Apache Tomcat Lets Remote Users Conduct DIGEST Authentication Replay Attacks
SecurityTracker Alert ID: 1027728
SecurityTracker URL: http://securitytracker.com/id/1027728
CVE-2012-5885, CVE-2012-5886, CVE-2012-5887
Updated: Dec 5 2012
Original Entry Date: Nov 6 2012
Impact: User access via network
Fix Available: Yes   Vendor Confirmed: Yes
Version(s): 5.5.0 to 5.5.35, 6.0.0 to 6.0.35, 7.0.0 to 7.0.29
A vulnerability was reported in Apache Tomcat. A remote user can conduct DIGEST authentication replay attacks.
Tomcat's DIGEST authentication implementation tracked the nonce and nonce count supplied by the client rather than the nonces the server had issued, bypassed authentication when a session ID was present, and did not verify the user name and password before reporting a nonce as stale. As a result, a remote user who captures a valid DIGEST exchange can replay it in certain cases.
Tilmann Kuhn reported one of these vulnerabilities.
A remote user can conduct DIGEST authentication replay attacks.
The vendor has issued a fix (5.5.36, 6.0.36, 7.0.30).
The vendor's advisory is available at:
Vendor URL: tomcat.apache.org/
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Subject: [Full-disclosure] [SECURITY] CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses
CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses
Vendor: The Apache Software Foundation
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
- Tomcat 5.5.0 to 5.5.35
- Earlier, unsupported versions may also be affected
Three weaknesses in Tomcat's implementation of DIGEST authentication
were identified and resolved:
1. Tomcat tracked client rather than server nonces and nonce count.
2. When a session ID was present, authentication was bypassed.
3. The user name and password were not checked before indicating
that a nonce was stale.
These issues reduced the security of DIGEST authentication, making
replay attacks possible in some circumstances.
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
- Tomcat 5.5.x users should upgrade to 5.5.36 or later
The first issue was identified by Tilmann Kuhn. The second and third
issues were identified by the Tomcat security team during the code
review resulting from the first issue.
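The SecurityTracker description above and the three numbered weaknesses in the vendor advisory describe the same checks. The following Python sketch is an added example, not Tomcat's code and not part of the advisory; it shows a DIGEST authenticator that makes those checks in the order the fixed versions do: every request is authenticated whether or not a session cookie is present, the user name and password are verified before the nonce is judged stale, and only nonces this server issued are accepted, with the nonce count required to increase on each use. The realm, user database, nonce lifetime, request URI and header values are constructed for the example; the response computation follows RFC 2617 with qop=auth.

```python
"""Hardened HTTP DIGEST authenticator (added example, not Tomcat code)."""
import hashlib
import hmac
import re
import secrets
import time

REALM = "example-realm"              # assumed realm name
USERS = {"tomcat": "s3cret"}         # constructed user database
NONCE_VALIDITY_SECONDS = 300         # assumed server-side nonce lifetime

OK, DENY, STALE = "ok", "deny", "stale"   # STALE -> 401 with stale=true, DENY -> plain 401

_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^\s,]+))')

def parse_digest_header(header):
    """Parse 'Digest k="v", k2=v2, ...' into a dict; None if not a Digest header."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        return None
    return {k: quoted or bare for k, quoted, bare in _PARAM.findall(params)}

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def digest_response(username, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617, qop=auth: MD5(HA1:nonce:nc:cnonce:qop:HA2)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")

def build_authorization(username, password, method, uri, nonce, nc, cnonce):
    """Client side: the Authorization header a browser would send."""
    resp = digest_response(username, password, method, uri, nonce, nc, cnonce)
    return (f'Digest username="{username}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')

class DigestAuthenticator:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._nonces = {}   # nonce issued by THIS server -> [issued_at, highest nc accepted]

    def issue_nonce(self):
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = [self._clock(), 0]
        return nonce

    def authenticate(self, method, uri, authorization, cookie=None):
        # Weakness 2: a session cookie is not a credential, so `cookie` is deliberately
        # never consulted; without an acceptable Authorization header the request is denied.
        params = parse_digest_header(authorization) if authorization else None
        required = ("username", "realm", "nonce", "uri", "nc", "cnonce", "response")
        if params is None or any(k not in params for k in required):
            return DENY
        if params["realm"] != REALM or params["uri"] != uri or params.get("qop", "auth") != "auth":
            return DENY
        # Weakness 3: verify user name and password BEFORE deciding anything about the
        # nonce, so stale=true is only ever sent to a caller who knows the password.
        password = USERS.get(params["username"])
        if password is None:
            return DENY
        expected = digest_response(params["username"], password, method, uri,
                                   params["nonce"], params["nc"], params["cnonce"])
        if not hmac.compare_digest(expected.encode(), params["response"].encode()):
            return DENY
        # Weakness 1: track the server's own nonces, not whatever the client presents,
        # and require the nonce count to increase so a captured header cannot be replayed.
        entry = self._nonces.get(params["nonce"])
        if entry is None or self._clock() - entry[0] > NONCE_VALIDITY_SECONDS:
            self._nonces.pop(params["nonce"], None)
            return STALE                      # good credentials, unknown/expired nonce
        nc = int(params["nc"], 16)
        if nc <= entry[1]:
            return DENY                       # (nonce, nc) already accepted: replay
        entry[1] = nc
        return OK

def replay_scenario():
    """Legitimate use followed by several replay attempts; returns labelled outcomes."""
    clock = [1_000.0]                         # controllable clock for the nonce lifetime
    server = DigestAuthenticator(clock=lambda: clock[0])
    nonce = server.issue_nonce()              # would travel in WWW-Authenticate
    uri = "/manager/html"                     # assumed protected resource
    results = {}
    first = build_authorization("tomcat", "s3cret", "GET", uri, nonce, "00000001", "c0ffee")
    results["fresh"] = server.authenticate("GET", uri, first)
    results["replay_same_nc"] = server.authenticate("GET", uri, first)      # captured, replayed
    second = build_authorization("tomcat", "s3cret", "GET", uri, nonce, "00000002", "c0ffee")
    results["next_nc"] = server.authenticate("GET", uri, second)             # real client continues
    old = build_authorization("tomcat", "s3cret", "GET", uri, nonce, "00000001", "decaf")
    results["replay_older_nc"] = server.authenticate("GET", uri, old)        # valid response, old nc
    results["cookie_only"] = server.authenticate("GET", uri, None, cookie="JSESSIONID=1A2B3C")
    bad = build_authorization("tomcat", "wrong", "GET", uri, "attacker-nonce", "00000001", "x")
    results["wrong_password"] = server.authenticate("GET", uri, bad)         # DENY, never STALE
    forged = build_authorization("tomcat", "s3cret", "GET", uri, "attacker-nonce", "00000001", "x")
    results["client_chosen_nonce"] = server.authenticate("GET", uri, forged) # re-challenge only
    clock[0] += NONCE_VALIDITY_SECONDS + 1
    late = build_authorization("tomcat", "s3cret", "GET", uri, nonce, "00000003", "c0ffee")
    results["expired_nonce"] = server.authenticate("GET", uri, late)
    return results

if __name__ == "__main__":
    for label, outcome in replay_scenario().items():
        print(f"{label:20s} -> {outcome}")
```

The ordering inside `authenticate` is the point: credentials are checked before nonce state, so a caller without the password always gets a plain denial, and a caller with the password but a nonce the server did not issue (or one whose count does not advance) gets a re-challenge or a denial rather than access.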