Rapid7 Vulnerability & Exploit Database

RHSA-2011:1780: tomcat6 security and bug fix update

Back to Search

RHSA-2011:1780: tomcat6 security and bug fix update



Apache Tomcat is a servlet container for the Java Servlet and JavaServerPages (JSP) technologies.APR (Apache Portable Runtime) as mentioned in the CVE-2011-3190 andCVE-2011-2526 descriptions does not refer to APR provided by the aprpackages. It refers to the implementation of APR provided by the TomcatNative library, which provides support for using APR with Tomcat. Thislibrary is not shipped with Red Hat Enterprise Linux 6. This updateincludes fixes for users who have elected to use APR with Tomcat by takingthe Tomcat Native library from a different product. Such a configuration isnot supported by Red Hat, however.Multiple flaws were found in the way Tomcat handled HTTP DIGESTauthentication. These flaws weakened the Tomcat HTTP DIGEST authenticationimplementation, subjecting it to some of the weaknesses of HTTP BASICauthentication, for example, allowing remote attackers to perform sessionreplay attacks. (CVE-2011-1184)A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor)and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServProtocol) connectors processed certain POST requests. An attacker couldsend a specially-crafted request that would cause the connector to treatthe message body as a new request. This allows arbitrary AJP messages to beinjected, possibly allowing an attacker to bypass a web application'sauthentication checks and gain access to information they would otherwisebe unable to access. The JK (org.apache.jk.server.JkCoyoteHandler)connector is used by default when the APR libraries are not present. The JKconnector is not affected by this flaw. (CVE-2011-3190)A flaw was found in the Tomcat MemoryUserDatabase. If a runtime exceptionoccurred when creating a new user with a JMX client, that user's passwordwas logged to Tomcat log files. Note: By default, only administrators haveaccess to such log files. (CVE-2011-2204)A flaw was found in the way Tomcat handled sendfile request attributes whenusing the HTTP APR or NIO (Non-Blocking I/O) connector. A malicious webapplication running on a Tomcat instance could use this flaw to bypasssecurity manager restrictions and gain access to files it would otherwisebe unable to access, or possibly terminate the Java Virtual Machine (JVM).The HTTP blocking IO (BIO) connector, which is not vulnerable to thisissue, is used by default in Red Hat Enterprise Linux 6. (CVE-2011-2526)Red Hat would like to thank the Apache Tomcat project for reporting theCVE-2011-2526 issue.This update also fixes the following bug:Users of Tomcat should upgrade to these updated packages, which containbackported patches to correct these issues. Tomcat must be restarted forthis update to take effect.


  • redhat-upgrade-tomcat6
  • redhat-upgrade-tomcat6-admin-webapps
  • redhat-upgrade-tomcat6-docs-webapp
  • redhat-upgrade-tomcat6-el-2-1-api
  • redhat-upgrade-tomcat6-javadoc
  • redhat-upgrade-tomcat6-jsp-2-1-api
  • redhat-upgrade-tomcat6-lib
  • redhat-upgrade-tomcat6-servlet-2-5-api
  • redhat-upgrade-tomcat6-webapps

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center