The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

The remote Redhat Enterprise Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0682 advisory.

  - tomcat: Multiple weaknesses in HTTP DIGEST authentication (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063,     CVE-2011-5064)

  - tomcat: password disclosure vulnerability (CVE-2011-2204)

  - tomcat: security manager restrictions bypass (CVE-2011-2526)

  - tomcat: authentication bypass and information disclosure (CVE-2011-3190)

  - tomcat: information disclosure due to improper response and request object recycling (CVE-2011-3375)

  - tomcat: hash table collisions CPU usage DoS (oCERT-2011-003) (CVE-2011-4858)

  - tomcat: large number of parameters DoS (CVE-2012-0022)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0680 advisory.

  - tomcat: Multiple weaknesses in HTTP DIGEST authentication (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063,     CVE-2011-5064)

  - tomcat: password disclosure vulnerability (CVE-2011-2204)

  - tomcat: security manager restrictions bypass (CVE-2011-2526)

  - tomcat: authentication bypass and information disclosure (CVE-2011-3190)

  - tomcat: hash table collisions CPU usage DoS (oCERT-2011-003) (CVE-2011-4858)

  - tomcat: large number of parameters DoS (CVE-2012-0022)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update fixes a regression in parameter passing (in urldecoding of parameters that contain spaces).

In addition, multiple weaknesses in HTTP DIGESTS are fixed (CVE-2011-1184).

CVE-2011-5062: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33 and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.

CVE-2011-5063: The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.

CVE-2011-5064: DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2011-1845 advisory.

    - Resolves: CVE-2011-0013 rhbz 675931
    - Resolves: CVE-2010-3718 rhbz 675931
    - Resolves: CVE-2011-1184 rhbz 744983

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2011:1780 :

Updated tomcat6 packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

APR (Apache Portable Runtime) as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions does not refer to APR provided by the apr packages. It refers to the implementation of APR provided by the Tomcat Native library, which provides support for using APR with Tomcat. This library is not shipped with Red Hat Enterprise Linux 6.
This update includes fixes for users who have elected to use APR with Tomcat by taking the Tomcat Native library from a different product.
Such a configuration is not supported by Red Hat, however.

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6. (CVE-2011-2526)

Red Hat would like to thank the Apache Tomcat project for reporting the CVE-2011-2526 issue.

This update also fixes the following bug :

* Previously, in certain cases, if 'LANG=fr_FR' or 'LANG=fr_FR.UTF-8' was set as an environment variable or in '/etc/sysconfig/tomcat6' on 64-bit PowerPC systems, Tomcat may have failed to start correctly.
With this update, Tomcat works as expected when LANG is set to 'fr_FR' or 'fr_FR.UTF-8'. (BZ#748807)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

The remote Redhat Enterprise Linux 5 / 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2012:0074 advisory.

  - tomcat: Multiple weaknesses in HTTP DIGEST authentication (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063,     CVE-2011-5064)

  - tomcat: security manager restrictions bypass (CVE-2011-2526)

  - JBoss Web remote denial of service when surrogate pair character is placed at buffer boundary     (CVE-2011-4610)

  - tomcat: hash table collisions CPU usage DoS (oCERT-2011-003) (CVE-2011-4858)

  - tomcat: large number of parameters DoS (CVE-2012-0022)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Update to tomcat 6.0.35 CVE-2011-1184 multiple weaknesses in HTTP DIGEST authentication

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that web applications could modify the location of the Tomcat host's work directory. As web applications deployed on Tomcat have read and write access to this directory, a malicious web application could use this flaw to trick Tomcat into giving it read and write access to an arbitrary directory on the file system.
(CVE-2010-3718)

A cross-site scripting (XSS) flaw was found in the Manager application, used for managing web applications on Apache Tomcat. A malicious web application could use this flaw to conduct an XSS attack, leading to arbitrary web script execution with the privileges of victims who are logged into and viewing Manager application web pages. (CVE-2011-0013)

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

APR (Apache Portable Runtime) as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions does not refer to APR provided by the apr packages. It refers to the implementation of APR provided by the Tomcat Native library, which provides support for using APR with Tomcat. This library is not shipped with Scientific Linux 6. This update includes fixes for users who have elected to use APR with Tomcat by taking the Tomcat Native library from a different product.

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Scientific Linux 6. (CVE-2011-2526)

This update also fixes the following bug :

  - Previously, in certain cases, if 'LANG=fr_FR' or     'LANG=fr_FR.UTF-8' was set as an environment variable or     in '/etc/sysconfig/tomcat6' on 64-bit PowerPC systems,     Tomcat may have failed to start correctly. With this     update, Tomcat works as expected when LANG is set to     'fr_FR' or 'fr_FR.UTF-8'.

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

The remote host is affected by the vulnerability described in GLSA-201206-24 (Apache Tomcat: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache Tomcat. Please       review the CVE identifiers referenced below for details.
  Impact :

    The vulnerabilities allow an attacker to cause a Denial of Service, to       hijack a session, to bypass authentication, to inject webscript, to       enumerate valid usernames, to read, modify and overwrite arbitrary files,       to bypass intended access restrictions, to delete work-directory files,       to discover the server&rsquo;s hostname or IP, to bypass read permissions for       files or HTTP headers, to read or write files outside of the intended       working directory, and to obtain sensitive information by reading a log       file.
  Workaround :

    There is no known workaround at this time.

This update fixes a regression in parameter passing (in urldecoding of parameters that contain spaces).

In addition, multiple weaknesses in HTTP DIGESTS have been fixed (CVE-2011-1184) :

  - The HTTP Digest Access Authentication implementation in     Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33 and     7.x before 7.0.12 does not check qop values, which might     allow remote attackers to bypass intended     integrity-protection requirements via a qop=auth value,     a different vulnerability than CVE-2011-1184.
    (CVE-2011-5062)

  - The HTTP Digest Access Authentication implementation in     Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33,     and 7.x before 7.0.12 does not check realm values, which     might allow remote attackers to bypass intended access     restrictions by leveraging the availability of a     protection space with weaker authentication or     authorization requirements, a different vulnerability     than CVE-2011-1184. (CVE-2011-5063)

  - DigestAuthenticator.java in the HTTP Digest Access     Authentication implementation in Apache Tomcat 5.5.x     before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12     uses Catalina as the hard-coded server secret (aka     private key), which makes it easier for remote attackers     to bypass cryptographic protection mechanisms by     leveraging knowledge of this string, a different     vulnerability than CVE-2011-1184. (CVE-2011-5064)

Several vulnerabilities have been found in Tomcat, a servlet and JSP engine :

  - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064     The HTTP Digest Access Authentication implementation     performed insufficient countermeasures against replay     attacks.

  - CVE-2011-2204     In rare setups passwords were written into a logfile.

  - CVE-2011-2526     Missing input sanitising in the HTTP APR or HTTP NIO     connectors could lead to denial of service.

  - CVE-2011-3190     AJP requests could be spoofed in some setups.

  - CVE-2011-3375     Incorrect request caching could lead to information     disclosure.

  - CVE-2011-4858 CVE-2012-0022     This update adds countermeasures against a collision     denial of service vulnerability in the Java hashtable     implementation and addresses denial of service     potentials when processing large amounts of requests.

Additional information can be found at

Updated tomcat6 packages that fix several security issues and one bug are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

APR (Apache Portable Runtime) as mentioned in the CVE-2011-3190 and CVE-2011-2526 descriptions does not refer to APR provided by the apr packages. It refers to the implementation of APR provided by the Tomcat Native library, which provides support for using APR with Tomcat. This library is not shipped with Red Hat Enterprise Linux 6.
This update includes fixes for users who have elected to use APR with Tomcat by taking the Tomcat Native library from a different product.
Such a configuration is not supported by Red Hat, however.

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application's authentication checks and gain access to information they would otherwise be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler) connector is used by default when the APR libraries are not present. The JK connector is not affected by this flaw. (CVE-2011-3190)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

A flaw was found in the way Tomcat handled sendfile request attributes when using the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application running on a Tomcat instance could use this flaw to bypass security manager restrictions and gain access to files it would otherwise be unable to access, or possibly terminate the Java Virtual Machine (JVM). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6. (CVE-2011-2526)

Red Hat would like to thank the Apache Tomcat project for reporting the CVE-2011-2526 issue.

This update also fixes the following bug :

* Previously, in certain cases, if 'LANG=fr_FR' or 'LANG=fr_FR.UTF-8' was set as an environment variable or in '/etc/sysconfig/tomcat6' on 64-bit PowerPC systems, Tomcat may have failed to start correctly.
With this update, Tomcat works as expected when LANG is set to 'fr_FR' or 'fr_FR.UTF-8'. (BZ#748807)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:1845 advisory.

  - tomcat: file permission bypass flaw (CVE-2010-3718)

  - tomcat: XSS vulnerability in HTML Manager interface (CVE-2011-0013)

  - tomcat: Multiple weaknesses in HTTP DIGEST authentication (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063,     CVE-2011-5064)

  - tomcat: password disclosure vulnerability (CVE-2011-2204)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated tomcat5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that web applications could modify the location of the Tomcat host's work directory. As web applications deployed on Tomcat have read and write access to this directory, a malicious web application could use this flaw to trick Tomcat into giving it read and write access to an arbitrary directory on the file system.
(CVE-2010-3718)

A cross-site scripting (XSS) flaw was found in the Manager application, used for managing web applications on Apache Tomcat. A malicious web application could use this flaw to conduct an XSS attack, leading to arbitrary web script execution with the privileges of victims who are logged into and viewing Manager application web pages. (CVE-2011-0013)

Multiple flaws were found in the way Tomcat handled HTTP DIGEST authentication. These flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184)

A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exception occurred when creating a new user with a JMX client, that user's password was logged to Tomcat log files. Note: By default, only administrators have access to such log files. (CVE-2011-2204)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

Permission on {basedir} required changing to 0775 from 0765. =

CVE-2011-1184 - rhbz 741407 - Multiple weaknesses in HTTP DIGEST authentica= tion
----------------------------------------------------------------------
-----=

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

It was discovered that Tomcat incorrectly implemented HTTP DIGEST authentication. An attacker could use this flaw to perform a variety of authentication attacks. (CVE-2011-1184)

Polina Genova discovered that Tomcat incorrectly created log entries with passwords when encountering errors during JMX user creation. A local attacker could possibly use this flaw to obtain sensitive information. This issue only affected Ubuntu 10.04 LTS, 10.10 and 11.04. (CVE-2011-2204)

It was discovered that Tomcat incorrectly validated certain request attributes when sendfile is enabled. A local attacker could bypass intended restrictions, or cause the JVM to crash, resulting in a denial of service. (CVE-2011-2526)

It was discovered that Tomcat incorrectly handled certain AJP requests. A remote attacker could use this flaw to spoof requests, bypass authentication, and obtain sensitive information. This issue only affected Ubuntu 10.04 LTS, 10.10 and 11.04. (CVE-2011-3190).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities has been discovered and corrected in tomcat 5.5.x :

The implementation of HTTP DIGEST authentication in tomcat was discovered to have several weaknesses (CVE-2011-1184).

Apache Tomcat, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file (CVE-2011-2204).

Apache Tomcat, when sendfile is enabled for the HTTP APR or HTTP NIO connector, does not validate certain request attributes, which allows local users to bypass intended file access restrictions or cause a denial of service (infinite loop or JVM crash) by leveraging an untrusted web application (CVE-2011-2526).

Certain AJP protocol connector implementations in Apache Tomcat allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request (CVE-2011-3190).

The updated packages have been patched to correct these issues.

According to its self-reported version number, the instance of Apache Tomcat 5.5.x listening on the remote host is prior to 5.5.34. It is, there, affected by multiple vulnerabilities :

  - Several weaknesses were found in the HTTP Digest     authentication implementation. The issues are as     follows: replay attacks are possible, server nonces     are not checked, client nonce counts are not checked,     'quality of protection' (qop) values are not checked,     realm values are not checked and the server secret is     a hard-coded, known string. The effect of these issues     is that Digest authentication is no stronger than Basic     authentication. (CVE-2011-1184, CVE-2011-5062,     CVE-2011-5063, CVE-2011-5064)

  - An error handling issue exists related to the     MemoryUserDatabase that allows user passwords to be     disclosed through log files. (CVE-2011-2204)

  - An input validation error exists that allows a local     attacker to either bypass security or carry out denial     of service attacks when the APR or NIO connectors are     enabled. (CVE-2011-2526)

  - A component that Apache Tomcat relies on called 'jsvc'     contains an error in that it does not drop capabilities     after starting and can allow access to sensitive files     owned by the super user. Note this vulnerability only     affects Linux operating systems and only when 'jsvc' is     compiled with libpcap and the '-user' parameter is     used. (CVE-2011-2729)

  - Specially crafted requests are incorrectly processed by     Tomcat and can cause the server to allow injection of     arbitrary AJP messages. This can lead to authentication     bypass and disclosure of sensitive information. Note     this vulnerability only occurs when the     org.apache.jk.server.JkCoyoteHandler AJP connector is     not used, POST requests are accepted, and the request     body is not processed.(CVE-2011-3190)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Apache Tomcat 6.0.x listening on the remote host is prior to 6.0.33. It is, therefore, affected by multiple vulnerabilities :

  - Several weaknesses were found in the HTTP Digest     authentication implementation. The issues are as     follows: replay attacks are possible, server nonces     are not checked, client nonce counts are not checked,     'quality of protection' (qop) values are not checked,     realm values are not checked and the server secret is     a hard-coded, known string. The effect of these issues     is that Digest authentication is no stronger than Basic     authentication. (CVE-2011-1184, CVE-2011-5062,     CVE-2011-5063, CVE-2011-5064)

  - An error handling issue exists related to the     MemoryUserDatabase that allows user passwords to be     disclosed through log files. (CVE-2011-2204)

  - An input validation error exists that allows a local     attacker to either bypass security or carry out denial     of service attacks when the APR or NIO connectors are     enabled. (CVE-2011-2526)

  - A component that Apache Tomcat relies on called 'jsvc'     contains an error in that it does not drop capabilities     after starting and can allow access to sensitive files     owned by the super user. Note this vulnerability only     affects Linux operating systems and only when the     following are true: jsvc is compiled with libpcap and     the '-user' parameter is used. (CVE-2011-2729)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Versions of Tomcat 7.0.x earlier than 7.0.12 are potentially affected by multiple vulnerabilities : 

  - An information disclosure exists in the HTTP BIO connector. (CVE-2011-1475)

  - A security bypass vulnerability exists due to a regression in the fix for CVE-2011-1088.  Note that this issue only affects Tomcat 7.0.11.(CVE-2011-1183)

ID	Name	Product	Family	Severity
78925	RHEL 5 / 6 : tomcat6 (RHSA-2012:0682)	Nessus	Red Hat Local Security Checks	high
78924	RHEL 5 / 6 : tomcat5 (RHSA-2012:0680)	Nessus	Red Hat Local Security Checks	high
76037	openSUSE Security Update : tomcat6 (openSUSE-SU-2012:0208-1)	Nessus	SuSE Local Security Checks	medium
69584	Amazon Linux AMI : tomcat6 (ALAS-2011-25)	Nessus	Amazon Linux Local Security Checks	high
68410	Oracle Linux 5 : tomcat5 (ELSA-2011-1845)	Nessus	Oracle Linux Local Security Checks	medium
68399	Oracle Linux 6 : tomcat6 (ELSA-2011-1780)	Nessus	Oracle Linux Local Security Checks	high
64022	RHEL 5 / 6 : jbossweb (RHSA-2012:0074)	Nessus	Red Hat Local Security Checks	medium
61479	Fedora 16 : tomcat6-6.0.35-1.fc16 (2012-7593)	Nessus	Fedora Local Security Checks	medium
61211	Scientific Linux Security Update : tomcat5 on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
61184	Scientific Linux Security Update : tomcat6 on SL6.x	Nessus	Scientific Linux Local Security Checks	high
59677	GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
57855	SuSE 11.1 Security Update : tomcat6 (SAT Patch Number 5759)	Nessus	SuSE Local Security Checks	medium
57812	Debian DSA-2401-1 : tomcat6 - several vulnerabilities	Nessus	Debian Local Security Checks	high
57374	CentOS 6 : tomcat6 (CESA-2011:1780)	Nessus	CentOS Local Security Checks	high
57356	RHEL 5 : tomcat5 (RHSA-2011:1845)	Nessus	Red Hat Local Security Checks	medium
57354	CentOS 5 : tomcat5 (CESA-2011:1845)	Nessus	CentOS Local Security Checks	medium
57023	RHEL 6 : tomcat6 (RHSA-2011:1780)	Nessus	Red Hat Local Security Checks	high
56791	Fedora 15 : tomcat6-6.0.32-10.fc15 (2011-15005)	Nessus	Fedora Local Security Checks	medium
56746	Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : tomcat6 vulnerabilities (USN-1252-1)	Nessus	Ubuntu Local Security Checks	high
56551	Mandriva Linux Security Advisory : tomcat5 (MDVSA-2011:156)	Nessus	Mandriva Local Security Checks	high
56301	Apache Tomcat 5.5.x < 5.5.34 Multiple Vulnerabilities	Nessus	Web Servers	high
56008	Apache Tomcat 6.0.x < 6.0.33 Multiple Vulnerabilities	Nessus	Web Servers	medium
800625	Apache Tomcat 7.0.x < 7.0.12 Multiple Vulnerabilities	Log Correlation Engine	Web Servers	medium

Detections

Analytics

CVE-2011-1184

medium

Tenable Plugins

high

high

medium

high

medium

high

medium

medium

medium

high

medium

medium

high

high

medium

medium

high

medium

high

high

high

medium

medium