Fixed in Apache Tomcat 7.0.30

Important: Denial of service CVE-2012-3544

When processing a request submitted using the chunked transfer encoding, Tomcat ignored but did not limit any extensions that were included. This allows a client to perform a limited DOS by streaming an unlimited amount of data to the server.

This was fixed in revisions 1378702 and 1378921.

This issue was reported to the Tomcat security team on 10 November 2011 and made public on 10 May 2013.

Affects: 7.0.0-7.0.29

Moderate: DIGEST authentication weakness CVE-2012-3439

Three weaknesses in Tomcat’s implementation of DIGEST authentication were identified and resolved:

1. Tomcat tracked client rather than server nonces and nonce count.
2. When a session ID was present, authentication was bypassed.
3. The user name and password were not checked before when indicating that a nonce was stale.

These issues reduced the security of DIGEST authentication making replay attacks possible in some circumstances.

This was fixed in revision 1377807.

The first issue was reported by Tilmann Kuhn to the Tomcat security team on 19 July 2012. The second and third issues were discovered by the Tomcat security team during the resulting code review. All three issues were made public on 5 November 2012.

Affects: 7.0.0-7.0.29

Important: Bypass of security constraints CVE-2012-3546

When using FORM authentication it was possible to bypass the security constraint checks in the FORM authenticator by appending /j_security_check to the end of the URL if some other component (such as the Single-Sign-On valve) had called request.setUserPrincipal() before the call to FormAuthenticator#authenticate().

This was fixed in revision 1377892.

This issue was identified by the Tomcat security team on 13 July 2012 and made public on 4 December 2012.

Affects: 7.0.0-7.0.29