-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses Severity: Moderate Vendor: The Apache Software Foundation Versions Affected: - - Tomcat 7.0.0 to 7.0.29 - - Tomcat 6.0.0 to 6.0.35 - - Tomcat 5.5.0 to 5.5.35 - - Earlier, unsupported versions may also be affected Description: Three weaknesses in Tomcat's implementation of DIGEST authentication were identified and resolved: 1. Tomcat tracked client rather than server nonces and nonce count. 2. When a session ID was present, authentication was bypassed. 3. The user name and password were not checked before when indicating that a nonce was stale. These issues reduced the security of DIGEST authentication making replay attacks possible in some circumstances. Mitigation: Users of affected versions should apply one of the following mitigations: - - Tomcat 7.0.x users should upgrade to 7.0.30 or later - - Tomcat 6.0.x users should upgrade to 6.0.36 or later - - Tomcat 5.5.x users should upgrade to 5.5.36 or later Credit: The first issue was identified by Tilmann Kuhn. The second and third issues were identified by the Tomcat security team during the code review resulting from the first issue. References: http://tomcat.apache.org/security.html http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-5.html -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQmEReAAoJEBDAHFovYFnnZxwP/2AZNEbwqQXw+7JYHOgjzr7T DyNJFlOSA0AwsflhvCQFJ75qyFgYzYjmyCVJGl/GniBkdnYwLS/wPGrBED3bn1lw 9nXMDLjXToLl4o7qv52gyIlvv60YJs6DW2YzqT7R0WtjF5lTx+JxatUmibFGp826 T+CNwMdGbZUTf57O9JnWnzaiTimC42+5d8q/o6JPmKGWrLrKM8QuS+LtIDckn6o3 FJNly5Sfcc8CAVj3dblRAwVXc6+a0U/A9cLGPDUoEAWHnPfq3VwbMlc90xuKMJno R1huGGxxbp7tOL2qOrI1Tl2ro3ofnVkzdLKOxp5DjSt8+fmPJttOztt8zTCtLNYd 2qFOHxwNrM0tL8RAviQbF1G+sVJtZPO9QrS5EwPTi36nCdZaKWEfhNAtLZ7WRDQ7 0Yxcce+EVjsEJdGNtFOe7CvKTwoRx50OflQeQj9ho3xqJuu6kwKzDUah2Hqlv0Pk 9cTIB5jI/gosvK42KXxq6tKPn+ieHNoL+w58bFAlqBoejQ82E9f4PRV+FFs4mMrt aq5EA/rN3WmorZpTVvecLfyHDg7O4lfWnSvZV6sEWZZyUdKxV7O/IbvHYkfbBg1/ ypZyjcQRZ9VovbDWLdbvy5hb7NMFijGaWeK1ZPVQRMO7DJ7ny61CCa5Rm/2XYDKp 8+W6GnYLC/a4LopbH53O =ANZP -----END PGP SIGNATURE-----