NVD Vulnerability Detail

CVE-2011-5062

Summary	The HTTP Digest Access Authentication implementation in Apache Tomcat 5.5.x before 5.5.34, 6.x before 6.0.33, and 7.x before 7.0.12 does not check qop values, which might allow remote attackers to bypass intended integrity-protection requirements via a qop=auth value, a different vulnerability than CVE-2011-1184.
Publication Date	Jan. 15, 2012, 6:55 a.m.
Registration Date	Jan. 28, 2021, 4:40 p.m.
Last Update	Nov. 21, 2024, 10:33 a.m.

CVSS2.0 : MEDIUM
Score	5.0
Vector	AV:N/AC:L/Au:N/C:P/I:N/A:N
攻撃元区分(AV)	ネットワーク
攻撃条件の複雑さ(AC)	低
攻撃前の認証要否(Au)	不要
機密性への影響(C)	低
完全性への影響(I)	なし
可用性への影響(A)	なし
Get all privileges.	いいえ
Get user privileges	いいえ
Get other privileges	いいえ
User operation required	いいえ

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:5.5.27:::::::*
cpe:2.3:a:apache:tomcat:5.5.18:::::::*
cpe:2.3:a:apache:tomcat:5.5.12:::::::*
cpe:2.3:a:apache:tomcat:5.5.14:::::::*
cpe:2.3:a:apache:tomcat:5.5.10:::::::*
cpe:2.3:a:apache:tomcat:5.5.4:::::::*
cpe:2.3:a:apache:tomcat:5.5.7:::::::*
cpe:2.3:a:apache:tomcat:5.5.1:::::::*
cpe:2.3:a:apache:tomcat:5.5.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.28:::::::*
cpe:2.3:a:apache:tomcat:5.5.6:::::::*
cpe:2.3:a:apache:tomcat:5.5.26:::::::*
cpe:2.3:a:apache:tomcat:5.5.20:::::::*
cpe:2.3:a:apache:tomcat:5.5.15:::::::*
cpe:2.3:a:apache:tomcat:5.5.5:::::::*
cpe:2.3:a:apache:tomcat:5.5.30:::::::*
cpe:2.3:a:apache:tomcat:5.5.21:::::::*
cpe:2.3:a:apache:tomcat:5.5.22:::::::*
cpe:2.3:a:apache:tomcat:5.5.3:::::::*
cpe:2.3:a:apache:tomcat:5.5.32:::::::*
cpe:2.3:a:apache:tomcat:5.5.31:::::::*
cpe:2.3:a:apache:tomcat:5.5.9:::::::*
cpe:2.3:a:apache:tomcat:5.5.25:::::::*
cpe:2.3:a:apache:tomcat:5.5.33:::::::*
cpe:2.3:a:apache:tomcat:5.5.2:::::::*
cpe:2.3:a:apache:tomcat:5.5.0:::::::*
cpe:2.3:a:apache:tomcat:5.5.13:::::::*
cpe:2.3:a:apache:tomcat:5.5.24:::::::*
cpe:2.3:a:apache:tomcat:5.5.8:::::::*
cpe:2.3:a:apache:tomcat:5.5.16:::::::*
cpe:2.3:a:apache:tomcat:5.5.17:::::::*
cpe:2.3:a:apache:tomcat:5.5.29:::::::*
cpe:2.3:a:apache:tomcat:5.5.19:::::::*
cpe:2.3:a:apache:tomcat:5.5.23:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:6.0.6:::::::*
cpe:2.3:a:apache:tomcat:6.0.11:::::::*
cpe:2.3:a:apache:tomcat:6.0.7:::::::*
cpe:2.3:a:apache:tomcat:6.0.4:::::::*
cpe:2.3:a:apache:tomcat:6.0.15:::::::*
cpe:2.3:a:apache:tomcat:6.0.20:::::::*
cpe:2.3:a:apache:tomcat:6.0.10:::::::*
cpe:2.3:a:apache:tomcat:6.0.31:::::::*
cpe:2.3:a:apache:tomcat:6.0.29:::::::*
cpe:2.3:a:apache:tomcat:6.0.3:::::::*
cpe:2.3:a:apache:tomcat:6.0.9:::::::*
cpe:2.3:a:apache:tomcat:6.0.24:::::::*
cpe:2.3:a:apache:tomcat:6.0.17:::::::*
cpe:2.3:a:apache:tomcat:6.0:::::::*
cpe:2.3:a:apache:tomcat:6.0.32:::::::*
cpe:2.3:a:apache:tomcat:6.0.28:::::::*
cpe:2.3:a:apache:tomcat:6.0.0:::::::*
cpe:2.3:a:apache:tomcat:6.0.14:::::::*
cpe:2.3:a:apache:tomcat:6.0.1:::::::*
cpe:2.3:a:apache:tomcat:6.0.12:::::::*
cpe:2.3:a:apache:tomcat:6.0.18:::::::*
cpe:2.3:a:apache:tomcat:6.0.5:::::::*
cpe:2.3:a:apache:tomcat:6.0.30:::::::*
cpe:2.3:a:apache:tomcat:6.0.2:::::::*
cpe:2.3:a:apache:tomcat:6.0.13:::::::*
cpe:2.3:a:apache:tomcat:6.0.26:::::::*
cpe:2.3:a:apache:tomcat:6.0.19:::::::*
cpe:2.3:a:apache:tomcat:6.0.27:::::::*
cpe:2.3:a:apache:tomcat:6.0.16:::::::*
cpe:2.3:a:apache:tomcat:6.0.8:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:7.0.8:::::::*
cpe:2.3:a:apache:tomcat:7.0.1:::::::*
cpe:2.3:a:apache:tomcat:7.0.2:::::::*
cpe:2.3:a:apache:tomcat:7.0.5:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:::::::*
cpe:2.3:a:apache:tomcat:7.0.6:::::::*
cpe:2.3:a:apache:tomcat:7.0.11:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
cpe:2.3:a:apache:tomcat:7.0.7:::::::*
cpe:2.3:a:apache:tomcat:7.0.10:::::::*
cpe:2.3:a:apache:tomcat:7.0.9:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:::::::*
cpe:2.3:a:apache:tomcat:7.0.3:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html
2	http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html
3	http://marc.info/?l=bugtraq&m=139344343412337&w=2
4	http://rhn.redhat.com/errata/RHSA-2012-0074.html
5	http://rhn.redhat.com/errata/RHSA-2012-0075.html
6	http://rhn.redhat.com/errata/RHSA-2012-0076.html
7	http://rhn.redhat.com/errata/RHSA-2012-0077.html
8	http://rhn.redhat.com/errata/RHSA-2012-0078.html
9	http://rhn.redhat.com/errata/RHSA-2012-0325.html
10	http://secunia.com/advisories/57126
11	http://svn.apache.org/viewvc?view=rev&rev=1087655	Patch
12	http://svn.apache.org/viewvc?view=rev&rev=1158180	Patch
13	http://svn.apache.org/viewvc?view=rev&rev=1159309	Patch
14	http://tomcat.apache.org/security-5.html	Vendor Advisory
15	http://tomcat.apache.org/security-6.html	Vendor Advisory
16	http://tomcat.apache.org/security-7.html	Vendor Advisory
17	http://www.debian.org/security/2012/dsa-2401
18	http://www.redhat.com/support/errata/RHSA-2011-1845.html
19	https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
20	https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
21	https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
22	https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
23	http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00002.html
24	https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5%40%3Cdev.tomcat.apache.org%3E
25	https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf%40%3Cdev.tomcat.apache.org%3E
26	https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa%40%3Cdev.tomcat.apache.org%3E
27	https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e%40%3Cdev.tomcat.apache.org%3E
28	http://www.redhat.com/support/errata/RHSA-2011-1845.html
29	http://www.debian.org/security/2012/dsa-2401
30	http://tomcat.apache.org/security-7.html	Vendor Advisory
31	http://tomcat.apache.org/security-6.html	Vendor Advisory
32	http://tomcat.apache.org/security-5.html	Vendor Advisory
33	http://svn.apache.org/viewvc?view=rev&rev=1159309	Patch
34	http://svn.apache.org/viewvc?view=rev&rev=1158180	Patch
35	http://svn.apache.org/viewvc?view=rev&rev=1087655	Patch
36	http://secunia.com/advisories/57126
37	http://rhn.redhat.com/errata/RHSA-2012-0325.html
38	http://rhn.redhat.com/errata/RHSA-2012-0078.html
39	http://rhn.redhat.com/errata/RHSA-2012-0077.html
40	http://rhn.redhat.com/errata/RHSA-2012-0076.html
41	http://rhn.redhat.com/errata/RHSA-2012-0075.html
42	http://rhn.redhat.com/errata/RHSA-2012-0074.html
43	http://marc.info/?l=bugtraq&m=139344343412337&w=2
44	http://lists.opensuse.org/opensuse-security-announce/2012-02/msg00006.html

Common Vulnerabilities List

No	CWE	Name	URL
1	CWE-264	認可・権限・アクセス制御	https://cwe.mitre.org/data/definitions/264.html

JVN Vulnerability Information

Apache Tomcat の HTTP Digest Access Authentication 実装における完全性保護の要求を回避される脆弱性

Title	Apache Tomcat の HTTP Digest Access Authentication 実装における完全性保護の要求を回避される脆弱性
Summary	Apache Tomcat の HTTP Digest Access Authentication 実装は、qop 値をチェックしないため、完全性保護の要求を回避される脆弱性が存在します。本脆弱性は、CVE-2011-1184 とは異なる脆弱性です。
Possible impacts	第三者により、qop=auth 値を介して、完全性保護の要求を回避される可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Jan. 14, 2012, midnight
Registration Date	Jan. 17, 2012, 4:17 p.m.
Last Update	Aug. 2, 2016, 5:34 p.m.

Affected System

ヒューレット・パッカード

HP XP P9000 Performance Advisor ソフトウェア 5.4.1 およびそれ以前

Apache Software Foundation

Apache Tomcat 5.5.34 未満の 5.5.x

Apache Tomcat 6.0.33 未満の 6.x

Apache Tomcat 7.0.12 未満の 7.x

日本電気

InfoCage PCセキュリティ V1.44 以前

WebOTX Enterprise Edition V4.1 から V5.3

WebOTX Standard Edition V4.1 から V5.3

WebOTX Standard-J Edition V4.1 から V5.3

WebOTX UDDI Registry V7.1

WebOTX Web Edition V4.1 から V5.3

WebOTX Application Server Enterprise Edition V7.1 から V8.1

WebOTX Application Server Enterprise V8.2 から V8.4

WebOTX Application Server Express V8.2 から V8.4

WebOTX Application Server Foundation V8.2 から V8.4

WebOTX Application Server Standard Edition V7.1 から V8.1

WebOTX Application Server Standard V8.2 から V8.4

WebOTX Application Server Standard-J Edition V7.1 から V8.1

WebOTX Application Server Web Edition V7.1 から V8.1

WebOTX Developer V7.1 から V8.4

WebOTX Enterprise Service Bus V7.1 から V8.4

WebOTX Portal V8.2 から V8.3

WebOTX SIP Application Server Standard Edition V7.1 から V8.1

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2011-5062	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5062
National Vulnerability Database (NVD)
2	CVE-2011-5062	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-5062

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-264	https://jvndb.jvn.jp/ja/cwe/CWE-264.html

ベンダー情報

No	Name	URL
Apache Tomcat
1	security-5	http://tomcat.apache.org/security-5.html
2	security-6	http://tomcat.apache.org/security-6.html
3	security-7	http://tomcat.apache.org/security-7.html
Apache-SVN
4	1087655	http://svn.apache.org/viewvc?view=revision&revision=1087655
5	1158180	http://svn.apache.org/viewvc?view=revision&revision=1158180
6	1159309	http://svn.apache.org/viewvc?view=revision&revision=1159309
HP Security Bulletin
7	HPSBST02955	http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c04047415
NEC製品セキュリティ情報
8	NV14-008	http://jpn.nec.com/security-info/secinfo/nv14-008.html
SECURITY BLOG
9	Multiple vulnerabilities in Oracle Java Web Console - oracle_java	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_oracle_java
10	Multiple vulnerabilities in Oracle Java Web Console - oracle_java1	https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_oracle_java1

Change Log

No	Changed Details	Date of change
0	[2012年01月17日] 掲載 [2012年09月28日] ベンダ情報：オラクル (Multiple vulnerabilities in Oracle Java Web Console - oracle_java) を追加ベンダ情報：オラクル (Multiple vulnerabilities in Oracle Java Web Console - oracle_java1) を追加 [2014年12月19日] 影響を受けるシステム：ベンダ情報の追加に伴い内容を更新ベンダ情報：日本電気 (NV14-008) を追加ベンダ情報：ヒューレット・パッカード (HPSBST02955) を追加 [2016年08月02日] 影響を受けるシステム：ベンダ情報の更新に伴い内容を更新	Feb. 17, 2018, 10:37 a.m.

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:5.5.27:::::::*
cpe:2.3:a:apache:tomcat:5.5.18:::::::*
cpe:2.3:a:apache:tomcat:5.5.12:::::::*
cpe:2.3:a:apache:tomcat:5.5.14:::::::*
cpe:2.3:a:apache:tomcat:5.5.10:::::::*
cpe:2.3:a:apache:tomcat:5.5.4:::::::*
cpe:2.3:a:apache:tomcat:5.5.7:::::::*
cpe:2.3:a:apache:tomcat:5.5.1:::::::*
cpe:2.3:a:apache:tomcat:5.5.11:::::::*
cpe:2.3:a:apache:tomcat:5.5.28:::::::*
cpe:2.3:a:apache:tomcat:5.5.6:::::::*
cpe:2.3:a:apache:tomcat:5.5.26:::::::*
cpe:2.3:a:apache:tomcat:5.5.20:::::::*
cpe:2.3:a:apache:tomcat:5.5.15:::::::*
cpe:2.3:a:apache:tomcat:5.5.5:::::::*
cpe:2.3:a:apache:tomcat:5.5.30:::::::*
cpe:2.3:a:apache:tomcat:5.5.21:::::::*
cpe:2.3:a:apache:tomcat:5.5.22:::::::*
cpe:2.3:a:apache:tomcat:5.5.3:::::::*
cpe:2.3:a:apache:tomcat:5.5.32:::::::*
cpe:2.3:a:apache:tomcat:5.5.31:::::::*
cpe:2.3:a:apache:tomcat:5.5.9:::::::*
cpe:2.3:a:apache:tomcat:5.5.25:::::::*
cpe:2.3:a:apache:tomcat:5.5.33:::::::*
cpe:2.3:a:apache:tomcat:5.5.2:::::::*
cpe:2.3:a:apache:tomcat:5.5.0:::::::*
cpe:2.3:a:apache:tomcat:5.5.13:::::::*
cpe:2.3:a:apache:tomcat:5.5.24:::::::*
cpe:2.3:a:apache:tomcat:5.5.8:::::::*
cpe:2.3:a:apache:tomcat:5.5.16:::::::*
cpe:2.3:a:apache:tomcat:5.5.17:::::::*
cpe:2.3:a:apache:tomcat:5.5.29:::::::*
cpe:2.3:a:apache:tomcat:5.5.19:::::::*
cpe:2.3:a:apache:tomcat:5.5.23:::::::*

Configuration2	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:6.0.6:::::::*
cpe:2.3:a:apache:tomcat:6.0.11:::::::*
cpe:2.3:a:apache:tomcat:6.0.7:::::::*
cpe:2.3:a:apache:tomcat:6.0.4:::::::*
cpe:2.3:a:apache:tomcat:6.0.15:::::::*
cpe:2.3:a:apache:tomcat:6.0.20:::::::*
cpe:2.3:a:apache:tomcat:6.0.10:::::::*
cpe:2.3:a:apache:tomcat:6.0.31:::::::*
cpe:2.3:a:apache:tomcat:6.0.29:::::::*
cpe:2.3:a:apache:tomcat:6.0.3:::::::*
cpe:2.3:a:apache:tomcat:6.0.9:::::::*
cpe:2.3:a:apache:tomcat:6.0.24:::::::*
cpe:2.3:a:apache:tomcat:6.0.17:::::::*
cpe:2.3:a:apache:tomcat:6.0:::::::*
cpe:2.3:a:apache:tomcat:6.0.32:::::::*
cpe:2.3:a:apache:tomcat:6.0.28:::::::*
cpe:2.3:a:apache:tomcat:6.0.0:::::::*
cpe:2.3:a:apache:tomcat:6.0.14:::::::*
cpe:2.3:a:apache:tomcat:6.0.1:::::::*
cpe:2.3:a:apache:tomcat:6.0.12:::::::*
cpe:2.3:a:apache:tomcat:6.0.18:::::::*
cpe:2.3:a:apache:tomcat:6.0.5:::::::*
cpe:2.3:a:apache:tomcat:6.0.30:::::::*
cpe:2.3:a:apache:tomcat:6.0.2:::::::*
cpe:2.3:a:apache:tomcat:6.0.13:::::::*
cpe:2.3:a:apache:tomcat:6.0.26:::::::*
cpe:2.3:a:apache:tomcat:6.0.19:::::::*
cpe:2.3:a:apache:tomcat:6.0.27:::::::*
cpe:2.3:a:apache:tomcat:6.0.16:::::::*
cpe:2.3:a:apache:tomcat:6.0.8:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:apache:tomcat:7.0.8:::::::*
cpe:2.3:a:apache:tomcat:7.0.1:::::::*
cpe:2.3:a:apache:tomcat:7.0.2:::::::*
cpe:2.3:a:apache:tomcat:7.0.5:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:::::::*
cpe:2.3:a:apache:tomcat:7.0.6:::::::*
cpe:2.3:a:apache:tomcat:7.0.11:::::::*
cpe:2.3:a:apache:tomcat:7.0.0:beta::::::
cpe:2.3:a:apache:tomcat:7.0.7:::::::*
cpe:2.3:a:apache:tomcat:7.0.10:::::::*
cpe:2.3:a:apache:tomcat:7.0.9:::::::*
cpe:2.3:a:apache:tomcat:7.0.4:::::::*
cpe:2.3:a:apache:tomcat:7.0.3:::::::*