Vulnerabilities > CVE-2014-7810 - Improper Access Control vulnerability in multiple products
Attack vector
UNKNOWN Attack complexity
UNKNOWN Privileges required
UNKNOWN Confidentiality impact
UNKNOWN Integrity impact
UNKNOWN Availability impact
UNKNOWN Summary
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Embedding Scripts within Scripts An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
- Signature Spoofing by Key Theft An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Nessus
NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2654-1.NASL description It was discovered that the Tomcat XML parser incorrectly handled XML External Entities (XXE). A remote attacker could possibly use this issue to read arbitrary files. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0119) It was discovered that Tomcat incorrectly handled data with malformed chunked transfer coding. A remote attacker could possibly use this issue to conduct HTTP request smuggling attacks, or cause Tomcat to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0227) It was discovered that Tomcat incorrectly handled HTTP responses occurring before the entire request body was finished being read. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0230) It was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a SecurityManager protection mechanism. (CVE-2014-7810). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 84429 published 2015-06-26 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84429 title Ubuntu 14.04 LTS / 14.10 / 15.04 : tomcat7 vulnerabilities (USN-2654-1) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Ubuntu Security Notice USN-2654-1. The text # itself is copyright (C) Canonical, Inc. See # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered # trademark of Canonical, Inc. # include("compat.inc"); if (description) { script_id(84429); script_version("2.13"); script_cvs_date("Date: 2019/09/18 12:31:44"); script_cve_id("CVE-2014-0119", "CVE-2014-0227", "CVE-2014-0230", "CVE-2014-7810"); script_bugtraq_id(67669, 72717, 74475, 74665); script_xref(name:"USN", value:"2654-1"); script_name(english:"Ubuntu 14.04 LTS / 14.10 / 15.04 : tomcat7 vulnerabilities (USN-2654-1)"); script_summary(english:"Checks dpkg output for updated package."); script_set_attribute( attribute:"synopsis", value:"The remote Ubuntu host is missing a security-related patch." ); script_set_attribute( attribute:"description", value: "It was discovered that the Tomcat XML parser incorrectly handled XML External Entities (XXE). A remote attacker could possibly use this issue to read arbitrary files. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0119) It was discovered that Tomcat incorrectly handled data with malformed chunked transfer coding. A remote attacker could possibly use this issue to conduct HTTP request smuggling attacks, or cause Tomcat to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0227) It was discovered that Tomcat incorrectly handled HTTP responses occurring before the entire request body was finished being read. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0230) It was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a SecurityManager protection mechanism. (CVE-2014-7810). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://usn.ubuntu.com/2654-1/" ); script_set_attribute( attribute:"solution", value:"Update the affected libtomcat7-java package." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libtomcat7-java"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.04"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:14.10"); script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:15.04"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/05/31"); script_set_attribute(attribute:"patch_publication_date", value:"2015/06/25"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/06/26"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Ubuntu Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("ubuntu.inc"); include("misc_func.inc"); if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/Ubuntu/release"); if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu"); release = chomp(release); if (! preg(pattern:"^(14\.04|14\.10|15\.04)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 14.04 / 14.10 / 15.04", "Ubuntu " + release); if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu); flag = 0; if (ubuntu_check(osver:"14.04", pkgname:"libtomcat7-java", pkgver:"7.0.52-1ubuntu0.3")) flag++; if (ubuntu_check(osver:"14.10", pkgname:"libtomcat7-java", pkgver:"7.0.55-1ubuntu0.2")) flag++; if (ubuntu_check(osver:"15.04", pkgname:"libtomcat7-java", pkgver:"7.0.56-2ubuntu0.1")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : ubuntu_report_get() ); exit(0); } else { tested = ubuntu_pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "libtomcat7-java"); }NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2016-656.NASL description It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made. (CVE-2014-0230) last seen 2020-06-01 modified 2020-06-02 plugin id 89837 published 2016-03-11 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89837 title Amazon Linux AMI : tomcat6 (ALAS-2016-656) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Amazon Linux AMI Security Advisory ALAS-2016-656. # include("compat.inc"); if (description) { script_id(89837); script_version("2.2"); script_cvs_date("Date: 2018/04/18 15:09:35"); script_cve_id("CVE-2014-0230", "CVE-2014-7810"); script_xref(name:"ALAS", value:"2016-656"); script_name(english:"Amazon Linux AMI : tomcat6 (ALAS-2016-656)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Amazon Linux AMI host is missing a security update." ); script_set_attribute( attribute:"description", value: "It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made. (CVE-2014-0230)" ); script_set_attribute( attribute:"see_also", value:"https://alas.aws.amazon.com/ALAS-2016-656.html" ); script_set_attribute( attribute:"solution", value:"Run 'yum update tomcat6' to update your system." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-admin-webapps"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-docs-webapp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-el-2.1-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-javadoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-jsp-2.1-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-lib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-servlet-2.5-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-webapps"); script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/10"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/11"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc."); script_family(english:"Amazon Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/AmazonLinux/release"); if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux"); os_ver = pregmatch(pattern: "^AL(A|\d)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux"); os_ver = os_ver[1]; if (os_ver != "A") { if (os_ver == 'A') os_ver = 'AMI'; audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver); } if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (rpm_check(release:"ALA", reference:"tomcat6-6.0.44-1.3.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"tomcat6-admin-webapps-6.0.44-1.3.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"tomcat6-docs-webapp-6.0.44-1.3.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"tomcat6-el-2.1-api-6.0.44-1.3.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"tomcat6-javadoc-6.0.44-1.3.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"tomcat6-jsp-2.1-api-6.0.44-1.3.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"tomcat6-lib-6.0.44-1.3.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"tomcat6-servlet-2.5-api-6.0.44-1.3.amzn1")) flag++; if (rpm_check(release:"ALA", reference:"tomcat6-webapps-6.0.44-1.3.amzn1")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get()); else security_hole(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat6 / tomcat6-admin-webapps / tomcat6-docs-webapp / etc"); }NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-2046.NASL description An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security. last seen 2020-06-01 modified 2020-06-02 plugin id 93966 published 2016-10-12 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93966 title CentOS 7 : tomcat (CESA-2016:2046) (httpoxy) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2016:2046 and # CentOS Errata and Security Advisory 2016:2046 respectively. # include("compat.inc"); if (description) { script_id(93966); script_version("2.12"); script_cvs_date("Date: 2020/01/02"); script_cve_id("CVE-2014-7810", "CVE-2015-5346", "CVE-2016-5388", "CVE-2016-5425", "CVE-2016-6325"); script_xref(name:"RHSA", value:"2016:2046"); script_name(english:"CentOS 7 : tomcat (CESA-2016:2046) (httpoxy)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote CentOS host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security." ); # https://lists.centos.org/pipermail/centos-announce/2016-October/022121.html script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?1f6eee75" ); script_set_attribute( attribute:"solution", value:"Update the affected tomcat packages." ); script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5425"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tomcat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tomcat-admin-webapps"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tomcat-docs-webapp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tomcat-el-2.2-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tomcat-javadoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tomcat-jsp-2.2-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tomcat-jsvc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tomcat-lib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tomcat-servlet-3.0-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:tomcat-webapps"); script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/06/07"); script_set_attribute(attribute:"patch_publication_date", value:"2016/10/11"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/10/12"); script_set_attribute(attribute:"in_the_news", value:"true"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"CentOS Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/CentOS/release"); if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS"); os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 7.x", "CentOS " + os_ver); if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu); flag = 0; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"tomcat-7.0.54-8.el7_2")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"tomcat-admin-webapps-7.0.54-8.el7_2")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"tomcat-docs-webapp-7.0.54-8.el7_2")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"tomcat-el-2.2-api-7.0.54-8.el7_2")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"tomcat-javadoc-7.0.54-8.el7_2")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"tomcat-jsp-2.2-api-7.0.54-8.el7_2")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"tomcat-jsvc-7.0.54-8.el7_2")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"tomcat-lib-7.0.54-8.el7_2")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"tomcat-servlet-3.0-api-7.0.54-8.el7_2")) flag++; if (rpm_check(release:"CentOS-7", cpu:"x86_64", reference:"tomcat-webapps-7.0.54-8.el7_2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc"); }NASL family Scientific Linux Local Security Checks NASL id SL_20160323_TOMCAT6_ON_SL6_X.NASL description It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) This update also fixes the following bug : - Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 servlet resulted in a large memory leak. An upstream patch has been applied to fix this bug, and the memory leak no longer occurs. Tomcat must be restarted for this update to take effect. last seen 2020-03-18 modified 2016-03-24 plugin id 90146 published 2016-03-24 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90146 title Scientific Linux Security Update : tomcat6 on SL6.x i386/x86_64 (20160323) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(90146); script_version("2.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/25"); script_cve_id("CVE-2014-7810"); script_name(english:"Scientific Linux Security Update : tomcat6 on SL6.x i386/x86_64 (20160323)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) This update also fixes the following bug : - Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 servlet resulted in a large memory leak. An upstream patch has been applied to fix this bug, and the memory leak no longer occurs. Tomcat must be restarted for this update to take effect." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1603&L=scientific-linux-errata&F=&S=&P=13333 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?3f15523e" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat6-admin-webapps"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat6-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat6-docs-webapp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat6-el-2.1-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat6-javadoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat6-jsp-2.1-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat6-lib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat6-servlet-2.5-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat6-webapps"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2015/06/07"); script_set_attribute(attribute:"patch_publication_date", value:"2016/03/23"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/03/24"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL6", reference:"tomcat6-6.0.24-94.el6_7")) flag++; if (rpm_check(release:"SL6", reference:"tomcat6-admin-webapps-6.0.24-94.el6_7")) flag++; if (rpm_check(release:"SL6", reference:"tomcat6-debuginfo-6.0.24-94.el6_7")) flag++; if (rpm_check(release:"SL6", reference:"tomcat6-docs-webapp-6.0.24-94.el6_7")) flag++; if (rpm_check(release:"SL6", reference:"tomcat6-el-2.1-api-6.0.24-94.el6_7")) flag++; if (rpm_check(release:"SL6", reference:"tomcat6-javadoc-6.0.24-94.el6_7")) flag++; if (rpm_check(release:"SL6", reference:"tomcat6-jsp-2.1-api-6.0.24-94.el6_7")) flag++; if (rpm_check(release:"SL6", reference:"tomcat6-lib-6.0.24-94.el6_7")) flag++; if (rpm_check(release:"SL6", reference:"tomcat6-servlet-2.5-api-6.0.24-94.el6_7")) flag++; if (rpm_check(release:"SL6", reference:"tomcat6-webapps-6.0.24-94.el6_7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat6 / tomcat6-admin-webapps / tomcat6-debuginfo / etc"); }NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3447.NASL description It was discovered that malicious web applications could use the Expression Language to bypass protections of a Security Manager as expressions were evaluated within a privileged code section. last seen 2020-06-01 modified 2020-06-02 plugin id 87979 published 2016-01-19 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87979 title Debian DSA-3447-1 : tomcat7 - security update code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DSA-3447. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(87979); script_version("2.7"); script_cvs_date("Date: 2018/11/10 11:49:37"); script_cve_id("CVE-2014-7810"); script_xref(name:"DSA", value:"3447"); script_name(english:"Debian DSA-3447-1 : tomcat7 - security update"); script_summary(english:"Checks dpkg output for the updated package"); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security-related update." ); script_set_attribute( attribute:"description", value: "It was discovered that malicious web applications could use the Expression Language to bypass protections of a Security Manager as expressions were evaluated within a privileged code section." ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2013-4444" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-0075" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-0099" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-0227" ); script_set_attribute( attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2014-0230" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/wheezy/tomcat7" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/jessie/tomcat7" ); script_set_attribute( attribute:"see_also", value:"https://www.debian.org/security/2016/dsa-3447" ); script_set_attribute( attribute:"solution", value: "Upgrade the tomcat7 packages. For the oldstable distribution (wheezy), this problem has been fixed in version 7.0.28-4+deb7u3. This update also provides fixes for CVE-2013-4444, CVE-2014-0075, CVE-2014-0099, CVE-2014-0227 and CVE-2014-0230, which were all fixed for the stable distribution (jessie) already. For the stable distribution (jessie), this problem has been fixed in version 7.0.56-3+deb8u1." ); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat7"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:7.0"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0"); script_set_attribute(attribute:"patch_publication_date", value:"2016/01/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2016/01/19"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"7.0", prefix:"libservlet3.0-java", reference:"7.0.28-4+deb7u3")) flag++; if (deb_check(release:"7.0", prefix:"libservlet3.0-java-doc", reference:"7.0.28-4+deb7u3")) flag++; if (deb_check(release:"7.0", prefix:"libtomcat7-java", reference:"7.0.28-4+deb7u3")) flag++; if (deb_check(release:"7.0", prefix:"tomcat7", reference:"7.0.28-4+deb7u3")) flag++; if (deb_check(release:"7.0", prefix:"tomcat7-admin", reference:"7.0.28-4+deb7u3")) flag++; if (deb_check(release:"7.0", prefix:"tomcat7-common", reference:"7.0.28-4+deb7u3")) flag++; if (deb_check(release:"7.0", prefix:"tomcat7-docs", reference:"7.0.28-4+deb7u3")) flag++; if (deb_check(release:"7.0", prefix:"tomcat7-examples", reference:"7.0.28-4+deb7u3")) flag++; if (deb_check(release:"7.0", prefix:"tomcat7-user", reference:"7.0.28-4+deb7u3")) flag++; if (deb_check(release:"8.0", prefix:"libservlet3.0-java", reference:"7.0.56-3+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libservlet3.0-java-doc", reference:"7.0.56-3+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"libtomcat7-java", reference:"7.0.56-3+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"tomcat7", reference:"7.0.56-3+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"tomcat7-admin", reference:"7.0.56-3+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"tomcat7-common", reference:"7.0.56-3+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"tomcat7-docs", reference:"7.0.56-3+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"tomcat7-examples", reference:"7.0.56-3+deb8u1")) flag++; if (deb_check(release:"8.0", prefix:"tomcat7-user", reference:"7.0.56-3+deb8u1")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get()); else security_warning(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Debian Local Security Checks NASL id DEBIAN_DLA-232.NASL description The following vulnerabilities were found in Apache Tomcat 6 : CVE-2014-0227 The Tomcat security team identified that it was possible to conduct HTTP request smuggling attacks or cause a DoS by streaming malformed data. CVE-2014-0230 AntBean@secdig, from the Baidu Security Team, disclosed that it was possible to cause a limited DoS attack by feeding data by aborting an upload. CVE-2014-7810 The Tomcat security team identified that malicious web applications could bypass the Security Manager by the use of expression language. For Debian 6 last seen 2020-03-17 modified 2015-05-29 plugin id 83887 published 2015-05-29 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/83887 title Debian DLA-232-1 : tomcat6 security update code #%NASL_MIN_LEVEL 80502 # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Debian Security Advisory DLA-232-1. The text # itself is copyright (C) Software in the Public Interest, Inc. # include("compat.inc"); if (description) { script_id(83887); script_version("2.13"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12"); script_cve_id("CVE-2014-0227", "CVE-2014-0230", "CVE-2014-7810"); script_bugtraq_id(72717, 74475, 74665); script_name(english:"Debian DLA-232-1 : tomcat6 security update"); script_summary(english:"Checks dpkg output for the updated packages."); script_set_attribute( attribute:"synopsis", value:"The remote Debian host is missing a security update." ); script_set_attribute( attribute:"description", value: "The following vulnerabilities were found in Apache Tomcat 6 : CVE-2014-0227 The Tomcat security team identified that it was possible to conduct HTTP request smuggling attacks or cause a DoS by streaming malformed data. CVE-2014-0230 AntBean@secdig, from the Baidu Security Team, disclosed that it was possible to cause a limited DoS attack by feeding data by aborting an upload. CVE-2014-7810 The Tomcat security team identified that malicious web applications could bypass the Security Manager by the use of expression language. For Debian 6 'Squeeze', these issues have been fixed in tomcat6 version 6.0.41-2+squeeze7. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues." ); script_set_attribute( attribute:"see_also", value:"https://lists.debian.org/debian-lts-announce/2015/05/msg00016.html" ); script_set_attribute( attribute:"see_also", value:"https://packages.debian.org/source/squeeze-lts/tomcat6" ); script_set_attribute(attribute:"solution", value:"Upgrade the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libservlet2.4-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libservlet2.5-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libservlet2.5-java-doc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libtomcat6-java"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-admin"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-common"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-docs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-examples"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-extras"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat6-user"); script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:6.0"); script_set_attribute(attribute:"patch_publication_date", value:"2015/05/28"); script_set_attribute(attribute:"plugin_publication_date", value:"2015/05/29"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2015-2020 Tenable Network Security, Inc."); script_family(english:"Debian Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l"); exit(0); } include("audit.inc"); include("debian_package.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian"); if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING); flag = 0; if (deb_check(release:"6.0", prefix:"libservlet2.4-java", reference:"6.0.41-2+squeeze7")) flag++; if (deb_check(release:"6.0", prefix:"libservlet2.5-java", reference:"6.0.41-2+squeeze7")) flag++; if (deb_check(release:"6.0", prefix:"libservlet2.5-java-doc", reference:"6.0.41-2+squeeze7")) flag++; if (deb_check(release:"6.0", prefix:"libtomcat6-java", reference:"6.0.41-2+squeeze7")) flag++; if (deb_check(release:"6.0", prefix:"tomcat6", reference:"6.0.41-2+squeeze7")) flag++; if (deb_check(release:"6.0", prefix:"tomcat6-admin", reference:"6.0.41-2+squeeze7")) flag++; if (deb_check(release:"6.0", prefix:"tomcat6-common", reference:"6.0.41-2+squeeze7")) flag++; if (deb_check(release:"6.0", prefix:"tomcat6-docs", reference:"6.0.41-2+squeeze7")) flag++; if (deb_check(release:"6.0", prefix:"tomcat6-examples", reference:"6.0.41-2+squeeze7")) flag++; if (deb_check(release:"6.0", prefix:"tomcat6-extras", reference:"6.0.41-2+squeeze7")) flag++; if (deb_check(release:"6.0", prefix:"tomcat6-user", reference:"6.0.41-2+squeeze7")) flag++; if (flag) { if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get()); else security_hole(0); exit(0); } else audit(AUDIT_HOST_NOT, "affected");NASL family Web Servers NASL id TOMCAT_8_0_17.NASL description According to its self-reported version number, the Apache Tomcat server listening on the remote host is 8.0.x prior to 8.0.17. It is, therefore, affected by a security bypass vulnerability due to a flaw that occurs when handling expression language. A remote attacker can exploit this, via a crafted web application, to bypass the security manager protection and execute arbitrary code. Note that Nessus has not attempted to exploit this issue but has instead relied only on the application last seen 2020-03-18 modified 2015-05-21 plugin id 83765 published 2015-05-21 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83765 title Apache Tomcat 8.0.x < 8.0.17 Security Manager Bypass NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_25E0593D13C011E59AFB3C970E169BC2.NASL description Apache Software Foundation reports : Low: Denial of Service CVE-2014-0230 When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection. Moderate: Security Manager bypass CVE-2014-7810 Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section. last seen 2020-06-01 modified 2020-06-02 plugin id 84201 published 2015-06-16 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84201 title FreeBSD : tomcat -- multiple vulnerabilities (25e0593d-13c0-11e5-9afb-3c970e169bc2) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-2046.NASL description From Red Hat Security Advisory 2016:2046 : An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security. last seen 2020-06-01 modified 2020-06-02 plugin id 93948 published 2016-10-11 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93948 title Oracle Linux 7 : tomcat (ELSA-2016-2046) (httpoxy) NASL family Web Servers NASL id TOMCAT_6_0_44.NASL description According to its self-reported version number, the Apache Tomcat service listening on the remote host is 6.0.x prior to 6.0.44. It is, therefore, affected by multiple vulnerabilities : - An error exists due to a failure to limit the size of discarded requests. A remote attacker can exploit this to exhaust available memory resources, resulting in a denial of service condition. (CVE-2014-0230) - A NULL pointer dereference flaw exists when the SSLv3 option isn last seen 2020-04-30 modified 2015-05-15 plugin id 83490 published 2015-05-15 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83490 title Apache Tomcat 6.0.x < 6.0.44 Multiple Vulnerabilities (FREAK) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-0492.NASL description From Red Hat Security Advisory 2016:0492 : Updated tomcat6 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) This update also fixes the following bug : * Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 servlet resulted in a large memory leak. An upstream patch has been applied to fix this bug, and the memory leak no longer occurs. (BZ#1301646) All Tomcat 6 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 90111 published 2016-03-23 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90111 title Oracle Linux 6 : tomcat6 (ELSA-2016-0492) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2016-657.NASL description A directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. (CVE-2015-5174) A session fixation vulnerability was discovered that might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request when different session settings are used for deployments of multiple versions of the same web application. (CVE-2015-5346) It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) last seen 2020-06-01 modified 2020-06-02 plugin id 89838 published 2016-03-11 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89838 title Amazon Linux AMI : tomcat7 (ALAS-2016-657) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-0492.NASL description Updated tomcat6 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) This update also fixes the following bug : * Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 servlet resulted in a large memory leak. An upstream patch has been applied to fix this bug, and the memory leak no longer occurs. (BZ#1301646) All Tomcat 6 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 90115 published 2016-03-23 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90115 title RHEL 6 : tomcat6 (RHSA-2016:0492) NASL family Scientific Linux Local Security Checks NASL id SL_20161010_TOMCAT_ON_SL7_X.NASL description Security Fix(es) : - It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) - It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) - It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) - It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) - A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) last seen 2020-03-18 modified 2016-10-12 plugin id 94005 published 2016-10-12 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94005 title Scientific Linux Security Update : tomcat on SL7.x (noarch) (20161010) (httpoxy) NASL family Web Servers NASL id TOMCAT_7_0_59.NASL description According to its self-reported version number, the Apache Tomcat server listening on the remote host is 7.0.x prior to 7.0.59. It is, therefore, affected by a security bypass vulnerability due to a flaw that occurs when handling expression language. A remote attacker can exploit this, via a crafted web application, to bypass the security manager protection and execute arbitrary code. Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-03-18 modified 2015-05-21 plugin id 83764 published 2015-05-21 reporter This script is Copyright (C) 2015-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83764 title Apache Tomcat 7.0.x < 7.0.59 Security Manager Bypass NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3428.NASL description It was discovered that malicious web applications could use the Expression Language to bypass protections of a Security Manager as expressions were evaluated within a privileged code section. last seen 2020-06-01 modified 2020-06-02 plugin id 87511 published 2015-12-21 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/87511 title Debian DSA-3428-1 : tomcat8 - security update NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3530.NASL description Multiple security vulnerabilities have been fixed in the Tomcat servlet and JSP engine, which may result on bypass of security manager restrictions, information disclosure, denial of service or session fixation. last seen 2020-06-01 modified 2020-06-02 plugin id 90205 published 2016-03-28 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90205 title Debian DSA-3530-1 : tomcat6 - security update NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-2046.NASL description An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security. last seen 2020-06-01 modified 2020-06-02 plugin id 93951 published 2016-10-11 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93951 title RHEL 7 : tomcat (RHSA-2016:2046) (httpoxy) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-0492.NASL description Updated tomcat6 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) This update also fixes the following bug : * Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 servlet resulted in a large memory leak. An upstream patch has been applied to fix this bug, and the memory leak no longer occurs. (BZ#1301646) All Tomcat 6 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 90121 published 2016-03-24 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/90121 title CentOS 6 : tomcat6 (CESA-2016:0492) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2016-1049.NASL description According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.(CVE-2014-7810) - Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.(CVE-2015-5346) - Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application last seen 2020-05-06 modified 2017-05-01 plugin id 99812 published 2017-05-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99812 title EulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1049) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2016-658.NASL description A directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. (CVE-2015-5174) The Mapper component processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. (CVE-2015-5345) It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) last seen 2020-06-01 modified 2020-06-02 plugin id 89839 published 2016-03-11 reporter This script is Copyright (C) 2016-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/89839 title Amazon Linux AMI : tomcat8 (ALAS-2016-658) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2655-1.NASL description It was discovered that Tomcat incorrectly handled data with malformed chunked transfer coding. A remote attacker could possibly use this issue to conduct HTTP request smuggling attacks, or cause Tomcat to consume resources, resulting in a denial of service. (CVE-2014-0227) It was discovered that Tomcat incorrectly handled HTTP responses occurring before the entire request body was finished being read. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. (CVE-2014-0230) It was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a SecurityManager protection mechanism. (CVE-2014-7810). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 84430 published 2015-06-26 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/84430 title Ubuntu 12.04 LTS : tomcat6 vulnerabilities (USN-2655-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2015-1622.NASL description Updated tomcat6 and tomcat7 packages that fix two security issues are now available for Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 5, 6, and 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made. (CVE-2014-0230) All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat Customer Portal are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 85441 published 2015-08-17 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/85441 title RHEL 5 / 6 / 7 : JBoss Web Server (RHSA-2015:1622)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://svn.apache.org/viewvc?view=revision&revision=1644018
- http://svn.apache.org/viewvc?view=revision&revision=1645642
- http://tomcat.apache.org/security-6.html
- http://tomcat.apache.org/security-8.html
- http://tomcat.apache.org/security-7.html
- http://www.debian.org/security/2016/dsa-3530
- https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
- http://marc.info/?l=bugtraq&m=145974991225029&w=2
- http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html
- http://rhn.redhat.com/errata/RHSA-2016-2046.html
- http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
- http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
- http://www.securityfocus.com/bid/74665
- http://rhn.redhat.com/errata/RHSA-2016-0492.html
- http://www.debian.org/security/2015/dsa-3428
- http://www.debian.org/security/2016/dsa-3447
- http://rhn.redhat.com/errata/RHSA-2015-1622.html
- http://rhn.redhat.com/errata/RHSA-2015-1621.html
- http://www.ubuntu.com/usn/USN-2655-1
- http://www.securitytracker.com/id/1032330
- http://www.ubuntu.com/usn/USN-2654-1
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3E