Bugzilla – Bug 822177
VUL-1: CVE-2013-1976: tomcat: two issues
Last modified: 2018-08-23 16:07:18 UTC
There are two new CVEs regarding tomcat:
  * CVE-2013-2051
  * CVE-2013-1976
Unfortunately, I don't have much more at the moment. Are you guys aware of more information?
bugbot adjusting priority
No, actually none of the Apache Tomcat security pages mention those CVEs:
  * CVE-2013-2071, CVE-2013-2067: http://tomcat.apache.org/security-7.html
  * CVE-2013-2067: http://tomcat.apache.org/security-6.html
  * no 2013 CVE: http://tomcat.apache.org/security-5.html
From rh bugzilla:

CVE-2013-2051: It was found that the fix for CVE-2012-5887 shipped for tomcat 6 on Red Hat Enterprise Linux 6 (RHSA-2013:0623) was incomplete. The fix only allowed DIGEST authentication to succeed when a stale nonce was provided, rather than when a stale nonce was NOT provided. As a result, DIGEST authentication did not function. However, a man-in-the-middle attacker could record a DIGEST authentication exchange, wait until the associated nonce is marked as stale on the server, then successfully replay this request.

(need to review our patch ... update soon)

CVE-2013-1976 tomcat: Improper TOMCAT_LOG management in init script (DoS, ACE)

A security flaw was found in the way the init script implementation of the Tomcat service, an Apache Servlet/JSP Engine, as used in various versions of Red Hat Enterprise Linux and Fedora, performed management of the Tomcat log file. A local attacker could use this flaw to cause denial of service or, potentially, execute arbitrary code with the privileges of the privileged system user (root) via symbolic link attacks on the Tomcat log file.

Evaluation: Our /var/log/tomcat6 is root:tomcat ... the logfile is handled by root in our init script using:

    touch $TOMCAT_LOG
    chown ${TOMCAT_USER}:${TOMCAT_USER} $TOMCAT_LOG

So basically a tomcat group member (an attacker that gained tomcat privs) could escalate his privileges to root (by replacing the $TOMCAT_LOG file with a symlink to /etc/passwd). CHOWN with --no-dereference would be a hardening start there.
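The evaluation above describes the weak step (touch, then a dereferencing chown, run as root in a group-writable log directory) and suggests chown --no-dereference as a hardening start. The following is an added example, not code from this bug or from the SUSE init script, of what a hardened replacement for that step looks like: it refuses to act on a symlink or any other non-regular file, creates a missing log file with noclobber (O_EXCL, which never follows a link) and a restrictive umask, and chowns with -h so that even a link swapped in after the check only has the link itself re-owned. The function name prepare_log_file and its arguments are this example's own; it assumes GNU coreutils chown for the -h option.

```shell
#!/bin/sh
# Added example (not from the bug report or the distribution init script):
# a safer stand-in for "touch $TOMCAT_LOG; chown user:user $TOMCAT_LOG".
# Assumes GNU coreutils chown (-h / --no-dereference).

# prepare_log_file PATH USER GROUP
#   Leaves PATH as a regular file owned by USER:GROUP and returns 0.
#   Returns 1 and touches nothing if PATH is a symbolic link or any other
#   non-regular file (directory, fifo, device).
prepare_log_file() {
    plf_path=$1
    plf_user=$2
    plf_group=$3

    # A symlink here is exactly the CVE-2013-1976 pattern: with the log
    # directory group-writable, a member of the service group can plant a
    # link to a root-owned file and let a dereferencing chown re-own it.
    if [ -L "$plf_path" ]; then
        echo "refusing: $plf_path is a symbolic link" >&2
        return 1
    fi
    if [ -e "$plf_path" ] && [ ! -f "$plf_path" ]; then
        echo "refusing: $plf_path is not a regular file" >&2
        return 1
    fi

    # Create the file only when it is absent. noclobber (set -C) makes the
    # shell open it with O_CREAT|O_EXCL, which fails if a link (even a
    # dangling one) has been swapped in since the check above, so the file
    # is never created "through" a link. umask 027 yields mode 0640.
    if [ ! -e "$plf_path" ]; then
        ( umask 027 && set -C && : > "$plf_path" ) || return 1
    fi

    # -h: if the name is a symlink at this instant, chown the link itself,
    # never the file it points to.
    chown -h "$plf_user:$plf_group" "$plf_path"
}
```

Run as root in an init script this still leaves the underlying weakness in place (a directory the service group can write to); the checks and -h only make the two commands safe against the link that directory lets an attacker plant. Moving the log file out of a group-writable directory, or making the directory writable by the service user alone, removes the precondition entirely.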
CVE-2013-2051: I think we backported correctly, our fixes in tomcat6 and tomcat6 look like the upstream. So I would say not affected by CVE-2013-2051.
This is an autogenerated message for OBS integration: This bug (822177) was mentioned in
  https://build.opensuse.org/request/show/184435 Maintenance /
  https://build.opensuse.org/request/show/184436 Maintenance /
  https://build.opensuse.org/request/show/184437 Factory / tomcat
The SWAMPID for this issue is 53781. This issue was rated as moderate. Please submit fixed packages until 2013-08-09. When done, please reassign the bug to security-team@suse.de. Patchinfo will be handled by security team.
This is an autogenerated message for OBS integration: This bug (822177) was mentioned in https://build.opensuse.org/request/show/184583 Maintenance /
This is an autogenerated message for OBS integration: This bug (822177) was mentioned in
  https://build.opensuse.org/request/show/184951 Maintenance /
  https://build.opensuse.org/request/show/184952 Maintenance /
openSUSE-SU-2013:1306-1: An update that fixes two vulnerabilities is now available.
  Category: security (moderate)
  Bug References: 822177,831117
  CVE References: CVE-2013-1976,CVE-2013-2071
  Sources used: openSUSE 12.3 (src): tomcat-7.0.35-2.9.1
openSUSE-SU-2013:1307-1: An update that solves three vulnerabilities and has two fixes is now available.
  Category: security (moderate)
  Bug References: 768772,804992,822177,831117,831119
  CVE References: CVE-2013-1976,CVE-2013-2067,CVE-2013-3544
  Sources used: openSUSE 12.2 (src): tomcat-7.0.27-2.19.1
This is an autogenerated message for OBS integration: This bug (822177) was mentioned in https://build.opensuse.org/request/show/186566 Factory / tomcat
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
  Products: SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP2 (i386, x86_64)
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
  Products: SLE-SERVER 11-SP3 (i386, ia64, ppc64, s390x, x86_64), SLES4VMWARE 11-SP3 (i386, x86_64)
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
  Products: SLE-SERVER 11-SP1-TERADATA (x86_64), SUSE-MANAGER 1.2 (x86_64)
released
This is an autogenerated message for OBS integration: This bug (822177) was mentioned in https://build.opensuse.org/request/show/196597 Evergreen:11.2 / tomcat6
openSUSE-SU-2013:1411-1: An update that solves three vulnerabilities and has one errata is now available.
  Category: security (moderate)
  Bug References: 768772,822177,831117,831119
  CVE References: CVE-2012-3544,CVE-2013-1976,CVE-2013-2067
  Sources used: openSUSE 11.4 (src): tomcat6-6.0.32-42.1
This is an autogenerated message for OBS integration: This bug (822177) was mentioned in https://build.opensuse.org/request/show/198409 Evergreen:11.2 / tomcat6