Apache Tomcat TOMCAT:069B7EBB4E58EC2D5411D908E561D693
History: Aug 18, 2011 - 12:00 a.m.

Fixed in Apache Tomcat 6.0.33

2011-08-18 00:00:00
Apache Tomcat
tomcat.apache.org

CVSS2: 5 Medium (AV:N/AC:L/Au:N/C:P/I:N/A:N)
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: NONE
  Availability Impact: NONE

EPSS: 0.003 Low (percentile 69.2%)

Moderate: Multiple weaknesses in HTTP DIGEST authentication CVE-2011-1184

Note: Mitre elected to break this issue down into multiple issues and have allocated the following additional references to parts of this issue: CVE-2011-5062, CVE-2011-5063 and CVE-2011-5064. The Apache Tomcat security team will continue to treat this as a single issue using the reference CVE-2011-1184.

The implementation of HTTP DIGEST authentication was discovered to have several weaknesses:

  • replay attacks were permitted
  • server nonces were not checked
  • client nonce counts were not checked
  • qop values were not checked
  • realm values were not checked
  • the server secret was hard-coded to a known string

The result of these weaknesses is that DIGEST authentication was only as secure as BASIC authentication.
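The list above is essentially a checklist of what a server-side DIGEST implementation has to verify before the response hash is even compared. The following is an added illustration, not code from Tomcat or from the advisory: a minimal validator that performs each of those checks (realm, qop, server-issued nonce with expiry, strictly increasing nonce count per nonce, and a random per-process server secret instead of a fixed string), plus a helper that computes the RFC 2617 client response so the accept and reject cases can be exercised offline. The nonce format, the 300-second lifetime, the restriction to qop=auth and the sample user store are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time

# Constructed example: server-side HTTP DIGEST validation with the checks the
# advisory lists as missing. Not Tomcat's implementation.

REALM = "example-realm"        # assumed realm for the sample
NONCE_LIFETIME = 300           # assumed policy: seconds a server nonce stays valid


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


class DigestValidator:
    def __init__(self, users, realm=REALM, secret=None, clock=time.time):
        self.users = users                      # username -> password (sample store)
        self.realm = realm
        # Server secret is random per instance, never a hard-coded constant.
        self.secret = secret if secret is not None else secrets.token_bytes(32)
        self.clock = clock
        self._seen = {}                         # nonce -> highest nc accepted so far

    def make_nonce(self):
        # Nonce = timestamp plus an HMAC over it, so only this server can mint
        # one and its age can be checked without storing every nonce issued.
        ts = str(int(self.clock()))
        mac = hmac.new(self.secret, ts.encode(), hashlib.sha256).hexdigest()
        return f"{ts}:{mac}"

    def _nonce_valid(self, nonce):
        ts, _, mac = nonce.partition(":")
        if not ts.isdigit():
            return False
        expected = hmac.new(self.secret, ts.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False                        # not issued by this server
        return self.clock() - int(ts) <= NONCE_LIFETIME

    def validate(self, method, params):
        """Return True only if the parsed Authorization parameters pass every check."""
        if params.get("realm") != self.realm:
            return False                        # realm must be the one we challenged with
        if params.get("qop") != "auth":
            return False                        # this sample only offers/accepts qop=auth
        nonce = params.get("nonce", "")
        if not self._nonce_valid(nonce):
            return False
        try:
            nc = int(params.get("nc", ""), 16)
        except ValueError:
            return False
        if nc <= self._seen.get(nonce, 0):
            return False                        # replayed or reused nonce count
        user = params.get("username")
        password = self.users.get(user)
        if password is None:
            return False
        ha1 = _md5(f"{user}:{self.realm}:{password}")
        ha2 = _md5(f"{method}:{params.get('uri', '')}")
        expected = _md5(f"{ha1}:{nonce}:{params['nc']}:{params.get('cnonce', '')}:auth:{ha2}")
        if not hmac.compare_digest(expected, params.get("response", "")):
            return False
        self._seen[nonce] = nc                  # record only after full success
        return True


def client_response(username, password, realm, method, uri, nonce, nc, cnonce):
    """Compute the RFC 2617 response value a client sends for qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


def build_params(nonce, nc="00000001", cnonce="abc", realm=REALM, qop="auth"):
    """Constructed Authorization parameters for user alice (sample data)."""
    return {
        "username": "alice", "realm": realm, "nonce": nonce, "uri": "/app",
        "qop": qop, "nc": nc, "cnonce": cnonce,
        "response": client_response("alice", "s3cret", REALM, "GET", "/app", nonce, nc, cnonce),
    }


def demo():
    v = DigestValidator({"alice": "s3cret"})
    nonce = v.make_nonce()
    first = v.validate("GET", build_params(nonce))                 # fresh request
    replay = v.validate("GET", build_params(nonce))                # same nc again
    wrong_realm = v.validate("GET", build_params(nonce, nc="00000002", realm="other"))
    return first, replay, wrong_realm


if __name__ == "__main__":
    print(demo())
```

The replay case fails purely on the nonce-count check, which is the point of tracking `nc` per nonce; without it (and without a server-verifiable nonce) a captured Authorization header is reusable for as long as the account exists, which is why the advisory equates the unfixed behaviour with BASIC.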

This was fixed in revision 1158180.

This was identified by the Tomcat security team on 16 March 2011 and made public on 26 September 2011.

Affects: 6.0.0-6.0.32

Low: Information disclosure CVE-2011-2204

When using the MemoryUserDatabase (based on tomcat-users.xml) and creating users via JMX, an exception during the user creation process may trigger an error message in the JMX client that includes the user's password. This error message is also written to the Tomcat logs. User passwords are visible to administrators with JMX access and/or administrators with read access to the tomcat-users.xml file. Users that do not have these permissions but are able to read log files may be able to discover a user's password.

This was fixed in revision 1140071.

This was identified by Polina Genova on 14 June 2011 and made public on 27 June 2011.

Affects: 6.0.0-6.0.32

Low: Information disclosure CVE-2011-2526

Tomcat provides support for sendfile with the HTTP NIO and HTTP APR connectors. sendfile is used automatically for content served via the DefaultServlet, and deployed web applications may use it directly by setting request attributes. These request attributes were not validated. When running under a security manager, this lack of validation allowed a malicious web application to do one or more of the following that would normally be prevented by a security manager:

  • return files to users that the security manager should make inaccessible
  • terminate (via a crash) the JVM

Additionally, these vulnerabilities only occur when all of the following are true:

  • untrusted web applications are being used
  • the SecurityManager is used to limit the untrusted web applications
  • the HTTP NIO or HTTP APR connector is used
  • sendfile is enabled for the connector (this is the default)

This was fixed in revision 1146703.

This was identified by the Tomcat security team on 7 July 2011 and made public on 13 July 2011.

Affects: 6.0.0-6.0.32

Important: Information disclosure CVE-2011-2729

Due to a bug in the capabilities code, jsvc (the service wrapper for Linux that is part of the Commons Daemon project) does not drop capabilities allowing the application to access files and directories owned by superuser. This vulnerability only occurs when all of the following are true:

  • Tomcat is running on a Linux operating system
  • jsvc was compiled with libcap
  • -user parameter is used

Affected Tomcat versions shipped with source files for jsvc that included this vulnerability.
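A practical way to confirm that a patched jsvc actually dropped its capabilities after switching to the `-user` account is to read the effective capability mask of the running process from `/proc/<pid>/status`. The following is an added check, not part of the advisory or of Commons Daemon: it decodes the `CapEff` line into capability names and reports anything beyond an assumed allow-list of just `cap_net_bind_service` (the one capability a daemon bound to a privileged port would plausibly keep). The capability bit numbering follows the Linux `capability.h` order; the two `/proc` dumps are constructed samples, one for a process that dropped everything else and one for a process that kept the full mask.

```python
# Constructed example: verify the effective capabilities of a jsvc/Tomcat process.
# Not part of the Tomcat advisory or the Commons Daemon project.

# Capability names in Linux bit order (bit 0 = cap_chown ...). Bits beyond this
# table are reported as cap_<n>.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
]

# Assumed policy: after dropping to an unprivileged user, a daemon that only
# needs to bind port 80/443 should retain nothing but cap_net_bind_service.
ALLOWED = frozenset({"cap_net_bind_service"})


def effective_caps(status_text):
    """Decode the CapEff line of a /proc/<pid>/status dump into capability names."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            mask = int(line.split(":", 1)[1].strip(), 16)
            break
    else:
        raise ValueError("no CapEff line found")
    names = set()
    bit = 0
    while mask:
        if mask & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"cap_{bit}")
        mask >>= 1
        bit += 1
    return names


def unexpected_caps(status_text, allowed=ALLOWED):
    """Capabilities the process holds that the assumed policy does not permit."""
    return effective_caps(status_text) - allowed


def read_proc_status(pid):
    with open(f"/proc/{pid}/status") as f:
        return f.read()


# Constructed sample dumps (only the lines this check needs).
# 0x400 is bit 10: cap_net_bind_service alone.
FIXED_JSVC = "Name:\tjsvc\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000400\n"
# 0x1fffffffff: bits 0..36 all set, i.e. nothing was dropped.
BROKEN_JSVC = "Name:\tjsvc\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000001fffffffff\n"


if __name__ == "__main__":
    import sys
    text = read_proc_status(sys.argv[1]) if len(sys.argv) > 1 else BROKEN_JSVC
    extra = unexpected_caps(text)
    print("unexpected effective capabilities:", sorted(extra) or "none")
```

Run it with the PID of the Tomcat JVM started by jsvc; a non-empty result that includes `cap_dac_override` or `cap_dac_read_search` is exactly the condition the advisory describes, since those are the capabilities that let a non-root process read files owned by the superuser.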

This was fixed in revision 1153824.

This was identified by Wilfried Weissmann on 20 July 2011 and made public on 12 August 2011.

Affects: 6.0.30-6.0.32
