geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From David Jencks <david_jen...@yahoo.com>
Subject Fwd: [SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication
Date Mon, 26 Sep 2011 16:05:56 GMT
To deal with this in geronimo, I think the 2.1.x can just use the updated tomcat code, but
for 2.2.x and trunk we've copied the digest auth code into a jaspi like authenticator that
will need to be updated.  While I could do this it might be better if someone else became
more familiar with the code.  Any volunteers?

thanks
david jencks


Begin forwarded message:

> From: Mark Thomas <markt@apache.org>
> Date: September 26, 2011 4:08:30 AM PDT
> To: Tomcat Users List <users@tomcat.apache.org>
> Cc: Tomcat Developers List <dev@tomcat.apache.org>, Tomcat Announce List <announce@tomcat.apache.org>,
announce@apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
> Subject: [SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST
authentication
> Reply-To: "Tomcat Developers List" <dev@tomcat.apache.org>
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST
> authentication
> 
> Severity: Moderate
> 
> Vendor: The Apache Software Foundation
> 
> Versions Affected:
> - - Tomcat 7.0.0 to 7.0.11
> - - Tomcat 6.0.0 to 6.0.32
> - - Tomcat 5.5.0 to 5.5.33
> - - Earlier, unsupported versions may also be affected
> 
> Description:
> The implementation of HTTP DIGEST authentication was discovered to
> have several weaknesses:
> - - replay attacks were permitted
> - - server nonces were not checked
> - - client nonce counts were not checked
> - - qop values were not checked
> - - realm values were not checked
> - - the server secret was hard-coded to a known string
> The result of these weaknesses is that DIGEST authentication was only
> as secure as BASIC authentication.
> 
> Mitigation:
> Users of Tomcat 7.0.x should upgrade to 7.0.12 or later
> Users of Tomcat 6.0.x should upgrade to 6.0.33 or later
> Users of Tomcat 5.5.x should upgrade to 5.5.34 or later
> 
> Credit:
> This issue was identified by the Apache Tomcat security team
> 
> References:
> http://tomcat.apache.org/security.html
> http://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-6.html
> http://tomcat.apache.org/security-5.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iQIcBAEBAgAGBQJOgF0tAAoJEBDAHFovYFnnv70QALdoVwivDt9bXBEpMgjJ0/NY
> kadCFsA/X+O8TEKTRx/85B54Spgv8dGJFiPMettdbfjFuq7ADsRiAbxsZQ3dEIfJ
> esrWfPJRTpXhjKU1OOLmoDvoueAD0pD7/qvl8o9bFowxGXLWqvO/elFe+4AH2YjZ
> ux9tWOlWn46Q7ffaNOzRebjPVIQ3ebB+FH9ToZAdNfFFIZbtxYRMV02wRfHWq+fU
> kTJ+hKF0XOpzyIut3zkmE00ZuvGAPLdnZcMKq9m/X/dt/niP2nT8H28Xx1Zu8sW+
> CUE7CRse4pI6fGuXVrOAk1akyN/hkiSPxDNsDnHxALTNmjr1Z+DAs7QT5IKc3EDv
> NeSXAnxKfIJ83jcjam1bEf38UN1uYatP/u6XJCVpnOr0UjJ9wtO+QgSV/93eiyD7
> YCpVcmKay/jvWmLPp7MRB+h6FGhJNw5OA5k7IWJePBXC39p6tpac3vsOKx1OGU38
> QKUglIro/TtZo7gmfeG8lD3lI493l25+3E/vBiSrbfSHua3bmyFQikQMhy2ZPYIt
> 4wEfdaW4hUBJHpxkDaotuTTN8ATzQLtDNTGei2u76ZXQiOjTLUDGam++6fR+kfZU
> gloAy8ZIS702hoXg/ypFPtcyIx435dOgxtGIbOedmDUsy1ErGTCAksrOyn2yZl3v
> +Ew0bAULNmXwKQeMyDj0
> =u/Ai
> -----END PGP SIGNATURE-----
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
> 


Mime
View raw message