DOE-CIRC TECHNICAL BULLETIN

T-153: Apache Tomcat Form Authentication Existing/Non-Existing Username Enumeration Weakness

[CVE-2009-0580]

June 4, 2009 14:00 GMT

PROBLEM: Apache Tomcat is prone to a username-enumeration weakness because it displays different responses to login attempts, depending on whether or not the username exists.
PLATFORM: Tomcat 4.1.x (prior to 4.1.40); Tomcat 5.5.x (prior to 5.5.28); Tomcat 6.0.x (prior to 6.0.20). The unsupported Tomcat 3.x, 4.0.x and 5.0.x versions may also be affected.
ABSTRACT: Tomcat allows for the enumeration (brute force testing) of usernames by supplying illegally URL encoded passwords.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-153.shtml
  OTHER LINKS:
    Security Focus
      http://www.securityfocus.com/bid/35196/info
      http://www.securityfocus.com/archive/1/504045
    Apache Tomcat
      http://tomcat.apache.org/security.html

CVE: CVE-2009-0580

IMPACT ASSESSMENT: This risk is low. Attackers may exploit this weakness to discern valid usernames, which may aid them in brute-force password cracking or other attacks.

[***** Start CVE-2009-0580 *****]

Discussion:
Apache Tomcat is prone to a username-enumeration weakness because it displays different responses to login attempts,
depending on whether or not the username exists. Attackers may exploit this weakness to discern valid usernames, which
may aid them in brute-force password cracking or other attacks. Tomcat allows for the enumeration (brute-force testing)
of usernames by supplying illegally URL-encoded passwords. The attack is possible if form-based authentication
(j_security_check) is used with one of the following authentication realms:

- MemoryRealm
- DataSourceRealm
- JDBCRealm

Attackers can use readily available tools to exploit this issue. The following example POST data illustrates the
weakness: the request should trigger an error (500 server error or empty response, depending on the configuration)
if the ROOT web application is configured to use FORM authentication and the supplied username exists:

POST /j_security_check HTTP/1.1
Host: localhost

j_username=tomcat&j_password=%
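The following Python model is added here and is not part of the DOE-CIRC bulletin or of the Tomcat code base. It shows how an error raised only on the "username exists" path turns the malformed password above into a username oracle, and the uniform-response handling that removes the difference. The in-memory realm, the handler names and the "look up the user before decoding the password" ordering are constructed assumptions for illustration, not a description of Tomcat's internals.

```python
"""Added example (not from the bulletin or Tomcat): a login handler whose
error path depends on whether the username exists, beside a hardened one
that validates every parameter first and answers uniformly."""
import hashlib
import hmac
import re
from urllib.parse import unquote

# Constructed in-memory realm (assumption): username -> SHA-256 of the password.
REALM = {"tomcat": hashlib.sha256(b"s3cret").hexdigest()}
# Dummy hash used when the user is unknown, so both branches do the same work.
_DUMMY_HASH = hashlib.sha256(b"dummy").hexdigest()

# A '%' not followed by two hex digits is an illegal percent escape.
_BAD_ESCAPE = re.compile(r"%(?![0-9A-Fa-f]{2})")


def strict_unquote(value: str) -> str:
    """Decode a form-encoded value, rejecting malformed percent escapes.
    urllib's unquote silently keeps a lone '%'; this decoder raises instead,
    standing in for the failing decoder the bulletin's request exercises."""
    if _BAD_ESCAPE.search(value):
        raise ValueError("malformed percent-encoding in form parameter")
    return unquote(value.replace("+", " "))


def _check_password(username: str, password: str) -> bool:
    """Constant-time comparison against the stored hash (or a dummy hash when
    the user is unknown) so the work done does not depend on the username."""
    stored = REALM.get(username, _DUMMY_HASH)
    presented = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, presented) and username in REALM


def vulnerable_login(raw_user: str, raw_password: str) -> int:
    """Assumed shape of the weakness: the realm is consulted BEFORE the
    password is decoded, so a malformed password only reaches the failing
    decoder when the username exists. Returns an HTTP status code."""
    username = unquote(raw_user)
    if username not in REALM:
        return 401                                  # unknown user: clean failure
    password = strict_unquote(raw_password)         # raises for "%" -> 500 only here
    return 200 if _check_password(username, password) else 401


def hardened_login(raw_user: str, raw_password: str) -> int:
    """Validate and decode every parameter before consulting the realm, and map
    any input failure to the same response as a wrong password."""
    try:
        username = strict_unquote(raw_user)
        password = strict_unquote(raw_password)
    except ValueError:
        return 401                                  # same answer for every username
    return 200 if _check_password(username, password) else 401


def serve(handler, raw_user: str, raw_password: str) -> int:
    """Minimal stand-in for the container: an unhandled exception becomes 500."""
    try:
        return handler(raw_user, raw_password)
    except Exception:
        return 500


def username_oracle_present(handler, known_user: str = "tomcat",
                            unknown_user: str = "nobody", probe: str = "%") -> bool:
    """Defender's self-check: does the handler answer differently for an existing
    and a non-existing username when given the bulletin's '%' password?"""
    return serve(handler, known_user, probe) != serve(handler, unknown_user, probe)


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        print(f"{name}: existing user -> {serve(handler, 'tomcat', '%')}, "
              f"unknown user -> {serve(handler, 'nobody', '%')}, "
              f"oracle present: {username_oracle_present(handler)}")
```

The status code chosen for malformed input matters less than its independence from the username: answering 400 to every malformed j_password would be equally safe, while answering 500 only when the realm lookup succeeded is the weakness the bulletin describes. The dummy-hash comparison in `_check_password` is an added refinement that also evens out the work done on the two paths.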

Solution:
6.0.x users should do one of the following:
- upgrade to 6.0.20
- apply this patch http://svn.apache.org/viewvc?rev=747840&view=rev

5.5.x users should do one of the following:
- upgrade to 5.5.28 when released
- apply this patch http://svn.apache.org/viewvc?rev=781379&view=rev

4.1.x users should do one of the following:
- upgrade to 4.1.40 when released
- apply this patch http://svn.apache.org/viewvc?rev=781382&view=rev


[***** End CVE-2009-0580 *****]

DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:           866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788