CVE-2011-1184 Apache Tomcat – Multiple weaknesses in HTTP DIGEST authentication
Severity: Moderate
Versions Affected:
- Tomcat 7.0.0 to 7.0.11
- Tomcat 6.0.0 to 6.0.32
- Tomcat 5.5.0 to 5.5.33
- Earlier, unsupported versions may also be affected
Description:
The implementation of HTTP DIGEST authentication was discovered to
have several weaknesses:
- replay attacks were permitted
- server nonces were not checked
- client nonce counts were not checked
- qop values were not checked
- realm values were not checked
- the server secret was hard-coded to a known string
The result of these weaknesses is that DIGEST authentication was only
as secure as BASIC authentication.
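To make the listed weaknesses concrete, the following is an added example of a minimal server-side HTTP DIGEST verifier that performs each of the checks the advisory says were missing. It is illustration code written for this page, not Tomcat's implementation: it assumes a nonce of the form timestamp:HMAC-SHA256(secret, timestamp), a five-minute nonce lifetime, a per-process random secret instead of a known constant, and an in-memory table of the highest nonce count (nc) seen per nonce. The hashing itself follows RFC 2617 (MD5 of A1/A2, qop=auth); the sample user, realm and cnonce values are constructed.

```python
import hashlib
import hmac
import re
import secrets
import time

# Random per process (assumption for this example); the advisory's flaw was a
# known hard-coded secret, which let anyone mint nonces the server would accept.
SERVER_SECRET = secrets.token_bytes(32)
NONCE_VALIDITY_SECONDS = 300  # assumed lifetime for a server nonce


def _md5(s):
    return hashlib.md5(s.encode()).hexdigest()


def make_nonce(secret=SERVER_SECRET, now=None):
    """Nonce = '<timestamp>:<HMAC(secret, timestamp)>'; only this server can mint one."""
    ts = str(int(time.time() if now is None else now))
    return ts + ":" + hmac.new(secret, ts.encode(), "sha256").hexdigest()


def nonce_is_valid(nonce, secret=SERVER_SECRET, now=None):
    """Server nonce check: authentic (MAC matches) and not older than the validity window."""
    ts, _, mac = nonce.partition(":")
    if not ts.isdigit():
        return False
    expected = hmac.new(secret, ts.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(mac.encode(), expected.encode()):
        return False
    age = (time.time() if now is None else now) - int(ts)
    return 0 <= age <= NONCE_VALIDITY_SECONDS


_PARAM = re.compile(r'(\w+)=(?:"([^"]*)"|([^,\s]*))')


def parse_digest_header(header):
    """Parse an Authorization: Digest header into a dict of its parameters."""
    if not header.startswith("Digest "):
        return {}
    return {k: (q if q else bare) for k, q, bare in _PARAM.findall(header[len("Digest "):])}


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """RFC 2617 response value for qop=auth."""
    ha1 = _md5(f"{username}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{nc}:{cnonce}:{qop}:{ha2}")


def build_authorization(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: the header a browser would send (used here only to drive the verifier)."""
    resp = digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop)
    return (f'Digest username="{username}", realm="{realm}", nonce="{nonce}", uri="{uri}", '
            f'qop={qop}, nc={nc}, cnonce="{cnonce}", response="{resp}"')


def verify_digest(header, method, realm, lookup_password, nonce_counts, secret=SERVER_SECRET, now=None):
    """Return (ok, reason). nonce_counts maps nonce -> highest nc accepted so far (server state)."""
    p = parse_digest_header(header)
    for field in ("username", "realm", "nonce", "uri", "qop", "nc", "cnonce", "response"):
        if field not in p:
            return False, "missing " + field
    if p["realm"] != realm:                      # realm value checked
        return False, "realm mismatch"
    if p["qop"] != "auth":                       # qop value checked
        return False, "unsupported qop"
    if not nonce_is_valid(p["nonce"], secret, now):  # server nonce checked
        return False, "bad or expired nonce"
    if not re.fullmatch(r"[0-9a-fA-F]{8}", p["nc"]):
        return False, "malformed nc"
    nc = int(p["nc"], 16)
    if nc <= nonce_counts.get(p["nonce"], 0):    # nonce count must increase: blocks replay
        return False, "replayed nonce count"
    password = lookup_password(p["username"])
    if password is None:
        return False, "unknown user"
    expected = digest_response(p["username"], realm, password, method, p["uri"],
                               p["nonce"], p["nc"], p["cnonce"], p["qop"])
    if not hmac.compare_digest(expected.encode(), p["response"].encode()):
        return False, "bad response"
    nonce_counts[p["nonce"]] = nc                # record state only after a successful check
    return True, "ok"


if __name__ == "__main__":
    users = {"alice": "correct horse"}           # constructed sample credential store
    counts = {}
    nonce = make_nonce()
    hdr = build_authorization("alice", "app", users["alice"], "GET", "/secure", nonce, "00000001", "abc123")
    print(verify_digest(hdr, "GET", "app", users.get, counts))   # first use accepted
    print(verify_digest(hdr, "GET", "app", users.get, counts))   # identical replay rejected
```

Without the nonce-count table a captured Authorization header could be resent until the nonce expired, and with a known server secret an attacker could mint fresh nonces indefinitely, which is why the advisory equates the flawed DIGEST implementation with BASIC authentication.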
Mitigation:
Users of Tomcat 7.0.x should upgrade to 7.0.12 or later
Users of Tomcat 6.0.x should upgrade to 6.0.33 or later
Users of Tomcat 5.5.x should upgrade to 5.5.34 or later