Ubuntu 11.10 USN-1252-1 Critical: Tomcat Authentication Issue
Nov 08, 2011
•
LinuxSecurity Advisories
1 - 2 min read
Topics Covered
Tomcat could be made to crash or expose sensitive information over the network.
=========================================================================Ubuntu Security Notice USN-1252-1 November 08, 2011 tomcat6 vulnerabilities ========================================================================= A security issue affects these releases of Ubuntu and its derivatives: - Ubuntu 11.10 - Ubuntu 11.04 - Ubuntu 10.10 - Ubuntu 10.04 LTS Summary: Tomcat could be made to crash or expose sensitive information over the network. Software Description: - tomcat6: Servlet and JSP engine Details: It was discovered that Tomcat incorrectly implemented HTTP DIGEST authentication. An attacker could use this flaw to perform a variety of authentication attacks. (CVE-2011-1184) Polina Genova discovered that Tomcat incorrectly created log entries with passwords when encountering errors during JMX user creation. A local attacker could possibly use this flaw to obtain sensitive information. This issue only affected Ubuntu 10.04 LTS, 10.10 and 11.04. (CVE-2011-2204) It was discovered that Tomcat incorrectly validated certain request attributes when sendfile is enabled. A local attacker could bypass intended restrictions, or cause the JVM to crash, resulting in a denial of service. (CVE-2011-2526) It was discovered that Tomcat incorrectly handled certain AJP requests. A remote attacker could use this flaw to spoof requests, bypass authentication, and obtain sensitive information. This issue only affected Ubuntu 10.04 LTS, 10.10 and 11.04. (CVE-2011-3190) Update instructions: The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: libtomcat6-java 6.0.32-5ubuntu1.1 Ubuntu 11.04: libtomcat6-java 6.0.28-10ubuntu2.2 Ubuntu 10.10: libtomcat6-java 6.0.28-2ubuntu1.5 Ubuntu 10.04 LTS: libtomcat6-java 6.0.24-2ubuntu1.9 In general, a standard system update will make all the necessary changes. References: CVE-2011-1184, CVE-2011-2204, CVE-2011-2526, CVE-2011-3190 Package Information: https://launchpad.net/ubuntu/+source/tomcat6/6.0.32-5ubuntu1.1 https://launchpad.net/ubuntu/+source/tomcat6/6.0.28-10ubuntu2.2 https://launchpad.net/ubuntu/+source/tomcat6/6.0.28-2ubuntu1.5 https://launchpad.net/ubuntu/+source/tomcat6/6.0.24-2ubuntu1.9
PREVIOUS
NEXT
Ubuntu 11.10 USN-1252-1 Critical: Tomcat Authentication Issue
ubuntu
November 8, 2011
Tomcat could be made to crash or expose sensitive information over the network.
Summary
Topics Covered
Update Instructions
The problem can be corrected by updating your system to the following package versions: Ubuntu 11.10: libtomcat6-java 6.0.32-5ubuntu1.1 Ubuntu 11.04: libtomcat6-java 6.0.28-10ubuntu2.2 Ubuntu 10.10: libtomcat6-java 6.0.28-2ubuntu1.5 Ubuntu 10.04 LTS: libtomcat6-java 6.0.24-2ubuntu1.9 In general, a standard system update will make all the necessary changes.
References
CVE-2011-1184, CVE-2011-2204, CVE-2011-2526, CVE-2011-3190
Severity
critical
Lowest
Low
Medium
High
Critical
November 08, 2011
Topics Covered
Package Information
https://launchpad.net/ubuntu/+source/tomcat6/6.0.32-5ubuntu1.1 https://launchpad.net/ubuntu/+source/tomcat6/6.0.28-10ubuntu2.2 https://launchpad.net/ubuntu/+source/tomcat6/6.0.28-2ubuntu1.5 https://launchpad.net/ubuntu/+source/tomcat6/6.0.24-2ubuntu1.9
Get the latest News and Insights
Get the latest Linux and open source security news straight to your inbox.
Related News
Powered By
Linux Security - Your source for Top Linux News, Advisories, HOWTOs and Feature Releases
QUICK LINKS
subscribe to newsletters!
Like staying secure? So do we.
Sign up for updates, tips, and alerts!