Bug 741401 (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)
Summary: | CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | awnuk, cfu, csutherl, devrim, djorm, dknox, dwalluck, extras-orphan, jclere, jdennis, jpazdziora, pcheung, sochotni, SpikeFedora, tromey, weli
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | | Doc Type: | Bug Fix
Doc Text: | | Story Points: | ---
Clone Of: | | Environment: |
Last Closed: | 2012-06-15 06:27:25 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 738503, 738504, 738505, 738506, 738507, 741406, 741407, 744983, 744984, 802291 | |
Bug Blocks: | 741415, 795277, 810065 | |
Description
Jan Lieskovsky
2011-09-26 18:08:38 UTC
This issue affects the version of the tomcat5 package as shipped with Red Hat Enterprise Linux 5. This issue affects the versions of the tomcat5 package as shipped with Fedora releases 14 and 15.

This issue affects the version of the tomcat6 package as shipped with Red Hat Enterprise Linux 6. This issue affects the versions of the tomcat6 package as shipped with Fedora releases 14 and 15.

Created tomcat6 tracking bugs for this issue. Affects: fedora-all [bug 741407]

Created tomcat5 tracking bugs for this issue. Affects: fedora-all [bug 741406]

This issue has been addressed in the following products: Red Hat Enterprise Linux 6. Via RHSA-2011:1780 https://rhn.redhat.com/errata/RHSA-2011-1780.html

This issue has been addressed in the following products: Red Hat Enterprise Linux 5. Via RHSA-2011:1845 https://rhn.redhat.com/errata/RHSA-2011-1845.html

CVE has split these issues up:

Name: CVE-2011-1184
Related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Name: CVE-2011-5062
Bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

Name: CVE-2011-5063
Does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

Name: CVE-2011-5064
DigestAuthenticator.java in the HTTP Digest Access Authentication implementation uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.
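The four weaknesses above map onto four server-side checks a Digest implementation has to make. The following is an added illustration, not Tomcat's DigestAuthenticator code: nonces are an HMAC over a timestamp under a random per-instance secret (instead of a hard-coded string), the nonce's authenticity and age and the nonce-count's monotonicity are verified, the realm must match, and a qop=auth downgrade is refused when auth-int is required. Class and method names and the max_age value are assumptions.

```python
import hashlib
import hmac
import os
import time

class DigestNonceValidator:
    """Server-side Digest checks for the weaknesses above (added example, not
    Tomcat's code). Secret is random per instance, never a fixed string."""

    def __init__(self, realm, max_age=300, require_auth_int=False,
                 secret=None, clock=time.time):
        self.realm = realm
        self.max_age = max_age                # seconds a nonce stays valid
        self.require_auth_int = require_auth_int
        self.secret = secret or os.urandom(32)
        self.clock = clock                    # injectable for testing
        self._seen = {}                       # nonce -> highest nc accepted

    def _mac(self, ts):
        return hmac.new(self.secret, ts.encode(), hashlib.sha256).hexdigest()

    def new_nonce(self):
        """Issue a nonce the server can later authenticate without storing it."""
        ts = str(int(self.clock()))
        return f"{ts}:{self._mac(ts)}"

    def check(self, nonce, nc, realm, qop):
        """Return None when the Authorization fields pass, else a reason string."""
        if realm != self.realm:               # CVE-2011-5063: realm must match
            return "realm mismatch"
        if self.require_auth_int and qop != "auth-int":
            return "qop downgrade"            # CVE-2011-5062: no qop=auth bypass
        try:
            ts, mac = nonce.split(":", 1)
            issued = int(ts)
        except ValueError:
            return "malformed nonce"
        if not hmac.compare_digest(mac.encode(), self._mac(ts).encode()):
            return "forged nonce"             # CVE-2011-1184/5064: nonce verified
        if self.clock() - issued > self.max_age:
            return "stale nonce"
        try:
            count = int(nc, 16)               # nc is 8 hex digits per RFC 2617
        except ValueError:
            return "malformed nc"
        if count <= self._seen.get(nonce, 0): # CVE-2011-1184: nc must increase
            return "nc replay"
        self._seen[nonce] = count
        return None
```

The per-nonce `_seen` map grows until stale nonces are pruned; a production server would evict entries older than `max_age`.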
*** Bug 781909 has been marked as a duplicate of this bug. ***

*** Bug 781911 has been marked as a duplicate of this bug. ***

*** Bug 781912 has been marked as a duplicate of this bug. ***

This issue has been addressed in the following products: JBoss Enterprise Application Platform 4.3.0 CP10. Via RHSA-2012:0041 https://rhn.redhat.com/errata/RHSA-2012-0041.html

This issue has been addressed in the following products: JBoss Communications Platform 5.1.3. Via RHSA-2012:0078 https://rhn.redhat.com/errata/RHSA-2012-0078.html

This issue has been addressed in the following products: JBoss Enterprise Web Platform 5.1.2. Via RHSA-2012:0077 https://rhn.redhat.com/errata/RHSA-2012-0077.html

This issue has been addressed in the following products: JBEWP 5 for RHEL 6, JBEWP 5 for RHEL 4, JBEWP 5 for RHEL 5. Via RHSA-2012:0076 https://rhn.redhat.com/errata/RHSA-2012-0076.html

This issue has been addressed in the following products: JBoss Enterprise Application Platform 5.1.2. Via RHSA-2012:0075 https://rhn.redhat.com/errata/RHSA-2012-0075.html

This issue has been addressed in the following products: JBEAP 5 for RHEL 6, JBEAP 5 for RHEL 4, JBEAP 5 for RHEL 5. Via RHSA-2012:0074 https://rhn.redhat.com/errata/RHSA-2012-0074.html

This issue has been addressed in the following products: JBoss Enterprise Portal Platform 4.3 CP07. Via RHSA-2012:0091 https://rhn.redhat.com/errata/RHSA-2012-0091.html

This issue has been addressed in the following products: JBoss Enterprise BRMS Platform 5.2.0, JBoss Enterprise Portal Platform 5.2.0 and JBoss Enterprise SOA Platform 5.2.0. Via RHSA-2012:0325 https://rhn.redhat.com/errata/RHSA-2012-0325.html

Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?

(In reply to comment #21)
> Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?

An erratum for EWS 1.0.2 is in progress. It is currently awaiting QE.
This issue has been addressed in the following products: JBEWS 1.0 for RHEL 5, JBEWS 1.0 for RHEL 6. Via RHSA-2012:0680 https://rhn.redhat.com/errata/RHSA-2012-0680.html

This issue has been addressed in the following products: JBEWS 1.0. Via RHSA-2012:0679 https://rhn.redhat.com/errata/RHSA-2012-0679.html

This issue has been addressed in the following products: JBEWS 1.0. Via RHSA-2012:0681 https://rhn.redhat.com/errata/RHSA-2012-0681.html

This issue has been addressed in the following products: JBEWS 1.0 for RHEL 5, JBEWS 1.0 for RHEL 6. Via RHSA-2012:0682 https://rhn.redhat.com/errata/RHSA-2012-0682.html