Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Red Hat Console
  • Get Support
  • Products

    Top Products

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Products

    Downloads and Containers

    • Downloads
    • Packages
    • Containers

    Top Resources

    • Documentation
    • Product Life Cycles
    • Product Compliance
    • Errata
  • Knowledge

    Red Hat Knowledge Center

    • Knowledgebase Solutions
    • Knowledgebase Articles
    • Customer Portal Labs
    • Errata

    Top Product Docs

    • Red Hat Enterprise Linux
    • Red Hat OpenShift
    • Red Hat Ansible Automation Platform
    All Product Docs

    Training and Certification

    • About
    • Course Index
    • Certification Index
    • Skill Assessment
  • Security

    Red Hat Product Security Center

    • Security Updates
    • Security Advisories
    • Red Hat CVE Database
    • Errata

    References

    • Security Bulletins
    • Security Measurement
    • Severity Ratings
    • Security Data

    Top Resources

    • Security Labs
    • Backporting Policies
    • Security Blog
  • Support

    Red Hat Support

    • Support Cases
    • Troubleshoot
    • Get Support
    • Contact Red Hat Support

    Red Hat Community Support

    • Customer Portal Community
    • Community Discussions
    • Red Hat Accelerator Program

    Top Resources

    • Product Life Cycles
    • Customer Portal Labs
    • Red Hat JBoss Supported Configurations
    • Red Hat Insights
Or troubleshoot an issue.

Select Your Language

  • English
  • Français
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat OpenStack Platform
  • Red Hat OpenShift
  • Red Hat OpenShift AI
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • Red Hat OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat build of Keycloak
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Application Foundations
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
All Products
Red Hat Product Errata RHSA-2013:0266 - Security Advisory
Issued:
2013-02-19
Updated:
2013-02-19

RHSA-2013:0266 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: tomcat6 security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated tomcat6 packages that fix multiple security issues are now
available for JBoss Enterprise Web Server 2.0.0 for Red Hat Enterprise
Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Apache Tomcat is a servlet container.

It was found that sending a request without a session identifier to a
protected resource could bypass the Cross-Site Request Forgery (CSRF)
prevention filter. A remote attacker could use this flaw to perform
CSRF attacks against applications that rely on the CSRF prevention filter
and do not contain internal mitigation for CSRF. (CVE-2012-4431)

A flaw was found in the way Tomcat handled sendfile operations when using
the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker
could use this flaw to cause a denial of service (infinite loop). The HTTP
NIO connector is used by default in JBoss Enterprise Web Server. The Apache
Portable Runtime (APR) connector from the Tomcat Native library was not
affected by this flaw. (CVE-2012-4534)

Multiple weaknesses were found in the Tomcat DIGEST authentication
implementation, effectively reducing the security normally provided by
DIGEST authentication. A remote attacker could use these flaws to perform
replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,
CVE-2012-5887)

A denial of service flaw was found in the way the Tomcat HTTP NIO connector
enforced limits on the permitted size of request headers. A remote attacker
could use this flaw to trigger an OutOfMemoryError by sending a
specially-crafted request with very large headers. The HTTP NIO connector
is used by default in JBoss Enterprise Web Server. The APR connector from
the Tomcat Native library was not affected by this flaw. (CVE-2012-2733)

Warning: Before applying the update, back up your existing JBoss Enterprise
Web Server installation (including all applications and configuration
files).

Users of Tomcat should upgrade to these updated packages, which resolve
these issues. Tomcat must be restarted for this update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • JBoss Enterprise Web Server 2 for RHEL 6 x86_64
  • JBoss Enterprise Web Server 2 for RHEL 6 i386
  • JBoss Enterprise Web Server 2 for RHEL 5 x86_64
  • JBoss Enterprise Web Server 2 for RHEL 5 i386

Fixes

  • BZ - 873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues
  • BZ - 873695 - CVE-2012-2733 tomcat: HTTP NIO connector OOM DoS via a request with large headers
  • BZ - 883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter
  • BZ - 883637 - CVE-2012-4534 Tomcat - Denial Of Service when using NIO+SSL+sendfile

CVEs

  • CVE-2012-2733
  • CVE-2012-4431
  • CVE-2012-4534
  • CVE-2012-5885
  • CVE-2012-5886
  • CVE-2012-5887

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • http://tomcat.apache.org/security-6.html
Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Web Server 2 for RHEL 6

SRPM
tomcat6-6.0.35-29_patch_06.ep6.el6.src.rpm SHA-256: 500c01af36715c025ef5b43ef7284bb5aaabc3651d2a20e2906350dbe0defc0e
x86_64
tomcat6-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 1f5a20675db2d1de6d4bb301f0716d5a22cb07531f989276f0ea4f12458185f6
tomcat6-admin-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 580d9d95b5d23fb2e3955e581374441b0be5af481b9652d000a26e53879becf2
tomcat6-docs-webapp-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 8a37863d42026c903bae24c932740247a48bc37d213d4a7cb4c2103ee501cfd2
tomcat6-el-1.0-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 0fac1be5ab6fedf42acf11f452741228c974f299b41000d87e9a45bb89c136fd
tomcat6-javadoc-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: b9b1a4af84570a852fb2263bf4812aedce2f67ea3b9520fa21b266ec24ca02c6
tomcat6-jsp-2.1-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: f71239c415c84ef342be1dcbcba00fe6a17d5a6f8e098aa2cc177e31a609dbfb
tomcat6-lib-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: f0243c37f6488cfa4783019a07a04fe6373868a67eb070af028317c7f23f42ed
tomcat6-log4j-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 0c511e1d31f1ac32ed6214645aa44f7bcfca0c3a028b34b0172cfa256741bcc7
tomcat6-servlet-2.5-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 19e1dc1a06454d31ddc492efd0fc7ddb1d9b828d1eecce032d183f95d92ffdf6
tomcat6-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 6838dbb155e0ce863ca2969c4464c8998e046cd54db637e06e04d955d24af450
i386
tomcat6-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 1f5a20675db2d1de6d4bb301f0716d5a22cb07531f989276f0ea4f12458185f6
tomcat6-admin-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 580d9d95b5d23fb2e3955e581374441b0be5af481b9652d000a26e53879becf2
tomcat6-docs-webapp-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 8a37863d42026c903bae24c932740247a48bc37d213d4a7cb4c2103ee501cfd2
tomcat6-el-1.0-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 0fac1be5ab6fedf42acf11f452741228c974f299b41000d87e9a45bb89c136fd
tomcat6-javadoc-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: b9b1a4af84570a852fb2263bf4812aedce2f67ea3b9520fa21b266ec24ca02c6
tomcat6-jsp-2.1-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: f71239c415c84ef342be1dcbcba00fe6a17d5a6f8e098aa2cc177e31a609dbfb
tomcat6-lib-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: f0243c37f6488cfa4783019a07a04fe6373868a67eb070af028317c7f23f42ed
tomcat6-log4j-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 0c511e1d31f1ac32ed6214645aa44f7bcfca0c3a028b34b0172cfa256741bcc7
tomcat6-servlet-2.5-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 19e1dc1a06454d31ddc492efd0fc7ddb1d9b828d1eecce032d183f95d92ffdf6
tomcat6-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 6838dbb155e0ce863ca2969c4464c8998e046cd54db637e06e04d955d24af450

JBoss Enterprise Web Server 2 for RHEL 5

SRPM
tomcat6-6.0.35-6_patch_06.ep6.el5.src.rpm SHA-256: f0206f8a9e82dedca477ffcddd8ef5cb28859b2b60705738247611f99c871ee0
x86_64
tomcat6-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: a18fee1bfd36be88bb910565e1b6941d4d695e072bb5075a2f7901a4cb9fc527
tomcat6-admin-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: c97f41770436ae2e8d54899544820e32ed521d01b3509caf09634dbe4193e211
tomcat6-docs-webapp-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 84cfebe591b2d982750126e010004826e872688125c42a7f87571cde901494dc
tomcat6-el-1.0-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: f256a9c86bc20e5f1dc58df8c74ff93b8a35741e4c1d6eb519dcfe51b7aa8d17
tomcat6-javadoc-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 6d4e3fcbd4b65a11678d1d850e2e1ac76fce536b833806fccda92e900c3ea4b4
tomcat6-jsp-2.1-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 398874ea055d6579727eb8d16dd2aeade1fb6e78d9955cfcc132d08d7bf7ea44
tomcat6-lib-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 001734ba8303a62154a1c5b53e3d9cd2dcde1da3a5814e001f9f5c0c70e0b7a3
tomcat6-log4j-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: df2b4a572a91f6602b65ae5736f532f89d944a13427ba7e49677ffc553b819ae
tomcat6-servlet-2.5-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: a8dd2e7395063f331481aeb53d8ed6c0664cbe52580bb0c353c62341e61ad467
tomcat6-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 47f8dca27ccafdfc8ae16845d9e29784ecf09dd6144086cc90ca9710ad832ef5
i386
tomcat6-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: a18fee1bfd36be88bb910565e1b6941d4d695e072bb5075a2f7901a4cb9fc527
tomcat6-admin-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: c97f41770436ae2e8d54899544820e32ed521d01b3509caf09634dbe4193e211
tomcat6-docs-webapp-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 84cfebe591b2d982750126e010004826e872688125c42a7f87571cde901494dc
tomcat6-el-1.0-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: f256a9c86bc20e5f1dc58df8c74ff93b8a35741e4c1d6eb519dcfe51b7aa8d17
tomcat6-javadoc-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 6d4e3fcbd4b65a11678d1d850e2e1ac76fce536b833806fccda92e900c3ea4b4
tomcat6-jsp-2.1-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 398874ea055d6579727eb8d16dd2aeade1fb6e78d9955cfcc132d08d7bf7ea44
tomcat6-lib-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 001734ba8303a62154a1c5b53e3d9cd2dcde1da3a5814e001f9f5c0c70e0b7a3
tomcat6-log4j-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: df2b4a572a91f6602b65ae5736f532f89d944a13427ba7e49677ffc553b819ae
tomcat6-servlet-2.5-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: a8dd2e7395063f331481aeb53d8ed6c0664cbe52580bb0c353c62341e61ad467
tomcat6-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 47f8dca27ccafdfc8ae16845d9e29784ecf09dd6144086cc90ca9710ad832ef5

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat LinkedIn YouTube Facebook X, formerly Twitter

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

Red Hat legal and privacy links

  • About Red Hat
  • Jobs
  • Events
  • Locations
  • Contact Red Hat
  • Red Hat Blog
  • Inclusion at Red Hat
  • Cool Stuff Store
  • Red Hat Summit
© 2025 Red Hat, Inc.

Red Hat legal and privacy links

  • Privacy statement
  • Terms of use
  • All policies and guidelines
  • Digital accessibility