Skip to navigation Skip to main content

Utilities

  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
Red Hat Customer Portal
  • Subscriptions
  • Downloads
  • Containers
  • Support Cases
  • Products & Services

    Products

    Support

    • Production Support
    • Development Support
    • Product Life Cycles

    Services

    • Consulting
    • Technical Account Management
    • Training & Certifications

    Documentation

    • Red Hat Enterprise Linux
    • Red Hat JBoss Enterprise Application Platform
    • Red Hat OpenStack Platform
    • Red Hat OpenShift Container Platform
    All Documentation

    Ecosystem Catalog

    • Red Hat Partner Ecosystem
    • Partner Resources
  • Tools

    Tools

    • Troubleshoot a product issue
    • Packages
    • Errata

    Customer Portal Labs

    • Configuration
    • Deployment
    • Security
    • Troubleshoot
    All labs

    Red Hat Insights

    Increase visibility into IT operations to detect and resolve technical issues before they impact your business.

    Learn More
    Go to Insights
  • Security

    Red Hat Product Security Center

    Engage with our Red Hat Product Security team, access security updates, and ensure your environments are not exposed to any known security vulnerabilities.

    Product Security Center

    Security Updates

    • Security Advisories
    • Red Hat CVE Database
    • Security Labs

    Keep your systems secure with Red Hat's specialized responses to security vulnerabilities.

    View Responses

    Resources

    • Security Blog
    • Security Measurement
    • Severity Ratings
    • Backporting Policies
    • Product Signing (GPG) Keys
  • Community

    Customer Portal Community

    • Discussions
    • Private Groups
    Community Activity

    Customer Events

    • Red Hat Convergence
    • Red Hat Summit

    Stories

    • Red Hat Subscription Value
    • You Asked. We Acted.
    • Open Source Communities
Or troubleshoot an issue.

Select Your Language

  • English
  • 한국어
  • 日本語
  • 中文 (中国)

Infrastructure and Management

  • Red Hat Enterprise Linux
  • Red Hat Virtualization
  • Red Hat Identity Management
  • Red Hat Directory Server
  • Red Hat Certificate System
  • Red Hat Satellite
  • Red Hat Subscription Management
  • Red Hat Update Infrastructure
  • Red Hat Insights
  • Red Hat Ansible Automation Platform

Cloud Computing

  • Red Hat OpenShift
  • Red Hat CloudForms
  • Red Hat OpenStack Platform
  • Red Hat OpenShift Container Platform
  • Red Hat OpenShift Data Science
  • Red Hat OpenShift Online
  • Red Hat OpenShift Dedicated
  • Red Hat Advanced Cluster Security for Kubernetes
  • Red Hat Advanced Cluster Management for Kubernetes
  • Red Hat Quay
  • OpenShift Dev Spaces
  • Red Hat OpenShift Service on AWS

Storage

  • Red Hat Gluster Storage
  • Red Hat Hyperconverged Infrastructure
  • Red Hat Ceph Storage
  • Red Hat OpenShift Data Foundation

Runtimes

  • Red Hat Runtimes
  • Red Hat JBoss Enterprise Application Platform
  • Red Hat Data Grid
  • Red Hat JBoss Web Server
  • Red Hat Single Sign On
  • Red Hat support for Spring Boot
  • Red Hat build of Node.js
  • Red Hat build of Thorntail
  • Red Hat build of Eclipse Vert.x
  • Red Hat build of OpenJDK
  • Red Hat build of Quarkus

Integration and Automation

  • Red Hat Integration
  • Red Hat Fuse
  • Red Hat AMQ
  • Red Hat 3scale API Management
  • Red Hat JBoss Data Virtualization
  • Red Hat Process Automation
  • Red Hat Process Automation Manager
  • Red Hat Decision Manager
All Products
Red Hat Product Errata RHSA-2013:0266 - Security Advisory
Issued:
2013-02-19
Updated:
2013-02-19

RHSA-2013:0266 - Security Advisory

  • Overview
  • Updated Packages

Synopsis

Moderate: tomcat6 security update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

Updated tomcat6 packages that fix multiple security issues are now
available for JBoss Enterprise Web Server 2.0.0 for Red Hat Enterprise
Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate
security impact. Common Vulnerability Scoring System (CVSS) base scores,
which give detailed severity ratings, are available for each vulnerability
from the CVE links in the References section.

Description

Apache Tomcat is a servlet container.

It was found that sending a request without a session identifier to a
protected resource could bypass the Cross-Site Request Forgery (CSRF)
prevention filter. A remote attacker could use this flaw to perform
CSRF attacks against applications that rely on the CSRF prevention filter
and do not contain internal mitigation for CSRF. (CVE-2012-4431)

A flaw was found in the way Tomcat handled sendfile operations when using
the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker
could use this flaw to cause a denial of service (infinite loop). The HTTP
NIO connector is used by default in JBoss Enterprise Web Server. The Apache
Portable Runtime (APR) connector from the Tomcat Native library was not
affected by this flaw. (CVE-2012-4534)

Multiple weaknesses were found in the Tomcat DIGEST authentication
implementation, effectively reducing the security normally provided by
DIGEST authentication. A remote attacker could use these flaws to perform
replay attacks in some circumstances. (CVE-2012-5885, CVE-2012-5886,
CVE-2012-5887)

A denial of service flaw was found in the way the Tomcat HTTP NIO connector
enforced limits on the permitted size of request headers. A remote attacker
could use this flaw to trigger an OutOfMemoryError by sending a
specially-crafted request with very large headers. The HTTP NIO connector
is used by default in JBoss Enterprise Web Server. The APR connector from
the Tomcat Native library was not affected by this flaw. (CVE-2012-2733)

Warning: Before applying the update, back up your existing JBoss Enterprise
Web Server installation (including all applications and configuration
files).

Users of Tomcat should upgrade to these updated packages, which resolve
these issues. Tomcat must be restarted for this update to take effect.

Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Affected Products

  • JBoss Enterprise Web Server 2 for RHEL 6 x86_64
  • JBoss Enterprise Web Server 2 for RHEL 6 i386
  • JBoss Enterprise Web Server 2 for RHEL 5 x86_64
  • JBoss Enterprise Web Server 2 for RHEL 5 i386

Fixes

  • BZ - 873664 - CVE-2012-5885 CVE-2012-5886 CVE-2012-5887 tomcat: three DIGEST authentication implementation issues
  • BZ - 873695 - CVE-2012-2733 tomcat: HTTP NIO connector OOM DoS via a request with large headers
  • BZ - 883636 - CVE-2012-4431 Tomcat/JBoss Web - Bypass of CSRF prevention filter
  • BZ - 883637 - CVE-2012-4534 Tomcat - Denial Of Service when using NIO+SSL+sendfile

CVEs

  • CVE-2012-2733
  • CVE-2012-4431
  • CVE-2012-4534
  • CVE-2012-5885
  • CVE-2012-5886
  • CVE-2012-5887

References

  • https://access.redhat.com/security/updates/classification/#moderate
  • http://tomcat.apache.org/security-6.html
Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Web Server 2 for RHEL 6

SRPM
tomcat6-6.0.35-29_patch_06.ep6.el6.src.rpm SHA-256: 500c01af36715c025ef5b43ef7284bb5aaabc3651d2a20e2906350dbe0defc0e
x86_64
tomcat6-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 1f5a20675db2d1de6d4bb301f0716d5a22cb07531f989276f0ea4f12458185f6
tomcat6-admin-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 580d9d95b5d23fb2e3955e581374441b0be5af481b9652d000a26e53879becf2
tomcat6-docs-webapp-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 8a37863d42026c903bae24c932740247a48bc37d213d4a7cb4c2103ee501cfd2
tomcat6-el-1.0-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 0fac1be5ab6fedf42acf11f452741228c974f299b41000d87e9a45bb89c136fd
tomcat6-javadoc-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: b9b1a4af84570a852fb2263bf4812aedce2f67ea3b9520fa21b266ec24ca02c6
tomcat6-jsp-2.1-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: f71239c415c84ef342be1dcbcba00fe6a17d5a6f8e098aa2cc177e31a609dbfb
tomcat6-lib-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: f0243c37f6488cfa4783019a07a04fe6373868a67eb070af028317c7f23f42ed
tomcat6-log4j-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 0c511e1d31f1ac32ed6214645aa44f7bcfca0c3a028b34b0172cfa256741bcc7
tomcat6-servlet-2.5-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 19e1dc1a06454d31ddc492efd0fc7ddb1d9b828d1eecce032d183f95d92ffdf6
tomcat6-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 6838dbb155e0ce863ca2969c4464c8998e046cd54db637e06e04d955d24af450
i386
tomcat6-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 1f5a20675db2d1de6d4bb301f0716d5a22cb07531f989276f0ea4f12458185f6
tomcat6-admin-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 580d9d95b5d23fb2e3955e581374441b0be5af481b9652d000a26e53879becf2
tomcat6-docs-webapp-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 8a37863d42026c903bae24c932740247a48bc37d213d4a7cb4c2103ee501cfd2
tomcat6-el-1.0-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 0fac1be5ab6fedf42acf11f452741228c974f299b41000d87e9a45bb89c136fd
tomcat6-javadoc-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: b9b1a4af84570a852fb2263bf4812aedce2f67ea3b9520fa21b266ec24ca02c6
tomcat6-jsp-2.1-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: f71239c415c84ef342be1dcbcba00fe6a17d5a6f8e098aa2cc177e31a609dbfb
tomcat6-lib-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: f0243c37f6488cfa4783019a07a04fe6373868a67eb070af028317c7f23f42ed
tomcat6-log4j-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 0c511e1d31f1ac32ed6214645aa44f7bcfca0c3a028b34b0172cfa256741bcc7
tomcat6-servlet-2.5-api-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 19e1dc1a06454d31ddc492efd0fc7ddb1d9b828d1eecce032d183f95d92ffdf6
tomcat6-webapps-6.0.35-29_patch_06.ep6.el6.noarch.rpm SHA-256: 6838dbb155e0ce863ca2969c4464c8998e046cd54db637e06e04d955d24af450

JBoss Enterprise Web Server 2 for RHEL 5

SRPM
tomcat6-6.0.35-6_patch_06.ep6.el5.src.rpm SHA-256: f0206f8a9e82dedca477ffcddd8ef5cb28859b2b60705738247611f99c871ee0
x86_64
tomcat6-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: a18fee1bfd36be88bb910565e1b6941d4d695e072bb5075a2f7901a4cb9fc527
tomcat6-admin-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: c97f41770436ae2e8d54899544820e32ed521d01b3509caf09634dbe4193e211
tomcat6-docs-webapp-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 84cfebe591b2d982750126e010004826e872688125c42a7f87571cde901494dc
tomcat6-el-1.0-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: f256a9c86bc20e5f1dc58df8c74ff93b8a35741e4c1d6eb519dcfe51b7aa8d17
tomcat6-javadoc-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 6d4e3fcbd4b65a11678d1d850e2e1ac76fce536b833806fccda92e900c3ea4b4
tomcat6-jsp-2.1-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 398874ea055d6579727eb8d16dd2aeade1fb6e78d9955cfcc132d08d7bf7ea44
tomcat6-lib-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 001734ba8303a62154a1c5b53e3d9cd2dcde1da3a5814e001f9f5c0c70e0b7a3
tomcat6-log4j-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: df2b4a572a91f6602b65ae5736f532f89d944a13427ba7e49677ffc553b819ae
tomcat6-servlet-2.5-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: a8dd2e7395063f331481aeb53d8ed6c0664cbe52580bb0c353c62341e61ad467
tomcat6-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 47f8dca27ccafdfc8ae16845d9e29784ecf09dd6144086cc90ca9710ad832ef5
i386
tomcat6-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: a18fee1bfd36be88bb910565e1b6941d4d695e072bb5075a2f7901a4cb9fc527
tomcat6-admin-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: c97f41770436ae2e8d54899544820e32ed521d01b3509caf09634dbe4193e211
tomcat6-docs-webapp-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 84cfebe591b2d982750126e010004826e872688125c42a7f87571cde901494dc
tomcat6-el-1.0-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: f256a9c86bc20e5f1dc58df8c74ff93b8a35741e4c1d6eb519dcfe51b7aa8d17
tomcat6-javadoc-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 6d4e3fcbd4b65a11678d1d850e2e1ac76fce536b833806fccda92e900c3ea4b4
tomcat6-jsp-2.1-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 398874ea055d6579727eb8d16dd2aeade1fb6e78d9955cfcc132d08d7bf7ea44
tomcat6-lib-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 001734ba8303a62154a1c5b53e3d9cd2dcde1da3a5814e001f9f5c0c70e0b7a3
tomcat6-log4j-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: df2b4a572a91f6602b65ae5736f532f89d944a13427ba7e49677ffc553b819ae
tomcat6-servlet-2.5-api-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: a8dd2e7395063f331481aeb53d8ed6c0664cbe52580bb0c353c62341e61ad467
tomcat6-webapps-6.0.35-6_patch_06.ep6.el5.noarch.rpm SHA-256: 47f8dca27ccafdfc8ae16845d9e29784ecf09dd6144086cc90ca9710ad832ef5

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Red Hat

Quick Links

  • Downloads
  • Subscriptions
  • Support Cases
  • Customer Service
  • Product Documentation

Help

  • Contact Us
  • Customer Portal FAQ
  • Log-in Assistance

Site Info

  • Trust Red Hat
  • Browser Support Policy
  • Accessibility
  • Awards and Recognition
  • Colophon

Related Sites

  • redhat.com
  • developers.redhat.com
  • connect.redhat.com
  • cloud.redhat.com

About

  • Red Hat Subscription Value
  • About Red Hat
  • Red Hat Jobs
Copyright © 2023 Red Hat, Inc.
  • Privacy Statement
  • Customer Portal Terms of Use
  • All Policies and Guidelines
Red Hat Summit
Twitter