Explore top 10 tips to secure your open-source projects now. Read More

×
Alerts This Week
Warning Icon 1 528
Alerts This Week
Warning Icon 1 528

Scientific Linux: Important tomcat5 Update for Authentication Flaws

Scientific Large Esm H446
Important: tomcat5 security update
Date: Tue, 12 Mar 2013 16:10:11 -0500
Reply-To: Pat Riehecky 
Sender: Security Errata for Scientific Linux
 
From: Pat Riehecky 
Subject: Security ERRATA Important: tomcat5 on SL5.x i386/x86_64
MIME-Version: 1.0

Synopsis: Important: tomcat5 security update
Issue Date: 2013-03-12
CVE Numbers: CVE-2012-5885
 CVE-2012-5886
 CVE-2012-5887
 CVE-2012-3546
--

It was found that when an application used FORM authentication, along with
another component that calls request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it
was possible to bypass the security constraint checks in the FORM
authenticator by appending "/j_security_check" to the end of a URL. A
remote attacker with an authenticated session on an affected application
could use this flaw to circumvent authorization controls, and thereby
access resources not permitted by the roles associated with their
authenticated session. (CVE-2012-3546)

Multiple weaknesses were found in the Tomcat DIGEST authentication
implementation, effectively reducing the security normally provided by
DIGEST authentication. A remote attacker could use these flaws to perform
replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,
CVE-2012-5887)

Tomcat must be restarted for this update to take effect.
--

SL5
 x86_64
 tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.x86_64.rpm
 tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.x86_64.rpm
 tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.x86_64.rpm
 tomcat5-5.5.23-0jpp.38.el5_9.x86_64.rpm
 tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm
 tomcat5-common-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm
 tomcat5-jasper-5.5.23-0jpp.38.el5_9.x86_64.rpm
 tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm
 tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm
 tomcat5-server-lib-5.5.23-0jpp.38.el5_9.x86_64.rpm
 tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.x86_64.rpm
 tomcat5-webapps-5.5.23-0jpp.38.el5_9.x86_64.rpm
 i386
 tomcat5-debuginfo-5.5.23-0jpp.38.el5_9.i386.rpm
 tomcat5-jsp-2.0-api-5.5.23-0jpp.38.el5_9.i386.rpm
 tomcat5-servlet-2.4-api-5.5.23-0jpp.38.el5_9.i386.rpm
 tomcat5-5.5.23-0jpp.38.el5_9.i386.rpm
 tomcat5-admin-webapps-5.5.23-0jpp.38.el5_9.i386.rpm
 tomcat5-common-lib-5.5.23-0jpp.38.el5_9.i386.rpm
 tomcat5-jasper-5.5.23-0jpp.38.el5_9.i386.rpm
 tomcat5-jasper-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm
 tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm
 tomcat5-server-lib-5.5.23-0jpp.38.el5_9.i386.rpm
 tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp.38.el5_9.i386.rpm
 tomcat5-webapps-5.5.23-0jpp.38.el5_9.i386.rpm

- Scientific Linux Development Team