-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0003
Title: Multiple vulnerabilities in Apache Tomcat
Version history: 16.01.2012 Initial publication

Summary
=======

The Apache Tomcat security team disclosed two vulnerabilities in their product. Fixes are available. The vulnerabilities allow unauthorized disclosure of information and disruption of service.

+ CVE-2011-3375 Apache Tomcat Information disclosure [5]

  CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:N/A:N)
  Remote: Yes
  Credibility: Vendor Confirmed
  Impact: Allows unauthorized disclosure of information

+ CVE-2012-0022 Apache Tomcat Denial of Service

  CVSS v2 Base Score: 5.0 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:N/A:P)
  Remote: Yes
  Credibility: Vendor Confirmed
  Impact: Allows disruption of service

Original description
====================

+ CVE-2011-3375 Apache Tomcat Information disclosure [5]

For performance reasons, information parsed from a request is often cached in two places: the internal request object and the internal processor object. These objects are not recycled at exactly the same time. When certain errors occur that need to be added to the access log, the access logging process triggers the re-population of the request object after it has been recycled. However, the request object was not recycled before being used for the next request. That led to information leakage (e.g. remote IP address, HTTP headers) from the previous request to the next request. The issue was resolved by ensuring that the request and response objects were recycled after being re-populated to generate the necessary access log entries.

+ CVE-2012-0022 Apache Tomcat Denial of Service

Analysis of the recent hash collision vulnerability identified unrelated inefficiencies with Apache Tomcat's handling of large numbers of parameters and parameter values.
These inefficiencies could allow an attacker, via a specially crafted request, to cause large amounts of CPU to be used, which in turn could create a denial of service. The issue was addressed by modifying the Tomcat parameter handling code to efficiently process large numbers of parameters and parameter values.

Vulnerable systems
==================

+ CVE-2011-3375 Apache Tomcat Information disclosure

Versions Affected:
- Tomcat 7.0.0 to 7.0.21
- Tomcat 6.0.30 to 6.0.33
- Earlier versions are not affected

+ CVE-2012-0022 Apache Tomcat Denial of Service

Versions Affected:
- Tomcat 7.0.0 to 7.0.22
- Tomcat 6.0.0 to 6.0.33
- Tomcat 5.5.0 to 5.5.34
- Earlier, unsupported versions may also be affected

What can you do?
================

Updates are available. [2][3][4]

What to tell your users?
========================

N/A

More information
================

[1] http://tomcat.apache.org/security.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html
[4] http://tomcat.apache.org/security-5.html
[5] https://issues.apache.org/bugzilla/show_bug.cgi?id=51872
[6] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383 FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in a best-effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you had already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)
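As an added example, not part of the CERT-EU advisory, the following Python script checks a Tomcat version banner against the affected ranges listed in the "Vulnerable systems" section above, reporting each CVE as affected, not affected, or (for releases older than 5.5.0, which the advisory says may also be affected by CVE-2012-0022) possibly affected. The banner strings at the bottom are constructed sample input.

```python
"""Check a Tomcat version string against the ranges in CERT-EU 2012-0003."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Affected ranges copied from the "Vulnerable systems" section of the advisory:
# list of (lowest affected, highest affected), both inclusive.
AFFECTED_RANGES: Dict[str, List[Tuple[Version, Version]]] = {
    "CVE-2011-3375": [((7, 0, 0), (7, 0, 21)), ((6, 0, 30), (6, 0, 33))],
    "CVE-2012-0022": [((7, 0, 0), (7, 0, 22)), ((6, 0, 0), (6, 0, 33)),
                      ((5, 5, 0), (5, 5, 34))],
}
# The advisory states that earlier, unsupported releases (before 5.5.0)
# may also be affected by CVE-2012-0022; CVE-2011-3375 has no such caveat.
OLDER_MAY_BE_AFFECTED: Dict[str, Version] = {"CVE-2012-0022": (5, 5, 0)}


def parse_version(text: str) -> Version:
    """Turn 'Apache Tomcat/7.0.21' or '6.0.32' into a comparable int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def assess(text: str) -> Dict[str, str]:
    """Map each CVE in the advisory to 'affected', 'possibly affected'
    or 'not affected' for the given version string."""
    v = parse_version(text)
    result: Dict[str, str] = {}
    for cve, ranges in AFFECTED_RANGES.items():
        if any(lo <= v <= hi for lo, hi in ranges):
            result[cve] = "affected"
        elif cve in OLDER_MAY_BE_AFFECTED and v < OLDER_MAY_BE_AFFECTED[cve]:
            result[cve] = "possibly affected"
        else:
            result[cve] = "not affected"
    return result


if __name__ == "__main__":
    # Constructed sample banners, e.g. as seen in a server error page or header.
    for banner in ("Apache Tomcat/7.0.21", "7.0.22", "6.0.34", "Apache Tomcat/4.1.40"):
        print(banner, assess(banner))
```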