Vulnerabilities > CVE-2018-8034 - Improper Certificate Validation vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
NONE Confidentiality impact
HIGH Integrity impact
NONE Availability impact
NONE Summary
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Creating a Rogue Certificate Authority Certificate An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20190806_TOMCAT_ON_SL7_X.NASL description Security Fix(es) : - tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) - tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305) - tomcat: Insecure defaults in CORS filter enable last seen 2020-03-18 modified 2019-08-27 plugin id 128266 published 2019-08-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128266 title Scientific Linux Security Update : tomcat on SL7.x x86_64 (20190806) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(128266); script_version("1.3"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/24"); script_cve_id("CVE-2018-1304", "CVE-2018-1305", "CVE-2018-8014", "CVE-2018-8034"); script_name(english:"Scientific Linux Security Update : tomcat on SL7.x x86_64 (20190806)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "Security Fix(es) : - tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) - tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305) - tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014) - tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)" ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1908&L=SCIENTIFIC-LINUX-ERRATA&P=24724 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?2aa9ccdd" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"); script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-admin-webapps"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-docs-webapp"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-el-2.2-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-javadoc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-jsp-2.2-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-jsvc"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-lib"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-servlet-3.0-api"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-webapps"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2018/02/23"); script_set_attribute(attribute:"patch_publication_date", value:"2019/08/06"); script_set_attribute(attribute:"plugin_publication_date", value:"2019/08/27"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL7", reference:"tomcat-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"tomcat-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", reference:"tomcat-admin-webapps-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"tomcat-admin-webapps-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", reference:"tomcat-docs-webapp-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"tomcat-docs-webapp-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", reference:"tomcat-el-2.2-api-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"tomcat-el-2.2-api-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", reference:"tomcat-javadoc-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"tomcat-javadoc-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", reference:"tomcat-jsp-2.2-api-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"tomcat-jsp-2.2-api-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", reference:"tomcat-jsvc-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"tomcat-jsvc-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", reference:"tomcat-lib-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"tomcat-lib-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", reference:"tomcat-servlet-3.0-api-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"tomcat-servlet-3.0-api-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", reference:"tomcat-webapps-7.0.76-9.el7")) flag++; if (rpm_check(release:"SL7", cpu:"x86_64", reference:"tomcat-webapps-7.0.76-9.el7")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc"); }NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-1529.NASL description An update for the pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for the pki-core module by Red Hat Certificate System. Security Fix(es) : * tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up (CVE-2018-8037) * tomcat: Insecure defaults in CORS filter enable last seen 2020-05-23 modified 2019-06-19 plugin id 126030 published 2019-06-19 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/126030 title RHEL 8 : pki-deps:10.6 (RHSA-2019:1529) NASL family Web Servers NASL id TOMCAT_8_5_32.NASL description The version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.32. It is, therefore, affected by multiple vulnerabilities. last seen 2020-03-18 modified 2018-07-13 plugin id 111068 published 2018-07-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111068 title Apache Tomcat 8.5.0 < 8.5.32 Multiple Vulnerabilities NASL family Misc. NASL id SYMANTEC_CONTENT_ANALYSIS_SYMSA1463.NASL description The version of Symantec Content Analysis running on the remote host is prior to version 2.3.5.1. It is, therefore, affected by multiple vulnerabilities: - An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. (CVE-2018-1336) - When using an OCSP responder Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly handle invalid responses. This allowed for revoked client certificates to be incorrectly identified. It was therefore possible for users to authenticate with revoked certificates when using mutual TLS.(CVE-2018-8019) - Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. (CVE-2018-8020) - The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. (CVE-2018-8034) last seen 2020-06-01 modified 2020-06-02 plugin id 125550 published 2019-05-30 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125550 title Symantec Content Analysis < 2.3.5.1 affected by Multiple Vulnerabilities (SYMSA1463) NASL family CGI abuses NASL id ORACLE_PRIMAVERA_UNIFIER_CPU_APR_2019.NASL description According to its self-reported version number, the Oracle Primavera Unifier installation running on the remote web server is 16.x prior to 16.2.15.7 or 17.7.x prior to 17.12.10 or 18.x prior to 18.8.6. It is, therefore, affected by multiple vulnerabilities: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. (CVE-2016-1000031) - A denial of service (DoS) vulnerability exists in Apache HTTP Server 2.4.17 to 2.4.34, due to a design error. An unauthenticated, remote attacker can exploit this issue by sending continuous, large SETTINGS frames to cause a client to occupy a connection, server thread and CPU time without any connection timeout coming to effect. This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol. (CVE-2018-11763). - A deserialization vulnerability in jackson-databind, a fast and powerful JSON library for Java, allows an unauthenticated user to perform code execution. The issue was resolved by extending the blacklist and blocking more classes from polymorphic deserialization. (CVE-2018-19362) Note that Nessus has not tested for these issues but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 124170 published 2019-04-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124170 title Oracle Primavera Unifier Multiple Vulnerabilities (Apr 2019 CPU) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1129.NASL description This update for tomcat to version 9.0.10 fixes the following issues : Security issues fixed : - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters could have lead to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). Bug fixes : - Avoid overwriting of customer last seen 2020-06-05 modified 2018-10-09 plugin id 117983 published 2018-10-09 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117983 title openSUSE Security Update : tomcat (openSUSE-2018-1129) NASL family SuSE Local Security Checks NASL id OPENSUSE-2018-1019.NASL description This update for tomcat to 8.0.53 fixes the following issues : Security issue fixed : - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters could have lead to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). Bug fixes : - bsc#1067720: Avoid overwriting of customer last seen 2020-06-05 modified 2018-09-17 plugin id 117526 published 2018-09-17 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117526 title openSUSE Security Update : tomcat (openSUSE-2018-1019) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-1160.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.22 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.21, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934) * dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632) * jbossweb: tomcat: host name verification missing in WebSocket client (CVE-2018-8034) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 125034 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125034 title RHEL 6 : JBoss EAP (RHSA-2019:1160) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1055.NASL description The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable last seen 2020-06-01 modified 2020-06-02 plugin id 111610 published 2018-08-10 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111610 title Amazon Linux AMI : tomcat7 / tomcat80 (ALAS-2018-1055) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1453.NASL description The host name verification in Tomcat when using TLS with the WebSocket client was missing. It is now enabled by default. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 111394 published 2018-07-30 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111394 title Debian DLA-1453-1 : tomcat7 security update NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2020-1402.NASL description The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. (CVE-2018-8034) The URL pattern of last seen 2020-03-19 modified 2020-03-16 plugin id 134569 published 2020-03-16 reporter This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/134569 title Amazon Linux 2 : tomcat (ALAS-2020-1402) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2361.NASL description According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The URL pattern of last seen 2020-05-08 modified 2019-12-10 plugin id 131853 published 2019-12-10 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/131853 title EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2019-2361) NASL family CGI abuses NASL id JBOSS_EAP_RHSA-2019-1162.NASL description The version of Red Hat JBoss Enterprise Application Platform (EAP) installed on the remote host is 6.x prior to 6.4.22. It is therefore, affected my multiple vulnerabilities as referenced in the RHSA-2019:1162 advisory: - admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934) - dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632) - jbossweb: tomcat: host name verification missing in WebSocket client (CVE-2018-8034) Note that Nessus has not tested for this issue but has instead relied only on the application last seen 2020-06-01 modified 2020-06-02 plugin id 132311 published 2019-12-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132311 title Red Hat JBoss Enterprise Application Platform 6.x < 6.4.22 Multiple Vulnerabilities NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2019-1529.NASL description From Red Hat Security Advisory 2019:1529 : An update for the pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for the pki-core module by Red Hat Certificate System. Security Fix(es) : * tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up (CVE-2018-8037) * tomcat: Insecure defaults in CORS filter enable last seen 2020-06-01 modified 2020-06-02 plugin id 127594 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127594 title Oracle Linux 8 : pki-deps:10.6 (ELSA-2019-1529) NASL family Web Servers NASL id TOMCAT_9_0_9.NASL description The version of Apache Tomcat installed on the remote host is 9.0.x prior to 9.0.10. It is, therefore, affected by multiple vulnerabilities. A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.9 due to insecure default settings for the CORS filter (CVE-2018-8014). A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.10. Hostname validation was not enabled by default when using TLS with the WebSocket client (CVE-2018-8034). An information disclosure vulnerability exists in Apache Tomcat prior to version 9.0.10 due to a race condition. If an async request was completed by the application at the same time as the container triggered the async timeout, this could lead to a user being sent the response of another user (CVE-2018-8037). last seen 2020-03-18 modified 2018-07-24 plugin id 111069 published 2018-07-24 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111069 title Apache Tomcat 9.0.0 < 9.0.10 Multiple Vulnerabilites NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1992.NASL description According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The URL pattern of last seen 2020-05-08 modified 2019-09-24 plugin id 129186 published 2019-09-24 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/129186 title EulerOS 2.0 SP5 : tomcat (EulerOS-SA-2019-1992) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-0131.NASL description An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 5 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * tomcat: host name verification missing in WebSocket client (CVE-2018-8034) * tomcat: Open redirect in default servlet (CVE-2018-11784) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. last seen 2020-03-18 modified 2019-01-23 plugin id 121325 published 2019-01-23 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121325 title RHEL 6 / 7 : Red Hat JBoss Web Server 3.1 Service Pack 6 (RHSA-2019:0131) NASL family Web Servers NASL id TOMCAT_7_0_89.NASL description The version of Apache Tomcat installed on the remote host is at least 7.0.41 and prior to 7.0.90. It is, therefore, affected by multiple vulnerabilities. last seen 2020-03-18 modified 2018-07-24 plugin id 111066 published 2018-07-24 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111066 title Apache Tomcat 7.0.41 < 7.0.90 Multiple Vulnerabilities NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-1161.NASL description An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.22 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.21, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * admin-cli: wildfly-core: Cross-site scripting (XSS) in JBoss Management Console (CVE-2018-10934) * dom4j: XML Injection in Class: Element. Methods: addElement, addAttribute which can impact the integrity of XML documents (CVE-2018-1000632) * jbossweb: tomcat: host name verification missing in WebSocket client (CVE-2018-8034) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. All users of Red Hat JBoss Enterprise Application Platform 6.4 on Red Hat Enterprise Linux 7 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect. last seen 2020-06-01 modified 2020-06-02 plugin id 125035 published 2019-05-14 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/125035 title RHEL 7 : JBoss EAP (RHSA-2019:1161) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-0451.NASL description An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and Red Hat JBoss Web Server 5.0 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.0 Service Pack 2 serves as a replacement for Red Hat JBoss Web Server 5.0 Service Pack 1, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * tomcat: Insecure defaults in CORS filter enable last seen 2020-06-01 modified 2020-06-02 plugin id 122606 published 2019-03-05 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/122606 title RHEL 6 / 7 : Red Hat JBoss Web Server 5.0 Service Pack 2 (RHSA-2019:0451) NASL family Databases NASL id ORACLE_RDBMS_CPU_OCT_2019.NASL description The remote Oracle Database Server is missing the October 2019 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities : - An unspecified vulnerability in the Java VM component of Oracle Database Server, which could allow an unauthenticated, remote attacker to manipulate Java VM accessible data. (CVE-2019-2909) - An unspecified vulnerability in the Core RDBMS (jackson-databind) component of Oracle Database Server, which could allow an authenticated, remote attacker to cause a denial of serivce of Core RDBMS. (CVE-2019-2956) - An unspecified vulnerability in the Core RDBMS component of Oracle Database Server, which could allow an authenticated, remote attacker to read a subset of Core RDBMS accessible data. (CVE-2019-2913) It is also affected by additional vulnerabilities; see the vendor advisory for more information. last seen 2020-06-02 modified 2019-10-18 plugin id 130058 published 2019-10-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/130058 title Oracle Database Server Multiple Vulnerabilities (Oct 2019 CPU) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2019-2205.NASL description An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305) * tomcat: Insecure defaults in CORS filter enable last seen 2020-06-01 modified 2020-06-02 plugin id 127697 published 2019-08-12 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127697 title RHEL 7 : tomcat (RHSA-2019:2205) NASL family Web Servers NASL id TOMCAT_8_0_53.NASL description The version of Apache Tomcat installed on the remote host is 8.0.x prior to 8.0.53. It is, therefore, affected by multiple vulnerabilities. last seen 2020-03-18 modified 2018-07-13 plugin id 111067 published 2018-07-13 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111067 title Apache Tomcat 8.0.0 < 8.0.53 Security Constraint Weakness NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2019-2205.NASL description An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304) * tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305) * tomcat: Insecure defaults in CORS filter enable last seen 2020-06-01 modified 2020-06-02 plugin id 128376 published 2019-08-30 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/128376 title CentOS 7 : tomcat (CESA-2019:2205) NASL family SuSE Local Security Checks NASL id OPENSUSE-2019-770.NASL description This update for tomcat to version 9.0.10 fixes the following issues : Security issues fixed : - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters could have lead to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). Bug fixes : - Avoid overwriting of customer last seen 2020-06-01 modified 2020-06-02 plugin id 123330 published 2019-03-27 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123330 title openSUSE Security Update : tomcat (openSUSE-2019-770) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-3723-1.NASL description It was discovered that Tomcat incorrectly handled decoding certain UTF-8 strings. A remote attacker could possibly use this issue to cause Tomcat to crash, resulting in a denial of service. (CVE-2018-1336) It was discovered that the Tomcat WebSocket client incorrectly performed hostname verification. A remote attacker could possibly use this issue to intercept sensitive information. (CVE-2018-8034). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 111349 published 2018-07-26 reporter Ubuntu Security Notice (C) 2018-2019 Canonical, Inc. / NASL script (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111349 title Ubuntu 14.04 LTS / 16.04 LTS : tomcat7, tomcat8 vulnerabilities (USN-3723-1) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1491.NASL description Two security issues have been discovered in the Tomcat servlet and JSP engine. CVE-2018-1336 An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. CVE-2018-8034 The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. For Debian 8 last seen 2020-06-01 modified 2020-06-02 plugin id 112230 published 2018-09-04 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112230 title Debian DLA-1491-1 : tomcat8 security update NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-2675.NASL description According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.(CVE-2018-1305) - The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.(CVE-2018-8034) - The URL pattern of last seen 2020-05-08 modified 2019-12-18 plugin id 132210 published 2019-12-18 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/132210 title EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2019-2675) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-4281.NASL description Several issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak. last seen 2020-06-01 modified 2020-06-02 plugin id 112185 published 2018-08-30 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/112185 title Debian DSA-4281-1 : tomcat8 - security update NASL family CGI abuses NASL id ORACLE_PRIMAVERA_P6_EPPM_CPU_APR_2019.NASL description According to its self-reported version number, the Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) installation running on the remote web server is 8.4 prior to 8.4.15.10, 15.x prior to 15.2.18.4, 16.x prior to 16.2.17.2, 17.x prior to 17.12.12.0, or 18.x prior to 18.8.8.0. It is, therefore, affected by multiple vulnerabilities: - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution. (CVE-2016-1000031) - A denial of service vulnerability in the bundled third-party component OpenSSL library last seen 2020-06-01 modified 2020-06-02 plugin id 124169 published 2019-04-19 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/124169 title Oracle Primavera P6 Enterprise Project Portfolio Management (EPPM) Multiple Vulnerabilities (Apr 2019 CPU) NASL family Fedora Local Security Checks NASL id FEDORA_2018-B1832101B8.NASL description This update includes a rebase from 8.5.30 up to 8.5.32 which resolves two CVEs along with various other bugs/features : - rhbz#1579612 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable last seen 2020-06-05 modified 2019-01-03 plugin id 120717 published 2019-01-03 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/120717 title Fedora 28 : 1:tomcat (2018-b1832101b8) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1056.NASL description The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable last seen 2020-06-01 modified 2020-06-02 plugin id 111611 published 2018-08-10 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/111611 title Amazon Linux AMI : tomcat8 (ALAS-2018-1056)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
The Hacker News
| id | THN:D761F7EF41472ED13C52BD3AF1E1F9BA |
| last seen | 2018-07-24 |
| modified | 2018-07-24 |
| published | 2018-07-24 |
| reporter | The Hacker News |
| source | https://thehackernews.com/2018/07/apache-tomcat-server.html |
| title | Apache Tomcat Patches Important Security Vulnerabilities |
References
- https://usn.ubuntu.com/3723-1/
- https://lists.debian.org/debian-lts-announce/2018/07/msg00047.html
- http://www.securitytracker.com/id/1041374
- http://www.securityfocus.com/bid/104895
- https://security.netapp.com/advisory/ntap-20180817-0001/
- https://www.debian.org/security/2018/dsa-4281
- https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- https://access.redhat.com/errata/RHSA-2019:0131
- https://access.redhat.com/errata/RHSA-2019:0130
- https://access.redhat.com/errata/RHSA-2019:0451
- https://access.redhat.com/errata/RHSA-2019:0450
- https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
- https://access.redhat.com/errata/RHSA-2019:1162
- https://access.redhat.com/errata/RHSA-2019:1161
- https://access.redhat.com/errata/RHSA-2019:1160
- https://access.redhat.com/errata/RHSA-2019:1159
- https://access.redhat.com/errata/RHSA-2019:1529
- https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
- https://access.redhat.com/errata/RHSA-2019:2205
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://access.redhat.com/errata/RHSA-2019:3892
- https://www.oracle.com/security-alerts/cpuapr2020.html
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283%40minotaur.apache.org%3E
- https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4%40%3Cissues.activemq.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E