012-4534"], "lastseen": "2018-07-01T14:21:31"}, {"id": "OPENSUSE-2013-24.NASL", "type": "nessus", "title": "openSUSE Security Update : tomcat (openSUSE-SU-2013:0170-1)", "description": "- fix bnc#794548 - denial of service (CVE-2012-4534)\n\n - tomcat-CVE-2012-4534.patch fixes apache#53138, apache#52858 http://svn.apache.org/viewvc?view=rev&rev=1340218", "published": "2014-06-13T00:00:00", "cvss": {"score": 2.6, "vector": "AV:NETWORK/AC:HIGH/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74942", "cvelist": ["CVE-2012-4534"], "lastseen": "2018-07-01T14:20:24"}, {"id": "TOMCAT_7_0_28.NASL", "type": "nessus", "title": "Apache Tomcat 7.0.x < 7.0.28 Multiple DoS", "description": "According to its self-reported version number, the instance of Apache Tomcat 7.0 listening on the remote host is prior to 7.0.28. It is, therefore, affected by the following vulnerabilities :\n\n - A flaw exists within the parseHeaders() function that allows an attacker, via a crafted header, to cause a remote denial of service. (CVE-2012-2733)\n\n - An error exists related to the 'NIO' connector when HTTPS and 'sendfile' are enabled that can force the application into an infinite loop. (CVE-2012-4534)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "published": "2012-11-21T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=62985", "cvelist": ["CVE-2012-2733", "CVE-2012-4534"], "lastseen": "2018-07-01T13:42:06"}, {"id": "OPENSUSE-2013-23.NASL", "type": "nessus", "title": "openSUSE Security Update : tomcat6 (openSUSE-SU-2013:0161-1)", "description": "- fix bnc#794548 - denial of service (CVE-2012-4534)\n\n - apache-tomcat-CVE-2012-4534.patch fixes apache#53138, apache#52858 http://svn.apache.org/viewvc?view=rev&rev=1372035\n\n - fix a minor issue in apache-tomcat-CVE-2012-4431.patch use the already initialized session variable instead of an another call req.getSesssion()", "published": "2014-06-13T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=74938", "cvelist": ["CVE-2012-4431", "CVE-2012-4534"], "lastseen": "2018-07-21T07:55:57"}, {"id": "VMWARE_VCENTER_VMSA-2013-0006.NASL", "type": "nessus", "title": "VMware Security Updates for vCenter Server (VMSA-2013-0006)", "description": "The version of VMware vCenter installed on the remote host is 5.1 prior to update 1. It therefore is potentially affected by the following vulnerabilities :\n\n - When deployed in an environment that uses Active Directory with anonymous LDAP binding enabled, VMware vCenter doesn't properly handle login credentials.\n (CVE-2013-3107)\n\n - The bundled version of Oracle JRE is earlier than 1.6.0_37 and thus, is affected by multiple security issues.\n\n - The bundled version of Apache Tomcat is affected by multiple issues. (CVE-2012-2733, CVE-2012-4534)", "published": "2013-04-30T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=66274", "cvelist": ["CVE-2012-2733", "CVE-2013-3107", "CVE-2012-4534"], "lastseen": "2018-07-01T13:43:28"}, {"id": "UBUNTU_USN-1685-1.NASL", "type": "nessus", "title": "Ubuntu 10.04 LTS / 11.10 / 12.04 LTS / 12.10 : tomcat6, tomcat7 vulnerabilities (USN-1685-1)", "description": "It was discovered that Tomcat incorrectly performed certain security constraint checks in the FORM authenticator. A remote attacker could possibly use this flaw with a specially crafted URI to bypass security constraint checks. This issue only affected Ubuntu 10.04 LTS, Ubuntu 11.10 and Ubuntu 12.04 LTS. (CVE-2012-3546)\n\nIt was discovered that Tomcat incorrectly handled requests that lack a session identifier. A remote attacker could possibly use this flaw to bypass the cross-site request forgery protection. (CVE-2012-4431)\n\nIt was discovered that Tomcat incorrectly handled sendfile and HTTPS when the NIO connector is used. A remote attacker could use this flaw to cause Tomcat to stop responsing, resulting in a denial of service.\nThis issue only affected Ubuntu 10.04 LTS, Ubuntu 11.10 and Ubuntu 12.04 LTS. (CVE-2012-4534).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2013-01-15T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=63535", "cvelist": ["CVE-2012-4431", "CVE-2012-3546", "CVE-2012-4534"], "lastseen": "2018-07-01T13:47:04"}, {"id": "SL_20130311_TOMCAT6_ON_SL6_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : tomcat6 on SL6.x (noarch)", "description": "It was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending '/j_security_check' to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls, and thereby access resources not permitted by the roles associated with their authenticated session.\n(CVE-2012-3546)\n\nA flaw was found in the way Tomcat handled sendfile operations when using the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker could use this flaw to cause a denial of service (infinite loop). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Scientific Linux 6.\n(CVE-2012-4534)\n\nMultiple weaknesses were found in the Tomcat DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)\n\nTomcat must be restarted for this update to take effect.", "published": "2013-03-13T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=65243", "cvelist": ["CVE-2012-5887", "CVE-2012-3546", "CVE-2012-5886", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2018-07-01T14:28:50"}, {"id": "REDHAT-RHSA-2013-0623.NASL", "type": "nessus", "title": "RHEL 6 : tomcat6 (RHSA-2013:0623)", "description": "Updated tomcat6 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nApache Tomcat is a servlet container.\n\nIt was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending '/j_security_check' to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls, and thereby access resources not permitted by the roles associated with their authenticated session.\n(CVE-2012-3546)\n\nA flaw was found in the way Tomcat handled sendfile operations when using the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker could use this flaw to cause a denial of service (infinite loop). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6.\n(CVE-2012-4534)\n\nMultiple weaknesses were found in the Tomcat DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)\n\nUsers of Tomcat should upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect.", "published": "2013-03-12T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=65201", "cvelist": ["CVE-2012-5887", "CVE-2012-3546", "CVE-2012-5886", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2018-07-01T13:53:54"}, {"id": "CENTOS_RHSA-2013-0623.NASL", "type": "nessus", "title": "CentOS 6 : tomcat6 (CESA-2013:0623)", "description": "Updated tomcat6 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nApache Tomcat is a servlet container.\n\nIt was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending '/j_security_check' to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls, and thereby access resources not permitted by the roles associated with their authenticated session.\n(CVE-2012-3546)\n\nA flaw was found in the way Tomcat handled sendfile operations when using the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker could use this flaw to cause a denial of service (infinite loop). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6.\n(CVE-2012-4534)\n\nMultiple weaknesses were found in the Tomcat DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)\n\nUsers of Tomcat should upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect.", "published": "2013-03-13T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=65225", "cvelist": ["CVE-2012-5887", "CVE-2012-3546", "CVE-2012-5886", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2018-07-04T05:28:20"}, {"id": "ORACLELINUX_ELSA-2013-0623.NASL", "type": "nessus", "title": "Oracle Linux 6 : tomcat6 (ELSA-2013-0623)", "description": "From Red Hat Security Advisory 2013:0623 :\n\nUpdated tomcat6 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nApache Tomcat is a servlet container.\n\nIt was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending '/j_security_check' to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls, and thereby access resources not permitted by the roles associated with their authenticated session.\n(CVE-2012-3546)\n\nA flaw was found in the way Tomcat handled sendfile operations when using the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker could use this flaw to cause a denial of service (infinite loop). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6.\n(CVE-2012-4534)\n\nMultiple weaknesses were found in the Tomcat DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887)\n\nUsers of Tomcat should upgrade to these updated packages, which correct these issues. Tomcat must be restarted for this update to take effect.", "published": "2013-07-12T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=68786", "cvelist": ["CVE-2012-5887", "CVE-2012-3546", "CVE-2012-5886", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2018-07-21T08:34:24"}], "openvas": [{"id": "OPENVAS:103873", "type": "openvas", "title": "VMware Security Updates for vCenter Server (VMSA-2013-0006)", "description": "VMware has updated vCenter Server to address multiple security\nvulnerabilities.", "published": "2014-01-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=103873", "cvelist": ["CVE-2012-2733", "CVE-2013-3107", "CVE-2012-4534"], "lastseen": "2017-07-25T10:48:41"}, {"id": "OPENVAS:841274", "type": "openvas", "title": "Ubuntu Update for tomcat7 USN-1685-1", "description": "Check for the Version of tomcat7", "published": "2013-01-15T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=841274", "cvelist": ["CVE-2012-4431", "CVE-2012-3546", "CVE-2012-4534"], "lastseen": "2018-01-26T11:09:37"}, {"id": "OPENVAS:1361412562310841274", "type": "openvas", "title": "Ubuntu Update for tomcat7 USN-1685-1", "description": "Check for the Version of tomcat7", "published": "2013-01-15T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310841274", "cvelist": ["CVE-2012-4431", "CVE-2012-3546", "CVE-2012-4534"], "lastseen": "2018-04-30T13:58:18"}, {"id": "OPENVAS:1361412562310103873", "type": "openvas", "title": "VMware Security Updates for vCenter Server (VMSA-2013-0006)", "description": "VMware has updated vCenter Server to address multiple security\nvulnerabilities.", "published": "2014-01-09T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310103873", "cvelist": ["CVE-2012-2733", "CVE-2013-3107", "CVE-2012-4534"], "lastseen": "2018-04-06T11:11:55"}, {"id": "OPENVAS:870958", "type": "openvas", "title": "RedHat Update for tomcat6 RHSA-2013:0623-01", "description": "Check for the Version of tomcat6", "published": "2013-03-12T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=870958", "cvelist": ["CVE-2012-5887", "CVE-2012-3546", "CVE-2012-5886", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2018-01-26T11:10:02"}, {"id": "OPENVAS:1361412562310870958", "type": "openvas", "title": "RedHat Update for tomcat6 RHSA-2013:0623-01", "description": "Check for the Version of tomcat6", "published": "2013-03-12T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310870958", "cvelist": ["CVE-2012-5887", "CVE-2012-3546", "CVE-2012-5886", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2018-04-06T11:22:45"}, {"id": "OPENVAS:1361412562310864957", "type": "openvas", "title": "Fedora Update for tomcat FEDORA-2012-20151", "description": "Check for the Version of tomcat", "published": "2012-12-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310864957", "cvelist": ["CVE-2012-3439", "CVE-2012-4431", "CVE-2012-2733", "CVE-2012-3546", "CVE-2012-4534"], "lastseen": "2018-04-06T11:17:46"}, {"id": "OPENVAS:864957", "type": "openvas", "title": "Fedora Update for tomcat FEDORA-2012-20151", "description": "Check for the Version of tomcat", "published": "2012-12-26T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=864957", "cvelist": ["CVE-2012-3439", "CVE-2012-4431", "CVE-2012-2733", "CVE-2012-3546", "CVE-2012-4534"], "lastseen": "2018-01-06T13:06:53"}, {"id": "OPENVAS:881689", "type": "openvas", "title": "CentOS Update for tomcat6 CESA-2013:0623 centos6 ", "description": "Check for the Version of tomcat6", "published": "2013-03-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=881689", "cvelist": ["CVE-2012-5887", "CVE-2012-3546", "CVE-2012-5886", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2018-01-22T13:09:36"}, {"id": "OPENVAS:1361412562310881689", "type": "openvas", "title": "CentOS Update for tomcat6 CESA-2013:0623 centos6 ", "description": "Check for the Version of tomcat6", "published": "2013-03-15T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310881689", "cvelist": ["CVE-2012-5887", "CVE-2012-3546", "CVE-2012-5886", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2018-04-06T11:20:59"}], "ubuntu": [{"id": "USN-1685-1", "type": "ubuntu", "title": "Tomcat vulnerabilities", "description": "It was discovered that Tomcat incorrectly performed certain security constraint checks in the FORM authenticator. A remote attacker could possibly use this flaw with a specially-crafted URI to bypass security constraint checks. This issue only affected Ubuntu 10.04 LTS, Ubuntu 11.10 and Ubuntu 12.04 LTS. (CVE-2012-3546)\n\nIt was discovered that Tomcat incorrectly handled requests that lack a session identifier. A remote attacker could possibly use this flaw to bypass the cross-site request forgery protection. (CVE-2012-4431)\n\nIt was discovered that Tomcat incorrectly handled sendfile and HTTPS when the NIO connector is used. A remote attacker could use this flaw to cause Tomcat to stop responsing, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS, Ubuntu 11.10 and Ubuntu 12.04 LTS. (CVE-2012-4534)", "published": "2013-01-14T00:00:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://usn.ubuntu.com/1685-1/", "cvelist": ["CVE-2012-4431", "CVE-2012-3546", "CVE-2012-4534"], "lastseen": "2018-03-29T18:20:19"}], "thn": [{"id": "THN:109F3CE2A5819B3E1345F63EBB346D6C", "type": "thn", "title": "Apache Tomcat Multiple Critical Vulnerabilities", "description": " \n\n\nSome critical vulnerabilities have been reported in Apache Tomcat, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service) attack. These vulnerabilities affect Apache Tomcat 6.x and Apache Tomcat 7.x .\n\n \n\n\n**Apache Tomcat vulnerabilities**\n\n * [CVE-2012-4534](<https://mail-archives.apache.org/mod_mbox/tomcat-announce/201212.mbox/%3C50BE535A.9000600@apache.org%3E>) Apache Tomcat denial of service\n * [CVE-2012-3546](<https://mail-archives.apache.org/mod_mbox/tomcat-announce/201212.mbox/%3C50BE5367.6090809@apache.org%3E>) Apache Tomcat Bypass of security constraints\n * [CVE-2012-4431](<https://mail-archives.apache.org/mod_mbox/tomcat-announce/201212.mbox/%3C50BE536F.6000705@apache.org%3E>) Apache Tomcat Bypass of CSRF prevention filter\n\n \n\n\n[](<http://4.bp.blogspot.com/-0qdwDlCWUCs/UL-H7JHOG1I/AAAAAAAAOhg/7BPoAXuqTh0/s1600/apache-tomcat-7.png>)\n\n \n\n\nAccording to CVE-2012-4431 , The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request.\n\n \n\n\nCVE-2012-4534, DOS includes vulnerabilities ranging from excessive resource consumption (e.g. causing a system to use a lot of memory) to crashing an application or an entire system.\n\n \n\n\nWhereas, CVE-2012-3546 - where malicious users or people can bypass certain security mechanisms of the application. The actual impact varies significantly depending on the design and purpose of the affected application.\n\n \n\n\nIf you are affected, Please update your Tomcat to a fixed version i.e \n\n * Tomcat 7.x: Update to version 7.0.32.\n * Tomcat 6.x: Update to version 6.0.36.\n", "published": "2012-12-05T06:45:00", "cvss": {"score": 4.3, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://thehackernews.com/2012/12/apache-tomcat-multiple-critical.html", "cvelist": ["CVE-2012-4431", "CVE-2012-3546", "CVE-2012-4534"], "lastseen": "2017-01-08T18:01:28"}], "redhat": [{"id": "RHSA-2013:0623", "type": "redhat", "title": "(RHSA-2013:0623) Important: tomcat6 security update", "description": "Apache Tomcat is a servlet container.\n\nIt was found that when an application used FORM authentication, along with\nanother component that calls request.setUserPrincipal() before the call to\nFormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was\npossible to bypass the security constraint checks in the FORM authenticator\nby appending \"/j_security_check\" to the end of a URL. A remote attacker\nwith an authenticated session on an affected application could use this\nflaw to circumvent authorization controls, and thereby access resources not\npermitted by the roles associated with their authenticated session.\n(CVE-2012-3546)\n\nA flaw was found in the way Tomcat handled sendfile operations when using\nthe HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker\ncould use this flaw to cause a denial of service (infinite loop). The HTTP\nblocking IO (BIO) connector, which is not vulnerable to this issue, is used\nby default in Red Hat Enterprise Linux 6. (CVE-2012-4534)\n\nMultiple weaknesses were found in the Tomcat DIGEST authentication\nimplementation, effectively reducing the security normally provided by\nDIGEST authentication. A remote attacker could use these flaws to perform\nreplay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,\nCVE-2012-5887)\n\nUsers of Tomcat should upgrade to these updated packages, which correct\nthese issues. Tomcat must be restarted for this update to take effect.\n", "published": "2013-03-11T04:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0623", "cvelist": ["CVE-2012-3546", "CVE-2012-4534", "CVE-2012-5885", "CVE-2012-5886", "CVE-2012-5887"], "lastseen": "2018-06-12T21:10:16"}, {"id": "RHSA-2013:0266", "type": "redhat", "title": "(RHSA-2013:0266) Moderate: tomcat6 security update", "description": "Apache Tomcat is a servlet container.\n\nIt was found that sending a request without a session identifier to a\nprotected resource could bypass the Cross-Site Request Forgery (CSRF)\nprevention filter. A remote attacker could use this flaw to perform\nCSRF attacks against applications that rely on the CSRF prevention filter\nand do not contain internal mitigation for CSRF. (CVE-2012-4431)\n\nA flaw was found in the way Tomcat handled sendfile operations when using\nthe HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker\ncould use this flaw to cause a denial of service (infinite loop). The HTTP\nNIO connector is used by default in JBoss Enterprise Web Server. The Apache\nPortable Runtime (APR) connector from the Tomcat Native library was not\naffected by this flaw. (CVE-2012-4534)\n\nMultiple weaknesses were found in the Tomcat DIGEST authentication\nimplementation, effectively reducing the security normally provided by\nDIGEST authentication. A remote attacker could use these flaws to perform\nreplay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,\nCVE-2012-5887)\n\nA denial of service flaw was found in the way the Tomcat HTTP NIO connector\nenforced limits on the permitted size of request headers. A remote attacker\ncould use this flaw to trigger an OutOfMemoryError by sending a\nspecially-crafted request with very large headers. The HTTP NIO connector\nis used by default in JBoss Enterprise Web Server. The APR connector from\nthe Tomcat Native library was not affected by this flaw. (CVE-2012-2733)\n\nWarning: Before applying the update, back up your existing JBoss Enterprise\nWeb Server installation (including all applications and configuration\nfiles).\n\nUsers of Tomcat should upgrade to these updated packages, which resolve\nthese issues. Tomcat must be restarted for this update to take effect.", "published": "2013-02-20T01:29:27", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0266", "cvelist": ["CVE-2012-2733", "CVE-2012-4431", "CVE-2012-4534", "CVE-2012-5885", "CVE-2012-5886", "CVE-2012-5887"], "lastseen": "2018-06-06T23:50:39"}, {"id": "RHSA-2013:0265", "type": "redhat", "title": "(RHSA-2013:0265) Moderate: tomcat6 security update", "description": "Apache Tomcat is a servlet container.\n\nIt was found that sending a request without a session identifier to a\nprotected resource could bypass the Cross-Site Request Forgery (CSRF)\nprevention filter. A remote attacker could use this flaw to perform\nCSRF attacks against applications that rely on the CSRF prevention filter\nand do not contain internal mitigation for CSRF. (CVE-2012-4431)\n\nA flaw was found in the way Tomcat handled sendfile operations when using\nthe HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker\ncould use this flaw to cause a denial of service (infinite loop). The HTTP\nNIO connector is used by default in JBoss Enterprise Web Server. The Apache\nPortable Runtime (APR) connector from the Tomcat Native library was not\naffected by this flaw. (CVE-2012-4534)\n\nMultiple weaknesses were found in the Tomcat DIGEST authentication\nimplementation, effectively reducing the security normally provided by\nDIGEST authentication. A remote attacker could use these flaws to perform\nreplay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,\nCVE-2012-5887)\n\nA denial of service flaw was found in the way the Tomcat HTTP NIO connector\nenforced limits on the permitted size of request headers. A remote attacker\ncould use this flaw to trigger an OutOfMemoryError by sending a\nspecially-crafted request with very large headers. The HTTP NIO connector\nis used by default in JBoss Enterprise Web Server. The APR connector from\nthe Tomcat Native library was not affected by this flaw. (CVE-2012-2733)\n\nWarning: Before applying the update, back up your existing JBoss Enterprise\nWeb Server installation (including all applications and configuration\nfiles).\n\nAll users of JBoss Enterprise Web Server 2.0.0 as provided from the Red Hat\nCustomer Portal are advised to apply this update.", "published": "2013-02-20T01:28:50", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:PARTIAL/"}, "href": "https://access.redhat.com/errata/RHSA-2013:0265", "cvelist": ["CVE-2012-2733", "CVE-2012-4431", "CVE-2012-4534", "CVE-2012-5885", "CVE-2012-5886", "CVE-2012-5887"], "lastseen": "2018-06-06T23:50:12"}], "centos": [{"id": "CESA-2013:0623", "type": "centos", "title": "tomcat6 security update", "description": "**CentOS Errata and Security Advisory** CESA-2013:0623\n\n\nApache Tomcat is a servlet container.\n\nIt was found that when an application used FORM authentication, along with\nanother component that calls request.setUserPrincipal() before the call to\nFormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was\npossible to bypass the security constraint checks in the FORM authenticator\nby appending \"/j_security_check\" to the end of a URL. A remote attacker\nwith an authenticated session on an affected application could use this\nflaw to circumvent authorization controls, and thereby access resources not\npermitted by the roles associated with their authenticated session.\n(CVE-2012-3546)\n\nA flaw was found in the way Tomcat handled sendfile operations when using\nthe HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker\ncould use this flaw to cause a denial of service (infinite loop). The HTTP\nblocking IO (BIO) connector, which is not vulnerable to this issue, is used\nby default in Red Hat Enterprise Linux 6. (CVE-2012-4534)\n\nMultiple weaknesses were found in the Tomcat DIGEST authentication\nimplementation, effectively reducing the security normally provided by\nDIGEST authentication. A remote attacker could use these flaws to perform\nreplay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,\nCVE-2012-5887)\n\nUsers of Tomcat should upgrade to these updated packages, which correct\nthese issues. Tomcat must be restarted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2013-March/019640.html\n\n**Affected packages:**\ntomcat6\ntomcat6-admin-webapps\ntomcat6-docs-webapp\ntomcat6-el-2.1-api\ntomcat6-javadoc\ntomcat6-jsp-2.1-api\ntomcat6-lib\ntomcat6-servlet-2.5-api\ntomcat6-webapps\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2013-0623.html", "published": "2013-03-12T05:31:44", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2013-March/019640.html", "cvelist": ["CVE-2012-5887", "CVE-2012-3546", "CVE-2012-5886", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2017-10-03T18:26:32"}], "oraclelinux": [{"id": "ELSA-2013-0623", "type": "oraclelinux", "title": "tomcat6 security update", "description": "[0:6.0.24-52]\n- Related: rhbz 882010 rhbz 883692 rhbz 883705\n- Javadoc generation did not work. Using targetrhel-6.4.Z-noarch-candidate\n- to avoid building on ppc64, ppc, and x390x.\n[0:6.0.24-50]\n- Resolves: rhbz 882010 CVE-2012-3439 CVE-2012-5885 CVE-2012-5886 CVE-2012-5887\n- three DIGEST authentication issues\n- Resolves: rhbz 883692 CVE-2012-4534 Denial of service when using\n- SSL NIO sendfile\n- Resolves: rhbz 883705 CVE-2012-3546 Bypass of Realm security constraints", "published": "2013-03-11T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2013-0623.html", "cvelist": ["CVE-2012-3439", "CVE-2012-5887", "CVE-2012-3546", "CVE-2012-5886", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2016-09-04T11:16:19"}], "atlassian": [{"id": "ATLASSIAN:CONFCLOUD-29345", "type": "atlassian", "title": "Upgrade bundled Tomcat to 6.0.37", "description": "{panel:bgColor=#e7f4fa}\n *NOTE:* This suggestion is for *Confluence Cloud*. Using *Confluence Server*? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFSERVER-29345].\n {panel}\n\nCustomer related a security flaw in Tomcat 6.0.35 and requests that we upgrade the bundled version.", "published": "2013-05-21T00:23:31", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://jira.atlassian.com/browse/CONFCLOUD-29345", "cvelist": ["CVE-2012-3544", "CVE-2012-3439", "CVE-2012-2071", "CVE-2013-2071", "CVE-2012-4431", "CVE-2012-2733", "CVE-2013-2067", "CVE-2012-3546", "CVE-2012-4534"], "lastseen": "2017-04-02T10:17:24"}, {"id": "ATLASSIAN:CONFSERVER-29345", "type": "atlassian", "title": "Upgrade bundled Tomcat to 6.0.37", "description": "{panel:bgColor=#e7f4fa}\n *NOTE:* This suggestion is for *Confluence Server*. Using *Confluence Cloud*? [See the corresponding suggestion|http://jira.atlassian.com/browse/CONFCLOUD-29345].\n {panel}\n\nCustomer related a security flaw in Tomcat 6.0.35 and requests that we upgrade the bundled version.", "published": "2013-05-21T00:23:31", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://jira.atlassian.com/browse/CONFSERVER-29345", "cvelist": ["CVE-2012-3544", "CVE-2012-3439", "CVE-2012-2071", "CVE-2013-2071", "CVE-2012-4431", "CVE-2012-2733", "CVE-2013-2067", "CVE-2012-3546", "CVE-2012-4534"], "lastseen": "2017-04-02T10:17:25"}, {"id": "ATLASSIAN:CONF-29345", "type": "atlassian", "title": "Upgrade bundled Tomcat to 6.0.37", "description": "Customer related a security flaw in Tomcat 6.0.35 and requests that we upgrade the bundled version.", "published": "2013-05-21T00:23:31", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://jira.atlassian.com/browse/CONF-29345", "cvelist": ["CVE-2012-3544", "CVE-2012-3439", "CVE-2012-2071", "CVE-2013-2071", "CVE-2012-4431", "CVE-2012-2733", "CVE-2013-2067", "CVE-2012-3546", "CVE-2012-4534"], "lastseen": "2017-03-22T18:16:54"}], "vmware": [{"id": "VMSA-2013-0006", "type": "vmware", "title": "VMware security updates for vCenter Server", "description": "a. vCenter Server AD anonymous LDAP binding credential by-pass \n \nvCenter Server when deployed in an environment that uses Active Directory (AD) with anonymous LDAP binding enabled doesn't properly handle login credentials. In this environment, authenticating to vCenter Server with a valid user name and a blank password may be successful even if a non-blank password is required for the account. \nThe issue is present on vCenter Server 5.1, 5.1a and 5.1b if AD anonymous LDAP binding is enabled. The issue is addressed in vCenter Server 5.1 Update 1 by removing the possibility to authenticate using blank passwords. This change in the authentication mechanism is present regardless if anonymous binding is enabled or not. \n**Workaround** \nThe workaround is to discontinue the use of AD anonymous LDAP binding if it is enabled in your environment. AD anonymous LDAP binding is not enabled by default. The TechNet article listed in the references section explains how to check for anonymous binding (look for \"anonymous binding\" in the article: anonymous binding is enabled if the seventh bit of the dsHeuristics attribute is set to 2) \n \nThe Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2013-3107 to this issue. \nColumn 4 of the following table lists the action required to remediate the vulnerability in each release, if a solution is available. \n\n", "published": "2013-04-25T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.vmware.com/security/advisories/VMSA-2013-0006.html", "cvelist": ["CVE-2013-3080", "CVE-2012-5887", "CVE-2012-4431", "CVE-2012-2733", "CVE-2013-3079", "CVE-2013-3107", "CVE-2012-3546", "CVE-2012-5886", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2016-09-04T11:19:40"}], "gentoo": [{"id": "GLSA-201412-29", "type": "gentoo", "title": "Apache Tomcat: Multiple vulnerabilities", "description": "### Background\n\nApache Tomcat is a Servlet-3.0/JSP-2.2 Container.\n\n### Description\n\nMultiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. \n\n### Impact\n\nA remote attacker may be able to cause a Denial of Service condition as well as obtain sensitive information, bypass protection mechanisms and authentication restrictions. \n\n### Workaround\n\nThere is no known workaround at this time.\n\n### Resolution\n\nAll Tomcat 6.0.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/tomcat-6.0.41\"\n \n\nAll Tomcat 7.0.x users should upgrade to the latest version:\n \n \n # emerge --sync\n # emerge --ask --oneshot --verbose \">=www-servers/tomcat-7.0.56\"", "published": "2014-12-15T00:00:00", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://security.gentoo.org/glsa/201412-29", "cvelist": ["CVE-2012-3544", "CVE-2013-2071", "CVE-2012-5887", "CVE-2014-0099", "CVE-2014-0119", "CVE-2013-4322", "CVE-2012-4431", "CVE-2012-2733", "CVE-2014-0050", "CVE-2013-2067", "CVE-2013-4286", "CVE-2013-4590", "CVE-2014-0096", "CVE-2014-0075", "CVE-2012-3546", "CVE-2012-5886", "CVE-2014-0033", "CVE-2012-4534", "CVE-2012-5885"], "lastseen": "2016-09-06T19:46:52"}]}}
