Vulnerabilities > CVE-2016-5388 - Improper Access Control vulnerability in multiple products

047910
CVSS 8.1 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
high complexity
redhat
hp
oracle
apache
CWE-284
nessus

Summary

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Vulnerable Configurations

Part Description Count
OS
Redhat
12
OS
Oracle
2
Application
Hp
84
Application
Apache
202

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.

Nessus

  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2016-722.NASL
    descriptionTomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id92469
    published2016-07-21
    reporterThis script is Copyright (C) 2016-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/92469
    titleAmazon Linux AMI : tomcat6 / tomcat7,tomcat8 (ALAS-2016-722) (httpoxy)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Amazon Linux AMI Security Advisory ALAS-2016-722.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(92469);
      script_version("2.4");
      script_cvs_date("Date: 2018/04/18 15:09:36");
    
      script_cve_id("CVE-2016-5388");
      script_xref(name:"ALAS", value:"2016-722");
    
      script_name(english:"Amazon Linux AMI : tomcat6 / tomcat7,tomcat8 (ALAS-2016-722) (httpoxy)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Amazon Linux AMI host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Tomcat's CGI support used the value of the Proxy header from HTTP
    requests to initialize the HTTP_PROXY environment variable for CGI
    scripts, which in turn was incorrectly used by certain HTTP client
    implementations to configure the proxy for outgoing HTTP requests. A
    remote attacker could possibly use this flaw to redirect HTTP requests
    performed by a CGI script to an attacker-controlled proxy via a
    malicious HTTP request (known as the 'httpoxy' class of
    vulnerabilities)."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://httpoxy.org/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://alas.aws.amazon.com/ALAS-2016-722.html"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Run 'yum update tomcat6' to update your system.
    
    Run 'yum update tomcat7' to update your system.
    
    Run 'yum update tomcat8' to update your system."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-admin-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-docs-webapp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-el-2.1-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-jsp-2.1-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-lib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-servlet-2.5-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat6-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat7");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat7-admin-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat7-docs-webapp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat7-el-2.2-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat7-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat7-jsp-2.2-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat7-lib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat7-log4j");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat7-servlet-3.0-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat7-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-admin-webapps");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-docs-webapp");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-el-3.0-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-javadoc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-lib");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-log4j");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-webapps");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2016/07/20");
      script_set_attribute(attribute:"in_the_news", value:"true");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/07/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2016-2018 Tenable Network Security, Inc.");
      script_family(english:"Amazon Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    release = get_kb_item("Host/AmazonLinux/release");
    if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
    os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
    os_ver = os_ver[1];
    if (os_ver != "A")
    {
      if (os_ver == 'A') os_ver = 'AMI';
      audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
    }
    
    if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (rpm_check(release:"ALA", reference:"tomcat6-6.0.45-1.5.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat6-admin-webapps-6.0.45-1.5.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat6-docs-webapp-6.0.45-1.5.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat6-el-2.1-api-6.0.45-1.5.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat6-javadoc-6.0.45-1.5.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat6-jsp-2.1-api-6.0.45-1.5.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat6-lib-6.0.45-1.5.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat6-servlet-2.5-api-6.0.45-1.5.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat6-webapps-6.0.45-1.5.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat7-7.0.69-1.17.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat7-admin-webapps-7.0.69-1.17.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat7-docs-webapp-7.0.69-1.17.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat7-el-2.2-api-7.0.69-1.17.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat7-javadoc-7.0.69-1.17.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat7-jsp-2.2-api-7.0.69-1.17.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat7-lib-7.0.69-1.17.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat7-log4j-7.0.69-1.17.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat7-servlet-3.0-api-7.0.69-1.17.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat7-webapps-7.0.69-1.17.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat8-8.0.35-1.61.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat8-admin-webapps-8.0.35-1.61.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat8-docs-webapp-8.0.35-1.61.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat8-el-3.0-api-8.0.35-1.61.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat8-javadoc-8.0.35-1.61.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat8-jsp-2.3-api-8.0.35-1.61.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat8-lib-8.0.35-1.61.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat8-log4j-8.0.35-1.61.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat8-servlet-3.1-api-8.0.35-1.61.amzn1")) flag++;
    if (rpm_check(release:"ALA", reference:"tomcat8-webapps-8.0.35-1.61.amzn1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat6 / tomcat6-admin-webapps / tomcat6-docs-webapp / etc");
    }
    
  • NASL familyWeb Servers
    NASL idHPSMH_7_6.NASL
    descriptionAccording to its banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.6. It is, therefore, affected by the following vulnerabilities : - A heap buffer overflow condition exists in OpenSSL in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in OpenSSL in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Multiple flaws exist OpenSSL in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in OpenSSL in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - A certificate validation bypass vulnerability exists in cURL and libcurl due to improper validation of TLS certificates. A man-in-the-middle attacker can exploit this, via a spoofed certificate that appears valid, to disclose or manipulate transmitted data. (CVE-2016-3739) - An integer overflow condition exists in PHP in the php_raw_url_encode() function within file ext/standard/url.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-4070) - A flaw exists in PHP in the php_snmp_error() function within file ext/snmp/snmp.c that is triggered when handling format string specifiers. An unauthenticated, remote attacker can exploit this, via a crafted SNMP object, to cause a denial of service or to execute arbitrary code. (CVE-2016-4071) - An invalid memory write error exists in PHP when handling the path of phar file names that allows an attacker to have an unspecified impact. (CVE-2016-4072) - A remote code execution vulnerability exists in PHP in phar_object.c due to improper handling of zero-length uncompressed data. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR, ZIP, or PHAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4342) - A remote code execution vulnerability exists in PHP in the phar_make_dirstream() function within file ext/phar/dirstream.c due to improper handling of ././@LongLink files. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4343) - A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user
    last seen2020-06-01
    modified2020-06-02
    plugin id94654
    published2016-11-09
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94654
    titleHP System Management Homepage < 7.6 Multiple Vulnerabilities (HPSBMU03653) (httpoxy)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(94654);
      script_version("1.12");
      script_cvs_date("Date: 2019/11/14");
    
      script_cve_id(
        "CVE-2016-2105",
        "CVE-2016-2106",
        "CVE-2016-2107",
        "CVE-2016-2109",
        "CVE-2016-3739",
        "CVE-2016-4070",
        "CVE-2016-4071",
        "CVE-2016-4072",
        "CVE-2016-4342",
        "CVE-2016-4343",
        "CVE-2016-4393",
        "CVE-2016-4394",
        "CVE-2016-4395",
        "CVE-2016-4396",
        "CVE-2016-4537",
        "CVE-2016-4538",
        "CVE-2016-4539",
        "CVE-2016-4540",
        "CVE-2016-4541",
        "CVE-2016-4542",
        "CVE-2016-4543",
        "CVE-2016-5385",
        "CVE-2016-5387",
        "CVE-2016-5388"
      );
      script_bugtraq_id(
        85800,
        85801,
        85993,
        87940,
        89154,
        89179,
        89744,
        89757,
        89760,
        89844,
        90172,
        90173,
        90174,
        90726,
        91816,
        91818,
        91821,
        93961
      );
      script_xref(name:"CERT", value:"797896");
      script_xref(name:"EDB-ID", value:"39645");
      script_xref(name:"EDB-ID", value:"39653");
      script_xref(name:"EDB-ID", value:"39768");
      script_xref(name:"HP", value:"HPSBMU03653");
      script_xref(name:"HP", value:"emr_na-c05320149");
      script_xref(name:"HP", value:"PSRT110145");
      script_xref(name:"HP", value:"PSRT110263");
      script_xref(name:"HP", value:"PSRT110115");
      script_xref(name:"HP", value:"PSRT110116");
      script_xref(name:"TRA", value:"TRA-2016-32");
      script_xref(name:"ZDI", value:"ZDI-16-587");
    
      script_name(english:"HP System Management Homepage < 7.6 Multiple Vulnerabilities (HPSBMU03653) (httpoxy)");
      script_summary(english:"Performs a banner check.");
    
      script_set_attribute(attribute:"synopsis", value:
    "The remote web server is affected by multiple vulnerabilities.");
      script_set_attribute(attribute:"description", value:
    "According to its banner, the version of HP System Management Homepage
    (SMH) hosted on the remote web server is prior to 7.6. It is,
    therefore, affected by the following vulnerabilities :
    
      - A heap buffer overflow condition exists in OpenSSL in
        the EVP_EncodeUpdate() function within file
        crypto/evp/encode.c that is triggered when handling
        a large amount of input data. An unauthenticated, remote
        attacker can exploit this to cause a denial of service
        condition. (CVE-2016-2105)
    
      - A heap buffer overflow condition exists in OpenSSL in
        the EVP_EncryptUpdate() function within file
        crypto/evp/evp_enc.c that is triggered when handling a
        large amount of input data after a previous call occurs
        to the same function with a partial block. An
        unauthenticated, remote attacker can exploit this to
        cause a denial of service condition. (CVE-2016-2106)
    
      - Multiple flaws exist OpenSSL in the
        aesni_cbc_hmac_sha1_cipher() function in file
        crypto/evp/e_aes_cbc_hmac_sha1.c and the
        aesni_cbc_hmac_sha256_cipher() function in file
        crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered
        when the connection uses an AES-CBC cipher and AES-NI
        is supported by the server. A man-in-the-middle attacker
        can exploit these to conduct a padding oracle attack,
        resulting in the ability to decrypt the network traffic.
        (CVE-2016-2107)
    
      - Multiple unspecified flaws exist in OpenSSL in the d2i
        BIO functions when reading ASN.1 data from a BIO due to
        invalid encoding causing a large allocation of memory.
        An unauthenticated, remote attacker can exploit these to
        cause a denial of service condition through resource
        exhaustion. (CVE-2016-2109)
    
      - A certificate validation bypass vulnerability exists in
        cURL and libcurl due to improper validation of TLS
        certificates. A man-in-the-middle attacker can exploit
        this, via a spoofed certificate that appears valid, to
        disclose or manipulate transmitted data. (CVE-2016-3739)
    
      - An integer overflow condition exists in PHP in the
        php_raw_url_encode() function within file
        ext/standard/url.c due to improper validation of
        user-supplied input. An unauthenticated, remote attacker
        can exploit this to have an unspecified impact.
        (CVE-2016-4070)
        
      - A flaw exists in PHP in the php_snmp_error() function
        within file ext/snmp/snmp.c that is triggered when
        handling format string specifiers. An unauthenticated,
        remote attacker can exploit this, via a crafted SNMP
        object, to cause a denial of service or to execute
        arbitrary code. (CVE-2016-4071)
    
      - An invalid memory write error exists in PHP when
        handling the path of phar file names that allows an
        attacker to have an unspecified impact. (CVE-2016-4072)
    
      - A remote code execution vulnerability exists in PHP in
        phar_object.c due to improper handling of zero-length
        uncompressed data. An unauthenticated, remote attacker
        can exploit this, via a specially crafted TAR, ZIP, or
        PHAR file, to cause a denial of service condition or the
        execution of arbitrary code. (CVE-2016-4342)
    
      - A remote code execution vulnerability exists in PHP in
        the phar_make_dirstream() function within file
        ext/phar/dirstream.c due to improper handling of
        ././@LongLink files. An unauthenticated, remote attacker
        can exploit this, via a specially crafted TAR file, to
        cause a denial of service condition or the execution of
        arbitrary code. (CVE-2016-4343)
    
      - A cross-site scripting (XSS) vulnerability exists due to
        improper validation of user-supplied input. An
        unauthenticated, remote attacker can exploit this, via a
        specially crafted request, to execute arbitrary script
        code in a user's browser session. (CVE-2016-4393)
    
      - An unspecified HTTP Strict Transport Security (HSTS)
        bypass vulnerability exists that allows authenticated,
        remote attackers to disclose sensitive information.
        (CVE-2016-4394)
    
      - A remote code execution vulnerability exists due to an
        overflow condition in the mod_smh_config.so library
        caused by improper validation of user-supplied input
        when parsing the admin-group parameter supplied to the
        /proxy/SetSMHData endpoint. An unauthenticated, remote
        attacker can exploit this, via a specially crafted
        request, to cause a denial of service condition or the
        execution of arbitrary code. (CVE-2016-4395)
    
      - A remote code execution vulnerability exists due to an
        overflow condition in the mod_smh_config.so library
        caused by improper validation of user-supplied input
        when parsing the TKN parameter supplied to the
        /Proxy/SSO endpoint. An unauthenticated, remote
        attacker can exploit this, via a specially crafted
        request, to cause a denial of service condition or the
        execution of arbitrary code. (CVE-2016-4396)
    
      - An out-of-bounds read error exists in PHP in the
        php_str2num() function in bcmath.c when handling
        negative scales. An unauthenticated, remote attacker can
        exploit this, via a crafted call, to cause a denial of
        service condition or the disclosure of memory contents.
        (CVE-2016-4537)
    
      - A flaw exists in PHP the bcpowmod() function in bcmath.c
        due to modifying certain data structures without
        considering whether they are copies of the _zero_,
        _one_, or _two_ global variables. An unauthenticated,
        remote attacker can exploit this, via a crafted call, to
        cause a denial of service condition. (CVE-2016-4538)
    
      - A flaw exists in PHP in the xml_parse_into_struct()
        function in xml.c when handling specially crafted XML
        contents. An unauthenticated, remote attacker can
        exploit this to cause a denial of service condition.
        (CVE-2016-4539)
    
      - Multiple out-of-bounds read errors exist in PHP within
        file ext/intl/grapheme/grapheme_string.c when handling
        negative offsets in the zif_grapheme_stripos() and
        zif_grapheme_strpos() functions. An unauthenticated,
        remote attacker can exploit these issues to cause a
        denial of service condition or disclose memory contents.
        (CVE-2016-4540, CVE-2016-4541)
    
      - A flaw exists in PHP in the exif_process_IFD_TAG()
        function in exif.c due to improper construction of
        spprintf arguments. An unauthenticated, remote attacker
        can exploit this, via crafted header data, to cause an
        out-of-bounds read error, resulting in a denial of
        service condition or the disclosure of memory contents.
        (CVE-2016-4542)
    
      - A flaw exists in PHP in the exif_process_IFD_in_JPEG()
        function in exif.c due to improper validation of IFD
        sizes. An unauthenticated, remote attacker can exploit
        this, via crafted header data, to cause an out-of-bounds
        read error, resulting in a denial of service condition
        or the disclosure of memory contents. (CVE-2016-4543)
    
      - A man-in-the-middle vulnerability exists, known as
        'httpoxy', in the Apache Tomcat, Apache HTTP Server, and
        PHP components due to a failure to properly resolve
        namespace conflicts in accordance with RFC 3875 section
        4.1.18. The HTTP_PROXY environment variable is set based
        on untrusted user data in the 'Proxy' header of HTTP
        requests. The HTTP_PROXY environment variable is used by
        some web client libraries to specify a remote proxy
        server. A remote attacker can exploit this, via a
        crafted 'Proxy' header in an HTTP request, to redirect
        an application's internal HTTP traffic to an arbitrary
        proxy server where it may be observed or manipulated.
        (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388)
    
    Note that Nessus has not tested for these issues but has instead
    relied only on the application's self-reported version number.");
      # https://support.hpe.com/hpsc/doc/public/display?docId=emr_na-c05320149
      script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?b7e1b347");
      script_set_attribute(attribute:"see_also", value:"https://httpoxy.org");
      script_set_attribute(attribute:"see_also", value:"https://www.tenable.com/security/research/tra-2016-32");
      script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-16-587/");
      script_set_attribute(attribute:"solution", value:
    "Upgrade to HP System Management Homepage (SMH) version 7.6 or later.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
      script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-4342");
    
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"in_the_news", value:"true");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2016/10/26");
      script_set_attribute(attribute:"patch_publication_date", value:"2016/10/26");
      script_set_attribute(attribute:"plugin_publication_date", value:"2016/11/09");
    
      script_set_attribute(attribute:"plugin_type", value:"remote");
      script_set_attribute(attribute:"cpe", value:"cpe:/a:hp:system_management_homepage");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_family(english:"Web Servers");
    
      script_copyright(english:"This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
    
      script_dependencies("compaq_wbem_detect.nasl", "os_fingerprint.nasl");
      script_require_keys("www/hp_smh");
      script_require_ports("Services/www", 2301, 2381);
    
      exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("http.inc");
    include("install_func.inc");
    
    # Only Linux and Windows are affected -- HP-UX is not mentioned
    os = get_kb_item_or_exit("Host/OS");
    if ("Windows" >!< os && "Linux" >!< os) audit(AUDIT_OS_NOT, "Windows or Linux", os);
    
    port = get_http_port(default:2381, embedded:TRUE);
    app = "hp_smh";
    get_install_count(app_name:app, exit_if_zero:TRUE);
    
    install = get_single_install(
      app_name : app,
      port     : port,
      exit_if_unknown_ver : TRUE
    );
    
    dir = install['dir'];
    version = install['version'];
    prod = get_kb_item_or_exit("www/"+port+"/hp_smh/variant");
    source_line = get_kb_item("www/"+port+"/hp_smh/source");
    
    if (version == UNKNOWN_VER) audit(AUDIT_UNKNOWN_WEB_APP_VER, prod, build_url(port:port, qs:dir+"/") );
    
    # nb: 'version' can have non-numeric characters in it so we'll create
    #     an alternate form and make sure that's safe for use in 'ver_compare()'.
    version_alt = ereg_replace(pattern:"[_-]", replace:".", string:version);
    if (!ereg(pattern:"^[0-9][0-9.]+$", string:version_alt))
      audit(AUDIT_VER_FORMAT, version);
    
    if (ver_compare(ver:version_alt, fix:"7.6", strict:FALSE) == -1)
    {
      report = '\n  Product           : ' + prod;
      if (!isnull(source_line))
        report += '\n  Version source    : ' + source_line;
      report +=
        '\n  Installed version : ' + version +
        '\n  Fixed version     : 7.6' +
        '\n';
    
      security_report_v4(severity:SECURITY_HOLE, port:port, extra:report, xss:TRUE);
      exit(0);
    }
    else audit(AUDIT_LISTEN_NOT_VULN, prod, port, version);
    
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-2045.NASL
    descriptionFrom Red Hat Security Advisory 2016:2045 : An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A directory traversal flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id93947
    published2016-10-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93947
    titleOracle Linux 6 : tomcat6 (ELSA-2016-2045) (httpoxy)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-2046.NASL
    descriptionAn update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
    last seen2020-06-01
    modified2020-06-02
    plugin id93966
    published2016-10-12
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93966
    titleCentOS 7 : tomcat (CESA-2016:2046) (httpoxy)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-4094BD4AD6.NASL
    descriptionThis updates includes a rebase from tomcat 8.0.36 up to 8.0.38 which resolves multiple CVEs and a problem that 8.0.37 introduces to freeipa : - rhbz#1375581 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header - rhbz#1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws and includes two additional CVE fixes along with one bug fix : - rhbz#1383210 - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service - rhbz#1383216 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation - rhbz#1370262 - catalina.out is no longer in use in the main package, but still gets rotated Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-14
    plugin id94747
    published2016-11-14
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94747
    titleFedora 23 : 1:tomcat (2016-4094bd4ad6) (httpoxy)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2016-2046.NASL
    descriptionFrom Red Hat Security Advisory 2016:2046 : An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
    last seen2020-06-01
    modified2020-06-02
    plugin id93948
    published2016-10-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93948
    titleOracle Linux 7 : tomcat (ELSA-2016-2046) (httpoxy)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3177-2.NASL
    descriptionUSN-3177-1 fixed vulnerabilities in Tomcat. The update introduced a regression in environments where Tomcat is started with a security manager. This update fixes the problem. We apologize for the inconvenience. It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn
    last seen2020-06-01
    modified2020-06-02
    plugin id96978
    published2017-02-03
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96978
    titleUbuntu 12.04 LTS / 14.04 LTS : tomcat6, tomcat7 regression (USN-3177-2) (httpoxy)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20161010_TOMCAT_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) - It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) - It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) - It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) - A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)
    last seen2020-03-18
    modified2016-10-12
    plugin id94005
    published2016-10-12
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94005
    titleScientific Linux Security Update : tomcat on SL7.x (noarch) (20161010) (httpoxy)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DLA-1883.NASL
    descriptionSeveral minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. CVE-2016-5388 Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application
    last seen2020-06-01
    modified2020-06-02
    plugin id127865
    published2019-08-14
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127865
    titleDebian DLA-1883-1 : tomcat8 security update (httpoxy)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-2045.NASL
    descriptionAn update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A directory traversal flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id93950
    published2016-10-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93950
    titleRHEL 6 : tomcat6 (RHSA-2016:2045) (httpoxy)
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20161010_TOMCAT6_ON_SL6_X.NASL
    descriptionSecurity Fix(es) : - It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) - It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) - It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) - A directory traversal flaw was found in Tomcat
    last seen2020-03-18
    modified2016-10-12
    plugin id94004
    published2016-10-12
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94004
    titleScientific Linux Security Update : tomcat6 on SL6.x (noarch) (20161010) (httpoxy)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-3177-1.NASL
    descriptionIt was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn
    last seen2020-06-01
    modified2020-06-02
    plugin id96720
    published2017-01-24
    reporterUbuntu Security Notice (C) 2017-2019 Canonical, Inc. / NASL script (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/96720
    titleUbuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : tomcat6, tomcat7, tomcat8 vulnerabilities (USN-3177-1) (httpoxy)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-2046.NASL
    descriptionAn update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
    last seen2020-06-01
    modified2020-06-02
    plugin id93951
    published2016-10-11
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93951
    titleRHEL 7 : tomcat (RHSA-2016:2046) (httpoxy)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2016-1049.NASL
    descriptionAccording to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.(CVE-2014-7810) - Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.(CVE-2015-5346) - Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application
    last seen2020-05-06
    modified2017-05-01
    plugin id99812
    published2017-05-01
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99812
    titleEulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1049)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-C1B01B9278.NASL
    descriptionThis updates includes a rebase from tomcat 8.0.36 up to 8.0.38 which resolves multiple CVEs and a problem that 8.0.37 introduces to freeipa : - rhbz#1375581 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header - rhbz#1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws and includes two additional CVE fixes along with one bug fix : - rhbz#1383210 - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service - rhbz#1383216 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation - rhbz#1370262 - catalina.out is no longer in use in the main package, but still gets rotated Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-14
    plugin id94748
    published2016-11-14
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94748
    titleFedora 24 : 1:tomcat (2016-c1b01b9278) (httpoxy)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2016-2045.NASL
    descriptionAn update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A directory traversal flaw was found in Tomcat
    last seen2020-06-01
    modified2020-06-02
    plugin id93965
    published2016-10-12
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93965
    titleCentOS 6 : tomcat6 (CESA-2016:2045) (httpoxy)
  • NASL familyWeb Servers
    NASL idHTTP_HTTPOXY.NASL
    descriptionThe web application running on the remote web server is affected by a man-in-the-middle vulnerability known as
    last seen2020-06-01
    modified2020-06-02
    plugin id92539
    published2016-07-25
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/92539
    titleHTTP_PROXY Environment Variable Namespace Collision Vulnerability (httpoxy)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1635.NASL
    descriptionUpdated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1 and fixes two security issues and a bug with ajp processors are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as a update for Red Hat JBoss Web Server 3.0.3 httpd and tomcat. Security Fix(es) : * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93043
    published2016-08-19
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93043
    titleRHEL 7 : Red Hat JBoss Web Server 3.0.3 Service Pack 1 (RHSA-2016:1635) (httpoxy)
  • NASL familyMisc.
    NASL idORACLE_ENTERPRISE_MANAGER_JUL_2017_CPU.NASL
    descriptionThe version of Oracle Enterprise Manager Grid Control installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An unauthenticated, remote attacker can exploit this to obtain private keys by using a series of specially crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, also known as an
    last seen2020-06-01
    modified2020-06-02
    plugin id101837
    published2017-07-20
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101837
    titleOracle Enterprise Manager Grid Control Multiple Vulnerabilities (July 2017 CPU) (httpoxy)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2016-1636.NASL
    descriptionUpdated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1 and fixes two security issues and a bug with ajp processors are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as a update for Red Hat JBoss Web Server 3.0.3 httpd and tomcat. Security Fix(es) : * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id93044
    published2016-08-19
    reporterThis script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/93044
    titleRHEL 6 : Red Hat JBoss Web Server 3.0.3 Service Pack 1 (RHSA-2016:1636) (httpoxy)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2016-1056.NASL
    descriptionThis update for tomcat fixes the following issues : - CVE-2016-3092: Usage of vulnerable FileUpload package can result in denial of service. (bsc#986359) - CVE-2016-5388: Setting HTTP_PROXY environment variable via Proxy header. (bsc#988489) This update was imported from the SUSE:SLE-12-SP1:Update project.
    last seen2020-06-05
    modified2016-09-08
    plugin id93362
    published2016-09-08
    reporterThis script is Copyright (C) 2016-2020 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/93362
    titleopenSUSE Security Update : tomcat (openSUSE-2016-1056) (httpoxy)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2016-38E5B05260.NASL
    descriptionThis updates includes a rebase from tomcat 8.0.36 up to 8.0.38 which resolves multiple CVEs and a problem that 8.0.37 introduces to freeipa : - rhbz#1375581 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header - rhbz#1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws and includes two additional CVE fixes along with one bug fix : - rhbz#1383210 - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service - rhbz#1383216 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation - rhbz#1370262 - catalina.out is no longer in use in the main package, but still gets rotated Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2016-11-21
    plugin id94997
    published2016-11-21
    reporterThis script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/94997
    titleFedora 25 : 1:tomcat (2016-38e5b05260) (httpoxy)

Redhat

advisories
  • rhsa
    idRHSA-2016:1624
  • rhsa
    idRHSA-2016:1635
  • rhsa
    idRHSA-2016:1636
  • rhsa
    idRHSA-2016:2045
  • rhsa
    idRHSA-2016:2046
rpms
  • httpd24-0:2.4.6-62.ep7.el7
  • httpd24-debuginfo-0:2.4.6-62.ep7.el7
  • httpd24-devel-0:2.4.6-62.ep7.el7
  • httpd24-manual-0:2.4.6-62.ep7.el7
  • httpd24-tools-0:2.4.6-62.ep7.el7
  • mod_ldap24-0:2.4.6-62.ep7.el7
  • mod_proxy24_html-1:2.4.6-62.ep7.el7
  • mod_session24-0:2.4.6-62.ep7.el7
  • mod_ssl24-1:2.4.6-62.ep7.el7
  • tomcat7-0:7.0.59-51_patch_01.ep7.el7
  • tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el7
  • tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el7
  • tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el7
  • tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el7
  • tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el7
  • tomcat7-lib-0:7.0.59-51_patch_01.ep7.el7
  • tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el7
  • tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el7
  • tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el7
  • tomcat8-0:8.0.18-62_patch_01.ep7.el7
  • tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el7
  • tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el7
  • tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el7
  • tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el7
  • tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el7
  • tomcat8-lib-0:8.0.18-62_patch_01.ep7.el7
  • tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el7
  • tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el7
  • tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el7
  • httpd24-0:2.4.6-62.ep7.el6
  • httpd24-debuginfo-0:2.4.6-62.ep7.el6
  • httpd24-devel-0:2.4.6-62.ep7.el6
  • httpd24-manual-0:2.4.6-62.ep7.el6
  • httpd24-tools-0:2.4.6-62.ep7.el6
  • mod_ldap24-0:2.4.6-62.ep7.el6
  • mod_proxy24_html-1:2.4.6-62.ep7.el6
  • mod_session24-0:2.4.6-62.ep7.el6
  • mod_ssl24-1:2.4.6-62.ep7.el6
  • tomcat7-0:7.0.59-51_patch_01.ep7.el6
  • tomcat7-admin-webapps-0:7.0.59-51_patch_01.ep7.el6
  • tomcat7-docs-webapp-0:7.0.59-51_patch_01.ep7.el6
  • tomcat7-el-2.2-api-0:7.0.59-51_patch_01.ep7.el6
  • tomcat7-javadoc-0:7.0.59-51_patch_01.ep7.el6
  • tomcat7-jsp-2.2-api-0:7.0.59-51_patch_01.ep7.el6
  • tomcat7-lib-0:7.0.59-51_patch_01.ep7.el6
  • tomcat7-log4j-0:7.0.59-51_patch_01.ep7.el6
  • tomcat7-servlet-3.0-api-0:7.0.59-51_patch_01.ep7.el6
  • tomcat7-webapps-0:7.0.59-51_patch_01.ep7.el6
  • tomcat8-0:8.0.18-62_patch_01.ep7.el6
  • tomcat8-admin-webapps-0:8.0.18-62_patch_01.ep7.el6
  • tomcat8-docs-webapp-0:8.0.18-62_patch_01.ep7.el6
  • tomcat8-el-2.2-api-0:8.0.18-62_patch_01.ep7.el6
  • tomcat8-javadoc-0:8.0.18-62_patch_01.ep7.el6
  • tomcat8-jsp-2.3-api-0:8.0.18-62_patch_01.ep7.el6
  • tomcat8-lib-0:8.0.18-62_patch_01.ep7.el6
  • tomcat8-log4j-0:8.0.18-62_patch_01.ep7.el6
  • tomcat8-servlet-3.1-api-0:8.0.18-62_patch_01.ep7.el6
  • tomcat8-webapps-0:8.0.18-62_patch_01.ep7.el6
  • tomcat6-0:6.0.24-98.el6_8
  • tomcat6-admin-webapps-0:6.0.24-98.el6_8
  • tomcat6-docs-webapp-0:6.0.24-98.el6_8
  • tomcat6-el-2.1-api-0:6.0.24-98.el6_8
  • tomcat6-javadoc-0:6.0.24-98.el6_8
  • tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8
  • tomcat6-lib-0:6.0.24-98.el6_8
  • tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8
  • tomcat6-webapps-0:6.0.24-98.el6_8
  • tomcat-0:7.0.54-8.el7_2
  • tomcat-admin-webapps-0:7.0.54-8.el7_2
  • tomcat-docs-webapp-0:7.0.54-8.el7_2
  • tomcat-el-2.2-api-0:7.0.54-8.el7_2
  • tomcat-javadoc-0:7.0.54-8.el7_2
  • tomcat-jsp-2.2-api-0:7.0.54-8.el7_2
  • tomcat-jsvc-0:7.0.54-8.el7_2
  • tomcat-lib-0:7.0.54-8.el7_2
  • tomcat-servlet-3.0-api-0:7.0.54-8.el7_2
  • tomcat-webapps-0:7.0.54-8.el7_2

References