[SECURITY] CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses
From: Mark Thomas <markt () apache org>
Date: Mon, 05 Nov 2012 22:57:35 +0000
CVE-2012-3439 Apache Tomcat DIGEST authentication weaknesses
Vendor: The Apache Software Foundation
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
- Tomcat 5.5.0 to 5.5.35
- Earlier, unsupported versions may also be affected
Three weaknesses in Tomcat's implementation of DIGEST authentication
were identified and resolved:
1. Tomcat tracked client rather than server nonces and nonce count.
2. When a session ID was present, authentication was bypassed.
3. The user name and password were not checked before indicating that a
nonce was stale.
These issues reduced the security of DIGEST authentication, making
replay attacks possible in some circumstances.
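As an added illustration of the first weakness (not Tomcat's code, and not part of the advisory): a server that only records the nonce and nonce-count the client sends back cannot tell a replayed Authorization header from a fresh one. The sketch below, with a constructed server key and nonce lifetime, shows the server-side alternative: mint nonces the server can recognise as its own, and require the nonce-count to strictly increase per nonce.

```python
import hashlib
import hmac
import os
import time

# Constructed values: a per-server secret and a nonce lifetime in seconds.
SERVER_KEY = os.urandom(32)
NONCE_VALIDITY = 300


def issue_nonce(now=None):
    """Mint a server nonce of the form timestamp:HMAC, so the server can
    later recognise which nonces it issued itself (a client cannot mint one)."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{mac}"


class NonceTracker:
    """Tracks server-issued nonces and the highest nonce-count (nc) accepted
    for each, instead of trusting whatever nonce/nc the client presents.
    A production version would also purge expired entries to bound memory."""

    def __init__(self, validity=NONCE_VALIDITY):
        self.validity = validity
        self.seen = {}  # nonce -> last accepted nc

    def check(self, nonce, nc_hex, now=None):
        """Return 'ok', 'stale' or 'invalid' for one Authorization header."""
        now = now if now is not None else time.time()
        ts, _, mac = nonce.partition(":")
        if not ts.isdigit():
            return "invalid"
        expected = hmac.new(SERVER_KEY, ts.encode(), hashlib.sha256).hexdigest()[:32]
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return "invalid"  # not issued by this server, so never accepted
        if now - int(ts) > self.validity:
            self.seen.pop(nonce, None)
            return "stale"  # client must retry with a fresh nonce
        try:
            nc = int(nc_hex, 16)
        except ValueError:
            return "invalid"
        if nc <= self.seen.get(nonce, 0):
            return "invalid"  # nc did not increase: a replayed request
        self.seen[nonce] = nc
        return "ok"
```

In the real protocol the digest response itself must also be verified against the stored credentials; this block only covers the nonce bookkeeping.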
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later
- Tomcat 5.5.x users should upgrade to 5.5.36 or later
The first issue was identified by Tilmann Kuhn. The second and third
issues were identified by the Tomcat security team during the code
review resulting from the first issue.