You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@geronimo.apache.org by David Jencks <da...@yahoo.com> on 2011/09/26 18:05:56 UTC
Fwd: [SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication
To deal with this in geronimo, I think the 2.1.x can just use the updated tomcat code, but for 2.2.x and trunk we've copied the digest auth code into a jaspi like authenticator that will need to be updated. While I could do this it might be better if someone else became more familiar with the code. Any volunteers?
thanks
david jencks
Begin forwarded message:
> From: Mark Thomas <ma...@apache.org>
> Date: September 26, 2011 4:08:30 AM PDT
> To: Tomcat Users List <us...@tomcat.apache.org>
> Cc: Tomcat Developers List <de...@tomcat.apache.org>, Tomcat Announce List <an...@tomcat.apache.org>, announce@apache.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
> Subject: [SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST authentication
> Reply-To: "Tomcat Developers List" <de...@tomcat.apache.org>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST
> authentication
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - - Tomcat 7.0.0 to 7.0.11
> - - Tomcat 6.0.0 to 6.0.32
> - - Tomcat 5.5.0 to 5.5.33
> - - Earlier, unsupported versions may also be affected
>
> Description:
> The implementation of HTTP DIGEST authentication was discovered to
> have several weaknesses:
> - - replay attacks were permitted
> - - server nonces were not checked
> - - client nonce counts were not checked
> - - qop values were not checked
> - - realm values were not checked
> - - the server secret was hard-coded to a known string
> The result of these weaknesses is that DIGEST authentication was only
> as secure as BASIC authentication.
>
> Mitigation:
> Users of Tomcat 7.0.x should upgrade to 7.0.12 or later
> Users of Tomcat 6.0.x should upgrade to 6.0.33 or later
> Users of Tomcat 5.5.x should upgrade to 5.5.34 or later
>
> Credit:
> This issue was identified by the Apache Tomcat security team
>
> References:
> http://tomcat.apache.org/security.html
> http://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-6.html
> http://tomcat.apache.org/security-5.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQIcBAEBAgAGBQJOgF0tAAoJEBDAHFovYFnnv70QALdoVwivDt9bXBEpMgjJ0/NY
> kadCFsA/X+O8TEKTRx/85B54Spgv8dGJFiPMettdbfjFuq7ADsRiAbxsZQ3dEIfJ
> esrWfPJRTpXhjKU1OOLmoDvoueAD0pD7/qvl8o9bFowxGXLWqvO/elFe+4AH2YjZ
> ux9tWOlWn46Q7ffaNOzRebjPVIQ3ebB+FH9ToZAdNfFFIZbtxYRMV02wRfHWq+fU
> kTJ+hKF0XOpzyIut3zkmE00ZuvGAPLdnZcMKq9m/X/dt/niP2nT8H28Xx1Zu8sW+
> CUE7CRse4pI6fGuXVrOAk1akyN/hkiSPxDNsDnHxALTNmjr1Z+DAs7QT5IKc3EDv
> NeSXAnxKfIJ83jcjam1bEf38UN1uYatP/u6XJCVpnOr0UjJ9wtO+QgSV/93eiyD7
> YCpVcmKay/jvWmLPp7MRB+h6FGhJNw5OA5k7IWJePBXC39p6tpac3vsOKx1OGU38
> QKUglIro/TtZo7gmfeG8lD3lI493l25+3E/vBiSrbfSHua3bmyFQikQMhy2ZPYIt
> 4wEfdaW4hUBJHpxkDaotuTTN8ATzQLtDNTGei2u76ZXQiOjTLUDGam++6fR+kfZU
> gloAy8ZIS702hoXg/ypFPtcyIx435dOgxtGIbOedmDUsy1ErGTCAksrOyn2yZl3v
> +Ew0bAULNmXwKQeMyDj0
> =u/Ai
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
Re: [SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses in
HTTP DIGEST authentication
Posted by Ivan <xh...@gmail.com>.
I will take a look at it later, just have some other issues on hand now.
2011/9/27 David Jencks <da...@yahoo.com>
> To deal with this in geronimo, I think the 2.1.x can just use the updated
> tomcat code, but for 2.2.x and trunk we've copied the digest auth code into
> a jaspi like authenticator that will need to be updated. While I could do
> this it might be better if someone else became more familiar with the code.
> Any volunteers?
>
> thanks
> david jencks
>
>
> Begin forwarded message:
>
> *From: *Mark Thomas <ma...@apache.org>
> *Date: *September 26, 2011 4:08:30 AM PDT
> *To: *Tomcat Users List <us...@tomcat.apache.org>
> *Cc: *Tomcat Developers List <de...@tomcat.apache.org>, Tomcat Announce List
> <an...@tomcat.apache.org>, announce@apache.org,
> full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
> *Subject: **[SECURITY] CVE-2011-1184 Apache Tomcat - Multiple weaknesses
> in HTTP DIGEST authentication*
> *Reply-To: *"Tomcat Developers List" <de...@tomcat.apache.org>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> CVE-2011-1184 Apache Tomcat - Multiple weaknesses in HTTP DIGEST
> authentication
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> - - Tomcat 7.0.0 to 7.0.11
> - - Tomcat 6.0.0 to 6.0.32
> - - Tomcat 5.5.0 to 5.5.33
> - - Earlier, unsupported versions may also be affected
>
> Description:
> The implementation of HTTP DIGEST authentication was discovered to
> have several weaknesses:
> - - replay attacks were permitted
> - - server nonces were not checked
> - - client nonce counts were not checked
> - - qop values were not checked
> - - realm values were not checked
> - - the server secret was hard-coded to a known string
> The result of these weaknesses is that DIGEST authentication was only
> as secure as BASIC authentication.
>
> Mitigation:
> Users of Tomcat 7.0.x should upgrade to 7.0.12 or later
> Users of Tomcat 6.0.x should upgrade to 6.0.33 or later
> Users of Tomcat 5.5.x should upgrade to 5.5.34 or later
>
> Credit:
> This issue was identified by the Apache Tomcat security team
>
> References:
> http://tomcat.apache.org/security.html
> http://tomcat.apache.org/security-7.html
> http://tomcat.apache.org/security-6.html
> http://tomcat.apache.org/security-5.html
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iQIcBAEBAgAGBQJOgF0tAAoJEBDAHFovYFnnv70QALdoVwivDt9bXBEpMgjJ0/NY
> kadCFsA/X+O8TEKTRx/85B54Spgv8dGJFiPMettdbfjFuq7ADsRiAbxsZQ3dEIfJ
> esrWfPJRTpXhjKU1OOLmoDvoueAD0pD7/qvl8o9bFowxGXLWqvO/elFe+4AH2YjZ
> ux9tWOlWn46Q7ffaNOzRebjPVIQ3ebB+FH9ToZAdNfFFIZbtxYRMV02wRfHWq+fU
> kTJ+hKF0XOpzyIut3zkmE00ZuvGAPLdnZcMKq9m/X/dt/niP2nT8H28Xx1Zu8sW+
> CUE7CRse4pI6fGuXVrOAk1akyN/hkiSPxDNsDnHxALTNmjr1Z+DAs7QT5IKc3EDv
> NeSXAnxKfIJ83jcjam1bEf38UN1uYatP/u6XJCVpnOr0UjJ9wtO+QgSV/93eiyD7
> YCpVcmKay/jvWmLPp7MRB+h6FGhJNw5OA5k7IWJePBXC39p6tpac3vsOKx1OGU38
> QKUglIro/TtZo7gmfeG8lD3lI493l25+3E/vBiSrbfSHua3bmyFQikQMhy2ZPYIt
> 4wEfdaW4hUBJHpxkDaotuTTN8ATzQLtDNTGei2u76ZXQiOjTLUDGam++6fR+kfZU
> gloAy8ZIS702hoXg/ypFPtcyIx435dOgxtGIbOedmDUsy1ErGTCAksrOyn2yZl3v
> +Ew0bAULNmXwKQeMyDj0
> =u/Ai
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>
>
--
Ivan