Bug 791426 - (CVE-2012-5887) VUL-0: CVE-2012-5887: tomcat: stale nonce weakness
Status: RESOLVED FIXED
Duplicates: 789405
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P2 - High
Severity: Normal
Assigned To: Security Team bot
Whiteboard: maint:released:sle10-sp3:50427 maint:...
Depends on: CVE-2012-5568
Reported: 2012-11-27 12:26 UTC by Sebastian Krahmer
Modified: 2019-05-01 15:50 UTC (History)

Description Sebastian Krahmer 2012-11-27 12:26:08 UTC
Name: CVE-2012-5887

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x
before 5.5.36, 6.x before 6.0.36, and 7.x before 7.0.30 does not properly
check for stale nonce values in conjunction with enforcement of proper
credentials, which makes it easier for remote attackers to bypass intended
access restrictions by sniffing the network for valid requests.

Reference: CONFIRM: http://tomcat.apache.org/security-7.html
Reference: CONFIRM: http://tomcat.apache.org/security-6.html
Reference: CONFIRM: http://tomcat.apache.org/security-5.html
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1392248
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1380829
Reference: CONFIRM: http://svn.apache.org/viewvc?view=revision&revision=1377807
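The description above is the one-paragraph CVE text. The point behind "stale nonce values in conjunction with enforcement of proper credentials" is an ordering rule from RFC 2617 section 3.2.1: a server may answer a request with stale=true only when the request carried a valid digest for a nonce that has merely expired. If the server decides "stale" before it has verified the digest, a request with forged credentials and an old, sniffed nonce is answered exactly like a genuine user's expired request instead of being rejected. The following Python is an added illustration of that rule, not Tomcat's code or anything from the reporter; the realm, user store, nonce lifetime, path, passwords and the injectable clock are all constructed for the demonstration, and the two authenticator functions exist only to contrast the defective and the correct ordering.

```python
"""Digest Access Authentication (RFC 2617), server side: stale-nonce handling.

Added example for this bug page, not Tomcat's code. Realm, users, nonce
lifetime and request values are constructed for the demonstration.
"""
import hashlib
import secrets
import time

REALM = "example"           # constructed realm
NONCE_LIFETIME = 300        # assumed lifetime of a server-issued nonce, in seconds


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# constructed user store: username -> HA1 = MD5(username:realm:password)
USERS = {"alice": _md5(f"alice:{REALM}:correct horse")}


class NonceStore:
    """Nonces the *server* issued, with issue time and last accepted nonce-count,
    so a sniffed request cannot be replayed with the same or a lower nc."""

    def __init__(self, now=time.time):
        self.now = now
        self._nonces = {}       # nonce -> [issued_at, last_nc]

    def issue(self) -> str:
        nonce = secrets.token_hex(16)
        self._nonces[nonce] = [self.now(), 0]
        return nonce

    def status(self, nonce: str, nc: int) -> str:
        """'unknown', 'replay', 'stale' or 'ok'; only 'ok' consumes the nc."""
        entry = self._nonces.get(nonce)
        if entry is None:
            return "unknown"                # never issued by this server
        if nc <= entry[1]:
            return "replay"                 # nc must strictly increase
        if self.now() - entry[0] > NONCE_LIFETIME:
            return "stale"
        entry[1] = nc
        return "ok"


def expected_response(ha1, method, uri, nonce, nc, cnonce, qop="auth"):
    """request-digest for qop=auth (RFC 2617 section 3.2.2.1)."""
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:{qop}:{ha2}")


def credentials_valid(req, users=USERS) -> bool:
    ha1 = users.get(req["username"])
    if ha1 is None:
        return False
    expected = expected_response(ha1, req["method"], req["uri"],
                                 req["nonce"], req["nc"], req["cnonce"])
    return secrets.compare_digest(expected, req["response"])


def authenticate_weak(req, store):
    """Defective ordering: nonce state is reported before the digest is verified,
    so a forged digest with an expired nonce gets stale=true like a genuine one."""
    state = store.status(req["nonce"], req["nc"])
    if state == "stale":
        return ("401", "stale=true")
    if state != "ok" or not credentials_valid(req):
        return ("401", "reject")
    return ("200", "ok")


def authenticate_fixed(req, store):
    """Correct ordering: verify the digest first; stale=true only when the
    request is otherwise valid and its nonce has merely expired."""
    if not credentials_valid(req):
        return ("401", "reject")
    state = store.status(req["nonce"], req["nc"])
    if state == "stale":
        return ("401", "stale=true")
    if state != "ok":
        return ("401", "reject")
    return ("200", "ok")


def make_request(username, password, method, uri, nonce, nc, cnonce="0a4f113b"):
    """Client side: the Authorization fields a browser would send (constructed)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    return {"username": username, "method": method, "uri": uri, "nonce": nonce,
            "nc": nc, "cnonce": cnonce,
            "response": expected_response(ha1, method, uri, nonce, nc, cnonce)}


def demo():
    """One fresh login, then the same nonce after expiry, under both orderings."""
    clock = [1_000.0]                        # injectable clock for the demo
    store = NonceStore(now=lambda: clock[0])
    nonce = store.issue()
    good = make_request("alice", "correct horse", "GET", "/secret", nonce, 1)
    first = authenticate_fixed(good, store)
    clock[0] += NONCE_LIFETIME + 1           # the nonce is now stale
    forged = make_request("alice", "wrong password", "GET", "/secret", nonce, 2)
    genuine = make_request("alice", "correct horse", "GET", "/secret", nonce, 3)
    return {
        "first": first,
        "replayed_capture": authenticate_fixed(good, store),   # same nc again
        "weak_forged": authenticate_weak(forged, store),
        "fixed_forged": authenticate_fixed(forged, store),
        "fixed_genuine_stale": authenticate_fixed(genuine, store),
    }
```

Running `demo()` shows the contrast: the weak ordering answers the forged request with stale=true, which a client treats as "retry with a fresh nonce, no new password needed", while the fixed ordering rejects it outright and reserves stale=true for the genuine user whose nonce has expired. The replayed capture is refused in either case because the nonce-count did not increase.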
Comment 1 Michal Vyskocil 2012-11-27 14:09:45 UTC
(In reply to comment #0)
> Name: CVE-2012-5887

Well, tomcat security and commit logs use CVE-2012-3439. Reading the NIST page, this should not be used. Can you close the bnc#CVE-2012-3439, then? I will resubmit the package(s) with the correct CVE number then.

[1] http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3439
Comment 2 Michal Vyskocil 2012-11-27 14:10:12 UTC
I meant bnc#789405
Comment 3 Sebastian Krahmer 2012-11-27 14:16:37 UTC
*** Bug 789405 has been marked as a duplicate of this bug. ***
Comment 4 Swamp Workflow Management 2012-11-28 10:53:05 UTC
The SWAMPID for this issue is 50301.
This issue was rated as moderate.
Please submit fixed packages until 2012-12-12.
When done, please reassign the bug to security-team@suse.de.
Patchinfo will be handled by security team.
Comment 5 Sebastian Krahmer 2012-11-28 10:55:06 UTC
I have seen tomcat submits, but it's probably not all issues
included, as some just arrived yesterday.
Do we need resubmits (SWAMP 50301)?
Comment 6 Michal Vyskocil 2012-12-04 08:49:13 UTC
All patches are ready, but bnc#791679, which is waiting for input from the security team, needs to be resolved first.
Comment 7 Bernhard Wiedemann 2012-12-04 09:00:41 UTC
This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144019 Maintenance /
Comment 8 Bernhard Wiedemann 2012-12-07 13:01:07 UTC
This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144552 Maintenance /
Comment 9 Bernhard Wiedemann 2012-12-10 11:00:30 UTC
This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144937 Maintenance /
Comment 10 Bernhard Wiedemann 2012-12-10 13:00:35 UTC
This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144949 Maintenance /
Comment 11 Michal Vyskocil 2012-12-10 13:14:41 UTC
submitted fixed packages

tomcat(7):
12.2      144949
factory   contains 7.0.33 with no security issues inside

tomcat6:
12.1      144937
sle11     23071

tomcat5:
sle10     23077
Comment 12 Michal Vyskocil 2012-12-10 13:17:25 UTC
Oops, again:

tomcat6
12.1     144953
Comment 13 Bernhard Wiedemann 2012-12-10 14:00:26 UTC
This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144953 Maintenance /
Comment 14 Bernhard Wiedemann 2012-12-10 16:00:38 UTC
This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/144989 Maintenance /
https://build.opensuse.org/request/show/144990 Maintenance /
Comment 15 Bernhard Wiedemann 2012-12-19 16:00:28 UTC
This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/145902 Maintenance /
Comment 16 Swamp Workflow Management 2012-12-27 16:09:12 UTC
openSUSE-SU-2012:1700-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used:
openSUSE 12.1 (src):    libtcnative-1-0-1.3.3-3.7.1, tomcat6-6.0.33-3.7.1
Comment 17 Swamp Workflow Management 2012-12-27 16:10:36 UTC
openSUSE-SU-2012:1701-1: An update that fixes 10 vulnerabilities is now available.

Category: security (moderate)
Bug References: 779538,789406,791423,791424,791426,791679,793391,793394
CVE References: CVE-2009-2693,CVE-2009-2901,CVE-2009-2902,CVE-2012-2733,CVE-2012-3546,CVE-2012-4431,CVE-2012-5568,CVE-2012-5885,CVE-2012-5886,CVE-2012-5887
Sources used:
openSUSE 12.2 (src):    tomcat-7.0.27-2.9.1
Comment 18 Swamp Workflow Management 2013-02-01 10:04:30 UTC
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products:
SLE-SERVER 10-SP3-TERADATA (x86_64)
Comment 19 Swamp Workflow Management 2013-02-01 11:50:06 UTC
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SERVER 11-SP1-TERADATA (x86_64)
SUSE-MANAGER 1.2 (x86_64)
Comment 20 Swamp Workflow Management 2013-02-01 12:33:21 UTC
Update released for: tomcat6, tomcat6-admin-webapps, tomcat6-docs-webapp, tomcat6-javadoc, tomcat6-jsp-2_1-api, tomcat6-lib, tomcat6-servlet-2_5-api, tomcat6-webapps
Products:
SLE-SERVER 11-SP2 (i386, ia64, ppc64, s390x, x86_64)
SLES4VMWARE 11-SP2 (i386, x86_64)
Comment 21 Swamp Workflow Management 2013-02-01 13:08:02 UTC
Update released for: tomcat5, tomcat5-admin-webapps, tomcat5-webapps
Products:
SLE-SDK 10-SP4 (i386, ia64, ppc, s390x, x86_64)
SLE-SERVER 10-SP4 (i386, ia64, ppc, s390x, x86_64)
Comment 22 Marcus Meissner 2013-02-04 14:15:42 UTC
released
Comment 23 Bernhard Wiedemann 2013-08-28 06:00:34 UTC
This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/196597 Evergreen:11.2 / tomcat6
Comment 24 Bernhard Wiedemann 2013-09-11 06:01:28 UTC
This is an autogenerated message for OBS integration:
This bug (791426) was mentioned in
https://build.opensuse.org/request/show/198409 Evergreen:11.2 / tomcat6