<em style='font-weight:bold;'>(Description Provided by <a href="http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-1184" target="_blank">CVE</a>)</em> : The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not have the expected countermeasures against replay attacks, which makes it easier for remote attackers to bypass intended access restrictions by sniffing the network for valid requests, related to lack of checking of nonce (aka server nonce) and nc (aka nonce-count or client nonce count) values.

Upgrade to version 5.5.34, 6.0.33, or 7.0.12 or higher, as they have been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.

• CVE ID: 2011-1184 (see also: NVD)
• Secunia Advisory ID: 46703 47125 47298 47503 47507 47675 47793 47794 47866 47913 48841 49270 49702 50395 50745 52740 52816
• Bugtraq ID: 49762
• Vendor Specific Advisory URL: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03281831
  http://www.juniper.net/alerts/viewalert.jsp?actionBtn=Search&txtAlertNumber=PSN-2012-05-584&viewMode=view
  https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_oracle_java
  https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_oracle_java1
  https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03716627
  https://kb.bluecoat.com/index?page=content&id=SA66
• Mail List Post: http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html
  http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html
  http://seclists.org/bugtraq/2011/Sep/151
  http://seclists.org/bugtraq/2012/Apr/114
• Packet Storm: http://packetstormsecurity.com/files/121037/HP-Security-Bulletin-HPSBUX02860-SSRT101146.html
  http://packetstormsecurity.org/files/111920/HP-Security-Bulletin-HPSBOV02762-SSRT100825.html
• Vendor Specific News/Changelog Entry: http://security.gentoo.org/glsa/glsa-201206-24.xml
  http://svn.apache.org/viewvc?view=rev&rev=1087655
  http://svn.apache.org/viewvc?view=rev&rev=1158180
  http://svn.apache.org/viewvc?view=rev&rev=1159309
  http://tomcat.apache.org/security-5.html
  http://tomcat.apache.org/security-6.html
  http://tomcat.apache.org/security-7.html
  http://www.debian.org/security/2012/dsa-2401
  http://www.ibm.com/support/docview.wss?uid=ssg1S1004302
  http://www.ibm.com/support/docview.wss?uid=swg21609004
  http://www.ubuntu.com/usn/usn-1252-1
  https://issues.apache.org/jira/browse/BIGTOP-812
• Other Advisory URL: http://www.mandriva.com/security/advisories?name=MDVSA-2011:156
• RedHat RHSA: RHSA-2011:1780 RHSA-2011:1845 RHSA-2012:0041 RHSA-2012:0074 RHSA-2012:0075 RHSA-2012:0076 RHSA-2012:0077 RHSA-2012:0078 RHSA-2012:0091 RHSA-2012:0679 RHSA-2012:0680 RHSA-2012:0681 RHSA-2012:0682

Unknown or Incomplete