Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
  • Products

    Top Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Products

    Downloads and Containers

    • Downloads
    • Packages
    • Containers

    Top Resources

    • Documentation
    • Product Life Cycles
    • Product Compliance
    • Errata
  • Knowledge

    Red Hat Knowledge Center

    • Knowledgebase Solutions
    • Knowledgebase Articles
    • Customer Portal Labs
    • Errata

    Top Product Docs

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Product Docs

    Training and Certification

    • About
    • Course Index
    • Certification Index
    • Skill Assessment
  • Security

    Red Hat Product Security Center

    • Security Updates
    • Security Advisories
    • Red Hat CVE Database
    • Errata

    References

    • Security Bulletins
    • Security Measurement
    • Severity Ratings
    • Security Data

    Top Resources

    • Security Labs
    • Backporting Policies
    • Security Blog
  • Support

    Red Hat Support

    • Support Cases
    • Troubleshoot
    • Get Support
    • Contact Red Hat Support

    Red Hat Community Support

    • Customer Portal Community
    • Community Discussions
    • Red Hat Accelerator Program

    Top Resources

    • Product Life Cycles
    • Customer Portal Labs
    • Red Hat JBoss Supported Configurations
    • Red Hat Insights
Or troubleshoot an issue.

Select Your Language

  • English
  • Français
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat OpenStack Platform
  • Red Hat OpenShift
  • Red Hat OpenShift AI
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat build of Keycloak
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Application Foundations
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
All Products
Red Hat Product Errata RHSA-2012:0682 - Security Advisory
Issued:
2012-05-21
Updated:
2012-05-21

RHSA-2012:0682 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: tomcat6 security and bug fix update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated tomcat6 packages that fix multiple security issues and three bugs
are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat
Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Apache Tomcat is a servlet container.

JBoss Enterprise Web Server includes the Tomcat Native library, providing
Apache Portable Runtime (APR) support for Tomcat. References in this text
to APR refer to the Tomcat Native implementation, not any other apr
package.

This update fixes the JBPAPP-4873, JBPAPP-6133, and JBPAPP-6852 bugs. It
also resolves the following security issues:

Multiple flaws weakened the Tomcat HTTP DIGEST authentication
implementation, subjecting it to some of the weaknesses of HTTP BASIC
authentication, for example, allowing remote attackers to perform session
replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063,
CVE-2011-5064)

A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor)
and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ
Protocol) connectors processed certain POST requests. An attacker could
send a specially-crafted request that would cause the connector to treat
the message body as a new request. This allows arbitrary AJP messages to be
injected, possibly allowing an attacker to bypass a web application's
authentication checks and gain access to information they would otherwise
be unable to access. The JK (org.apache.jk.server.JkCoyoteHandler)
connector is used by default when the APR libraries are not present. The JK
connector is not affected by this flaw. (CVE-2011-3190)

A flaw in the way Tomcat recycled objects that contain data from user
requests (such as IP addresses and HTTP headers) when certain errors
occurred. If a user sent a request that caused an error to be logged,
Tomcat would return a reply to the next request (which could be sent by a
different user) with data from the first user's request, leading to
information disclosure. Under certain conditions, a remote attacker could
leverage this flaw to hijack sessions. (CVE-2011-3375)

The Java hashCode() method implementation was susceptible to predictable
hash collisions. A remote attacker could use this flaw to cause Tomcat to
use an excessive amount of CPU time by sending an HTTP request with a large
number of parameters whose names map to the same hash value. This update
introduces a limit on the number of parameters processed per request to
mitigate this issue. The default limit is 512 for parameters and 128 for
headers. These defaults can be changed by setting the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2011-4858)

Tomcat did not handle large numbers of parameters and large parameter
values efficiently. A remote attacker could make Tomcat use an excessive
amount of CPU time by sending an HTTP request containing a large number of
parameters or large parameter values. This update introduces limits on the
number of parameters and headers processed per request to address this
issue. Refer to the CVE-2011-4858 description for information about the
org.apache.tomcat.util.http.Parameters.MAX_COUNT and
org.apache.tomcat.util.http.MimeHeaders.MAX_COUNT system properties.
(CVE-2012-0022)

A flaw in the Tomcat MemoryUserDatabase. If a runtime exception occurred
when creating a new user with a JMX client, that user's password was logged
to Tomcat log files. Note: By default, only administrators have access to
such log files. (CVE-2011-2204)

A flaw in the way Tomcat handled sendfile request attributes when using the
HTTP APR or NIO (Non-Blocking I/O) connector. A malicious web application
running on a Tomcat instance could use this flaw to bypass security manager
restrictions and gain access to files it would otherwise be unable to
access, or possibly terminate the Java Virtual Machine (JVM). The HTTP NIO
connector is used by default in JBoss Enterprise Web Server.
(CVE-2011-2526)

Red Hat would like to thank oCERT for reporting CVE-2011-4858, and the
Apache Tomcat project for reporting CVE-2011-2526. oCERT acknowledges
Julian Wälde and Alexander Klink as the original reporters of
CVE-2011-4858.

Solution

Users of Tomcat should upgrade to these updated packages, which
resolve these issues. Tomcat must be restarted for this update to take
effect.

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • JBoss Enterprise Web Server 1 for RHEL 6 x86_64
  • JBoss Enterprise Web Server 1 for RHEL 6 i386
  • JBoss Enterprise Web Server 1 for RHEL 5 x86_64
  • JBoss Enterprise Web Server 1 for RHEL 5 i386

Fixes

  • BZ - 717013 - CVE-2011-2204 tomcat: password disclosure vulnerability
  • BZ - 720948 - CVE-2011-2526 tomcat: security manager restrictions bypass
  • BZ - 734868 - CVE-2011-3190 tomcat: authentication bypass and information disclosure
  • BZ - 741401 - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 tomcat: Multiple weaknesses in HTTP DIGEST authentication
  • BZ - 750521 - CVE-2011-4858 tomcat: hash table collisions CPU usage DoS (oCERT-2011-003)
  • BZ - 782624 - CVE-2011-3375 tomcat: information disclosure due to improper response and request object recycling
  • BZ - 783359 - CVE-2012-0022 tomcat: large number of parameters DoS

CVEs

  • CVE-2011-2526
  • CVE-2011-3190
  • CVE-2011-1184
  • CVE-2011-2204
  • CVE-2011-5062
  • CVE-2011-5063
  • CVE-2011-5064
  • CVE-2011-4858
  • CVE-2012-0022
  • CVE-2011-3375

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • http://tomcat.apache.org/security-6.html
  • https://issues.jboss.org/browse/JBPAPP-4873
  • https://issues.jboss.org/browse/JBPAPP-6133
  • https://issues.jboss.org/browse/JBPAPP-6852
Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Web Server 1 for RHEL 6

SRPM
tomcat6-6.0.32-24_patch_07.ep5.el6.src.rpm SHA-256: 070a758e99638ae4373007e8fd3609f8b80ffb60305287f29bec13aa9fb55de7
x86_64
tomcat6-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: 87ffd7d21d91505253c306661baf3aa289af9a95e55dbdd4029b0a9abf9beddb
tomcat6-admin-webapps-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: ea0c40be0e468b42b38dc492ca08f3fe5226bb3270d3d74eb197a1dc71616059
tomcat6-docs-webapp-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: 889396e150cbb25fd243330dc4cb632c47eb72dedaaf7b8bfafa8d521e752558
tomcat6-el-1.0-api-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: d03d4b64937cc72757bbcf37e409a24fab1408d535d01b2e4bd548793cd96db6
tomcat6-javadoc-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: dba3d966e520c22d564805dd1516dda4526b2ecda3bb129e2a6d70a63b4d141d
tomcat6-jsp-2.1-api-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: 18cd536880b62a4c23222eb85bdd228531982b817663e79cd2c452e5d7375f7a
tomcat6-lib-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: 8e13ae25f253c4ac4d673af3642aff1448f922c3dc75bf0270d5e2d6f737ff69
tomcat6-log4j-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: c2f8bc9604f170d7d16620b86f07647b1cd4faa3b1cbdc85a7d9da9bb18bd762
tomcat6-servlet-2.5-api-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: c8b0810c45bf1f831f811e18ee794fb5c75725892ce5c1c94dbce0f2574cb031
tomcat6-webapps-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: a9201b63bf6a5b3e51dce8e6f250ffbc9135b3878ee52c69900102d32120315b
i386
tomcat6-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: 87ffd7d21d91505253c306661baf3aa289af9a95e55dbdd4029b0a9abf9beddb
tomcat6-admin-webapps-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: ea0c40be0e468b42b38dc492ca08f3fe5226bb3270d3d74eb197a1dc71616059
tomcat6-docs-webapp-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: 889396e150cbb25fd243330dc4cb632c47eb72dedaaf7b8bfafa8d521e752558
tomcat6-el-1.0-api-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: d03d4b64937cc72757bbcf37e409a24fab1408d535d01b2e4bd548793cd96db6
tomcat6-javadoc-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: dba3d966e520c22d564805dd1516dda4526b2ecda3bb129e2a6d70a63b4d141d
tomcat6-jsp-2.1-api-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: 18cd536880b62a4c23222eb85bdd228531982b817663e79cd2c452e5d7375f7a
tomcat6-lib-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: 8e13ae25f253c4ac4d673af3642aff1448f922c3dc75bf0270d5e2d6f737ff69
tomcat6-log4j-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: c2f8bc9604f170d7d16620b86f07647b1cd4faa3b1cbdc85a7d9da9bb18bd762
tomcat6-servlet-2.5-api-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: c8b0810c45bf1f831f811e18ee794fb5c75725892ce5c1c94dbce0f2574cb031
tomcat6-webapps-6.0.32-24_patch_07.ep5.el6.noarch.rpm SHA-256: a9201b63bf6a5b3e51dce8e6f250ffbc9135b3878ee52c69900102d32120315b

JBoss Enterprise Web Server 1 for RHEL 5

SRPM
tomcat6-6.0.32-24_patch_07.ep5.el5.src.rpm SHA-256: dc40d1d7fc3b29b43b3d65fa395227dcc3c43641c270489eccb9c2c6f89ff87d
x86_64
tomcat6-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: d1110e78fe8448f3c3cd889ba9946750b19c4be806d5d880ff63bdb107d90732
tomcat6-admin-webapps-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: ab0b7da353e866b4f397636412ffdfb090dfb81ec27d5db3d2cfe2dc28820280
tomcat6-docs-webapp-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: 1e3195983fb8d6af11d3f806aeeadc19c8bfbc66a259f2c21f691c2357a5eecc
tomcat6-el-1.0-api-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: 3b2841951eb776ac621173f92f2650758f3746bfbe0cc9630bcb9b1729ee1297
tomcat6-javadoc-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: 8743286b5e87524e76502bc6e8160043b471686471a3e0b6c89471dfae421407
tomcat6-jsp-2.1-api-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: 330f9308da23cbf3e5a3fa83f337f11e89eee7675eb327d69e13b75e83693e44
tomcat6-lib-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: a46ada6de6794535f03870662a6095f7504f944f5fb3f157e27ec8cbb3bcb206
tomcat6-log4j-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: feb48b9f808d190914d78a5e4bd73d497dbfaa7679d03df3ba622274ed4404d3
tomcat6-servlet-2.5-api-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: f1afdc12ac8923e795e00ce46f0b4ec8d137a01389f671d9f7ff9dc64b16ea97
tomcat6-webapps-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: c72d3bd98504e8c7ba4802d9402d1cd6e88fce13cca4dcb36b86cc29755c62c9
i386
tomcat6-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: d1110e78fe8448f3c3cd889ba9946750b19c4be806d5d880ff63bdb107d90732
tomcat6-admin-webapps-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: ab0b7da353e866b4f397636412ffdfb090dfb81ec27d5db3d2cfe2dc28820280
tomcat6-docs-webapp-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: 1e3195983fb8d6af11d3f806aeeadc19c8bfbc66a259f2c21f691c2357a5eecc
tomcat6-el-1.0-api-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: 3b2841951eb776ac621173f92f2650758f3746bfbe0cc9630bcb9b1729ee1297
tomcat6-javadoc-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: 8743286b5e87524e76502bc6e8160043b471686471a3e0b6c89471dfae421407
tomcat6-jsp-2.1-api-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: 330f9308da23cbf3e5a3fa83f337f11e89eee7675eb327d69e13b75e83693e44
tomcat6-lib-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: a46ada6de6794535f03870662a6095f7504f944f5fb3f157e27ec8cbb3bcb206
tomcat6-log4j-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: feb48b9f808d190914d78a5e4bd73d497dbfaa7679d03df3ba622274ed4404d3
tomcat6-servlet-2.5-api-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: f1afdc12ac8923e795e00ce46f0b4ec8d137a01389f671d9f7ff9dc64b16ea97
tomcat6-webapps-6.0.32-24_patch_07.ep5.el5.noarch.rpm SHA-256: c72d3bd98504e8c7ba4802d9402d1cd6e88fce13cca4dcb36b86cc29755c62c9

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat X (formerly Twitter)

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

Red Hat legal and privacy links

  • About Red Hat
  • Jobs
  • Events
  • Locations
  • Contact Red Hat
  • Red Hat Blog
  • Inclusion at Red Hat
  • Cool Stuff Store
  • Red Hat Summit
© 2025 Red Hat, Inc.

Red Hat legal and privacy links

  • Privacy statement
  • Terms of use
  • All policies and guidelines
  • Digital accessibility