Vulnerabilities > CVE-2017-5664 - Improper Handling of Exceptional Conditions vulnerability in Apache Tomcat
Summary
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve the content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user-provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Fedora Local Security Checks NASL id FEDORA_2017-794C18B62D.NASL description This update includes a rebase from 8.0.43 up to 8.0.44 which resolves a single CVE along with various other bugs/features : - rhbz#1459160 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-07-17 plugin id 101661 published 2017-07-17 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101661 title Fedora 26 : 1:tomcat (2017-794c18b62d) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2017-794c18b62d.
#
# Purpose: local (credentialed) package-version check for CVE-2017-5664 on
# Fedora 26. The host is reported when rpm_check() finds the installed
# 1:tomcat package behind the fixed reference tomcat-8.0.44-1.fc26.
# Nothing here exercises the error-page behaviour over HTTP; a finding means
# "unpatched package present", not "exploitable configuration observed".
#
include("compat.inc");

# Registration mode: publish plugin metadata and stop. The exit(0) at the end
# of this block means none of the host logic below runs while the scanner is
# only loading attributes.
if (description)
{
  script_id(101661);
  script_version("3.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-5664");
  script_xref(name:"FEDORA", value:"2017-794c18b62d");

  script_name(english:"Fedora 26 : 1:tomcat (2017-794c18b62d)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  # Advisory text reproduced verbatim (see the header note about extraction).
  script_set_attribute(
    attribute:"description",
    value:
"This update includes a rebase from 8.0.43 up to 8.0.44 which resolves a single CVE along with various other bugs/features : - rhbz#1459160 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-794c18b62d"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected 1:tomcat package."
  );
  # Both vectors carry an integrity impact only (C:N, A:N): the issue is an
  # error page being replaced or removed, not data disclosure or denial of
  # service.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:tomcat");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:26");
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/07/07");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/07/17");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  # Host facts come from the SSH info-gathering plugin: local checks enabled,
  # the release string and the rpm inventory.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Every audit() below ends the run with a "not tested / not applicable" style
# result; only the rpm_check() path can produce a finding.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
# Extract the numeric release, then require it to be exactly 26 (the trailing
# group stops "26" from matching e.g. "260").
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (!preg(pattern:"^26([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 26", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# NOTE(review): architecture gate -- only x86_64 and i386-class hosts are
# checked. Any other CPU exits with AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, which
# reads as "not tested", not "not vulnerable". tomcat is shipped as a noarch
# package, so hosts on other architectures get no coverage from this plugin
# and need another source of assurance.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# flag counts packages found behind the fixed reference. The explicit epoch
# matters: the Fedora package is 1:tomcat, and a comparison without it would
# not line up with the installed NEVR.
flag = 0;
if (rpm_check(release:"FC26", reference:"tomcat-8.0.44-1.fc26", epoch:"1")) flag++;

if (flag)
{
  # Severity is fixed at SECURITY_WARNING (medium), matching the I:P vector.
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  # Distinguish "installed and already at/after the fix" from "not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:tomcat");
}
NASL family Fedora Local Security Checks NASL id FEDORA_2017-63789C8C29.NASL description This update includes a rebase from 8.0.43 up to 8.0.44 which resolves a single CVE along with various other bugs/features : - rhbz#1459160 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-06-30 plugin id 101123 published 2017-06-30 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101123 title Fedora 25 : 1:tomcat (2017-63789c8c29) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Fedora Security Advisory FEDORA-2017-63789c8c29.
#
# Purpose: local (credentialed) package-version check for CVE-2017-5664 on
# Fedora 25. The host is reported when rpm_check() finds the installed
# 1:tomcat package behind the fixed reference tomcat-8.0.44-1.fc25.
# This is the Fedora 25 twin of the Fedora 26 plugin (101661); apart from the
# release number, reference package and dates the logic is the same, and a
# finding means "unpatched package present", not "exploitable configuration
# observed".
#
include("compat.inc");

# Registration mode: publish plugin metadata and stop. The exit(0) at the end
# of this block means none of the host logic below runs while the scanner is
# only loading attributes.
if (description)
{
  script_id(101123);
  script_version("3.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/04");

  script_cve_id("CVE-2017-5664");
  script_xref(name:"FEDORA", value:"2017-63789c8c29");

  script_name(english:"Fedora 25 : 1:tomcat (2017-63789c8c29)");
  script_summary(english:"Checks rpm output for the updated package.");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Fedora host is missing a security update."
  );
  # Advisory text reproduced verbatim (see the header note about extraction).
  script_set_attribute(
    attribute:"description",
    value:
"This update includes a rebase from 8.0.43 up to 8.0.44 which resolves a single CVE along with various other bugs/features : - rhbz#1459160 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bodhi.fedoraproject.org/updates/FEDORA-2017-63789c8c29"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Update the affected 1:tomcat package."
  );
  # Integrity-only impact (C:N, A:N) in both vectors.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:1:tomcat");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:25");
  script_set_attribute(attribute:"vuln_publication_date", value:"2017/06/06");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/29");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/06/30");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Fedora Local Security Checks");

  # Host facts come from the SSH info-gathering plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Every audit() below ends the run with a "not tested / not applicable" style
# result; only the rpm_check() path can produce a finding.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
# Extract the numeric release, then require it to be exactly 25.
os_ver = pregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
os_ver = os_ver[1];
if (!preg(pattern:"^25([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 25", "Fedora " + os_ver);

if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# NOTE(review): architecture gate -- only x86_64 and i386-class hosts are
# checked; anything else exits with AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED
# ("not tested", not "not vulnerable"). tomcat is a noarch package, so hosts
# on other architectures need another source of coverage.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);

# flag counts packages found behind the fixed reference; the explicit epoch
# lines the comparison up with the installed 1:tomcat NEVR.
flag = 0;
if (rpm_check(release:"FC25", reference:"tomcat-8.0.44-1.fc25", epoch:"1")) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  # Distinguish "installed and already at/after the fix" from "not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "1:tomcat");
}
NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-862.NASL description Security constrained bypass in error page mechanism : A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 102177 published 2017-08-04 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/102177 title Amazon Linux AMI : tomcat8 (ALAS-2017-862) code
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2017-862.
#
# Purpose: local (credentialed) package-version check for the Amazon Linux
# AMI tomcat8 update. The host is reported when any of the ten tomcat8
# sub-packages is behind 8.0.45-1.72.amzn1.
#
# NOTE(review): the plugin carries two CVEs (CVE-2017-5664, error-page
# handling; CVE-2017-7674, missing Vary header in the CORS filter) but a
# single flag drives the report, so a hit says "update missing" and cannot
# tell a triager which of the two issues applies to the host.
#
include("compat.inc");

# Registration mode: publish plugin metadata and stop. The exit(0) at the end
# of this block means none of the host logic below runs while the scanner is
# only loading attributes.
if (description)
{
  script_id(102177);
  script_version("3.8");
  script_cvs_date("Date: 2018/04/18 15:09:36");

  script_cve_id("CVE-2017-5664", "CVE-2017-7674");
  script_xref(name:"ALAS", value:"2017-862");

  script_name(english:"Amazon Linux AMI : tomcat8 (ALAS-2017-862)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  # Advisory text reproduced verbatim.
  script_set_attribute(
    attribute:"description",
    value:
"Security constrained bypass in error page mechanism : A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664) The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. (CVE-2017-7674)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2017-862.html"
  );
  script_set_attribute(
    attribute:"solution",
    value:"Run 'yum update tomcat8' to update your system."
  );
  # One score covers both CVEs; integrity-only impact (C:N, A:N).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  # One CPE per sub-package checked below.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-admin-webapps");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-docs-webapp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-el-3.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-lib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-webapps");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/08/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  # Host facts come from the SSH info-gathering plugin.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Every audit() below ends the run with a "not tested / not applicable" style
# result; only the rpm_check() path can produce a finding.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
# The captured group is "A" for the classic AMI or a digit for Amazon Linux 2+;
# this plugin only applies to the AMI.
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  # NOTE(review): unreachable -- the enclosing condition already excludes "A",
  # so os_ver is never rewritten to 'AMI' here. Harmless dead code, presumably
  # left over from a shared template; the audit message below is still correct.
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Unlike the Fedora plugins for this CVE there is no CPU gate here.
# flag counts sub-packages found behind the fixed reference; any one of them
# is enough for a finding.
flag = 0;
if (rpm_check(release:"ALA", reference:"tomcat8-8.0.45-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-admin-webapps-8.0.45-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-docs-webapp-8.0.45-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-el-3.0-api-8.0.45-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-javadoc-8.0.45-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-jsp-2.3-api-8.0.45-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-lib-8.0.45-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-log4j-8.0.45-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-servlet-3.1-api-8.0.45-1.72.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-webapps-8.0.45-1.72.amzn1")) flag++;

if (flag)
{
  # Older reporting style than the security_report_v4() used by the Fedora
  # plugins: the per-package detail is only attached when report_verbosity
  # is raised, otherwise a bare warning is emitted.
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  # Distinguish "installed and already at/after the fix" from "not installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat8 / tomcat8-admin-webapps / tomcat8-docs-webapp / etc");
}
NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1191.NASL description According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762) - It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018) - It was discovered that when a SecurityManager was configured, Tomcat last seen 2020-05-06 modified 2017-09-08 plugin id 103029 published 2017-09-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103029 title EulerOS 2.0 SP1 : tomcat (EulerOS-SA-2017-1191) NASL family Web Servers NASL id TOMCAT_6_0_24.NASL description The version of Apache Tomcat installed on the remote host is 6.0.x prior to 6.0.24. It is, therefore, affected by multiple vulnerabilities : - An unspecified flaw exists in the handling of pipelined requests when last seen 2020-03-18 modified 2017-11-02 plugin id 104358 published 2017-11-02 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104358 title Apache Tomcat 6.0.x < 6.0.24 Multiple Vulnerabilities NASL family Junos Local Security Checks NASL id JUNIPER_SPACE_JSA_10838.NASL description According to its self-reported version number, the remote Junos Space version is prior to 17.2R1. It is, therefore, affected by multiple vulnerabilities. 
last seen 2020-06-01 modified 2020-06-02 plugin id 108520 published 2018-03-21 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108520 title Juniper Junos Space < 17.2R1 Multiple Vulnerabilities (JSA10838) NASL family Scientific Linux Local Security Checks NASL id SL_20170727_TOMCAT_ON_SL7_X.NASL description Security Fix(es) : - A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-03-18 modified 2017-07-28 plugin id 102032 published 2017-07-28 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102032 title Scientific Linux Security Update : tomcat on SL7.x (noarch) (20170727) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3891.NASL description Aniket Nandkishor Kulkarni discovered that in tomcat8, a servlet and JSP engine, static error pages used the original request last seen 2020-06-01 modified 2020-06-02 plugin id 101008 published 2017-06-23 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101008 title Debian DSA-3891-1 : tomcat8 - security update NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-1809.NASL description An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. 
Security Fix(es) : * A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 102020 published 2017-07-28 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102020 title CentOS 7 : tomcat (CESA-2017:1809) NASL family Virtuozzo Local Security Checks NASL id VIRTUOZZO_VZLSA-2017-3080.NASL description An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 119237 published 2018-11-27 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119237 title Virtuozzo 6 : tomcat6 / tomcat6-admin-webapps / etc (VZLSA-2017-3080) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-3080.NASL description From Red Hat Security Advisory 2017:3080 : An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. 
Security Fix(es) : * A vulnerability was discovered in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 104247 published 2017-10-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104247 title Oracle Linux 6 : tomcat6 (ELSA-2017-3080) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-2635.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 103041 published 2017-09-08 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/103041 title RHEL 6 : JBoss EAP (RHSA-2017:2635) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1809.NASL description An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 102012 published 2017-07-27 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102012 title RHEL 7 : tomcat (RHSA-2017:1809) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2017-1809.NASL description From Red Hat Security Advisory 2017:1809 : An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 102031 published 2017-07-28 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/102031 title Oracle Linux 7 : tomcat (ELSA-2017-1809) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-1801.NASL description An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in tomcat last seen 2020-05-09 modified 2018-08-29 plugin id 112177 published 2018-08-29 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/112177 title RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 1 (RHSA-2017:1801) NASL family Scientific Linux Local Security Checks NASL id SL_20171030_TOMCAT6_ON_SL6_X.NASL description Security Fix(es) : - A vulnerability was discovered in Tomcat last seen 2020-03-18 modified 2017-10-31 plugin id 104268 published 2017-10-31 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104268 title Scientific Linux Security Update : tomcat6 on SL6.x (noarch) (20171030) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2017-3080.NASL description An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 104256 published 2017-10-31 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104256 title CentOS 6 : tomcat6 (CESA-2017:3080) NASL family SuSE Local Security Checks NASL id OPENSUSE-2017-1299.NASL description This update for tomcat fixes the following issues : Security issues fixed : - CVE-2017-5664: A problem in handling error pages was fixed, to avoid potential file overwrites during error page handling. (bsc#1042910). 
- CVE-2017-7674: A CORS Filter issue could lead to client and server side cache poisoning (bsc#1053352) - CVE-2017-12617: A remote code execution possibility via JSP Upload was fixed (bsc#1059554) Non security bugs fixed : - Fix tomcat-digest classpath error (bsc#977410) - Fix packaged /etc/alternatives symlinks for api libs that caused rpm -V to report link mismatch (bsc#1019016) This update was imported from the SUSE:SLE-12-SP2:Update update project. last seen 2020-06-05 modified 2017-11-27 plugin id 104765 published 2017-11-27 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104765 title openSUSE Security Update : tomcat (openSUSE-2017-1299) NASL family CGI abuses NASL id MYSQL_ENTERPRISE_MONITOR_3_4_3_4225.NASL description According to its self-reported version, the MySQL Enterprise Monitor application running on the remote host is 3.2.x prior to 3.2.9.2249, 3.3.x prior to 3.3.5.3292, or 3.4.x prior to 3.4.3.4225. It is, therefore, affected by multiple vulnerabilities as noted in the October 2017 Critical Patch Update advisory. Please consult the CVRF details for the applicable CVEs for additional information. Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 103536 published 2017-09-28 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103536 title MySQL Enterprise Monitor 3.2.x < 3.2.9.2249 / 3.3.x < 3.3.5.3292 / 3.4.x < 3.4.3.4225 Multiple Vulnerabilities (October 2017 CPU) NASL family Misc. NASL id SYMANTEC_CONTENT_ANALYSIS_SYMSA1419.NASL description The version of Symantec Content Analysis running on the remote host is prior to version 2.3.5.1. 
It is, therefore, affected by multiple vulnerabilities: - A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. (CVE-2017-5647) - The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve the content of the file as if processing a GET request, regardless of the actual HTTP method. (CVE-2017-5664) last seen 2020-06-01 modified 2020-06-02 plugin id 125633 published 2019-05-31 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125633 title Symantec Content Analysis < 2.3.5.1 affected by Multiple Vulnerabilities (SYMSA1419) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0117_TOMCAT6.NASL description The remote NewStart CGSL host, running version MAIN 4.05, has tomcat6 packages installed that are affected by multiple vulnerabilities: - It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other than their own.
(CVE-2016-6816) - A vulnerability was discovered in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 127359 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127359 title NewStart CGSL MAIN 4.05 : tomcat6 Multiple Vulnerabilities (NS-SA-2019-0117) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-996.NASL description The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. For Debian 7 last seen 2020-03-17 modified 2017-06-21 plugin id 100941 published 2017-06-21 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100941 title Debian DLA-996-1 : tomcat7 security update NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-2637.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 
Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 103043 published 2017-09-08 reporter This script is Copyright (C) 2017-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/103043 title RHEL 5 : JBoss EAP (RHSA-2017:2637) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-853.NASL description Security constrained bypass in error page mechanism : A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 101270 published 2017-07-07 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/101270 title Amazon Linux AMI : tomcat7 (ALAS-2017-853) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-3080.NASL description An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * A vulnerability was discovered in Tomcat (advisory text truncated in this listing; it refers to the error page mechanism issue, CVE-2017-5664, summarised at the top of this page) last seen 2020-06-01 modified 2020-06-02 plugin id 104250 published 2017-10-30 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/104250 title RHEL 6 : tomcat6 (RHSA-2017:3080) NASL family Web Servers NASL id TOMCAT_8_5_15.NASL description According to its self-reported version number, the Apache Tomcat service running on the remote host is 7.0.x prior to 7.0.78, 8.0.x prior to 8.0.44, 8.5.x prior to 8.5.15, or 9.0.x prior to 9.0.0.M21. It is, therefore, affected by an implementation flaw in the error page reporting mechanism in which it does not conform to the Java Servlet Specification that requires static error pages to be processed as an HTTP GET request notwithstanding the HTTP request method that was originally used when the error occurred. Depending on the original request and the configuration of the Default Servlet, an unauthenticated, remote attacker can exploit this issue to replace or remove custom error pages. Note that replacement or removal of the error page is only possible when the Default Servlet is configured to permit writes; when assessing exposure, check that setting rather than relying on the version number alone. Note that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number. last seen 2020-03-18 modified 2017-06-08 plugin id 100681 published 2017-06-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/100681 title Apache Tomcat 7.0.x < 7.0.78 / 8.0.x < 8.0.44 / 8.5.x < 8.5.15 / 9.0.x < 9.0.0.M21 Remote Error Page Manipulation NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-2493.NASL description An update is now available for Red Hat JBoss Enterprise Web Server 2.1.2 for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Web Server 2.1.2 for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. This release provides an update to OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2.1.2. The updates are documented in the Release Notes document linked to in the References. Users of Red Hat JBoss Web Server 2.1.2 should upgrade to these updated packages, which resolve several security issues. Security Fix(es) : * A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304) * A vulnerability was discovered in tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 102692 published 2017-08-23 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/102692 title RHEL 6 / 7 : JBoss Web Server (RHSA-2017:2493) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2017-1192.NASL description According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. 
Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762) - It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018) - It was discovered that when a SecurityManager was configured, Tomcat last seen 2020-05-06 modified 2017-09-08 plugin id 103030 published 2017-09-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103030 title EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2017-1192) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-854.NASL description Security constrained bypass in error page mechanism : A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-06-01 modified 2020-06-02 plugin id 101271 published 2017-07-07 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/101271 title Amazon Linux AMI : tomcat8 (ALAS-2017-854) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-2638.NASL description An update for jboss-ec2-eap is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.17. 
Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645) * A vulnerability was discovered in the error page mechanism in Tomcat last seen 2020-05-09 modified 2017-09-08 plugin id 103044 published 2017-09-08 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103044 title RHEL 6 : jboss-ec2-eap (RHSA-2017:2638) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2017-2636.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. 
(CVE-2017-5645) * A vulnerability was discovered in the error page mechanism in Tomcat (advisory text truncated in this listing; see the CVE-2017-5664 summary at the top of this page) last seen 2020-06-01 modified 2020-06-02 plugin id 103042 published 2017-09-08 reporter This script is Copyright (C) 2017-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/103042 title RHEL 7 : JBoss EAP (RHSA-2017:2636) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-3892.NASL description Aniket Nandkishor Kulkarni discovered that in tomcat7, a servlet and JSP engine, static error pages used the original request's HTTP method instead of being served as a GET (advisory text truncated in this listing; see the CVE-2017-5664 summary at the top of this page) last seen 2020-06-01 modified 2020-06-02 plugin id 101009 published 2017-06-23 reporter This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101009 title Debian DSA-3892-1 : tomcat7 - security update NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-873.NASL description Security constrained bypass in error page mechanism : While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. (Labelled CVE-2017-5664 in the advisory, but note that this paragraph actually describes the facade-object issue, CVE-2017-5648, which is repeated in the next paragraph; the error page mechanism issue that CVE-2017-5664 refers to is the one summarised at the top of this page.) Calls to application listeners did not use the appropriate facade object : A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application.
(CVE-2017-5648) The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.(CVE-2017-7674) last seen 2020-06-01 modified 2020-06-02 plugin id 102547 published 2017-08-18 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/102547 title Amazon Linux AMI : tomcat7 (ALAS-2017-873) NASL family Fedora Local Security Checks NASL id FEDORA_2017-E4638A345C.NASL description This update includes a rebase from 8.0.43 up to 8.0.44 which resolves a single CVE along with various other bugs/features : - rhbz#1459160 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2017-07-03 plugin id 101185 published 2017-07-03 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/101185 title Fedora 24 : 1:tomcat (2017-e4638a345c) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3519-1.NASL description It was discovered that Tomcat incorrectly handled certain pipelined requests when sendfile was used. A remote attacker could use this issue to obtain wrong responses possibly containing sensitive information. (CVE-2017-5647) It was discovered that Tomcat incorrectly used the appropriate facade object. A malicious application could possibly use this to bypass Security Manager restrictions. (CVE-2017-5648) It was discovered that Tomcat incorrectly handled error pages. 
A remote attacker could possibly use this issue to replace or remove the custom error page. (CVE-2017-5664) It was discovered that Tomcat incorrectly handled the CORS filter. A remote attacker could possibly use this issue to perform cache poisoning. (CVE-2017-7674). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 105687 published 2018-01-09 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/105687 title Ubuntu 14.04 LTS / 16.04 LTS / 17.04 : tomcat7, tomcat8 vulnerabilities (USN-3519-1)
Redhat
Seebug
bulletinFamily | exploit |
description | ### Several recent Tomcat CVEs * CVE-2017-5664 Tomcat security constraint bypass (error page mechanism) * CVE-2017-12615 remote code execution vulnerability * CVE-2017-12616 information disclosure vulnerability ### Common ground All of these are related to how requests are routed between the JspServlet and the DefaultServlet. CVE-2017-12615 (remote code execution) has been analysed everywhere, while CVE-2017-12616, which leaks JSP source code, seems to have received little attention, so it is described briefly here. CVE-2017-12616 ### Requirements The target must mount a virtual directory using VirtualDirContext. Mounting virtual directories is a genuine but uncommon need, so the affected population is probably larger than the number of deployments with HTTP PUT enabled, but the issue is still of limited practical value. ### A brief analysis To disclose JSP source code, the request for the .jsp resource must be handled by the DefaultServlet rather than the JspServlet. Tomcat manages web resources (JSPs, static files, classes, etc.) through a JNDI-like directory context. By default, resources are managed by FileDirContext; a virtual directory mounted with VirtualDirContext is managed by VirtualDirContext instead. Using a request technique similar to CVE-2017-12615 (a path that is not mapped to the JspServlet) to access a resource in the virtual directory, the request is processed by the DefaultServlet, which obtains the .jsp file from the VirtualDirContext-managed resources via the doLookup method and returns its content directly, disclosing the source. Why does only the virtual directory have this vulnerability? Because a non-virtual directory is managed by FileDirContext by default, and FileDirContext contains a check method named file: `` protected File file(String name) { File file = new File(base, name); if (file.exists() && file.canRead()) { if (allowLinking) return file; // Check that this file belongs to our root path String canPath = null; try { canPath = file.
getCanonicalPath(); } catch (IOException e) { // Ignore } if (canPath == null) return null; // Check to see if going outside of the web application root if (!canPath.startsWith(absoluteBase)) { return null; } // Case sensitivity check - this is now always done String fileAbsPath = file.getAbsolutePath(); if (fileAbsPath.endsWith(".")) fileAbsPath = fileAbsPath + "/"; String absPath = normalize(fileAbsPath); canPath = normalize(canPath); if ((absoluteBase.length() < absPath.length()) && (absoluteBase.length() < canPath.length())) { absPath = absPath.substring(absoluteBase.length() + 1); if (absPath.equals("")) absPath = "/"; canPath = canPath.substring(absoluteBase.length() + 1); if (canPath.equals("")) canPath = "/"; if (!canPath.equals(absPath)) return null; } } else { return null; } return file; } `` This check does not by itself reject a URL such as /a.jsp/, but the DefaultServlet then separately rejects a trailing "/", so that form cannot be used against FileDirContext-managed resources. The fix in the patched versions is a small refactoring of this code: the checks from the method above were extracted into a validate method, and many VirtualDirContext methods were rewritten to call validate on the file being accessed. ### Exploitation As with CVE-2017-12615, the effect is that the JSP file's source code can be viewed. |
id | SSV:96562 |
last seen | 2017-11-19 |
modified | 2017-09-21 |
published | 2017-09-21 |
reporter | Root |
title | Tomcat information disclosure Vulnerability(CVE-2017-12616 )analysis |
References
- http://www.securityfocus.com/bid/98888
- http://www.securitytracker.com/id/1038641
- http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
- http://www.debian.org/security/2017/dsa-3892
- http://www.debian.org/security/2017/dsa-3891
- https://security.netapp.com/advisory/ntap-20171019-0002/
- https://access.redhat.com/errata/RHSA-2017:3080
- https://access.redhat.com/errata/RHSA-2017:2638
- https://access.redhat.com/errata/RHSA-2017:2637
- https://access.redhat.com/errata/RHSA-2017:2636
- https://access.redhat.com/errata/RHSA-2017:2635
- https://access.redhat.com/errata/RHSA-2017:2633
- https://access.redhat.com/errata/RHSA-2017:2494
- https://access.redhat.com/errata/RHSA-2017:2493
- https://access.redhat.com/errata/RHSA-2017:1809
- https://access.redhat.com/errata/RHSA-2017:1802
- https://access.redhat.com/errata/RHSA-2017:1801
- http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
- http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
- https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbux03828en_us
- http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://lists.apache.org/thread.html/a42c48e37398d76334e17089e43ccab945238b8b7896538478d76066%40%3Cannounce.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E