Vulnerabilities > CVE-2011-3375 - Information Exposure vulnerability in Apache Tomcat

047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
NONE
Availability impact
NONE
network
low complexity
apache
CWE-200
nessus

Summary

Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data.

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Subverting Environment Variable Values
    The attacker directly or indirectly modifies environment variables used by or controlling the target software. The attacker's goal is to cause the target software to deviate from its expected operation in a manner that benefits the attacker.
  • Footprinting
    An attacker engages in probing and exploration activity to identify constituents and properties of the target. Footprinting is a general term to describe a variety of information gathering techniques, often used by attackers in preparation for some attack. It consists of using tools to learn as much as possible about the composition, configuration, and security mechanisms of the targeted application, system or network. Information that might be collected during a footprinting effort could include open ports, applications and their versions, network topology, and similar information. While footprinting is not intended to be damaging (although certain activities, such as network scans, can sometimes cause disruptions to vulnerable applications inadvertently) it may often pave the way for more damaging attacks.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Browser Fingerprinting
    An attacker carefully crafts small snippets of Java Script to efficiently detect the type of browser the potential victim is using. Many web-based attacks need prior knowledge of the web browser including the version of browser to ensure successful exploitation of a vulnerability. Having this knowledge allows an attacker to target the victim with attacks that specifically exploit known or zero day weaknesses in the type and version of the browser used by the victim. Automating this process via Java Script as a part of the same delivery system used to exploit the browser is considered more efficient as the attacker can supply a browser fingerprinting method and integrate it with exploit code, all contained in Java Script and in response to the same web page request by the browser.
  • Session Credential Falsification through Prediction
    This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.

Nessus

  • NASL familyWeb Servers
    NASL idTOMCAT_7_0_22.NASL
    descriptionAccording to its self-reported version number, the instance of Apache Tomcat 7.x listening on the remote host is prior to 7.0.22. It is, therefore, affected by multiple vulnerabilities : - An information disclosure vulnerability exists. Request information is cached in two objects, and these objects are not recycled at the same time. Further requests can obtain sensitive information if certain error conditions occur. (CVE-2011-3375) - The web server is not properly restricting access to the servlets that provide the functionality of the Manager application. This can allow untrusted web applications to access privileged internal functionality such as gathering information on running web applications and deploying additional web applications. (CVE-2011-3376) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-03-18
    modified2011-12-12
    plugin id57082
    published2011-12-12
    reporterThis script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57082
    titleApache Tomcat 7.x < 7.0.22 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57082);
      script_version("1.16");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/11");
    
      script_cve_id("CVE-2011-3375", "CVE-2011-3376");
      script_bugtraq_id(50603, 51442);
    
      script_name(english:"Apache Tomcat 7.x < 7.0.22 Multiple Vulnerabilities");
      script_summary(english:"Checks the Apache Tomcat version.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its self-reported version number, the instance of Apache
    Tomcat 7.x listening on the remote host is prior to 7.0.22. It is,
    therefore, affected by multiple vulnerabilities :
    
      - An information disclosure vulnerability exists. Request
        information is cached in two objects, and these objects
        are not recycled at the same time. Further requests can
        obtain sensitive information if certain error conditions
        occur. (CVE-2011-3375)
    
      - The web server is not properly restricting access to
        the servlets that provide the functionality of the
        Manager application. This can allow untrusted web
        applications to access privileged internal functionality
        such as gathering information on running web
        applications and deploying additional web applications.
        (CVE-2011-3376)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      script_set_attribute(attribute:"see_also", value:"http://svn.apache.org/viewvc?view=revision&revision=1176588");
      script_set_attribute(attribute:"see_also", value:"http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.22");
      script_set_attribute(attribute:"solution", value:"Upgrade to Apache Tomcat version 7.0.22 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2011-3375");
    
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2011/11/08");
      script_set_attribute(attribute:"patch_publication_date", value:"2011/11/08");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/12/12");
    
      script_set_attribute(attribute:"plugin_type", value:"combined");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat");
      script_set_attribute(attribute:"agent", value:"all");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin");
      script_require_keys("installed_sw/Apache Tomcat");
    
      exit(0);
    }
    
    include("tomcat_version.inc");
    
    tomcat_check_version(fixed:"7.0.22", min:"7.0.0", severity:SECURITY_WARNING, granularity_regex:"^7(\.0)?$");
    
    
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201206-24.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201206-24 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Apache Tomcat. Please review the CVE identifiers referenced below for details. Impact : The vulnerabilities allow an attacker to cause a Denial of Service, to hijack a session, to bypass authentication, to inject webscript, to enumerate valid usernames, to read, modify and overwrite arbitrary files, to bypass intended access restrictions, to delete work-directory files, to discover the server&rsquo;s hostname or IP, to bypass read permissions for files or HTTP headers, to read or write files outside of the intended working directory, and to obtain sensitive information by reading a log file. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id59677
    published2012-06-25
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/59677
    titleGLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities
  • NASL familyWeb Servers
    NASL idTOMCAT_6_0_35.NASL
    descriptionAccording to its self-reported version number, the instance of Apache Tomcat 6.x listening on the remote host is prior to 6.0.35. It is, therefore, affected by multiple vulnerabilities : - Specially crafted requests are incorrectly processed by Tomcat and can cause the server to allow injection of arbitrary AJP messages. This can lead to authentication bypass and disclosure of sensitive information. (CVE-2011-3190) - An information disclosure vulnerability exists. Request information is cached in two objects and these objects are not recycled at the same time. Further requests can obtain sensitive information if certain error conditions occur. (CVE-2011-3375) - Large numbers of crafted form parameters can cause excessive CPU consumption due to hash collisions. (CVE-2011-4858, CVE-2012-0022) Note that Nessus has not tested for these issues but has instead relied only on the application
    last seen2020-03-18
    modified2011-12-12
    plugin id57080
    published2011-12-12
    reporterThis script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57080
    titleApache Tomcat 6.x < 6.0.35 Multiple Vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2012-0682.NASL
    descriptionUpdated tomcat6 packages that fix multiple security issues and three bugs are now available for JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Apache Tomcat is a servlet container. JBoss Enterprise Web Server includes the Tomcat Native library, providing Apache Portable Runtime (APR) support for Tomcat. References in this text to APR refer to the Tomcat Native implementation, not any other apr package. This update fixes the JBPAPP-4873, JBPAPP-6133, and JBPAPP-6852 bugs. It also resolves the following security issues : Multiple flaws weakened the Tomcat HTTP DIGEST authentication implementation, subjecting it to some of the weaknesses of HTTP BASIC authentication, for example, allowing remote attackers to perform session replay attacks. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064) A flaw was found in the way the Coyote (org.apache.coyote.ajp.AjpProcessor) and APR (org.apache.coyote.ajp.AjpAprProcessor) Tomcat AJP (Apache JServ Protocol) connectors processed certain POST requests. An attacker could send a specially crafted request that would cause the connector to treat the message body as a new request. This allows arbitrary AJP messages to be injected, possibly allowing an attacker to bypass a web application
    last seen2020-06-01
    modified2020-06-02
    plugin id78925
    published2014-11-08
    reporterThis script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/78925
    titleRHEL 5 / 6 : JBoss Web Server (RHSA-2012:0682)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2012-129.NASL
    descriptionTomcat was vulnerable to a hash collision attack which allowed remote attackers to mount DoS attacks.
    last seen2020-06-05
    modified2014-06-13
    plugin id74554
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/74554
    titleopenSUSE Security Update : tomcat6 (openSUSE-2012-129)
  • NASL familyVMware ESX Local Security Checks
    NASL idVMWARE_VMSA-2012-0005.NASL
    descriptiona. VMware Tools Display Driver Privilege Escalation The VMware XPDM and WDDM display drivers contain buffer overflow vulnerabilities and the XPDM display driver does not properly check for NULL pointers. Exploitation of these issues may lead to local privilege escalation on Windows-based Guest Operating Systems. VMware would like to thank Tarjei Mandt for reporting theses issues to us. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2012-1509 (XPDM buffer overrun), CVE-2012-1510 (WDDM buffer overrun) and CVE-2012-1508 (XPDM null pointer dereference) to these issues. Note: CVE-2012-1509 doesn
    last seen2020-06-01
    modified2020-06-02
    plugin id58362
    published2012-03-16
    reporterThis script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/58362
    titleVMSA-2012-0005 : VMware vCenter Server, Orchestrator, Update Manager, vShield, vSphere Client, Workstation, Player, ESXi, and ESX address several security issues
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS11_TOMCAT_20120404.NASL
    descriptionThe remote Solaris system is missing necessary patches to address security updates : - Apache Tomcat 6.0.30 through 6.0.33 and 7.x before 7.0.22 does not properly perform certain caching and recycling operations involving request objects, which allows remote attackers to obtain unintended read access to IP address and HTTP header information in opportunistic circumstances by reading TCP data. (CVE-2011-3375)
    last seen2020-06-01
    modified2020-06-02
    plugin id80789
    published2015-01-19
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80789
    titleOracle Solaris Third-Party Patch Update : tomcat (cve_2011_3375_information_disclosure)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1359-1.NASL
    descriptionIt was discovered that Tomcat incorrectly performed certain caching and recycling operations. A remote attacker could use this flaw to obtain read access to IP address and HTTP header information in certain cases. This issue only applied to Ubuntu 11.10. (CVE-2011-3375) It was discovered that Tomcat computed hash values for form parameters without restricting the ability to trigger hash collisions predictably. A remote attacker could cause a denial of service by sending many crafted parameters. (CVE-2011-4858) It was discovered that Tomcat incorrectly handled parameters. A remote attacker could cause a denial of service by sending requests with a large number of parameters and values. (CVE-2012-0022). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id57933
    published2012-02-14
    reporterUbuntu Security Notice (C) 2012-2019 Canonical, Inc. / NASL script (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57933
    titleUbuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : tomcat6 vulnerabilities (USN-1359-1)
  • NASL familyMisc.
    NASL idVMWARE_VMSA-2012-0005_REMOTE.NASL
    descriptionThe remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components : - Apache Tomcat - bzip2 library - JRE - WDDM display driver - XPDM display driver
    last seen2020-06-01
    modified2020-06-02
    plugin id89106
    published2016-03-03
    reporterThis script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/89106
    titleVMware ESX / ESXi Multiple Vulnerabilities (VMSA-2012-0005) (BEAST) (remote check)
  • NASL familyMisc.
    NASL idVMWARE_VCENTER_VMSA-2012-0005.NASL
    descriptionThe version of VMware vCenter Server installed on the remote host is 4.0 before Update 4a, 4.1 before Update 3, or 5.0 before Update 1. As such it is potentially affected by multiple vulnerabilities in the embedded Apache Tomcat server and the Oracle (Sun) Java Runtime Environment.
    last seen2020-06-01
    modified2020-06-02
    plugin id66812
    published2013-06-05
    reporterThis script is Copyright (C) 2013-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/66812
    titleVMware vCenter Server Multiple Vulnerabilities (VMSA-2012-0005)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-2401.NASL
    descriptionSeveral vulnerabilities have been found in Tomcat, a servlet and JSP engine : - CVE-2011-1184 CVE-2011-5062 CVE-2011-5063 CVE-2011-5064 The HTTP Digest Access Authentication implementation performed insufficient countermeasures against replay attacks. - CVE-2011-2204 In rare setups passwords were written into a logfile. - CVE-2011-2526 Missing input sanitising in the HTTP APR or HTTP NIO connectors could lead to denial of service. - CVE-2011-3190 AJP requests could be spoofed in some setups. - CVE-2011-3375 Incorrect request caching could lead to information disclosure. - CVE-2011-4858 CVE-2012-0022 This update adds countermeasures against a collision denial of service vulnerability in the Java hashtable implementation and addresses denial of service potentials when processing large amounts of requests. Additional information can be found at
    last seen2020-03-17
    modified2012-02-03
    plugin id57812
    published2012-02-03
    reporterThis script is Copyright (C) 2012-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/57812
    titleDebian DSA-2401-1 : tomcat6 - several vulnerabilities

Redhat

rpms
  • tomcat6-0:6.0.32-24_patch_07.ep5.el5
  • tomcat6-0:6.0.32-24_patch_07.ep5.el6
  • tomcat6-admin-webapps-0:6.0.32-24_patch_07.ep5.el5
  • tomcat6-admin-webapps-0:6.0.32-24_patch_07.ep5.el6
  • tomcat6-docs-webapp-0:6.0.32-24_patch_07.ep5.el5
  • tomcat6-docs-webapp-0:6.0.32-24_patch_07.ep5.el6
  • tomcat6-el-1.0-api-0:6.0.32-24_patch_07.ep5.el5
  • tomcat6-el-1.0-api-0:6.0.32-24_patch_07.ep5.el6
  • tomcat6-javadoc-0:6.0.32-24_patch_07.ep5.el5
  • tomcat6-javadoc-0:6.0.32-24_patch_07.ep5.el6
  • tomcat6-jsp-2.1-api-0:6.0.32-24_patch_07.ep5.el5
  • tomcat6-jsp-2.1-api-0:6.0.32-24_patch_07.ep5.el6
  • tomcat6-lib-0:6.0.32-24_patch_07.ep5.el5
  • tomcat6-lib-0:6.0.32-24_patch_07.ep5.el6
  • tomcat6-log4j-0:6.0.32-24_patch_07.ep5.el5
  • tomcat6-log4j-0:6.0.32-24_patch_07.ep5.el6
  • tomcat6-servlet-2.5-api-0:6.0.32-24_patch_07.ep5.el5
  • tomcat6-servlet-2.5-api-0:6.0.32-24_patch_07.ep5.el6
  • tomcat6-webapps-0:6.0.32-24_patch_07.ep5.el5
  • tomcat6-webapps-0:6.0.32-24_patch_07.ep5.el6

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 51442 CVE ID: CVE-2011-3375 Apache Tomcat是一个流行的开放源码的JSP应用服务器程序。 Apache Tomcat在实现上存在安全限制绕过漏洞,成功利用后可允许攻击者绕过某些安全策略限制。 0 Apache Group Tomcat 7.x Apache Group Tomcat 6.x 厂商补丁: Apache Group ------------ 目前厂商已经发布了升级补丁以修复这个安全问题,请到厂商的主页下载: http://jakarta.apache.org/tomcat/index.html
    idSSV:30076
    last seen2017-11-19
    modified2012-02-04
    published2012-02-04
    reporterRoot
    titleApache Tomcat请求对象安全限制绕过漏洞
  • bulletinFamilyexploit
    descriptionNo description provided by source.
    idSSV:30034
    last seen2017-11-19
    modified2012-01-18
    published2012-01-18
    reporterRoot
    sourcehttps://www.seebug.org/vuldb/ssvid-30034
    titleApache Tomcat Request Information Disclosure