
Apache Tomcat Multiple Vulnerabilities

Last Update Date: 20 Nov 2012 Release Date: 7 Nov 2012

RISK: High Risk

TYPE: Servers - Web Servers


Multiple vulnerabilities have been reported in Apache Tomcat, which can be exploited by malicious people to bypass certain security restrictions and cause a DoS (Denial of Service).

  1. The "parseHeaders()" function (InternalNioInputBuffer.java) does not properly verify the permitted size when parsing request headers. This can be exploited to trigger an OutOfMemoryError exception via specially crafted headers.
  2. Three vulnerabilities in Tomcat's implementation of DIGEST authentication:
     - Tomcat tracked client nonces and nonce counts rather than server nonces and nonce counts.
     - When a session ID was present, authentication was bypassed.
     - The user name and password were not checked before a nonce was reported as stale.


Impact

  • Denial of Service
  • Security Restriction Bypass

System / Technologies affected

  • Apache Tomcat versions 6.0.0-6.0.35 and 7.0.0-7.0.27.
  • Apache Tomcat versions 5.5.0-5.5.35, 6.0.0-6.0.35, and 7.0.0-7.0.29.

Solutions

Before installing the software, please visit the vendor's website for more details.

  • Update to version 5.5.36, 6.0.36, or 7.0.30
