Bugzilla – Bug 735343
VUL-1: CVE-2011-1184: tomcat: Multiple weaknesses in HTTP DIGEST
Last modified: 2014-07-17 09:48:07 UTC
"The implementation of HTTP DIGEST authentication was discovered to have several weaknesses:
- replay attacks were permitted
- server nonces were not checked
- client nonce counts were not checked
- qop values were not checked
- realm values were not checked
- the server secret was hard-coded to a known string
The result of these weaknesses is that DIGEST authentication was only as secure as BASIC authentication."
More references can be found here: http://www.securityfocus.com/archive/1/519818/30/0/threaded
CVE-2011-1184
There are actually more bugs in tomcat belonging to authentication digests, so above CVE is not the only one. Descriptions follow.
Name: CVE-2011-5062
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.
Reference: CONFIRM: http://tomcat.apache.org/security-7.html
Reference: CONFIRM: http://tomcat.apache.org/security-6.html
Reference: CONFIRM: http://tomcat.apache.org/security-5.html
Reference: CONFIRM: http://svn.apache.org/viewvc?view=rev&rev=1159309
Reference: CONFIRM: http://svn.apache.org/viewvc?view=rev&rev=1158180
Reference: CONFIRM: http://svn.apache.org/viewvc?view=rev&rev=1087655

Name: CVE-2011-5063
The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check realm values, which might allow remote attackers to bypass intended access restrictions by leveraging the availability of a protection space with weaker authentication or authorization requirements, a different vulnerability than CVE-2011-1184.
Reference: CONFIRM: http://tomcat.apache.org/security-7.html
Reference: CONFIRM: http://tomcat.apache.org/security-6.html
Reference: CONFIRM: http://tomcat.apache.org/security-5.html
Reference: CONFIRM: http://svn.apache.org/viewvc?view=rev&rev=1159309
Reference: CONFIRM: http://svn.apache.org/viewvc?view=rev&rev=1158180
Reference: CONFIRM: http://svn.apache.org/viewvc?view=rev&rev=1087655

Name: CVE-2011-5064
DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.
Reference: CONFIRM: http://tomcat.apache.org/security-7.html
Reference: CONFIRM: http://tomcat.apache.org/security-6.html
Reference: CONFIRM: http://tomcat.apache.org/security-5.html
Reference: CONFIRM: http://svn.apache.org/viewvc?view=rev&rev=1159309
Reference: CONFIRM: http://svn.apache.org/viewvc?view=rev&rev=1158180
Reference: CONFIRM: http://svn.apache.org/viewvc?view=rev&rev=1087655
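The weaknesses listed in the advisory quoted above and in the three CVE descriptions (replay, unchecked server nonce, unchecked client nonce count, unchecked qop, unchecked realm, hard-coded server secret) are all checks a Digest verifier has to perform on the server side. The following is an added example written for this page, not Tomcat's DigestAuthenticator.java and not code from any of the referenced commits; it is in Python rather than Java so it can be run stand-alone. The realm "example", the user "alice" and her password are constructed values, and the 300-second nonce lifetime is an assumed policy. It shows a minimal RFC 2617 verifier that enforces every check the reports say was missing, with the server secret generated at startup instead of being a fixed string.

```python
import hashlib
import hmac
import secrets
import time

# Per-process random secret (assumption for this demo): the reports describe a
# hard-coded secret ("Catalina"), which lets anyone forge server nonces.
SERVER_SECRET = secrets.token_bytes(32)
REALM = "example"          # constructed realm for this demo
NONCE_LIFETIME = 300       # seconds a nonce stays valid (assumed policy)
_seen_nc = {}              # nonce -> highest nc accepted; replay state


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(now=None):
    """Nonce = timestamp:HMAC(secret, timestamp), so the server can verify it issued it."""
    ts = str(int(now if now is not None else time.time()))
    mac = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    return f"{ts}:{mac}"


def nonce_is_valid(nonce, now=None):
    """Reject nonces the server did not issue (server nonce check) or that expired."""
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(SERVER_SECRET, ts.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False
    now = now if now is not None else time.time()
    return 0 <= now - int(ts) <= NONCE_LIFETIME


def parse_digest(header):
    """Parse 'Digest k="v", k=v, ...' into a dict (values here contain no commas)."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        raise ValueError("not a Digest header")
    out = {}
    for part in params.split(","):
        k, _, v = part.strip().partition("=")
        out[k.strip()] = v.strip().strip('"')
    return out


def verify(header, method, users, now=None):
    """Return (ok, reason). users maps username -> HA1 = MD5(user:realm:password)."""
    p = parse_digest(header)
    required = ("username", "realm", "nonce", "uri", "response", "qop", "nc", "cnonce")
    if any(k not in p for k in required):
        return False, "missing field"
    if p["realm"] != REALM:                       # realm check
        return False, "realm mismatch"
    if p["qop"] != "auth":                        # qop check: only what we offered
        return False, "unsupported qop"
    if not nonce_is_valid(p["nonce"], now):       # server nonce check
        return False, "bad or expired nonce"
    try:
        nc = int(p["nc"], 16)
    except ValueError:
        return False, "bad nc"
    if nc <= _seen_nc.get(p["nonce"], 0):         # nonce count must increase: no replay
        return False, "replay"
    ha1 = users.get(p["username"])
    if ha1 is None:
        return False, "unknown user"
    ha2 = _md5(f"{method}:{p['uri']}")
    expected = _md5(f"{ha1}:{p['nonce']}:{p['nc']}:{p['cnonce']}:auth:{ha2}")
    if not hmac.compare_digest(expected, p["response"]):
        return False, "bad response"
    _seen_nc[p["nonce"]] = nc
    return True, "ok"


def client_header(user, password, method, uri, nonce, nc, cnonce):
    """Build a correct client Authorization header for the demo."""
    ha1 = _md5(f"{user}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    resp = _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", uri="{uri}", '
            f'qop=auth, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def demo():
    """Exercise the verifier: one good request, then a replay and a forged nonce."""
    users = {"alice": _md5(f"alice:{REALM}:correct-horse")}   # constructed credential
    nonce = make_nonce()
    hdr = client_header("alice", "correct-horse", "GET", "/admin", nonce, "00000001", "abc123")
    return {
        "first": verify(hdr, "GET", users),
        "replay": verify(hdr, "GET", users),                              # same nc again
        "forged": verify(hdr.replace(nonce, "1:deadbeef"), "GET", users), # not our nonce
        "realm": verify(hdr.replace(f'realm="{REALM}"', 'realm="other"'), "GET", users),
        "qop": verify(hdr.replace("qop=auth", "qop=auth-int"), "GET", users),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The replay state is a plain dict keyed by nonce, which is enough to show the check; a real server would bound it by evicting nonces once they expire. The order of checks matters for what an attacker learns: realm, qop and nonce are validated before the credential is looked up, so a bad header never reaches the password hash.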
*** Bug 741530 has been marked as a duplicate of this bug. ***
*** Bug 741531 has been marked as a duplicate of this bug. ***
*** Bug 741533 has been marked as a duplicate of this bug. ***
and CVE-2011-1184:
* http://svn.apache.org/viewvc?view=rev&rev=1159309
* http://svn.apache.org/viewvc?view=revision&revision=1158180
* http://svn.apache.org/viewvc?view=revision&revision=1087655
"""The Apache Tomcat security team will continue to treat this as a single issue using the reference CVE-2011-1184.""" Oh well, please forget the latest comment :(
Could you be so kind as to provide some test cases or a reproducer?
This is an autogenerated message for OBS integration: This bug (735343) was mentioned in
https://build.opensuse.org/request/show/102913 11.4 / tomcat6
https://build.opensuse.org/request/show/102914 12.1 / tomcat6.openSUSE_12.1
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SERVER 11-SP1 (i386, ia64, ppc64, s390x, x86_64)
SLE-SERVER 11-SP1-TERADATA (x86_64)
SLES4VMWARE 11-SP1 (i386, x86_64)
SUSE-MANAGER 1.2 (x86_64)
was released