791426 – (CVE-2012-5887) VUL-0: CVE-2012-5887: tomcat: stale nonce weakness

Bug 791426 (CVE-2012-5887) - VUL-0: CVE-2012-5887: tomcat: stale nonce weakness

Summary: VUL-0: CVE-2012-5887: tomcat: stale nonce weakness

Status:	RESOLVED FIXED
Duplicates (1):	789405 (view as bug list)

Alias:	CVE-2012-5887

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P2 - High Severity: Normal
Target Milestone:	---
Deadline:	2012-12-12
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:released:sle10-sp3:50427 maint:...
Keywords:

Depends on:	CVE-2012-5568
Blocks:
	Show dependency tree / graph

Clone This Bug

Reported:	2012-11-27 12:26 UTC by Sebastian Krahmer
Modified:	2019-05-01 15:50 UTC (History)
CC List:	2 users (show)

See Also:
Found By:	---
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sebastian Krahmer 2012-11-27 12:26:08 UTC

Name: CVE-2012-5887

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x
before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly
check for stale nonce values in conjunction with enforcement of proper
credentials, which makes it easier for remote attackers to bypass intended
access restrictions by sniffing the network for valid requests.



Reference: CONFIRM: http://tomcat.apache.org/security-7.html
Reference: CONFIRM: http://tomcat.apache.org/security-6.html
Reference: CONFIRM: http://tomcat.apache.org/security-5.html
Reference: CONFIRM:
http://svn.apache.org/viewvc?view=revision&revision=1392248
Reference: CONFIRM:
http://svn.apache.org/viewvc?view=revision&revision=1380829
Reference: CONFIRM:
http://svn.apache.org/viewvc?view=revision&revision=1377807

Comment 1 Michal Vyskocil 2012-11-27 14:09:45 UTC

(In reply to comment #0)
> Name: CVE-2012-5887

Well, tomcat security and commit logs use the CVE-2012-3439. Reading the Nist page, this should not be used. Can you close the bnc#CVE-2012-3439, then? I will resubmit the package(s) with a correct CVE number then.

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3439

Comment 2 Michal Vyskocil 2012-11-27 14:10:12 UTC

I meant bnc#789405

Comment 3 Sebastian Krahmer 2012-11-27 14:16:37 UTC

*** Bug 789405 has been marked as a duplicate of this bug. ***

Comment 4 Swamp Workflow Management 2012-11-28 10:53:05 UTC

The SWAMPID for this issue is 50301.
This issue was rated as moderate.
Please submit fixed packages until 2012-12-12.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.

Comment 5 Sebastian Krahmer 2012-11-28 10:55:06 UTC

I have seen tomcat submits, buts its probably not all issues
included, as some just arrived yesterday.
Do we need resubmits (SWAMP 50301)

Comment 6 Michal Vyskocil 2012-12-04 08:49:13 UTC

All patches are ready, but the bnc#791679 looking for the input of security-team needs to be resolved first.

Comment 7 Bernhard Wiedemann 2012-12-04 09:00:41 UTC

This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144019 Maintenance /

Comment 8 Bernhard Wiedemann 2012-12-07 13:01:07 UTC

This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144552 Maintenance /

Comment 9 Bernhard Wiedemann 2012-12-10 11:00:30 UTC

This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144937 Maintenance /

Comment 10 Bernhard Wiedemann 2012-12-10 13:00:35 UTC

This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144949 Maintenance /

Comment 11 Michal Vyskocil 2012-12-10 13:14:41 UTC

submitted fixed packages

tomcat(7):
12.2      144949
factory   contains 7.0.33 with no security issues inside

tomcat6:
12.1      144937
sle11     23071

tomcat5:
sle10     23077

Comment 12 Michal Vyskocil 2012-12-10 13:17:25 UTC

upps, again

tomcat6
12.1     144953

Comment 13 Bernhard Wiedemann 2012-12-10 14:00:26 UTC

This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144953 Maintenance /

Comment 14 Bernhard Wiedemann 2012-12-10 16:00:38 UTC

This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144989 Maintenance / 
https://build.opensuse.org/request/show/144990 Maintenance /

Comment 15 Bernhard Wiedemann 2012-12-19 16:00:28 UTC

This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/145902 Maintenance /

Comment 16 Swamp Workflow Management 2012-12-27 16:09:12 UTC

openSUSE-SU-2012:1700-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used:
openSUSE 12.1 (src):    libtcnative-1-0-1.3.3-3.7.1, tomcat6-6.0.33-3.7.1

Comment 17 Swamp Workflow Management 2012-12-27 16:10:36 UTC

openSUSE-SU-2012:1701-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 779538,789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used:
openSUSE 12.2 (src):    tomcat-7.0.27-2.9.1

Comment 18 Swamp Workflow Management 2013-02-01 10:04:30 UTC

Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)

Comment 19 Swamp Workflow Management 2013-02-01 11:50:06 UTC

Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
SUSE-MANAGER 1.2 (x86_64)

Comment 20 Swamp Workflow Management 2013-02-01 12:33:21 UTC

Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)

Comment 21 Swamp Workflow Management 2013-02-01 13:08:02 UTC

Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products:
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)

Comment 22 Marcus Meissner 2013-02-04 14:15:42 UTC

released

Comment 23 Bernhard Wiedemann 2013-08-28 06:00:34 UTC

This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/196597 Evergreen:11.2 / tomcat6

Comment 24 Bernhard Wiedemann 2013-09-11 06:01:28 UTC

This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/198409 Evergreen:11.2 / tomcat6