Bug 883636 (CVE-2012-4431)
| Summary: | CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter | | |
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Arun Babu Neelicattu <aneelica> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | unspecified | CC: | djorm, erich, grocha, jlieskov, lfuka, pcheung |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | Apache Tomcat 7.0.32, Apache Tomcat 6.0.36 | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2013-12-18 00:59:22 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 883675, 883676, 883677, 883678, 883680, 883681, 883682, 883683, 883684, 883685, 883686, 883687, 901240, 909058, 909063, 912962, 921794, 921795, 921798 | | |
| Bug Blocks: | 883657, 906153, 956239, 970481 | | |
Description
Arun Babu Neelicattu
2012-12-05 03:28:01 UTC
tomcat-7.0.33-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.

The CSRF prevention filter was introduced in tomcat 6.0.30, as noted in the changelog: http://tomcat.apache.org/tomcat-6.0-doc/changelog.html

Red Hat Enterprise Linux 6 ships tomcat 6.0.24, and does not include the CSRF prevention filter. Therefore it is not affected by this flaw.

External References:

- http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.36
- http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.32

Statement:

This issue did not affect the versions of tomcat5 as shipped with Red Hat Enterprise Linux 5 and tomcat6 as shipped with Red Hat Enterprise Linux 6, as they did not include the CSRF prevention filter.

This issue has been addressed in the following products:

- JBoss Enterprise Web Server 2.0.0 via RHSA-2013:0265 https://rhn.redhat.com/errata/RHSA-2013-0265.html
- JBEWS 2 for RHEL 5, JBEWS 2 for RHEL 6 via RHSA-2013:0268 https://rhn.redhat.com/errata/RHSA-2013-0268.html
- JBoss Enterprise Web Server 2.0.0 via RHSA-2013:0267 https://rhn.redhat.com/errata/RHSA-2013-0267.html
- JBEWS 2 for RHEL 5, JBEWS 2 for RHEL 6 via RHSA-2013:0266 https://rhn.redhat.com/errata/RHSA-2013-0266.html
- JBoss Enterprise Application Platform 6.0.1 via RHSA-2013:0648 https://rhn.redhat.com/errata/RHSA-2013-0648.html
- JBEAP 6 for RHEL 5, JBEAP 6 for RHEL 6 via RHSA-2013:0647 https://rhn.redhat.com/errata/RHSA-2013-0647.html
- JBoss Data Grid 6.1.0 via RHSA-2013:0665 https://rhn.redhat.com/errata/RHSA-2013-0665.html
- Red Hat JBoss Portal 6.1.0 via RHSA-2013:1437 https://rhn.redhat.com/errata/RHSA-2013-1437.html
- Red Hat JBoss Operations Network 3.2.0 via RHSA-2013:1853 https://rhn.redhat.com/errata/RHSA-2013-1853.html