Fixed in Apache Tomcat 7.0.12


**Important: Information disclosure** [CVE-2011-1475](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1475>)

Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining. As a result, when using HTTP pipelining a range of unexpected behaviours occurred, including the mixing up of responses between requests. While the mix-up in responses was only observed between requests from the same user, a mix-up of responses for requests from different users may also be possible.

This was fixed in revisions [1086349](<https://svn.apache.org/viewvc?view=rev&rev=1086349>) and [1086352](<https://svn.apache.org/viewvc?view=rev&rev=1086352>). (Note: HTTP pipelined requests are still likely to fail with the HTTP BIO connector, but will do so in a secure manner.)

This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar 2011.

Affects: 7.0.0-7.0.11

**Moderate: Multiple weaknesses in HTTP DIGEST authentication** [CVE-2011-1184](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184>)

Note: Mitre elected to break this issue down into multiple issues and has allocated the following additional references to parts of it: [CVE-2011-5062](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5062>), [CVE-2011-5063](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5063>) and [CVE-2011-5064](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5064>). The Apache Tomcat security team will continue to treat this as a single issue using the reference [CVE-2011-1184](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1184>).

The implementation of HTTP DIGEST authentication was discovered to have several weaknesses:

* replay attacks were permitted
* server nonces were not checked
* client nonce counts were not checked
* qop values were not checked
* realm values were not checked
* the server secret was hard-coded to a known string

The result of these weaknesses is that DIGEST authentication was only as secure as BASIC authentication.

This was fixed in [revision 1087655](<https://svn.apache.org/viewvc?view=rev&rev=1087655>).

This was identified by the Tomcat security team on 16 March 2011 and made public on 26 September 2011.

Affects: 7.0.0-7.0.11

**Important: Security constraint bypass** [CVE-2011-1183](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1183>)

A regression in the fix for CVE-2011-1088 meant that security constraints were ignored when no login configuration was present in web.xml and the web application was marked as metadata-complete (the `metadata-complete` attribute of the `web-app` element).

This was fixed in [revision 1087643](<https://svn.apache.org/viewvc?view=rev&rev=1087643>).

This was identified by the Tomcat security team on 17 March 2011 and made public on 6 April 2011.

Affects: 7.0.11
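One way to check a connector for the pipelined-response mix-up described under CVE-2011-1475 is to send several requests in a single TCP write, each asking for something unique, and confirm that the responses come back for the requests that asked for them. The following is an added example and is not code from Tomcat or from the advisory: a small constructed echo server on a loopback port stands in for the connector under test, and the `probe()` function, the `/req/N` paths and the 5-second socket timeout are assumptions of the example.

```python
"""Pipelining probe: send several requests in one TCP write and check that each
response is the one for the request that asked for it.

Added example, not Tomcat code. A constructed echo server stands in for the
connector under test; against a real Tomcat, point probe() at a servlet that
echoes something request-specific such as the request URI."""
import socket
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer


class EchoHandler(BaseHTTPRequestHandler):
    """Echoes the request path so every response identifies the request it belongs to."""
    protocol_version = "HTTP/1.1"   # keep-alive, so pipelined requests share one connection

    def do_GET(self):
        body = self.path.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


def split_responses(raw: bytes, count: int) -> list:
    """Frame `count` consecutive HTTP/1.1 responses by Content-Length and return their bodies.
    Raises ValueError while the buffer is still incomplete."""
    bodies, buf = [], raw
    for _ in range(count):
        head, sep, rest = buf.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete response head")
        length = None
        for line in head.split(b"\r\n")[1:]:       # skip the status line
            name, _, value = line.partition(b":")
            if name.strip().lower() == b"content-length":
                length = int(value.strip())
        if length is None:
            raise ValueError("no Content-Length; cannot frame the response")
        if len(rest) < length:
            raise ValueError("incomplete response body")
        bodies.append(rest[:length])
        buf = rest[length:]
    return bodies


def probe(host: str, port: int, paths: list) -> list:
    """Pipeline one GET per path and pair each response body with the path it should echo.
    Returns [(path, body, matched)] in send order; a mix-up shows as matched == False."""
    request = b"".join(
        f"GET {p} HTTP/1.1\r\nHost: {host}\r\n\r\n".encode() for p in paths)
    raw, bodies = b"", None
    with socket.create_connection((host, port), timeout=5) as sock:
        sock.sendall(request)            # all requests at once, without waiting for replies
        while bodies is None:
            try:
                chunk = sock.recv(65536)
            except socket.timeout:
                break
            if not chunk:
                break
            raw += chunk
            try:
                bodies = split_responses(raw, len(paths))
            except ValueError:
                pass                     # need more bytes
    if bodies is None:
        raise RuntimeError("connection ended before all %d responses arrived" % len(paths))
    return [(p, b.decode(), b.decode() == p) for p, b in zip(paths, bodies)]


def run_self_test(n: int = 8) -> list:
    """Start the constructed echo server on a loopback port and probe it with n pipelined GETs."""
    server = ThreadingHTTPServer(("127.0.0.1", 0), EchoHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1], [f"/req/{i}" for i in range(n)])
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for path, body, ok in run_self_test():
        print("OK   " if ok else "MIXUP", path, "->", body)
```

Against a real connector, replace the echo server with a servlet or JSP that writes the request URI (or a per-request token) into the body; a body naming a different path than the one sent is the mix-up the advisory describes, while a connection that closes or times out before all responses arrive is the "fails, but securely" behaviour noted for the fixed BIO connector.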
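The six DIGEST weaknesses listed under CVE-2011-1184 are all checks a server must perform before accepting an Authorization header. The following is an added example, not Tomcat's implementation and not code from the advisory: a server-side verifier for RFC 2617 DIGEST with `qop=auth` that issues HMAC-bound nonces from a per-process random secret, rejects nonces it did not issue or that have expired, requires the realm and qop to match, and tracks the nonce count per nonce so a captured header cannot be replayed. The realm, user, password, nonce lifetime and the `demo()` scenario are constructed for the example.

```python
"""Server-side HTTP DIGEST verification with the checks CVE-2011-1184 found missing.

Added example, not Tomcat code. The realm, user, password and nonce lifetime
are constructed for the demo; the header format follows RFC 2617 with qop=auth."""
import hashlib
import hmac
import re
import secrets

REALM = "example-realm"       # constructed realm name
NONCE_LIFETIME = 300          # seconds a nonce stays valid (assumed policy)


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def parse_digest(header: str) -> dict:
    """Split an Authorization header into its Digest parameters (quoted or bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        return {}
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)}


class DigestVerifier:
    def __init__(self, realm: str, users: dict, lifetime: int = NONCE_LIFETIME):
        self.realm = realm
        self.users = users                     # username -> HA1 = MD5(user:realm:password)
        self.secret = secrets.token_bytes(32)  # per-process random key, not a hard-coded string
        self.lifetime = lifetime
        self.highest_nc = {}                   # nonce -> highest nonce-count accepted so far

    def new_nonce(self, now: int) -> str:
        """timestamp:salt:HMAC, so the server can later recognise its own nonces."""
        salt = secrets.token_hex(8)
        msg = f"{now}:{salt}"
        tag = hmac.new(self.secret, msg.encode(), hashlib.sha256).hexdigest()
        return f"{msg}:{tag}"

    def _nonce_ok(self, nonce: str, now: int) -> bool:
        parts = nonce.split(":")
        if len(parts) != 3 or not parts[0].isdigit():
            return False
        ts, salt, tag = parts
        expected = hmac.new(self.secret, f"{ts}:{salt}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False                        # not issued by this server
        return now - int(ts) <= self.lifetime   # and not expired

    def verify(self, method: str, header: str, now: int) -> bool:
        p = parse_digest(header)
        if not {"username", "realm", "nonce", "uri", "response",
                "qop", "nc", "cnonce"}.issubset(p):
            return False
        if p["realm"] != self.realm:                # realm check
            return False
        if p["qop"] != "auth":                      # qop check (auth-int not supported here)
            return False
        if not self._nonce_ok(p["nonce"], now):     # server nonce check
            return False
        try:
            nc = int(p["nc"], 16)
        except ValueError:
            return False
        ha1 = self.users.get(p["username"])
        if ha1 is None:
            return False
        ha2 = md5_hex(f"{method}:{p['uri']}")
        expected = md5_hex(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:{p['qop']}:{ha2}")
        if not hmac.compare_digest(expected, p["response"]):
            return False
        if nc <= self.highest_nc.get(p["nonce"], 0):  # nonce-count check stops replays
            return False
        self.highest_nc[p["nonce"]] = nc
        return True


def client_response(username, password, realm, method, uri, nonce, nc, cnonce, qop="auth"):
    """What an RFC 2617 client sends; used here to stage both legitimate and replayed requests."""
    ha1 = md5_hex(f"{username}:{realm}:{password}")
    ha2 = md5_hex(f"{method}:{uri}")
    response = md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", '
            f'uri="{uri}", qop={qop}, nc={nc}, cnonce="{cnonce}", response="{response}"')


def demo(now: int = 1_700_000_000) -> dict:
    """Constructed scenario: one valid login, then each of the attacks the checks defeat."""
    users = {"alice": md5_hex(f"alice:{REALM}:correct horse")}   # constructed credential
    server = DigestVerifier(REALM, users)
    nonce = server.new_nonce(now)

    def hdr(nc, realm=REALM, n=nonce):
        return client_response("alice", "correct horse", realm, "GET", "/app/", n, nc, "cafe01")

    other = DigestVerifier(REALM, users).new_nonce(now)   # well-formed nonce under a different secret
    return {
        "fresh": server.verify("GET", hdr("00000001"), now),
        "replay": server.verify("GET", hdr("00000001"), now),             # same nc reused
        "next_nc": server.verify("GET", hdr("00000002"), now),
        "wrong_realm": server.verify("GET", hdr("00000003", realm="other"), now),
        "forged_nonce": server.verify("GET", hdr("00000003", n=other), now),
        "expired": server.verify("GET", hdr("00000003"), now + NONCE_LIFETIME + 1),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case:13s} {'accepted' if accepted else 'rejected'}")
```

The replay and forged-nonce cases are the ones that reduce DIGEST to BASIC when skipped: with a known server secret an attacker can mint nonces the server trusts, and without the nonce-count check a single captured header is a reusable credential. The nonce-count table grows per issued nonce, so a production verifier also needs to evict entries once their nonce has expired.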

Affected Software

| CPE Name | Name   | Version |
|----------|--------|---------|
| apache   | tomcat | 7.0.0   |
| apache   | tomcat | 7.0.11  |