Bug 793391 - (CVE-2012-4431) VUL-1: CVE-2012-4431: tomcat: bypass of CSRF prevention filter
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P2 - High / Normal
Target Milestone: ---
Assigned To: Security Team bot
Whiteboard: maint:running:50301:moderate maint:re...
Reported: 2012-12-07 13:15 UTC by Matthias Weckbecker
Modified: 2014-07-17 09:42 UTC
Found By: ---
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Attachments: none
Description Matthias Weckbecker 2012-12-07 13:15:56 UTC
Via full-disclosure:

--------------------------------------------------------------------------
CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
- Tomcat 7.0.0 to 7.0.31
- Tomcat 6.0.0 to 6.0.35

Description:
The CSRF prevention filter could be bypassed if a request was made to a
protected resource without a session identifier present in the request.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Tomcat 7.0.x users should upgrade to 7.0.32 or later
- Tomcat 6.0.x users should upgrade to 6.0.36 or later

Credit:
This issue was identified by The Tomcat security team

References:
http://tomcat.apache.org/security.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-6.html
--------------------------------------------------------------------------
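The decision flaw the advisory describes, as an added illustration in Python (a constructed model, not Tomcat's CsrfPreventionFilter source): the vulnerable predicate verifies the nonce only when a session exists, so a request carrying no session identifier is never rejected, while the hardened predicate fails closed. The parameter name, entry-point path, session object and sample requests are placeholders assumed for the example.

```python
# Added illustration of the CVE-2012-4431 logic flaw; constructed model, not
# Tomcat's CsrfPreventionFilter source. Names below are placeholders.
from dataclasses import dataclass, field

NONCE_PARAM = "csrf_nonce"     # placeholder; not Tomcat's real parameter name
ENTRY_POINTS = {"/login"}       # paths the filter lets through without a nonce

@dataclass
class Session:
    nonces: set = field(default_factory=set)   # nonces issued to this session

@dataclass
class Request:
    path: str
    params: dict
    session: "Session | None"   # None when no session identifier was sent

def vulnerable_allows(req: Request) -> bool:
    """Flawed check: the nonce is verified only if a session (and hence a nonce
    cache) exists, so a request without a session id is never rejected."""
    if req.path in ENTRY_POINTS:
        return True
    cache = req.session.nonces if req.session is not None else None
    nonce = req.params.get(NONCE_PARAM)
    if cache is not None and nonce not in cache:
        return False
    return True

def fixed_allows(req: Request) -> bool:
    """Fail-closed check: a protected resource needs a session, a nonce
    parameter, and a nonce that was actually issued to that session."""
    if req.path in ENTRY_POINTS:
        return True
    if req.session is None:
        return False
    nonce = req.params.get(NONCE_PARAM)
    return nonce is not None and nonce in req.session.nonces

def evaluate_cases() -> dict:
    """Run constructed sample requests through both checks; returns
    {case_name: (vulnerable_allows, fixed_allows)}."""
    s = Session(nonces={"n1"})
    cases = {
        "valid_nonce": Request("/admin/delete", {NONCE_PARAM: "n1"}, s),
        "wrong_nonce": Request("/admin/delete", {NONCE_PARAM: "x"}, s),
        "no_session": Request("/admin/delete", {NONCE_PARAM: "x"}, None),
        "entry_point": Request("/login", {}, None),
    }
    return {name: (vulnerable_allows(r), fixed_allows(r)) for name, r in cases.items()}
```

The `no_session` case is the one the advisory describes: the flawed check returns True for it, the hardened check returns False.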
Comment 1 Michal Vyskocil 2012-12-10 13:18:21 UTC
submitted,

see https://bugzilla.novell.com/show_bug.cgi?id=791426#c11
Comment 3 Matthias Weckbecker 2012-12-10 14:34:29 UTC
There is a typo in the bnc# ref in the submission. Can you re-submit, please?
Comment 4 Michal Vyskocil 2012-12-10 15:07:45 UTC
sent tomcat: 144989, tomcat6: 144990, tomcat6: 23086
Comment 5 Bernhard Wiedemann 2012-12-10 16:00:54 UTC
This is an autogenerated message for OBS integration:
This bug (793391) was mentioned in
https://build.opensuse.org/request/show/144989 Maintenance /
https://build.opensuse.org/request/show/144990 Maintenance /
Comment 6 Bernhard Wiedemann 2012-12-19 16:00:40 UTC
This is an autogenerated message for OBS integration:
This bug (793391) was mentioned in
https://build.opensuse.org/request/show/145902 Maintenance /
Comment 10 Swamp Workflow Management 2012-12-27 16:09:32 UTC
openSUSE-SU-2012:1700-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used:
openSUSE 12.1 (src):    libtcnative-1-0-1.3.3-3.7.1, tomcat6-6.0.33-3.7.1
Comment 11 Swamp Workflow Management 2012-12-27 16:10:56 UTC
openSUSE-SU-2012:1701-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 779538,789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used:
openSUSE 12.2 (src):    tomcat-7.0.27-2.9.1
Comment 13 Michal Vyskocil 2013-01-02 14:50:18 UTC
submitted fixed packages

tomcat(7), tomcat5 - not needed

tomcat6 (with refreshed CVE-2012-4431.patch):
  12.1:  146828
  sle11: 23294
Comment 14 Swamp Workflow Management 2013-02-01 11:50:24 UTC
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
SUSE-MANAGER 1.2 (x86_64)
Comment 15 Swamp Workflow Management 2013-02-01 12:33:24 UTC
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 16 Marcus Meissner 2013-02-04 14:17:02 UTC
released
Comment 17 Bernhard Wiedemann 2013-08-28 06:01:01 UTC
This is an autogenerated message for OBS integration:
This bug (793391) was mentioned in
https://build.opensuse.org/request/show/196597 Evergreen:11.2 / tomcat6
Comment 18 Bernhard Wiedemann 2013-09-11 06:01:50 UTC
This is an autogenerated message for OBS integration:
This bug (793391) was mentioned in
https://build.opensuse.org/request/show/198409 Evergreen:11.2 / tomcat6