rhsa-2011_1780
Vulnerability from csaf_redhat
Published
2011-12-05 17:39
Modified
2024-11-05 17:39
Summary
Red Hat Security Advisory: tomcat6 security and bug fix update
Notes
Topic
Updated tomcat6 packages that fix several security issues and one bug are
now available for Red Hat Enterprise Linux 6.
The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.
APR (Apache Portable Runtime) as mentioned in the CVE-2011-3190 and
CVE-2011-2526 descriptions does not refer to APR provided by the apr
packages. It refers to the implementation of APR provided by the Tomcat
Native library, which provides support for using APR with Tomcat. This
library is not shipped with Red Hat Enterprise Linux 6. This update
includes fixes for users who have elected to use APR with Tomcat by taking
the Tomcat Native library from a different product. Such a configuration is
not supported by Red Hat, however.
Multiple flaws were found in the way Tomcat handled HTTP DIGEST
authentication. Tomcat did not verify that the nonce in an Authorization
header was one it had itself issued, nor that the nonce count (nc) increased
between requests. These omissions left the DIGEST implementation with some of
the weaknesses of HTTP BASIC authentication: for example, a remote attacker
who captured a valid request on the network could replay it to bypass the
intended access restrictions. (CVE-2011-1184)
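The two checks whose absence is described above (server-issued nonce, strictly increasing nc) are small enough to show end to end. The following is an added illustration written for this page, not Tomcat's code or Red Hat's: a minimal RFC 2617 Digest verifier with qop=auth that tracks each nonce it issued, its age and the highest nonce-count accepted for it, so that a captured Authorization header is rejected on replay. The realm, user table, TTL and injectable clock are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os
import time


def _md5_hex(text: str) -> str:
    # RFC 2617 Digest hashes ':'-joined fields with MD5; used here only
    # because that is what the protocol specifies.
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def digest_response(username, password, realm, method, uri, nonce, nc, cnonce):
    """Client-side computation of the 'response' field for qop=auth."""
    ha1 = _md5_hex(f"{username}:{realm}:{password}")
    ha2 = _md5_hex(f"{method}:{uri}")
    return _md5_hex(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")


class DigestNonceValidator:
    """Server-side Digest verification with the two checks the flaw lacked:
    the nonce must be one this server issued and still fresh, and the
    nonce-count (nc) must be strictly greater than the last one accepted
    for that nonce, so a replayed Authorization header is refused."""

    def __init__(self, realm, users, nonce_ttl=300, now=time.time):
        self.realm = realm
        self.users = users            # username -> password (constructed test data)
        self.nonce_ttl = nonce_ttl    # seconds a nonce stays valid (assumed value)
        self.now = now                # injectable clock so expiry can be tested
        self._nonces = {}             # nonce -> [issued_at, highest nc accepted]

    def issue_nonce(self):
        nonce = os.urandom(16).hex()
        self._nonces[nonce] = [self.now(), 0]
        return nonce

    def check(self, username, method, uri, nonce, nc, cnonce, response):
        """Return 'ok', or a short reason string for rejecting the request."""
        entry = self._nonces.get(nonce)
        if entry is None:
            return "unknown-nonce"          # not issued by this server
        issued_at, last_nc = entry
        if self.now() - issued_at > self.nonce_ttl:
            del self._nonces[nonce]
            return "stale-nonce"
        try:
            nc_value = int(nc, 16)          # nc is 8 hex digits on the wire
        except ValueError:
            return "bad-nc"
        if nc_value <= last_nc:
            return "replay"                 # same or older count already seen
        password = self.users.get(username)
        if password is None:
            return "bad-credentials"
        expected = digest_response(username, password, self.realm,
                                   method, uri, nonce, nc, cnonce)
        if not hmac.compare_digest(expected, response):
            return "bad-credentials"
        entry[1] = nc_value                 # advance only on a fully valid request
        return "ok"


def demo():
    """Issue a nonce, use it, replay it, forge one, let it expire; return outcomes."""
    clock = [1000.0]
    v = DigestNonceValidator("example", {"alice": "s3cret"},
                             nonce_ttl=300, now=lambda: clock[0])
    nonce = v.issue_nonce()
    args = ("alice", "s3cret", "example", "GET", "/secure", nonce)
    first = digest_response(*args, "00000001", "cn1")
    results = [
        v.check("alice", "GET", "/secure", nonce, "00000001", "cn1", first),  # ok
        v.check("alice", "GET", "/secure", nonce, "00000001", "cn1", first),  # replay
    ]
    second = digest_response(*args, "00000002", "cn2")
    results.append(v.check("alice", "GET", "/secure", nonce, "00000002", "cn2", second))
    forged = "0" * 32                       # a nonce this server never issued
    results.append(v.check("alice", "GET", "/secure", forged, "00000001", "cn1", first))
    clock[0] += 301                         # past the TTL
    third = digest_response(*args, "00000003", "cn3")
    results.append(v.check("alice", "GET", "/secure", nonce, "00000003", "cn3", third))
    return results
```

The strict "greater than" rule is the simplest replay defence; it rejects legitimate out-of-order requests sent over parallel connections, and production servers typically keep a small window of seen counts instead. The important property is the one the flaw lacked: the server, not the client, decides which nonces and counts are acceptable.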
A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor)
and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ
Protocol) connectors processed certain POST requests. An attacker could
send a specially-crafted request that would cause the connector to treat
the message body as a new request. This allows arbitrary AJP messages to be
injected, possibly allowing an attacker to bypass a web application's
authentication checks and gain access to information they would otherwise
be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler)
connector is used by default when the APR libraries are not present. The JK
connector is not affected by this flaw. (CVE-2011-3190)
A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception
occurred when creating a new user with a JMX client, that user's password
was logged to Tomcat log files. Note: By default, only administrators have
access to such log files. (CVE-2011-2204)
A flaw was found in the way Tomcat handled sendfile request attributes when
using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web
application running on a Tomcat instance could use this flaw to bypass
security manager restrictions and gain access to files it would otherwise
be unable to access, or possibly terminate the Java Virtual Machine (JVM).
The HTTP blocking IO (BIO) connector, which is not vulnerable to this
issue, is used by default in Red Hat Enterprise Linux 6. (CVE-2011-2526)
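Both connector-specific issues above (CVE-2011-3190 for the Coyote and APR AJP connectors, CVE-2011-2526 for the HTTP APR and NIO connectors with sendfile enabled) depend on which implementation server.xml actually selects, which in turn depends on whether the Tomcat Native library is present. The script below is an added example for this page, not a Red Hat or Apache tool: it reads a server.xml, resolves the generic "HTTP/1.1" and "AJP/1.3" names the way the advisory describes (APR if Tomcat Native is present, otherwise BIO and JK), and reports which of the two issues each Connector is relevant to on a not-yet-updated host. The sample server.xml is constructed for the demonstration, and the assumption that useSendfile defaults to true on the APR and NIO connectors is the author's, not stated in the advisory.

```python
import xml.etree.ElementTree as ET

# Constructed server.xml fragment for illustration; not taken from any real host.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" />
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol" useSendfile="false" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8010" protocol="org.apache.coyote.ajp.AjpProtocol" />
  </Service>
</Server>
"""

BIO = "org.apache.coyote.http11.Http11Protocol"
NIO = "org.apache.coyote.http11.Http11NioProtocol"
HTTP_APR = "org.apache.coyote.http11.Http11AprProtocol"
AJP_COYOTE = "org.apache.coyote.ajp.AjpProtocol"
AJP_APR = "org.apache.coyote.ajp.AjpAprProtocol"
AJP_JK = "org.apache.jk.server.JkCoyoteHandler"


def resolve_protocol(protocol, apr_available):
    """Map the generic protocol names to the implementation Tomcat 6 selects.
    Per the advisory: without Tomcat Native (the RHEL 6 default) HTTP/1.1 is
    the BIO connector and AJP/1.3 is the JK connector; with it present both
    resolve to the APR implementations. Explicit class names are used as-is."""
    name = protocol or "HTTP/1.1"      # a missing attribute means HTTP/1.1
    if name == "HTTP/1.1":
        return HTTP_APR if apr_available else BIO
    if name == "AJP/1.3":
        return AJP_APR if apr_available else AJP_JK
    return name


def classify(connector, apr_available):
    """Return (implementation class, [CVEs from this advisory that apply])."""
    impl = resolve_protocol(connector.get("protocol"), apr_available)
    cves = []
    if impl in (AJP_COYOTE, AJP_APR):
        cves.append("CVE-2011-3190")   # Coyote/APR AJP only; JK is unaffected
    if impl in (HTTP_APR, NIO):
        # Assumption: useSendfile defaults to true on the APR and NIO connectors.
        if connector.get("useSendfile", "true").lower() != "false":
            cves.append("CVE-2011-2526")
    return impl, cves


def audit(xml_text, apr_available):
    """Return (port, implementation, [CVEs]) for every Connector in server.xml."""
    root = ET.fromstring(xml_text)
    return [(c.get("port"),) + classify(c, apr_available)
            for c in root.iter("Connector")]


def report(xml_text, apr_available):
    """Human-readable lines, one per Connector."""
    lines = []
    for port, impl, cves in audit(xml_text, apr_available):
        status = ", ".join(cves) if cves else "not affected by the connector-specific issues"
        lines.append(f"port {port}: {impl} -> {status}")
    return lines


if __name__ == "__main__":
    for apr in (False, True):
        print(f"Tomcat Native present: {apr}")
        for line in report(SAMPLE_SERVER_XML, apr):
            print("  " + line)
```

On a real host, replace SAMPLE_SERVER_XML with the contents of /etc/tomcat6/server.xml and set apr_available according to whether a Tomcat Native library is on the JVM's library path. The check is only about connector selection; CVE-2011-1184 and CVE-2011-2204 apply regardless of connector, so the package update is still required either way.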
Red Hat would like to thank the Apache Tomcat project for reporting the
CVE-2011-2526 issue.
This update also fixes the following bug:
* Previously, in certain cases, if "LANG=fr_FR" or "LANG=fr_FR.UTF-8" was
set as an environment variable or in "/etc/sysconfig/tomcat6" on 64-bit
PowerPC systems, Tomcat may have failed to start correctly. With this
update, Tomcat works as expected when LANG is set to "fr_FR" or
"fr_FR.UTF-8". (BZ#748807)
Users of Tomcat should upgrade to these updated packages, which contain
backported patches to correct these issues. Tomcat must be restarted for
this update to take effect.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ "document": { "aggregate_severity": { "namespace": "https://access.redhat.com/security/updates/classification/", "text": "Moderate" }, "category": "csaf_security_advisory", "csaf_version": "2.0", "distribution": { "text": "Copyright \u00a9 Red Hat, Inc. All rights reserved.", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "summary", "text": "Updated tomcat6 packages that fix several security issues and one bug are\nnow available for Red Hat Enterprise Linux 6.\n\nThe Red Hat Security Response Team has rated this update as having moderate\nsecurity impact. Common Vulnerability Scoring System (CVSS) base scores,\nwhich give detailed severity ratings, are available for each vulnerability\nfrom the CVE links in the References section.", "title": "Topic" }, { "category": "general", "text": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nAPR (Apache Portable Runtime) as mentioned in the CVE-2011-3190 and\nCVE-2011-2526 descriptions does not refer to APR provided by the apr\npackages. It refers to the implementation of APR provided by the Tomcat\nNative library, which provides support for using APR with Tomcat. This\nlibrary is not shipped with Red Hat Enterprise Linux 6. This update\nincludes fixes for users who have elected to use APR with Tomcat by taking\nthe Tomcat Native library from a different product. Such a configuration is\nnot supported by Red Hat, however.\n\nMultiple flaws were found in the way Tomcat handled HTTP DIGEST\nauthentication. These flaws weakened the Tomcat HTTP DIGEST authentication\nimplementation, subjecting it to some of the weaknesses of HTTP BASIC\nauthentication, for example, allowing remote attackers to perform session\nreplay attacks. 
(CVE-2011-1184)\n\nA flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor)\nand APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ\nProtocol) connectors processed certain POST requests. An attacker could\nsend a specially-crafted request that would cause the connector to treat\nthe message body as a new request. This allows arbitrary AJP messages to be\ninjected, possibly allowing an attacker to bypass a web application\u0027s\nauthentication checks and gain access to information they would otherwise\nbe unable to access. The JK (org.apache.jk.server.JkCoyoteHandler)\nconnector is used by default when the APR libraries are not present. The JK\nconnector is not affected by this flaw. (CVE-2011-3190)\n\nA flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception\noccurred when creating a new user with a JMX client, that user\u0027s password\nwas logged to Tomcat log files. Note: By default, only administrators have\naccess to such log files. (CVE-2011-2204)\n\nA flaw was found in the way Tomcat handled sendfile request attributes when\nusing the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web\napplication running on a Tomcat instance could use this flaw to bypass\nsecurity manager restrictions and gain access to files it would otherwise\nbe unable to access, or possibly terminate the Java Virtual Machine (JVM).\nThe HTTP blocking IO (BIO) connector, which is not vulnerable to this\nissue, is used by default in Red Hat Enterprise Linux 6. (CVE-2011-2526)\n\nRed Hat would like to thank the Apache Tomcat project for reporting the\nCVE-2011-2526 issue.\n\nThis update also fixes the following bug:\n\n* Previously, in certain cases, if \"LANG=fr_FR\" or \"LANG=fr_FR.UTF-8\" was\nset as an environment variable or in \"/etc/sysconfig/tomcat6\" on 64-bit\nPowerPC systems, Tomcat may have failed to start correctly. With this\nupdate, Tomcat works as expected when LANG is set to \"fr_FR\" or\n\"fr_FR.UTF-8\". 
(BZ#748807)\n\nUsers of Tomcat should upgrade to these updated packages, which contain\nbackported patches to correct these issues. Tomcat must be restarted for\nthis update to take effect.", "title": "Details" }, { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://access.redhat.com/security/team/contact/", "issuing_authority": "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", "name": "Red Hat Product Security", "namespace": "https://www.redhat.com" }, "references": [ { "category": "self", "summary": "https://access.redhat.com/errata/RHSA-2011:1780", "url": "https://access.redhat.com/errata/RHSA-2011:1780" }, { "category": "external", "summary": "https://access.redhat.com/security/updates/classification/#moderate", "url": "https://access.redhat.com/security/updates/classification/#moderate" }, { "category": "external", "summary": "http://tomcat.apache.org/security-6.html", "url": "http://tomcat.apache.org/security-6.html" }, { "category": "external", "summary": "https://access.redhat.com/support/offerings/production/soc.html", "url": "https://access.redhat.com/support/offerings/production/soc.html" }, { "category": "external", "summary": "717013", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=717013" }, { "category": "external", "summary": "720948", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=720948" }, { "category": "external", "summary": "734868", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=734868" }, { "category": "external", "summary": "741401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=741401" }, { 
"category": "self", "summary": "Canonical URL", "url": "https://security.access.redhat.com/data/csaf/v2/advisories/2011/rhsa-2011_1780.json" } ], "title": "Red Hat Security Advisory: tomcat6 security and bug fix update", "tracking": { "current_release_date": "2024-11-05T17:39:17+00:00", "generator": { "date": "2024-11-05T17:39:17+00:00", "engine": { "name": "Red Hat SDEngine", "version": "4.1.1" } }, "id": "RHSA-2011:1780", "initial_release_date": "2011-12-05T17:39:00+00:00", "revision_history": [ { "date": "2011-12-05T17:39:00+00:00", "number": "1", "summary": "Initial version" }, { "date": "2011-12-05T17:46:42+00:00", "number": "2", "summary": "Last updated version" }, { "date": "2024-11-05T17:39:17+00:00", "number": "3", "summary": "Last generated version" } ], "status": "final", "version": "3" } }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Red Hat Enterprise Linux Server (v. 6)", "product": { "name": "Red Hat Enterprise Linux Server (v. 6)", "product_id": "6Server-6.1.z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:6::server" } } }, { "category": "product_name", "name": "Red Hat Enterprise Linux Server Optional (v. 6)", "product": { "name": "Red Hat Enterprise Linux Server Optional (v. 
6)", "product_id": "6Server-optional-6.1.z", "product_identification_helper": { "cpe": "cpe:/o:redhat:enterprise_linux:6::server" } } } ], "category": "product_family", "name": "Red Hat Enterprise Linux" }, { "branches": [ { "category": "product_version", "name": "tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "product": { "name": "tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "product_id": "tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat6-admin-webapps@6.0.24-35.el6_1?arch=noarch" } } }, { "category": "product_version", "name": "tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "product": { "name": "tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "product_id": "tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat6-docs-webapp@6.0.24-35.el6_1?arch=noarch" } } }, { "category": "product_version", "name": "tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "product": { "name": "tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "product_id": "tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat6-javadoc@6.0.24-35.el6_1?arch=noarch" } } }, { "category": "product_version", "name": "tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "product": { "name": "tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "product_id": "tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat6-webapps@6.0.24-35.el6_1?arch=noarch" } } }, { "category": "product_version", "name": "tomcat6-lib-0:6.0.24-35.el6_1.noarch", "product": { "name": "tomcat6-lib-0:6.0.24-35.el6_1.noarch", "product_id": "tomcat6-lib-0:6.0.24-35.el6_1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat6-lib@6.0.24-35.el6_1?arch=noarch" } } }, { "category": "product_version", "name": "tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "product": { "name": "tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", 
"product_id": "tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat6-jsp-2.1-api@6.0.24-35.el6_1?arch=noarch" } } }, { "category": "product_version", "name": "tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "product": { "name": "tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "product_id": "tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat6-servlet-2.5-api@6.0.24-35.el6_1?arch=noarch" } } }, { "category": "product_version", "name": "tomcat6-0:6.0.24-35.el6_1.noarch", "product": { "name": "tomcat6-0:6.0.24-35.el6_1.noarch", "product_id": "tomcat6-0:6.0.24-35.el6_1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat6@6.0.24-35.el6_1?arch=noarch" } } }, { "category": "product_version", "name": "tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "product": { "name": "tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "product_id": "tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat6-el-2.1-api@6.0.24-35.el6_1?arch=noarch" } } } ], "category": "architecture", "name": "noarch" }, { "branches": [ { "category": "product_version", "name": "tomcat6-0:6.0.24-35.el6_1.src", "product": { "name": "tomcat6-0:6.0.24-35.el6_1.src", "product_id": "tomcat6-0:6.0.24-35.el6_1.src", "product_identification_helper": { "purl": "pkg:rpm/redhat/tomcat6@6.0.24-35.el6_1?arch=src" } } } ], "category": "architecture", "name": "src" } ], "category": "vendor", "name": "Red Hat" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "tomcat6-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server (v. 
6)", "product_id": "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-0:6.0.24-35.el6_1.src as a component of Red Hat Enterprise Linux Server (v. 6)", "product_id": "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src" }, "product_reference": "tomcat6-0:6.0.24-35.el6_1.src", "relates_to_product_reference": "6Server-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", "product_id": "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", "product_id": "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", "product_id": "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-javadoc-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server (v. 
6)", "product_id": "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", "product_id": "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-lib-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", "product_id": "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-lib-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", "product_id": "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-webapps-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", "product_id": "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 
6)", "product_id": "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-optional-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-0:6.0.24-35.el6_1.src as a component of Red Hat Enterprise Linux Server Optional (v. 6)", "product_id": "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src" }, "product_reference": "tomcat6-0:6.0.24-35.el6_1.src", "relates_to_product_reference": "6Server-optional-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)", "product_id": "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-optional-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)", "product_id": "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-optional-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)", "product_id": "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-optional-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-javadoc-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 
6)", "product_id": "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-optional-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)", "product_id": "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-optional-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-lib-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)", "product_id": "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-lib-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-optional-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 6)", "product_id": "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-optional-6.1.z" }, { "category": "default_component_of", "full_product_name": { "name": "tomcat6-webapps-0:6.0.24-35.el6_1.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 
6)", "product_id": "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" }, "product_reference": "tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "relates_to_product_reference": "6Server-optional-6.1.z" } ] }, "vulnerabilities": [ { "cve": "CVE-2011-1184", "discovery_date": "2011-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "741401" } ], "notes": [ { "category": "description", "text": "The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: Multiple weaknesses in HTTP DIGEST authentication", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", 
"6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2011-1184" }, { "category": "external", "summary": "RHBZ#741401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=741401" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2011-1184", "url": "https://www.cve.org/CVERecord?id=CVE-2011-1184" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-1184", "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-1184" } ], "release_date": "2011-09-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2011-12-05T17:39:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. 
Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259", "product_ids": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2011:1780" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", 
"6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: Multiple weaknesses in HTTP DIGEST authentication" }, { "cve": "CVE-2011-2204", "discovery_date": "2011-06-27T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "717013" } ], "notes": [ { "category": "description", "text": "Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: password disclosure vulnerability", "title": "Vulnerability summary" }, { "category": "other", "text": "The Red Hat Security Response Team has rated this issue as having low security\nimpact, a future 
update may address this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2011-2204" }, { "category": "external", "summary": "RHBZ#717013", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=717013" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2011-2204", "url": 
"https://www.cve.org/CVERecord?id=CVE-2011-2204" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-2204", "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2204" } ], "release_date": "2011-06-27T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2011-12-05T17:39:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259", "product_ids": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ], "restart_required": { "category": "none" }, "url": 
"https://access.redhat.com/errata/RHSA-2011:1780" } ], "scores": [ { "cvss_v2": { "accessComplexity": "HIGH", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "NONE", "baseScore": 2.1, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N", "version": "2.0" }, "products": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "tomcat: password disclosure vulnerability" }, { "acknowledgments": [ { "names": [ "Apache Tomcat project" ] } ], "cve": "CVE-2011-2526", "discovery_date": "2011-07-12T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "720948" } ], "notes": [ { "category": "description", "text": "Apache 
Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.19, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: security manager restrictions bypass", "title": "Vulnerability summary" }, { "category": "other", "text": "The Red Hat Security Response Team has rated this issue as having low security\nimpact, a future update may address this flaw.", "title": "Statement" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", 
"6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2011-2526" }, { "category": "external", "summary": "RHBZ#720948", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=720948" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2011-2526", "url": "https://www.cve.org/CVERecord?id=CVE-2011-2526" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-2526", "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-2526" } ], "release_date": "2011-07-13T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2011-12-05T17:39:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. 
Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259", "product_ids": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2011:1780" } ], "scores": [ { "cvss_v2": { "accessComplexity": "HIGH", "accessVector": "LOCAL", "authentication": "NONE", "availabilityImpact": "PARTIAL", "baseScore": 2.6, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:L/AC:H/Au:N/C:P/I:N/A:P", "version": "2.0" }, "products": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", 
"6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] } ], "threats": [ { "category": "impact", "details": "Low" } ], "title": "tomcat: security manager restrictions bypass" }, { "cve": "CVE-2011-3190", "discovery_date": "2011-08-29T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "734868" } ], "notes": [ { "category": "description", "text": "Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: authentication bypass and information disclosure", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do 
not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2011-3190" }, { "category": "external", "summary": "RHBZ#734868", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=734868" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2011-3190", "url": "https://www.cve.org/CVERecord?id=CVE-2011-3190" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-3190", "url": 
"https://nvd.nist.gov/vuln/detail/CVE-2011-3190" } ], "release_date": "2011-08-20T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2011-12-05T17:39:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259", "product_ids": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2011:1780" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": 
"NONE", "baseScore": 5.8, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N", "version": "2.0" }, "products": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: authentication bypass and information disclosure" }, { "cve": "CVE-2011-5062", "discovery_date": "2011-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "741401" } ], "notes": [ { "category": "description", "text": "The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection 
requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: Multiple weaknesses in HTTP DIGEST authentication", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2011-5062" }, { "category": "external", "summary": 
"RHBZ#741401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=741401" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2011-5062", "url": "https://www.cve.org/CVERecord?id=CVE-2011-5062" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-5062", "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5062" } ], "release_date": "2011-09-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2011-12-05T17:39:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259", "product_ids": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", 
"6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2011:1780" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: Multiple weaknesses in HTTP DIGEST authentication" }, { "cve": "CVE-2011-5063", "discovery_date": 
"2011-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "741401" } ], "notes": [ { "category": "description", "text": "The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: Multiple weaknesses in HTTP DIGEST authentication", "title": "Vulnerability summary" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", 
"6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2011-5063" }, { "category": "external", "summary": "RHBZ#741401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=741401" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2011-5063", "url": "https://www.cve.org/CVERecord?id=CVE-2011-5063" }, { "category": "external", "summary": "https://nvd.nist.gov/vuln/detail/CVE-2011-5063", "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5063" } ], "release_date": "2011-09-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2011-12-05T17:39:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. 
Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259", "product_ids": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2011:1780" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", 
"6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: Multiple weaknesses in HTTP DIGEST authentication" }, { "cve": "CVE-2011-5064", "discovery_date": "2011-09-26T00:00:00+00:00", "ids": [ { "system_name": "Red Hat Bugzilla ID", "text": "741401" } ], "notes": [ { "category": "description", "text": "DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.", "title": "Vulnerability description" }, { "category": "summary", "text": "tomcat: Multiple weaknesses in HTTP DIGEST authentication", "title": "Vulnerability summary" }, 
{ "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product\u0027s status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "fixed": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://access.redhat.com/security/cve/CVE-2011-5064" }, { "category": "external", "summary": "RHBZ#741401", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=741401" }, { "category": "external", "summary": "https://www.cve.org/CVERecord?id=CVE-2011-5064", "url": "https://www.cve.org/CVERecord?id=CVE-2011-5064" }, { "category": "external", "summary": 
"https://nvd.nist.gov/vuln/detail/CVE-2011-5064", "url": "https://nvd.nist.gov/vuln/detail/CVE-2011-5064" } ], "release_date": "2011-09-26T00:00:00+00:00", "remediations": [ { "category": "vendor_fix", "date": "2011-12-05T17:39:00+00:00", "details": "Before applying this update, make sure all previously-released errata\nrelevant to your system have been applied.\n\nThis update is available via the Red Hat Network. Details on how to\nuse the Red Hat Network to apply this update are available at\nhttps://access.redhat.com/kb/docs/DOC-11259", "product_ids": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ], "restart_required": { "category": "none" }, "url": "https://access.redhat.com/errata/RHSA-2011:1780" } ], "scores": [ { "cvss_v2": { "accessComplexity": "MEDIUM", "accessVector": 
"NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 4.3, "confidentialityImpact": "PARTIAL", "integrityImpact": "NONE", "vectorString": "AV:N/AC:M/Au:N/C:P/I:N/A:N", "version": "2.0" }, "products": [ "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-0:6.0.24-35.el6_1.src", "6Server-optional-6.1.z:tomcat6-admin-webapps-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-docs-webapp-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-el-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-javadoc-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-jsp-2.1-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-lib-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-servlet-2.5-api-0:6.0.24-35.el6_1.noarch", "6Server-optional-6.1.z:tomcat6-webapps-0:6.0.24-35.el6_1.noarch" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ], "title": "tomcat: Multiple weaknesses in HTTP DIGEST authentication" } ] }