Bug 793394 (CVE-2012-3546) - VUL-0: CVE-2012-3546: tomcat: Bypass of security constraints
Summary: VUL-0: CVE-2012-3546: tomcat: Bypass of security constraints
Status: RESOLVED FIXED
Alias: CVE-2012-3546
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P2 - High : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: maint:running:50301:moderate maint:re...
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-07 13:29 UTC by Matthias Weckbecker
Modified: 2014-07-17 09:42 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Matthias Weckbecker 2012-12-07 13:29:26 UTC 
Via full-disclosure:

--------------------------------------------------------------------------
CVE-2012-3546 Apache Tomcat Bypass of security constraints

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
Earlier unsupported versions may also be affected

Description:
When using FORM authentication it was possible to bypass the security
constraint checks in the FORM authenticator by appending
"/j_security_check" to the end of the URL if some other component (such
as the Single-Sign-On valve) had called request.setUserPrincipal()
before the call to FormAuthenticator#authenticate().

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.30 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by The Tomcat security team

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
--------------------------------------------------------------------------
Comment 1 Bernhard Wiedemann 2012-12-10 11:00:42 UTC 
This is an autogenerated message for OBS integration:
This bug (793394) was mentioned in
https://build.opensuse.org/request/show/144937 Maintenance /
Comment 2 Bernhard Wiedemann 2012-12-10 13:00:47 UTC 
This is an autogenerated message for OBS integration:
This bug (793394) was mentioned in
https://build.opensuse.org/request/show/144949 Maintenance /
Comment 3 Michal Vyskocil 2012-12-10 13:20:00 UTC 
submitted,

see https://bugzilla.novell.com/show_bug.cgi?id=791426#c11
Comment 4 Bernhard Wiedemann 2012-12-10 14:00:51 UTC 
This is an autogenerated message for OBS integration:
This bug (793394) was mentioned in
https://build.opensuse.org/request/show/144953 Maintenance /
Comment 5 Bernhard Wiedemann 2012-12-10 16:01:00 UTC 
This is an autogenerated message for OBS integration:
This bug (793394) was mentioned in
https://build.opensuse.org/request/show/144989 Maintenance / 
https://build.opensuse.org/request/show/144990 Maintenance /
Comment 6 Bernhard Wiedemann 2012-12-19 16:00:45 UTC 
This is an autogenerated message for OBS integration:
This bug (793394) was mentioned in
https://build.opensuse.org/request/show/145902 Maintenance /
Comment 7 Swamp Workflow Management 2012-12-27 16:09:42 UTC 
openSUSE-SU-2012:1700-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used:
openSUSE 12.1 (src):    libtcnative-1-0-1.3.3-3.7.1, tomcat6-6.0.33-3.7.1
Comment 8 Swamp Workflow Management 2012-12-27 16:11:06 UTC 
openSUSE-SU-2012:1701-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 779538,789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used:
openSUSE 12.2 (src):    tomcat-7.0.27-2.9.1
Comment 9 Swamp Workflow Management 2013-02-01 10:04:51 UTC 
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 10 Swamp Workflow Management 2013-02-01 11:50:14 UTC 
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
SUSE-MANAGER 1.2 (x86_64)
Comment 11 Swamp Workflow Management 2013-02-01 12:33:14 UTC 
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 12 Swamp Workflow Management 2013-02-01 13:08:40 UTC 
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products:
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 13 Marcus Meissner 2013-02-04 14:17:10 UTC 
released
Comment 14 Bernhard Wiedemann 2013-08-28 06:01:15 UTC 
This is an autogenerated message for OBS integration:
This bug (793394) was mentioned in
https://build.opensuse.org/request/show/196597 Evergreen:11.2 / tomcat6
Comment 15 Bernhard Wiedemann 2013-09-11 06:02:01 UTC 
This is an autogenerated message for OBS integration:
This bug (793394) was mentioned in
https://build.opensuse.org/request/show/198409 Evergreen:11.2 / tomcat6