Category:   Application (Web Server/CGI)  >   Apache Tomcat
Vendors:   Apache Software Foundation
Apache Tomcat Lets Remote Users Conduct DIGEST Authentication Replay Attacks
SecurityTracker Alert ID:  1027728
SecurityTracker URL:  http://securitytracker.com/id/1027728
CVE Reference:   CVE-2012-5885, CVE-2012-5886, CVE-2012-5887
Updated:  Dec 5 2012
Original Entry Date:  Nov 6 2012
Impact:   User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5.5.0 to 5.5.35, 6.0.0 to 6.0.35, 7.0.0 to 7.0.29
Description:   A vulnerability was reported in Apache Tomcat. A remote user can conduct DIGEST authentication replay attacks.

The DIGEST authentication implementation does not properly check server nonces and nonce count, does not perform authentication when a session ID is present, and does not check user name and password in certain cases. As a result, a remote user can conduct DIGEST authentication replay attacks in certain cases.

Tilmann Kuhn reported one of these vulnerabilities.

Impact:   A remote user can conduct DIGEST authentication replay attacks.
Solution:   The vendor has issued a fix (5.5.36, 6.0.36, 7.0.30).

The vendor's advisory is available at:

http://tomcat.apache.org/security-7.html

Vendor URL:  tomcat.apache.org/
Cause:   Authentication error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Feb 20 2013 (Red Hat Issues Fix) Apache Tomcat Lets Remote Users Conduct DIGEST Authentication Replay Attacks
Red Hat has issued a fix for JBoss Enterprise Web Server.
Feb 20 2013 (Red Hat Issues Fix) Apache Tomcat Lets Remote Users Conduct DIGEST Authentication Replay Attacks
Red Hat has issued a fix for JBoss Enterprise Web Server for Red Hat Enterprise Linux 5 and 6.
Feb 20 2013 (Oracle Issues Fix for Solaris) Apache Tomcat Lets Remote Users Conduct DIGEST Authentication Replay Attacks
Oracle has issued a fix for Solaris 11.1.
Jul 2 2013 (Red Hat Issues Fix for JBoss) Apache Tomcat Lets Remote Users Conduct DIGEST Authentication Replay Attacks
Red Hat has issued a fix for JBoss BRMS.
Apr 3 2014 (Oracle Issues Fix for Solaris) Apache Tomcat Lets Remote Users Conduct DIGEST Authentication Replay Attacks
Oracle has issued a fix for Solaris 9, 10, and 11.1.



 Source Message Contents

Subject:  [Full-disclosure] [SECURITY] CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
- Tomcat 5.5.0 to 5.5.35
- Earlier, unsupported versions may also be affected

Description:
Three weaknesses in Tomcat's implementation of DIGEST authentication
were identified and resolved:
1. Tomcat tracked client rather than server nonces and nonce count.
2. When a session ID was present, authentication was bypassed.
3. The user name and password were not checked before indicating
   that a nonce was stale.
These issues reduced the security of DIGEST authentication, making
replay attacks possible in some circumstances.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
- Tomcat 5.5.x users should upgrade to 5.5.36 or later

Credit:
The first issue was identified by Tilmann Kuhn. The second and third
issues were identified by the Tomcat security team during the code
review resulting from the first issue.

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-5.html

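The three weaknesses in the advisory above all come down to what a DIGEST server must check on every request. The following is an added example, written for this page and not Tomcat's own code: a small RFC 2617 (qop=auth) verifier that tracks only the nonces it issued itself together with the highest nonce count accepted for each (issue 1), verifies every request rather than trusting a session (issue 2), and checks the user name and password before it tells a client that its nonce is stale (issue 3). The realm, user, password, path and nonce lifetime are constructed sample values.

```python
import hashlib
import hmac
import os
import re
import time

# Constructed values for this example; they are not taken from the advisory.
REALM = "example-realm"
NONCE_LIFETIME = 300  # seconds a server-issued nonce stays valid

def _md5(*parts: str) -> str:
    """RFC 2617 hashes colon-joined fields with MD5."""
    return hashlib.md5(":".join(parts).encode()).hexdigest()

def parse_digest_header(header: str) -> dict:
    """Parse 'Digest k="v", k2=v2, ...' into a dict (quoted or bare values)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest Authorization header")
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(r'(\w+)=(?:"([^"]*)"|([^,\s]+))', params)}

def client_authorization(user, password, method, uri, nonce, nc, cnonce) -> str:
    """Build the Authorization header a client sends for qop=auth."""
    ha1 = _md5(user, REALM, password)
    ha2 = _md5(method, uri)
    response = _md5(ha1, nonce, f"{nc:08x}", cnonce, "auth", ha2)
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc:08x}, cnonce="{cnonce}", response="{response}"')

class DigestVerifier:
    """Server side. Every request is verified; a session ID is never a substitute."""

    REQUIRED = ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response")

    def __init__(self, users: dict, now=time.time):
        self._now = now
        self._ha1 = {u: _md5(u, REALM, p) for u, p in users.items()}  # user -> HA1
        self._nonces = {}  # server nonce -> {"issued": ts, "nc": highest nc accepted}

    def issue_nonce(self) -> str:
        nonce = os.urandom(16).hex()
        self._nonces[nonce] = {"issued": self._now(), "nc": 0}
        return nonce

    def verify(self, method: str, header: str) -> str:
        p = parse_digest_header(header)
        if any(k not in p for k in self.REQUIRED) or p["realm"] != REALM or p["qop"] != "auth":
            return "malformed"
        # 1. Track the *server* nonce: anything the server did not issue is rejected
        #    outright, so a client cannot supply a nonce whose count it controls.
        state = self._nonces.get(p["nonce"])
        if state is None:
            return "unknown_nonce"
        # 2. Check the credentials before saying anything about nonce freshness.
        ha1 = self._ha1.get(p["username"])
        expected = _md5(ha1 or "", p["nonce"], p["nc"], p["cnonce"], "auth", _md5(method, p["uri"]))
        if ha1 is None or not hmac.compare_digest(expected, p["response"]):
            return "bad_credentials"
        # 3. Only an authenticated client is told that its nonce is stale.
        if self._now() - state["issued"] > NONCE_LIFETIME:
            del self._nonces[p["nonce"]]
            return "stale"
        # 4. The nonce count must strictly increase per server nonce: a captured
        #    request re-sent with the same (nonce, nc) pair is a replay.
        nc = int(p["nc"], 16)
        if nc <= state["nc"]:
            return "replay"
        state["nc"] = nc
        return "ok"

def demo() -> list:
    """Walk through the cases the advisory describes; returns the verdicts in order."""
    clock = [1_000_000.0]  # controllable clock so nonce expiry can be simulated
    v = DigestVerifier({"alice": "correct horse"}, now=lambda: clock[0])
    nonce = v.issue_nonce()
    uri = "/app/secure"  # constructed path
    first = client_authorization("alice", "correct horse", "GET", uri, nonce, 1, "c1")
    out = [v.verify("GET", first)]                                      # ok
    out.append(v.verify("GET", first))                                  # replay: same nonce, same nc
    out.append(v.verify("GET", client_authorization(
        "alice", "correct horse", "GET", uri, nonce, 2, "c2")))         # ok: nc advanced
    out.append(v.verify("GET", client_authorization(
        "alice", "correct horse", "GET", uri, "notissued", 1, "c3")))   # unknown_nonce
    clock[0] += NONCE_LIFETIME + 1
    out.append(v.verify("GET", client_authorization(
        "alice", "wrong", "GET", uri, nonce, 3, "c4")))                 # bad_credentials, not stale
    out.append(v.verify("GET", client_authorization(
        "alice", "correct horse", "GET", uri, nonce, 3, "c5")))         # stale
    return out

if __name__ == "__main__":
    print(demo())
```

The ordering in `verify` is the point: the nonce must be one the server handed out, the credentials are checked next, and only then does the server decide between "stale" and "replay". Reversing steps 2 and 3 reproduces issue 3, and keying the nonce table on the client's `cnonce` instead of the server nonce reproduces issue 1, because the client then controls which counter is consulted.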