CVE-2011-5064

Published: 14 January 2012

DigestAuthenticator.java in the HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 uses Catalina as the hard-coded server secret (aka private key), which makes it easier for remote attackers to bypass cryptographic protection mechanisms by leveraging knowledge of this string, a different vulnerability than CVE-2011-1184.

Priority

Medium

Status

Package Release Status
tomcat5.5
Launchpad, Ubuntu, Debian 		Upstream Needs triage

Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1159309
tomcat6
Launchpad, Ubuntu, Debian 		Upstream Needs triage

Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1158180
tomcat7
Launchpad, Ubuntu, Debian 		Upstream Needs triage

Patches:
Upstream: http://svn.apache.org/viewvc?view=rev&rev=1087655

Notes

AuthorNote
sbeattie MITRE split this out from CVE-2011-1184.

References

Join the discussion

Canonical is offering Extended Security Maintenance

Canonical is offering Ubuntu 14.04 Extended Security Maintenance (ESM) for security fixes and essential packages.

Find out more about ESM

Further reading