Vulnerabilities > CVE-2017-5651 - Unspecified vulnerability in Apache Tomcat

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
apache
critical
nessus

Summary

In Apache Tomcat 9.0.0.M1 to 9.0.0.M18 and 8.5.0 to 8.5.12, the refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up.

Nessus

  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-5261BA4605.NASL
    descriptionThis updates includes a rebase from tomcat 8.0.42 up to 8.0.43 which resolves multiple CVEs : - rhbz#1441242 CVE-2017-5647 CVE-2017-5648 CVE-2017-5650 CVE-2017-5651 tomcat: various flaws Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-04-28
    plugin id99718
    published2017-04-28
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99718
    titleFedora 25 : 1:tomcat (2017-5261ba4605)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-5261ba4605.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(99718);
      script_version("3.8");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-5647", "CVE-2017-5648", "CVE-2017-5650", "CVE-2017-5651");
      script_xref(name:"FEDORA", value:"2017-5261ba4605");
    
      script_name(english:"Fedora 25 : 1:tomcat (2017-5261ba4605)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This updates includes a rebase from tomcat 8.0.42 up to 8.0.43 which
    resolves multiple CVEs :
    
      - rhbz#1441242 CVE-2017-5647 CVE-2017-5648 CVE-2017-5650
        CVE-2017-5651 tomcat: various flaws
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-5261ba4605"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 1:tomcat package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:tomcat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/28");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC25", reference:"tomcat-8.0.43-1.fc25", epoch:"1")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:tomcat");
    }
    
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-0E64C4C186.NASL
    descriptionThis updates includes a rebase from tomcat 8.0.42 up to 8.0.43 which resolves multiple CVEs : - rhbz#1441242 CVE-2017-5647 CVE-2017-5648 CVE-2017-5650 CVE-2017-5651 tomcat: various flaws Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-07-17
    plugin id101573
    published2017-07-17
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101573
    titleFedora 26 : 1:tomcat (2017-0e64c4c186)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory FEDORA-2017-0e64c4c186.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(101573);
      script_version("3.4");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");
    
      script_cve_id("CVE-2017-5647", "CVE-2017-5648", "CVE-2017-5650", "CVE-2017-5651");
      script_xref(name:"FEDORA", value:"2017-0e64c4c186");
    
      script_name(english:"Fedora 26 : 1:tomcat (2017-0e64c4c186)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This updates includes a rebase from tomcat 8.0.42 up to 8.0.43 which
    resolves multiple CVEs :
    
      - rhbz#1441242 CVE-2017-5647 CVE-2017-5648 CVE-2017-5650
        CVE-2017-5651 tomcat: various flaws
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora update system website.
    Tenable has attempted to automatically clean and format it as much as
    possible without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-0e64c4c186"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Update the affected 1:tomcat package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:tomcat");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/04/17");
      script_set_attribute(attribute:"patch_publication_date", value:"2017/04/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/17");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"FC26", reference:"tomcat-8.0.43-1.fc26", epoch:"1")) flag++;
    
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:tomcat");
    }
    
  • NASL familyCGI abuses
    NASL idMYSQL_ENTERPRISE_MONITOR_3_3_4_3247.NASL
    descriptionAccording to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.8.2223 or 3.3.x prior to 3.3.4.3247. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Apache Tomcat component in the handling of pipelined requests when send file processing is used that results in the pipelined request being lost when processing of the previous request has completed, causing responses to be sent for the wrong request. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-5647) - A flaw exists in the Apache Tomcat component in HTTP connectors when processing send files. If processing completed quickly, it was possible to add the processor to the processor cache twice, which allows the same processor to be used for multiple requests. An unauthenticated, remote attacker can exploit this to disclose sensitive information from other sessions or cause unexpected errors. (CVE-2017-5651)
    last seen2020-06-01
    modified2020-06-02
    plugin id101895
    published2017-07-21
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/101895
    titleMySQL Enterprise Monitor 3.2.x < 3.2.8.2223 / 3.3.x < 3.3.4.3247 Multiple Vulnerabilities (July 2017 CPU)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2017-D5AA7C77D6.NASL
    descriptionThis updates includes a rebase from tomcat 8.0.42 up to 8.0.43 which resolves multiple CVEs : - rhbz#1441242 CVE-2017-5647 CVE-2017-5648 CVE-2017-5650 CVE-2017-5651 tomcat: various flaws Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-05
    modified2017-04-28
    plugin id99720
    published2017-04-28
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99720
    titleFedora 24 : 1:tomcat (2017-d5aa7c77d6)
  • NASL familyWeb Servers
    NASL idTOMCAT_8_5_13.NASL
    descriptionAccording to its self-reported version number, the Apache Tomcat service running on the remote host is 8.5.x prior to 8.5.13 or 9.0.x prior to 9.0.0.M19. It is therefore affected by multiple vulnerabilities : - A flaw exists in the handling of pipelined requests when send file processing is used that results in the pipelined request being lost when processing of the previous request has completed, causing responses to be sent for the wrong request. An unauthenticated, remote attacker can exploit this to disclose sensitive information. (CVE-2017-5647) - A flaw exists in the handling of HTTP/2 GOAWAY frames for a connection due to streams associated with the connection not being properly closed if the connection was currently waiting for a WINDOW_UPDATE before allowing the application to write more data. Each stream consumes a processing thread in the system. An unauthenticated, remote attacker can exploit this issue, via a series of specially crafted HTTP/2 requests, to consume all available threads, resulting in a denial of service condition. (CVE-2017-5650) - A flaw exists in HTTP connectors when processing send files. If processing completed quickly, it was possible to add the processor to the processor cache twice, which allows the same processor to be used for multiple requests. An unauthenticated, remote attacker can exploit this to disclose sensitive information from other sessions or cause unexpected errors. (CVE-2017-5651) Note that Nessus has not attempted to exploit these issues but has instead relied only on the application
    last seen2020-03-18
    modified2017-04-14
    plugin id99368
    published2017-04-14
    reporterThis script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/99368
    titleApache Tomcat 8.5.x < 8.5.13 / 9.0.x < 9.0.0.M19 Multiple Vulnerabilities
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201705-09.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201705-09 (Apache Tomcat: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in Tomcat. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to cause a Denial of Service condition, obtain sensitive information, bypass protection mechanisms and authentication restrictions. A local attacker, who is a tomcat&rsquo;s system user or belongs to tomcat&rsquo;s group, could potentially escalate privileges. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id100262
    published2017-05-18
    reporterThis script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/100262
    titleGLSA-201705-09 : Apache Tomcat: Multiple vulnerabilities

References