-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0133
Title: Apache Tomcat Denial of Service & DIGEST authentication weaknesses
Version history:
21.11.2012 Initial publication

Summary
=======

The Apache Tomcat security team issued new releases of Apache Tomcat to fix
two security issues: a denial of service in the HTTP NIO connector
(CVE-2012-2733) and weaknesses in the DIGEST authentication implementation
(CVE-2012-3439).

CVE numbers: CVE-2012-2733, CVE-2012-3439

Vulnerable systems
==================

Tomcat 7.0.0 to 7.0.29
Tomcat 6.0.0 to 6.0.35
Tomcat 5.5.0 to 5.5.35

Original Details
================

The checks that limited the permitted size of request headers were
implemented too late in the request parsing process for the HTTP NIO
connector. This enabled a malicious user to trigger an OutOfMemoryError by
sending a single request with very large headers. (CVE-2012-2733)

Three weaknesses in Tomcat's implementation of DIGEST authentication were
identified and resolved:

- - Tomcat tracked client rather than server nonces and nonce counts.
- - When a session ID was present, authentication was bypassed.
- - The user name and password were not checked before indicating that a
nonce was stale.

These issues reduced the security of DIGEST authentication, making replay
attacks possible in some circumstances. (CVE-2012-3439)

What can you do?
================

Users of affected versions should apply one of the following mitigations:

Tomcat 7.0.x users should upgrade to 7.0.30 or later
Tomcat 6.0.x users should upgrade to 6.0.36 or later
Tomcat 5.5.x users should upgrade to 5.5.36 or later

What to tell your users?
========================

N/A

More information
================

[1] http://tomcat.apache.org/security.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
[4] http://tomcat.apache.org/security-5.html
[5] http://cve.mitre.org/

Best regards,

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

Privacy Statement: http://cert.europa.eu/cert/plainedition/en/cert_privacy.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQIcBAEBAgAGBQJQrKOxAAoJEPpzpNLI8SVojFYQAK8XqvtsG1++DNVL26W3pIXj
sdRHWVT/RqOY2EBnvbCMPmBHs2wjvDTAwrYQBt2uLBU6ZToBYk45KGEaZyMGMhLb
KBi3PEnbp37Lst6LGwZKkZ/4gIqqHgiB1Y8LLOA6EiSNi0f/wKRB8c0S2U325FyM
AyXAAvoK4Ve6o1XzPbggu318rdsCiSQzVH8ROpdoL41REGmL2wFtUXu+YtXY6g0K
TAU4KlhLS2uu3JGMvNfiCZgSIzbb43iAj36+wTdRan4Foh5t3p934Y0vjAG9/9Oi
OgdwzDSkLBXQf2WVj/WGP/8uhyWCUzGRZnEHZxWu9h1Rj3XIDixnqPyZGBKb8XqU
jDzeIvN+mjWU/7Q/ANnOH/SfxAENufhP5hyHJ1MDhurRXGjCAaxU1USVmG4xxsyt
DU6IGU3pgbhfLXjR5u3C1iBp7G57mct1nuBBZLV/IXU751Caq5DbuvfNRYqqxZe/
VfXkJtGz/4pCAJKeSYCmAavW2MWm/tJdY/0Y7adhHzHEX11CyxQ1KTA8vZmYrZLD
sGxasr7hR7U0/QsSoLKpmEvJTCZnopWCt1wdO3czFHU3FqveQRo/+b/8A4F0rmgY
FokL+On7vGZRB7Hwfzg0xEl9Q/EY+SV9PhAvRntILXZD2C4MFwBYTDHVqzJMghiV
4SGjX88WcBcqHycdohU1
=x4/u
-----END PGP SIGNATURE-----
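Worked example for the header-size issue described under Original Details (CVE-2012-2733). This is an added illustration, not code from CERT-EU or from Apache Tomcat: it contrasts a header reader that only tests the size limit after the whole header block has been buffered (the "implemented too late" shape the advisory describes) with one that bounds the buffer during the read. The limit of 8192 bytes is Tomcat's documented default for maxHttpHeaderSize; the two sample requests are constructed, and the function names are the example's own.

```python
import io

# Added example, not code from the advisory or from Apache Tomcat. It contrasts
# two ways of enforcing a header-size limit while reading a request: checking
# only after the whole header block has been buffered (the shape the advisory
# describes as "implemented too late") and bounding the buffer during the read.
# 8192 bytes is Tomcat's documented default for maxHttpHeaderSize.

MAX_HEADER_BYTES = 8192
HEADER_END = b"\r\n\r\n"


class HeaderTooLarge(Exception):
    """Raised with the number of bytes that were buffered before rejection."""


def read_headers_late_check(stream, limit=MAX_HEADER_BYTES):
    """Vulnerable shape: buffer up to the blank line first, then test the size.

    Memory consumed is bounded only by what the client chooses to send, so a
    single request with a huge header can exhaust the heap before the check.
    """
    buf = bytearray()
    while HEADER_END not in buf:
        chunk = stream.read(4096)
        if not chunk:
            break
        buf += chunk
    if len(buf) > limit:
        raise HeaderTooLarge(len(buf))
    return bytes(buf)


def read_headers_early_check(stream, limit=MAX_HEADER_BYTES):
    """Hardened shape: never read more than `limit` bytes of header data."""
    buf = bytearray()
    while HEADER_END not in buf:
        room = limit - len(buf)
        if room <= 0:
            raise HeaderTooLarge(len(buf))   # rejected before buffering more
        chunk = stream.read(min(4096, room))
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def peak_buffered(reader, request: bytes):
    """Run `reader` over `request` and report ('ok' | 'rejected', bytes held)."""
    try:
        return "ok", len(reader(io.BytesIO(request)))
    except HeaderTooLarge as exc:
        return "rejected", exc.args[0]


# Constructed sample requests: a normal one and one with a 1 MiB header value.
NORMAL_REQUEST = b"GET / HTTP/1.1\r\nHost: example.test\r\n\r\n"
OVERSIZED_REQUEST = b"GET / HTTP/1.1\r\nX-Big: " + b"A" * (1 << 20) + b"\r\n\r\n"
```

Both readers accept the normal request identically; on the oversized one the late check has already held more than a megabyte per connection before rejecting, while the early check stops at the 8192-byte limit. Multiply the first figure by the number of concurrent connections the NIO connector accepts and the OutOfMemoryError in the advisory follows.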
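Worked example for the three DIGEST weaknesses listed under Original Details (CVE-2012-3439). The Python model below is an added illustration, not code from CERT-EU or from Apache Tomcat; it assumes a constructed realm "example", one constructed user, an in-memory nonce table, and RFC 2617 digests with qop=auth, so both the client and the server side of the exchange run offline. It shows the three server-side checks the advisory implies: nonces and nonce counts are tracked by the server rather than taken from the client, the user name and password are verified before a nonce is reported stale, and the decision never consults a session ID.

```python
import hashlib
import secrets
import time

# Added example, not code from the advisory or from Apache Tomcat. The realm,
# user and nonce table are constructed for the demonstration.
REALM = "example"
USERS = {"alice": "correct horse"}


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(user, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response for qop=auth; nc is the 8-digit hex string on the wire."""
    a1 = md5_hex(f"{user}:{REALM}:{password}")
    a2 = md5_hex(f"{method}:{uri}")
    return md5_hex(f"{a1}:{nonce}:{nc}:{cnonce}:{qop}:{a2}")


def client_authorization(user, password, method, uri, nonce, nc, cnonce):
    """Parameters a client puts in its Authorization: Digest header."""
    nc_hex = f"{nc:08x}"
    return {"username": user, "realm": REALM, "nonce": nonce, "uri": uri,
            "qop": "auth", "nc": nc_hex, "cnonce": cnonce,
            "response": digest_response(user, password, method, uri, nonce, nc_hex, cnonce)}


class DigestServer:
    def __init__(self, nonce_lifetime=300):
        self.lifetime = nonce_lifetime
        self.nonces = {}   # server-issued nonce -> [issued_at, highest nc accepted]

    def challenge(self, now=None):
        """Issue a fresh nonce and remember it: the server, not the client, tracks nonces."""
        now = time.time() if now is None else now
        nonce = secrets.token_hex(16)
        self.nonces[nonce] = [now, 0]
        return {"realm": REALM, "qop": "auth", "nonce": nonce, "algorithm": "MD5"}

    def authenticate(self, auth, method, now=None):
        """Return 'ok', 'bad-credentials', 'stale' or 'replay'.

        A session cookie is deliberately not an input here: the decision rests
        on the Authorization parameters alone, so a session ID cannot bypass it.
        """
        now = time.time() if now is None else now
        password = USERS.get(auth.get("username"))
        # 1. Verify user name and password first; only a caller holding valid
        #    credentials learns anything about nonce state.
        if password is None or not secrets.compare_digest(
                digest_response(auth["username"], password, method, auth["uri"],
                                auth["nonce"], auth["nc"], auth["cnonce"]),
                auth["response"]):
            return "bad-credentials"
        # 2. The nonce must be one this server issued and still within its lifetime.
        entry = self.nonces.get(auth["nonce"])
        if entry is None or now - entry[0] > self.lifetime:
            self.nonces.pop(auth["nonce"], None)
            return "stale"            # client retries with a fresh challenge
        # 3. The nonce count must strictly increase per server nonce; a repeated
        #    or lower nc is a replayed request.
        nc = int(auth["nc"], 16)
        if nc <= entry[1]:
            return "replay"
        entry[1] = nc
        return "ok"


def demo():
    """Login, replay of the same request, forged nonce, wrong password, expired nonce."""
    server = DigestServer()
    chal = server.challenge(now=1000)
    first = client_authorization("alice", "correct horse", "GET", "/secure", chal["nonce"], 1, "c0ffee")
    results = [server.authenticate(first, "GET", now=1001)]       # ok
    results.append(server.authenticate(first, "GET", now=1002))   # replay: same nonce and nc
    second = client_authorization("alice", "correct horse", "GET", "/secure", chal["nonce"], 2, "c0ffee")
    results.append(server.authenticate(second, "GET", now=1003))  # ok: nc advanced
    forged = client_authorization("alice", "correct horse", "GET", "/secure", "attacker-nonce", 1, "c0ffee")
    results.append(server.authenticate(forged, "GET", now=1004))  # stale: not a server nonce
    wrong = client_authorization("alice", "wrong", "GET", "/secure", "attacker-nonce", 1, "c0ffee")
    results.append(server.authenticate(wrong, "GET", now=1005))   # bad-credentials, not stale
    old = DigestServer(nonce_lifetime=60)
    expired = client_authorization("alice", "correct horse", "GET", "/secure",
                                   old.challenge(now=1000)["nonce"], 1, "c0ffee")
    results.append(old.authenticate(expired, "GET", now=2000))    # stale: lifetime exceeded
    return results
```

The order of the checks is the point. If the server tracked the nonce and nc values the client supplied, the "replay" branch could never fire, because an attacker re-sending a captured request would be the one defining what counts as current; and if "stale" were reported before the credentials were verified, anyone could probe nonce state without a password. In Tomcat itself these behaviours belong to the DigestAuthenticator (its nonceValidity and nonceCacheSize attributes bound the table modelled here), so the fix is the upgrade named above rather than a reimplementation.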