CVE-2012-3439

Related Files

Ubuntu Security Notice USN-1637-1

Posted Nov 21, 2012

Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 1637-1 - It was discovered that the Apache Tomcat HTTP NIO connector incorrectly handled header data. A remote attacker could cause a denial of service by sending requests with a large amount of header data. It was discovered that Apache Tomcat incorrectly handled DIGEST authentication. A remote attacker could possibly use these flaws to perform a replay attack and bypass authentication. Various other issues were also addressed.

tags | advisory, remote, web, denial of service

systems | linux, ubuntu

advisories | CVE-2012-2733, CVE-2012-5887, CVE-2012-2733, CVE-2012-3439, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887

SHA-256 | 6864ba7f5f6a718c9e0112e11cec496ec671ff32f21f776d4ab22411b5416b9c

Download | Favorite | View

Apache Tomcat 5.x / 6.x / 7.x DIGEST Authentication Weaknesses

Posted Nov 6, 2012

Authored by Mark Thomas, Tilmann Kuhn | Site tomcat.apache.org

Three weaknesses in Apache Tomcat's implementation of DIGEST authentication were identified and resolved. Tomcat tracked client rather than server nonces and nonce count. When a session ID was present, authentication was bypassed. The user name and password were not checked before when indicating that a nonce was stale. Tomcat versions 5.5.0 through 5.5.35, 6.0.0 through 6.0.35, and 7.0.0 through 7.0.29 are affected.

tags | advisory

advisories | CVE-2012-3439

SHA-256 | f21889923bf7d5548e26d54f6d23a9e7cb97188d566be43efdeb034fc1ccc1d2

Download | Favorite | View