Apache Tomcat | TOMCAT:17C084F4766F9132988E022F51470E73
Apr 06, 2011 - 12:00 a.m.

Fixed in Apache Tomcat 7.0.12

2011-04-06 00:00:00
Apache Tomcat
tomcat.apache.org
CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:N)

  • Access Vector: NETWORK
  • Access Complexity: MEDIUM
  • Authentication: NONE
  • Confidentiality Impact: PARTIAL
  • Integrity Impact: PARTIAL
  • Availability Impact: NONE

EPSS: 0.003 Low (Percentile: 69.5%)

Important: Information disclosure CVE-2011-1475

Changes introduced to the HTTP BIO connector to support Servlet 3.0 asynchronous requests did not fully account for HTTP pipelining. As a result, when using HTTP pipelining a range of unexpected behaviours occurred including the mixing up of responses between requests. While the mix-up in responses was only observed between requests from the same user, a mix-up of responses for requests from different users may also be possible.

This was fixed in revisions 1086349 and 1086352. (Note: HTTP pipelined requests are still likely to fail with the HTTP BIO connector but will do so in a secure manner.)

This was reported publicly on the Tomcat Bugzilla issue tracker on 22 Mar 2011.

Affects: 7.0.0-7.0.11

Moderate: Multiple weaknesses in HTTP DIGEST authentication CVE-2011-1184

Note: Mitre elected to break this issue down into multiple issues and have allocated the following additional references to parts of this issue: CVE-2011-5062, CVE-2011-5063 and CVE-2011-5064. The Apache Tomcat security team will continue to treat this as a single issue using the reference CVE-2011-1184.

The implementation of HTTP DIGEST authentication was discovered to have several weaknesses:

  • replay attacks were permitted
  • server nonces were not checked
  • client nonce counts were not checked
  • qop values were not checked
  • realm values were not checked
  • the server secret was hard-coded to a known string

The result of these weaknesses is that DIGEST authentication was only as secure as BASIC authentication.

This was fixed in revision 1087655.

This was identified by the Tomcat security team on 16 March 2011 and made public on 26 September 2011.

Affects: 7.0.0-7.0.11
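
The checks listed above as missing, sketched as a server-side validator for RFC 2617 DIGEST with qop=auth. This is an added example, not Tomcat's code; the realm name, nonce format, nonce lifetime and all function names are assumptions made for illustration.

```python
import hashlib, hmac, os, time

REALM = "example-realm"    # assumed realm name
SECRET = os.urandom(32)    # random per-instance secret, not a fixed known string
NONCE_TTL = 300            # assumed lifetime of a server nonce, in seconds
_last_nc = {}              # server nonce -> highest nonce count accepted so far

def _md5(text):            # MD5 is what RFC 2617 DIGEST specifies
    return hashlib.md5(text.encode()).hexdigest()

def _mac(ts):
    return hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()

def make_nonce(now=None):
    ts = str(int(time.time() if now is None else now))
    return f"{ts}:{_mac(ts)}"

def nonce_is_ours(nonce, now=None):
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit() or not hmac.compare_digest(mac.encode(), _mac(ts).encode()):
        return False       # not issued by this server, or tampered with
    return (time.time() if now is None else now) - int(ts) <= NONCE_TTL

def digest_response(user, password, method, uri, nonce, nc, cnonce, qop="auth"):
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def validate(fields, method, password, now=None):
    """Return 'ok' or the name of the first check that failed."""
    get = lambda key: fields.get(key, "")
    if get("realm") != REALM:
        return "realm"
    if get("qop") != "auth":
        return "qop"
    if not nonce_is_ours(get("nonce"), now):
        return "nonce"
    try:
        nc = int(get("nc"), 16)
    except ValueError:
        return "nc"
    if nc <= _last_nc.get(get("nonce"), 0):
        return "replay"    # nonce count must strictly increase per nonce
    expected = digest_response(get("username"), password, method, get("uri"),
                               get("nonce"), get("nc"), get("cnonce"))
    if not hmac.compare_digest(expected.encode(), get("response").encode()):
        return "response"
    _last_nc[get("nonce")] = nc
    return "ok"
```

The nonce-count table here grows without bound; a real deployment would evict entries once the nonce's lifetime has passed.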

Important: Security constraint bypass CVE-2011-1183

A regression in the fix for CVE-2011-1088 meant that security constraints were ignored when no login configuration was present in the web.xml and the web application was marked as meta-data complete.

This was fixed in revision 1087643.

This was identified by the Tomcat security team on 17 March 2011 and made public on 6 April 2011.

Affects: 7.0.11
