CVE-2012-4431

Publication date 19 December 2012

Last updated 24 July 2024

Ubuntu priority

org/apache/catalina/filters/CsrfPreventionFilter.java in Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32 allows remote attackers to bypass the cross-site request forgery (CSRF) protection mechanism via a request that lacks a session identifier.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
tomcat6	13.04 raring	Not affected
	12.10 quantal	Fixed 6.0.35-5ubuntu0.1
	12.04 LTS precise	Fixed 6.0.35-1ubuntu3.2
	11.10 oneiric	Fixed 6.0.32-5ubuntu1.4
	10.04 LTS lucid	Not affected
	8.04 LTS hardy	Not in release
tomcat7	13.04 raring	Not affected
	12.10 quantal	Fixed 7.0.30-0ubuntu1.1
	12.04 LTS precise	Fixed 7.0.26-1ubuntu1.2
	11.10 oneiric	Fixed 7.0.21-1ubuntu0.1
	10.04 LTS lucid	Not in release
	8.04 LTS hardy	Not in release

Notes

seth-arnold

tomcat6 on 10.04 LTS does not have this file nor function: the CSRF protection was consolidated after 10.04 LTS.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
tomcat6	Upstream: http://svn.apache.org/viewvc?view=revision&revision=1394456
tomcat7	Upstream: http://svn.apache.org/viewvc?view=revision&revision=1393088

References

Related Ubuntu Security Notices (USN)