Bug 741401 (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064) - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
Summary: CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weak...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
: 781909 781911 781912 (view as bug list)
Depends On: 738503 738504 738505 738506 738507 741406 741407 744983 744984 802291
Blocks: 741415 795277 810065
TreeView+ depends on / blocked
 
Reported: 2011-09-26 18:08 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:47 UTC (History)
16 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-06-15 06:27:25 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2011:1780 normal SHIPPED_LIVE Moderate: tomcat6 security and bug fix update 2011-12-05 22:46:42 UTC
Red Hat Product Errata RHSA-2011:1845 normal SHIPPED_LIVE Moderate: tomcat5 security update 2011-12-20 22:21:27 UTC
Red Hat Bugzilla 758931 None None None Never
Red Hat Bugzilla 794382 None None None Never
Red Hat Product Errata RHSA-2012:0041 normal SHIPPED_LIVE Moderate: jbossweb security update 2012-01-19 22:21:56 UTC
Red Hat Product Errata RHSA-2012:0074 normal SHIPPED_LIVE Important: jbossweb security update 2012-02-01 04:03:17 UTC
Red Hat Product Errata RHSA-2012:0075 normal SHIPPED_LIVE Important: jbossweb security update 2012-02-01 04:03:13 UTC
Red Hat Product Errata RHSA-2012:0076 normal SHIPPED_LIVE Important: jbossweb security update 2012-02-01 04:03:06 UTC
Red Hat Product Errata RHSA-2012:0077 normal SHIPPED_LIVE Important: jbossweb security update 2012-02-01 04:03:02 UTC
Red Hat Product Errata RHSA-2012:0078 normal SHIPPED_LIVE Important: JBoss Communications Platform 5.1.3 update 2012-02-01 04:02:57 UTC
Red Hat Product Errata RHSA-2012:0091 normal SHIPPED_LIVE Important: JBoss Enterprise Portal Platform 4.3 CP07 update 2012-02-03 03:19:04 UTC
Red Hat Product Errata RHSA-2012:0325 normal SHIPPED_LIVE Important: jbossweb security update 2012-02-22 10:10:34 UTC
Red Hat Product Errata RHSA-2012:0679 normal SHIPPED_LIVE Moderate: tomcat5 security and bug fix update 2012-05-21 20:28:06 UTC
Red Hat Product Errata RHSA-2012:0680 normal SHIPPED_LIVE Moderate: tomcat5 security and bug fix update 2012-05-21 20:27:56 UTC
Red Hat Product Errata RHSA-2012:0681 normal SHIPPED_LIVE Moderate: tomcat6 security and bug fix update 2012-05-21 20:38:23 UTC
Red Hat Product Errata RHSA-2012:0682 normal SHIPPED_LIVE Moderate: tomcat6 security and bug fix update 2012-05-21 20:48:57 UTC

Internal Links: 758931 794382

Description Jan Lieskovsky 2011-09-26 18:08:38 UTC
Multiple security flaws were found in the Apache Tomcat HTTP DIGEST (RFC 2069) Authentication implementation:
* it was possible to perform session reply attacks,
* server generated nonce-values were not checked,
* count of client generated nonce-values were not checked,
* quality of protection (qop) values were not checked,
* realms values were not checked,
* a known, hard-coded string was used as server secret.

References:
[1] http://tomcat.apache.org/security-5.html
[2] http://tomcat.apache.org/security-6.html
[3] http://www.securityfocus.com/archive/1/519818/30/0/threaded

Relevant upstream patches:
[4] http://svn.apache.org/viewvc?view=revision&revision=1158180
    (for Tomcat 6 version),
[5] http://svn.apache.org/viewvc?view=revision&revision=1159309
    (for Tomcat 5 version).

Comment 1 Jan Lieskovsky 2011-09-26 18:11:59 UTC
This issue affects the version of the tomcat5 package, as shipped with Red Hat Enterprise Linux 5.

This issue affects the versions of the tomcat5 package, as shipped with Fedora release of 14 and 15.

--

This issue affects the version of the tomcat6 package, as shipped with Red Hat Enterprise Linux 6.

This issue affects the versions of the tomcat6 package, as shipped with Fedora release of 14 and 15.

Comment 2 Jan Lieskovsky 2011-09-26 18:14:16 UTC
Created tomcat6 tracking bugs for this issue

Affects: fedora-all [bug 741407]

Comment 3 Jan Lieskovsky 2011-09-26 18:14:26 UTC
Created tomcat5 tracking bugs for this issue

Affects: fedora-all [bug 741406]

Comment 7 errata-xmlrpc 2011-12-05 17:49:13 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2011:1780 https://rhn.redhat.com/errata/RHSA-2011-1780.html

Comment 8 errata-xmlrpc 2011-12-20 17:26:10 UTC
This issue has been addressed in following products:

  Red Hat Enterprise Linux 5

Via RHSA-2011:1845 https://rhn.redhat.com/errata/RHSA-2011-1845.html

Comment 9 Kurt Seifried 2012-01-15 02:54:15 UTC
CVE has split these issues up:

======================================================
Name: CVE-2011-1184
related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

======================================================
Name: CVE-2011-5062
bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

======================================================
Name: CVE-2011-5063
does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

======================================================
Name: CVE-2011-5064

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

Comment 10 David Jorm 2012-01-16 11:52:58 UTC
*** Bug 781909 has been marked as a duplicate of this bug. ***

Comment 11 David Jorm 2012-01-16 11:53:43 UTC
*** Bug 781911 has been marked as a duplicate of this bug. ***

Comment 12 David Jorm 2012-01-16 11:54:07 UTC
*** Bug 781912 has been marked as a duplicate of this bug. ***

Comment 13 errata-xmlrpc 2012-01-19 17:22:23 UTC
This issue has been addressed in following products:

   JBoss Enterprise Application Platform 4.3.0 CP10

Via RHSA-2012:0041 https://rhn.redhat.com/errata/RHSA-2012-0041.html

Comment 14 errata-xmlrpc 2012-01-31 23:04:15 UTC
This issue has been addressed in following products:

  JBoss Communications Platform 5.1.3

Via RHSA-2012:0078 https://rhn.redhat.com/errata/RHSA-2012-0078.html

Comment 15 errata-xmlrpc 2012-01-31 23:06:36 UTC
This issue has been addressed in following products:

   JBoss Enterprise Web Platform 5.1.2

Via RHSA-2012:0077 https://rhn.redhat.com/errata/RHSA-2012-0077.html

Comment 16 errata-xmlrpc 2012-01-31 23:06:59 UTC
This issue has been addressed in following products:

  JBEWP 5 for RHEL 6
  JBEWP 5 for RHEL 4
  JBEWP 5 for RHEL 5

Via RHSA-2012:0076 https://rhn.redhat.com/errata/RHSA-2012-0076.html

Comment 17 errata-xmlrpc 2012-01-31 23:07:20 UTC
This issue has been addressed in following products:

  JBoss Enterprise Application Platform 5.1.2

Via RHSA-2012:0075 https://rhn.redhat.com/errata/RHSA-2012-0075.html

Comment 18 errata-xmlrpc 2012-01-31 23:07:42 UTC
This issue has been addressed in following products:

  JBEAP 5 for RHEL 6
  JBEAP 5 for RHEL 4
  JBEAP 5 for RHEL 5

Via RHSA-2012:0074 https://rhn.redhat.com/errata/RHSA-2012-0074.html

Comment 19 errata-xmlrpc 2012-02-02 22:20:09 UTC
This issue has been addressed in following products:

  JBoss Enterprise Portal Platform 4.3 CP07

Via RHSA-2012:0091 https://rhn.redhat.com/errata/RHSA-2012-0091.html

Comment 20 errata-xmlrpc 2012-02-22 05:11:13 UTC
This issue has been addressed in following products:

JBoss Enterprise BRMS Platform 5.2.0, JBoss Enterprise Portal Platform 5.2.0 and JBoss Enterprise SOA Platform 5.2.0

Via RHSA-2012:0325 https://rhn.redhat.com/errata/RHSA-2012-0325.html

Comment 21 Coty Sutherland 2012-05-01 16:45:12 UTC
Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?

Comment 22 David Jorm 2012-05-02 00:00:48 UTC
(In reply to comment #21)
> Are we making any kind of progress on this for EWS 1.0.2 (tomcat 6.0.32)?

An erratum for EWS 1.0.2 is in progress. It is currently awaiting QE.

Comment 23 errata-xmlrpc 2012-05-21 16:33:08 UTC
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0680 https://rhn.redhat.com/errata/RHSA-2012-0680.html

Comment 24 errata-xmlrpc 2012-05-21 16:34:19 UTC
This issue has been addressed in following products:

  JBEWS 1.0

Via RHSA-2012:0679 https://rhn.redhat.com/errata/RHSA-2012-0679.html

Comment 25 errata-xmlrpc 2012-05-21 16:41:23 UTC
This issue has been addressed in following products:

  JBEWS 1.0

Via RHSA-2012:0681 https://rhn.redhat.com/errata/RHSA-2012-0681.html

Comment 26 errata-xmlrpc 2012-05-21 16:52:42 UTC
This issue has been addressed in following products:

  JBEWS 1.0 for RHEL 5
  JBEWS 1.0 for RHEL 6

Via RHSA-2012:0682 https://rhn.redhat.com/errata/RHSA-2012-0682.html


Note You need to log in before you can comment on or make changes to this bug.