You are here
Apache Tomcat
Submitted on 20. December 2012 - 16:13 by rischi.
Last update on 8. January 2013 - 13:28.
Last update on 8. January 2013 - 13:28.
IDs:
CVE-2012-4534, CVE-2012-4431, CVE-2012-3546
Keywords:
Tomcat, DoS, CSRF, FORM authentication
Description:
Versions Affected:
CVE-2012-4534:
- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35
CVE-2012-4431:
- Tomcat 7.0.0 to 7.0.31
- Tomcat 6.0.0 to 6.0.35
CVE-2012-3546:
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35
Three different weaknesses in Apache Tomcat were identified. The affected components of Tomcat are:
- FORM authentication
- CSRF prevention filter
- NIO connector in combination with HTTPS
Airlock's implementations of FORM authentication, CSRF prevention and HTTPS support are not based on the components above. Airlock is therefore not affected.
Resolution:
Back-end applications deployed on Tomcat are not affected if all of the following measures apply:
- Airlock's upstream authentication is used instead of FORM based authentication in the back-end application [prevents CVE-2012-4534]
- Airlock's session-based URL encryption is used to prevent CSRF instead of Tomcat's CSRF prevention filter [prevents CVE-2012-4431]
- All HTTPS connections to the Tomcat application server are routed through Airlock [prevents CVE-2012-3546]
- Airlock's upstream authentication is used instead of FORM based authentication in the back-end application [prevents CVE-2012-4534]
- Airlock's session-based URL encryption is used to prevent CSRF instead of Tomcat's CSRF prevention filter [prevents CVE-2012-4431]
- All HTTPS connections to the Tomcat application server are routed through Airlock [prevents CVE-2012-3546]
For vulnerable back-end systems where the above Airlock features can not be activated we recommend updating Tomcat to a newer version as recommended in the article referenced below.
Component:
Airlock
Airlock Vulnerability Status:
Does not affect Airlock
Back-end Vulnerability Status:
Back-ends may be vulnerable, see resolution