ALAS-2011-025


Amazon Linux AMI Security Advisory: ALAS-2011-25
Advisory Release Date: 2014-09-14 15:04 Pacific
Severity: Important

Issue Overview:

Certain AJP protocol connector implementations in Apache Tomcat 7.0.0 through 7.0.20, 6.0.0 through 6.0.33, 5.5.0 through 5.5.33, and possibly other versions allow remote attackers to spoof AJP requests, bypass authentication, and obtain sensitive information by causing the connector to interpret a request body as a new request.

The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.17, when the MemoryUserDatabase is used, creates log entries containing passwords upon encountering errors in JMX user creation, which allows local users to obtain sensitive information by reading a log file.


Affected Packages:

tomcat6


Issue Correction:
Run yum update tomcat6 to update your system.

New Packages:
noarch:
    tomcat6-el-2.1-api-6.0.33-1.26.amzn1.noarch
    tomcat6-javadoc-6.0.33-1.26.amzn1.noarch
    tomcat6-lib-6.0.33-1.26.amzn1.noarch
    tomcat6-admin-webapps-6.0.33-1.26.amzn1.noarch
    tomcat6-servlet-2.5-api-6.0.33-1.26.amzn1.noarch
    tomcat6-6.0.33-1.26.amzn1.noarch
    tomcat6-jsp-2.1-api-6.0.33-1.26.amzn1.noarch
    tomcat6-webapps-6.0.33-1.26.amzn1.noarch
    tomcat6-docs-webapp-6.0.33-1.26.amzn1.noarch

src:
    tomcat6-6.0.33-1.26.amzn1.src