Bug 727543 - (CVE-2011-4858) VUL-0: CVE-2011-4858: Apache tomcat vulnerable to hash collision attack.
Status: RESOLVED FIXED
Duplicates: 745056
Classification: Novell Products
Product: SUSE Security Incidents
Component: General
Version: unspecified
Hardware: Other  OS: Other
Priority: P3 - Medium  Severity: Major
Target Milestone: ---
Assigned To: Security Team bot
E-mail List
maint:released:sle10-sp3:44836 maint:...
Depends on:
Blocks:
Reported: 2011-11-01 15:38 UTC by Sebastian Krahmer
Modified: 2013-12-10 22:43 UTC
CC List: 3 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 2 Ludwig Nussel 2011-12-07 14:58:40 UTC
Specially crafted parameters of a request could result in getting the same hash value, which consumes excessive amounts of resources (CVE-2011-4084)

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Improve performance of parameter processing for GET and POST requests. Also add an option to limit the maximum number of parameters processed per request. This defaults to 10000. Excessive parameters are ignored. Note that FailedRequestFilter can be used to reject the request if some parameters were ignored. (markt/kkolinko)
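As an added illustration of the issue and of the fix described in the changelog above (this is not code from the bug, from SUSE or from Tomcat), the following Python script reimplements java.lang.String.hashCode(), generates request parameter names that all share one hash value, measures the chained-table cost those names cause, and then models the fixed behaviour: a per-request parameter cap (10000 by default) that silently ignores the excess, plus a FailedRequestFilter-style rejection of a request whose parameters were truncated. The parser, the 65536-bucket table and the constructed request body are simplified stand-ins of my own, not Tomcat's implementation.

```python
"""Hash-collision DoS against Java-style parameter maps, and the cap from the fix.

Added illustration for bnc#727543; none of this is Tomcat code.
"""
from urllib.parse import unquote_plus


def java_string_hashcode(s: str) -> int:
    """Reimplement java.lang.String.hashCode(): h = 31*h + c over each char,
    wrapped to a signed 32-bit int exactly as the JVM does."""
    h = 0
    for ch in s:
        h = (31 * h + ord(ch)) & 0xFFFFFFFF
    return h - 0x100000000 if h >= 0x80000000 else h


def colliding_keys(count: int) -> list:
    """Return `count` distinct strings that all share one Java hashCode.

    "Aa" and "BB" both hash to 2112.  Because hashCode(x + y) ==
    hashCode(x) * 31**len(y) + hashCode(y) (mod 2**32), any concatenation
    of k such blocks has the same hash, so k blocks yield 2**k colliding keys.
    """
    blocks = ("Aa", "BB")
    k = max(1, (count - 1).bit_length())     # enough blocks for >= count keys
    return ["".join(blocks[(i >> b) & 1] for b in range(k)) for i in range(count)]


def insertion_comparisons(keys, nbuckets: int = 65536) -> int:
    """Insert keys into a toy chained hash table indexed by Java hashCode and
    count the equality comparisons spent walking chains.  With every key in
    one chain this is n*(n-1)/2: the "excessive resources" of the advisory."""
    table = {}
    comparisons = 0
    for key in keys:
        chain = table.setdefault(java_string_hashcode(key) & (nbuckets - 1), [])
        for existing in chain:
            comparisons += 1
            if existing == key:
                break
        else:
            chain.append(key)
    return comparisons


def attack_query(count: int) -> str:
    """Constructed request body: `count` parameters whose names all collide."""
    return "&".join(f"{name}=x" for name in colliding_keys(count))


def parse_query(query: str, max_parameter_count=None):
    """Model of the fixed parameter parser: stop after max_parameter_count
    name/value pairs (None = unlimited) and report whether any were ignored."""
    params = {}
    parsed = 0
    ignored = False
    for pair in query.split("&"):
        if not pair:
            continue
        if max_parameter_count is not None and parsed >= max_parameter_count:
            ignored = True          # the excess is ignored, not an error, at this layer
            break
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
        parsed += 1
    return params, ignored


def handle_request(query: str, max_parameter_count=10000, reject_if_ignored=True):
    """Server side: cap the parse (default 10000 like Tomcat), and, in the role
    of FailedRequestFilter, answer 400 when the cap dropped parameters."""
    params, ignored = parse_query(query, max_parameter_count)
    if ignored and reject_if_ignored:
        return 400, {}
    return 200, params


if __name__ == "__main__":
    keys = colliding_keys(20000)
    print("distinct keys:", len(set(keys)),
          "distinct hashes:", len({java_string_hashcode(k) for k in keys}))
    print("comparisons, 2000 colliding keys:", insertion_comparisons(colliding_keys(2000)))
    print("comparisons, 2000 ordinary keys:", insertion_comparisons([f"p{i}" for i in range(2000)]))
    body = attack_query(20000)
    print("no limit:", handle_request(body, max_parameter_count=None)[0])
    print("limit only:", handle_request(body, reject_if_ignored=False)[0])
    print("limit + filter:", handle_request(body)[0])
```

The two knobs are separate for a reason: the cap alone only bounds the work a single request can force (the first 10000 pairs are still inserted, the rest dropped), and an application that silently receives a truncated parameter set may misbehave; rejecting the request when the cap was hit is the job of the filter. In Tomcat itself the cap is the Connector's maxParameterCount attribute and the rejection is org.apache.catalina.filters.FailedRequestFilter declared in web.xml.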
Comment 3 Swamp Workflow Management 2012-01-04 10:48:15 UTC
The SWAMPID for this issue is 44791.
This issue was rated as important.
Please submit fixed packages until 2012-01-11.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 7 Michal Vyskocil 2012-01-06 14:46:43 UTC
submitted fixed packages

factory:99249
12.1: 99250
11.4: 99251
11.3: 99252

sle-11: 17109
sle-10: 17110
Comment 8 Bernhard Wiedemann 2012-01-06 15:00:34 UTC
This is an autogenerated message for OBS integration:
This bug (727543) was mentioned in
https://build.opensuse.org/request/show/99249 Factory / tomcat6
https://build.opensuse.org/request/show/99251 11.4 / tomcat6
https://build.opensuse.org/request/show/99252 11.3 / tomcat6
Comment 9 Sebastian Krahmer 2012-01-09 08:13:56 UTC
For submits that mention the CVE, we probably need to redo the submits since mitre assigned a
different CVE and rejected the old one:

---------------------8<----------------------------

The new CVE mapping for this Apache Tomcat issue is:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4858

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4084 (rejected)

(MITRE had previously been sent information about test cases and test
results that suggested a different mapping. However, yesterday we
received updated information about test cases and test results.)

- --
CVE assignment team, MITRE CVE Numbering Authority
M/S S145
202 Burlington Road, Bedford, MA 01730 USA
Comment 10 Michal Vyskocil 2012-01-09 08:50:17 UTC
(In reply to comment #9)
> For submits that mention the CVE, we probably need to redo the submits since
> mitre assigned a
> different CVE and rejected the old one:

Fortunately I did not refer to the CVE in the changes or in the spec file - the patch is named apache-tomcat-parameter-processing-performance.patch and the changes have

fix bnc#727543 - VUL-0: Apache tomcat vulnerable to hash collision attack
  backport upstream changes:
  ...

so no action is needed.
Comment 13 Swamp Workflow Management 2012-01-16 14:09:29 UTC
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 14 Bernhard Wiedemann 2012-01-19 14:00:17 UTC
This is an autogenerated message for OBS integration:
This bug (727543) was mentioned in
https://build.opensuse.org/request/show/100728 12.1 / tomcat6
Comment 15 Bernhard Wiedemann 2012-01-23 12:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (727543) was mentioned in
https://build.opensuse.org/request/show/101114 Evergreen:11.2 / tomcat6
Comment 17 Bernhard Wiedemann 2012-01-30 11:00:33 UTC
This is an autogenerated message for OBS integration:
This bug (727543) was mentioned in
https://build.opensuse.org/request/show/101999 Evergreen:11.2 / tomcat6
Comment 18 Swamp Workflow Management 2012-02-03 19:31:41 UTC
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products:
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 19 Michal Vyskocil 2012-02-10 13:07:58 UTC
*** Bug 745056 has been marked as a duplicate of this bug. ***
Comment 23 Swamp Workflow Management 2012-04-23 11:27:10 UTC
The SWAMPID for this issue is 46954.
This issue was rated as important.
Please submit fixed packages until 2012-04-30.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 31 Marcus Meissner 2013-12-04 09:52:08 UTC
for the SLES 11 codebase this was fixed with the tomcat6-6.0.18-20.33.1 release, published in February 2012 (as part of the release of tomcat6 into the SLES product channels).