Apache Tomcat

CVE-2012-4534, CVE-2012-4431, CVE-2012-3546
Tomcat, DoS, CSRF, FORM authentication
Versions Affected:

- Tomcat 7.0.0 to 7.0.27
- Tomcat 6.0.0 to 6.0.35
- Tomcat 7.0.0 to 7.0.31
- Tomcat 6.0.0 to 6.0.35
- Tomcat 7.0.0 to 7.0.29
- Tomcat 6.0.0 to 6.0.35

Three different weaknesses in Apache Tomcat were identified. The affected components of Tomcat are:
- FORM authentication
- CSRF prevention filter
- NIO connector in combination with HTTPS

Airlock's implementations of FORM authentication, CSRF prevention and HTTPS support are not based on the components above. Airlock is therefore not affected.

Back-end applications deployed on Tomcat are not affected if all of the following measures apply:
- Airlock's upstream authentication is used instead of FORM based authentication in the back-end application [prevents CVE-2012-4534]
- Airlock's session-based URL encryption is used to prevent CSRF instead of Tomcat's CSRF prevention filter [prevents CVE-2012-4431]
- All HTTPS connections to the Tomcat application server are routed through Airlock [prevents CVE-2012-3546]

For vulnerable back-end systems where the above Airlock features cannot be activated, we recommend updating Tomcat to a newer version as recommended in the article referenced below.
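To decide whether a given back-end needs the update, an operator first has to place its Tomcat version inside the inclusive ranges listed under "Versions Affected". The following Python snippet is an added example, not part of this advisory or of Airlock: it parses a version string (for instance the `Server version: Apache Tomcat/7.0.29` line printed by Tomcat's `bin/version.sh`, which is an assumed input format) and reports which of the advisory's ranges it falls into. The range table is copied from the advisory; the duplicated 6.0.0 to 6.0.35 range is listed once.

```python
"""Check a Tomcat version string against the affected ranges listed in this advisory."""
import re
from typing import List, Tuple

Version = Tuple[int, int, int]

# Inclusive affected ranges exactly as listed in the advisory (the 6.x range
# appears three times on the page and is de-duplicated here).
AFFECTED_RANGES: List[Tuple[str, str]] = [
    ("7.0.0", "7.0.27"),
    ("7.0.0", "7.0.31"),
    ("7.0.0", "7.0.29"),
    ("6.0.0", "6.0.35"),
]


def parse_version(text: str) -> Version:
    """Extract the first major.minor.patch triple from a version string.

    Accepts bare '7.0.29', 'Apache Tomcat/7.0.29', or the
    'Server version: Apache Tomcat/7.0.29' line printed by bin/version.sh
    (input format assumed for this example).
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no major.minor.patch version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def matching_ranges(version_text: str) -> List[Tuple[str, str]]:
    """Return every advisory range (low, high) that contains the given version."""
    version = parse_version(version_text)
    return [
        (low, high)
        for low, high in AFFECTED_RANGES
        if parse_version(low) <= version <= parse_version(high)
    ]


def is_affected(version_text: str) -> bool:
    """True if the version lies inside at least one affected range."""
    return bool(matching_ranges(version_text))


if __name__ == "__main__":
    # Constructed sample inputs, as an operator might collect them from several back-ends.
    for sample in ("Server version: Apache Tomcat/7.0.28", "Apache Tomcat/7.0.32", "6.0.35", "6.0.36"):
        ranges = matching_ranges(sample)
        status = "affected" if ranges else "not in any listed range"
        print(f"{sample!r}: {status} {ranges if ranges else ''}".rstrip())
```

Tuple comparison handles the version ordering, so a version such as 7.0.32 correctly falls outside every 7.x range even though it is lexically "smaller" than 7.0.9. A back-end that matches no range still needs the other measures in this advisory checked if it relies on the FORM authentication, CSRF filter or NIO/HTTPS components for some other reason; the check only answers the version question.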

Airlock Vulnerability Status: Does not affect Airlock

Back-end Vulnerability Status: Back-ends may be vulnerable, see resolution