Apache Tomcat version older than 6.0.36 - Vulnerability Database

Description

Apache Tomcat versions 6.0.0 through 6.0.35 contain multiple critical security vulnerabilities that were resolved in version 6.0.36. These vulnerabilities include a denial of service condition in the HTTP NIO connector caused by improper request header size validation (CVE-2012-2733), weaknesses in the DIGEST authentication implementation that enable replay attacks (CVE-2012-3439), a security constraint bypass in FORM authentication when combined with Single-Sign-On (CVE-2012-3546), a CSRF prevention filter bypass for requests without session identifiers (CVE-2012-4431), and an infinite loop denial of service in the NIO connector with sendfile and HTTPS enabled (CVE-2012-4534). Together, these issues expose applications to authentication bypass, denial of service, and cross-site request forgery.

Remediation

Immediately upgrade Apache Tomcat to version 6.0.36 or later to remediate all identified vulnerabilities. Follow these steps:

  1. Backup Current Installation: Create a complete backup of your existing Tomcat installation, including configuration files and deployed applications.
  2. Download Latest Version: Obtain Apache Tomcat 6.0.36 or the latest version in the 6.x series from the official Apache Tomcat website (http://tomcat.apache.org/).
  3. Review Configuration: Before upgrading, review your current server.xml and web.xml configurations to ensure compatibility with the new version.
  4. Perform Upgrade: Stop the Tomcat service, replace the Tomcat binaries with the new version, and migrate your configuration files and applications to the new installation.
  5. Test Thoroughly: Test all applications in a staging environment before deploying to production to ensure compatibility and proper functionality.
  6. Verify Security Settings: Confirm that DIGEST authentication, FORM authentication, and CSRF protection filters are functioning correctly after the upgrade.

Note: If immediate upgrade is not possible, implement temporary mitigations such as restricting access to the application through network-level controls and monitoring for suspicious authentication attempts, though these are not substitutes for upgrading.
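As an added example (not Invicti's or the Tomcat project's code), the following Python script parses the output of Tomcat's own `bin/version.sh` to decide whether an installed 6.x release is older than 6.0.36; the sample output is constructed, and versions outside the 6.x branch are reported as outside this entry's scope so they can be checked against their own advisories.

```python
import re
from typing import Optional, Tuple

# First release in the 6.x branch that contains all five fixes named above.
FIXED_VERSION = (6, 0, 36)

# Constructed sample of what bin/version.sh prints on a Tomcat 6 host
# (real output also includes OS and JVM lines).
SAMPLE_OUTPUT = """\
Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/6.0.35
Server built:   Nov 28 2011 11:20:06
Server number:  6.0.35.0
OS Name:        Linux
"""

def parse_version(output: str) -> Optional[Tuple[int, ...]]:
    """Extract the Tomcat version tuple from version.sh output.
    Prefers 'Server number'; falls back to 'Server version'; None if absent."""
    m = re.search(r"^Server number:\s*([\d.]+)", output, re.MULTILINE)
    if not m:
        m = re.search(r"^Server version:\s*Apache Tomcat/([\d.]+)", output, re.MULTILINE)
    if not m:
        return None
    # Compare numerically: as strings "6.0.9" would sort after "6.0.36".
    parts = tuple(int(p) for p in m.group(1).split(".") if p)
    return parts or None

def needs_upgrade(version: Tuple[int, ...]) -> Optional[bool]:
    """True if a 6.x version is below 6.0.36, False if 6.0.36 or later.
    None for branches this entry does not cover (5.5.x, 7.0.x), which have
    their own advisories."""
    if version[:1] != (6,):
        return None
    return version[:3] < FIXED_VERSION

def check_host(output: str) -> str:
    """One-line verdict suitable for a fleet inventory report."""
    v = parse_version(output)
    if v is None:
        return "unknown: version not found in output"
    label = ".".join(str(p) for p in v)
    verdict = needs_upgrade(v)
    if verdict is None:
        return f"out of scope: Tomcat {label} is not a 6.x release"
    return f"{'VULNERABLE' if verdict else 'ok'}: Tomcat {label}"

if __name__ == "__main__":
    print(check_host(SAMPLE_OUTPUT))
```

Run it against the captured output of `bin/version.sh` on each host before and after step 4 to confirm the upgrade actually landed.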