Apache Tomcat, TOMCAT:19B8FA4EC945FD0929C4EAC0F08D41F7
Oct 19, 2012 - 12:00 a.m.

Fixed in Apache Tomcat 6.0.36

tomcat.apache.org

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.705 High
Percentile: 98.0%

Important: Denial of service CVE-2012-2733

The checks that limited the permitted size of request headers were implemented too late in the request parsing process for the HTTP NIO connector. This enabled a malicious user to trigger an OutOfMemoryError by sending a single request with very large headers.

This was fixed in revision 1356208.

This was reported by Josh Spiewak to the Tomcat security team on 4 June 2012 and made public on 5 November 2012.

Affects: 6.0.0-6.0.35

Moderate: DIGEST authentication weakness CVE-2012-3439

Three weaknesses in Tomcat’s implementation of DIGEST authentication were identified and resolved:

  1. Tomcat tracked client rather than server nonces and nonce count.
  2. When a session ID was present, authentication was bypassed.
  3. The user name and password were not checked before indicating that a nonce was stale.

These issues reduced the security of DIGEST authentication, making replay attacks possible in some circumstances.

This was fixed in revision 1380829.

The first issue was reported by Tilmann Kuhn to the Tomcat security team on 19 July 2012. The second and third issues were discovered by the Tomcat security team during the resulting code review. All three issues were made public on 5 November 2012.

Affects: 6.0.0-6.0.35
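
The three fixes listed for CVE-2012-3439, sketched as an added example that is not Tomcat's code: the server records the nonces it issues, rejects a repeated nonce count, runs the check on every request regardless of session ID, and reports a stale nonce only once the credentials have verified. The class and method names are hypothetical, and verification of the response digest is assumed to be done by the caller and passed in as `credentialsOk`.

```java
import java.security.SecureRandom;
import java.util.*;

// Added example, not Tomcat's DigestAuthenticator: all names are hypothetical.
public class DigestNonceTracker {
    public enum Result { OK, STALE, REJECT }
    private static final class NonceInfo {
        final long issuedAt;
        final Set<Long> seenCounts = new HashSet<>();
        NonceInfo(long issuedAt) { this.issuedAt = issuedAt; }
    }

    private final Map<String, NonceInfo> issued = new HashMap<>();
    private final SecureRandom random = new SecureRandom();
    private final long validityMillis;

    public DigestNonceTracker(long validityMillis) { this.validityMillis = validityMillis; }

    // The server records every nonce it hands out in a challenge.
    public synchronized String issue(long now) {
        byte[] raw = new byte[16];
        random.nextBytes(raw);
        String nonce = Base64.getEncoder().encodeToString(raw);
        issued.put(nonce, new NonceInfo(now));
        return nonce;
    }

    // Called for every request, whether or not it carries a session ID.
    // credentialsOk: outcome of verifying the response digest (assumed done by the caller).
    public synchronized Result validate(String nonce, long nc, boolean credentialsOk, long now) {
        if (!credentialsOk) return Result.REJECT;   // no stale hint without valid credentials
        NonceInfo info = issued.get(nonce);
        if (info == null) return Result.REJECT;     // not a nonce this server issued
        if (now - info.issuedAt > validityMillis) {
            issued.remove(nonce);
            return Result.STALE;                    // client may retry with a fresh nonce
        }
        return info.seenCounts.add(nc) ? Result.OK : Result.REJECT; // repeated nc is a replay
    }

    public static void main(String[] args) {
        DigestNonceTracker t = new DigestNonceTracker(300_000); // constructed 5-minute lifetime
        String n = t.issue(0);
        System.out.println(t.validate(n, 1, true, 1_000));    // first use of nc=1
        System.out.println(t.validate(n, 1, true, 2_000));    // nc=1 presented again
        System.out.println(t.validate(n, 2, false, 3_000));   // digest did not verify
        System.out.println(t.validate(n, 2, true, 400_000));  // nonce past its lifetime
    }
}
```

The map in this sketch grows without bound; a deployed tracker needs a size cap and eviction of old nonces.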

Important: Bypass of security constraints CVE-2012-3546

When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending /j_security_check to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate().

This was fixed in revision 1381035.

This issue was identified by the Tomcat security team on 13 July 2012 and made public on 4 December 2012.

Affects: 6.0.0-6.0.35

Important: Bypass of CSRF prevention filter CVE-2012-4431

The CSRF prevention filter could be bypassed if a request was made to a protected resource without a session identifier present in the request.

This was fixed in revision 1394456.

This issue was identified by the Tomcat security team on 8 September 2012 and made public on 4 December 2012.

Affects: 6.0.30-6.0.35

Important: Denial of service CVE-2012-4534

When using the NIO connector with sendfile and HTTPS enabled, if a client breaks the connection while reading the response, an infinite loop is entered, leading to a denial of service. This was originally reported as bug 52858.

This was fixed in revision 1372035.

The security implications of this bug were reported to the Tomcat security team by Arun Neelicattu of the Red Hat Security Response Team on 3 October 2012 and made public on 4 December 2012.

Affects: 6.0.0-6.0.35
