Apache Tomcat HTTP DIGEST Authentication Multiple Vulnerabilities
Last Update Date:
27 Sep 2011 12:17
Release Date:
27 Sep 2011
RISK: Medium Risk
TYPE: Servers - Internet App Servers
Multiple vulnerabilities have been found in Apache Tomcat; a malicious user could exploit them to bypass security restrictions.
The HTTP DIGEST authentication was found to have the following weaknesses:
- Replay attacks are possible
- Server nonces are not checked
- The client nonce count is not checked
- The qop value is not checked
- The realm value is not checked
- The server secret is a known string
These weaknesses make DIGEST authentication no more secure than BASIC authentication.
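The checks the advisory lists as missing, shown as an added server-side validator for RFC 2617 Digest responses; this is illustrative code written for this page, not Tomcat's implementation, and the realm name, nonce lifetime and nonce format are assumptions.

```python
import hashlib, hmac, os, time

REALM = "example-realm"   # assumed realm name (constructed)
SECRET = os.urandom(32)   # random per-process key, not a fixed known string
NONCE_TTL = 300           # seconds a server nonce stays valid
_seen_nc = {}             # nonce -> highest nonce count accepted so far

def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()

def make_nonce(now=None):
    """Server nonce = timestamp:HMAC(SECRET, timestamp); unforgeable without SECRET."""
    ts = str(int(time.time() if now is None else now))
    mac = hmac.new(SECRET, ts.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{mac}"

def verify(params, method, password, now=None):
    """Validate a parsed 'Authorization: Digest ...' dict; return (ok, reason)."""
    now = time.time() if now is None else now
    if params.get("realm") != REALM:          # realm must be ours
        return False, "realm mismatch"
    if params.get("qop") != "auth":           # qop must be present and 'auth'
        return False, "qop must be auth"
    nonce = params.get("nonce", "")
    ts = nonce.partition(":")[0]
    if not ts.isdigit() or not hmac.compare_digest(make_nonce(int(ts)), nonce):
        return False, "nonce not issued by this server"
    if now - int(ts) > NONCE_TTL:             # old nonces are not accepted
        return False, "nonce expired"
    try:
        nc = int(params["nc"], 16)
    except (KeyError, ValueError):
        return False, "bad nonce count"
    if nc <= _seen_nc.get(nonce, 0):          # nc must strictly increase: no replay
        return False, "replayed nonce count"
    expected = client_response(nonce, params["nc"], params.get("cnonce", ""),
                               params.get("username", ""), password, method,
                               params.get("uri", ""))
    if not hmac.compare_digest(expected, params.get("response", "")):
        return False, "bad response digest"
    _seen_nc[nonce] = nc
    return True, "ok"

def client_response(nonce, nc, cnonce, username, password, method, uri):
    """RFC 2617 response digest an honest client computes (also used by verify)."""
    ha1 = _md5(f"{username}:{REALM}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:auth:{ha2}")
```

A real server would also need to bound the size of the nonce-count table and evict expired nonces from it.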
Impact
- Security Restriction Bypass
System / Technologies affected
- Apache Tomcat 7.0.x
- Apache Tomcat 6.0.x
- Apache Tomcat 5.5.x
Solutions
Before installation of the software, please visit the software manufacturer web-site for more details.
Tomcat 7.0.x
Upgrade to 7.0.12 or later
Tomcat 6.0.x
Upgrade to 6.0.33 or later
Tomcat 5.5.x
Upgrade to 5.5.34 or later
Vulnerability Identifier
Source
Related Link