781912 – CVE-2011-5064 tomcat: Hard-coded server secret eases bypass of cryptographic protection mechanisms

Bug 781912 - CVE-2011-5064 tomcat: Hard-coded server secret eases bypass of cryptographic protection mechanisms

Summary: CVE-2011-5064 tomcat: Hard-coded server secret eases bypass of cryptographic ...

Keywords:
Status:	CLOSED DUPLICATE of bug 741401
Alias:	None
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2012-01-16 04:51 UTC by David Jorm
Modified:	2019-09-29 12:49 UTC (History)
CC List:	1 user (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:	2012-01-16 11:54:06 UTC

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Description David Jorm 2012-01-16 04:51:26 UTC

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string.

References:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5064

Comment 1 David Jorm 2012-01-16 11:54:06 UTC


*** This bug has been marked as a duplicate of bug 741401 ***

Note You need to log in before you can comment on or make changes to this bug.