nessus
via4
NASL family | CGI abuses | NASL id | MYSQL_ENTERPRISE_MONITOR_3_1_5_7958.NASL | description | According to its self-reported version, the MySQL Enterprise Monitor
application running on the remote host is 3.1.x prior to 3.1.5.7958.
It is, therefore, affected by multiple vulnerabilities :
- An information disclosure vulnerability exists in the
bundled version of Apache Tomcat in the Manager and Host
Manager web applications due to a flaw in the index page
when issuing redirects in response to unauthenticated
requests for the root directory of the application. An
authenticated, remote attacker can exploit this to gain
access to the XSRF token information stored in the index
page. (CVE-2015-5351)
- A remote code execution vulnerability exists in the
Framework subcomponent that allows an authenticated,
remote attacker to execute arbitrary code.
(CVE-2016-0635)
- An information disclosure vulnerability exists in the
bundled version of Apache Tomcat that allows a specially
crafted web application to load the
StatusManagerServlet. An authenticated, remote attacker
can exploit this to gain unauthorized access to a list
of all deployed applications and a list of the HTTP
request lines for all requests currently being
processed. (CVE-2016-0706)
- A remote code execution vulnerability exists in the
bundled version of Apache Tomcat due to a flaw in the
StandardManager, PersistentManager, and cluster
implementations that is triggered when handling
persistent sessions. An authenticated, remote attacker
can exploit this, via a crafted object in a session, to
bypass the security manager and execute arbitrary code.
(CVE-2016-0714)
- A security bypass vulnerability exists in the bundled
version of Apache Tomcat due to a failure to consider
whether ResourceLinkFactory.setGlobalContext callers are
authorized. An authenticated, remote attacker can
exploit this, via a web application that sets a crafted
global context, to bypass intended SecurityManager
restrictions and read or write to arbitrary application
data or cause a denial of service condition.
(CVE-2016-0763)
- Multiple integer overflow conditions exist in the
bundled version of OpenSSL in s3_srvr.c, ssl_sess.c, and
t1_lib.c due to improper use of pointer arithmetic for
heap-buffer boundary checks. An unauthenticated, remote
attacker can exploit this to cause a denial of service.
(CVE-2016-2177)
- An information disclosure vulnerability exists in the
bundled version of OpenSSL in the dsa_sign_setup()
function in dsa_ossl.c due to a failure to properly
ensure the use of constant-time operations. An
unauthenticated, remote attacker can exploit this, via a
timing side-channel attack, to disclose DSA key
information. (CVE-2016-2178)
- A denial of service vulnerability exists in the bundled
version of OpenSSL in the DTLS implementation due to a
failure to properly restrict the lifetime of queue
entries associated with unused out-of-order messages. An
unauthenticated, remote attacker can exploit this, by
maintaining multiple crafted DTLS sessions
simultaneously, to exhaust memory. (CVE-2016-2179)
- An out-of-bounds read error exists in the bundled
version of OpenSSL in the X.509 Public Key
Infrastructure Time-Stamp Protocol (TSP) implementation.
An unauthenticated, remote attacker can exploit this,
via a crafted time-stamp file that is mishandled by the
'openssl ts' command, to cause denial of service or to
disclose sensitive information. (CVE-2016-2180)
- A denial of service vulnerability exists in the bundled
version of OpenSSL in the Anti-Replay feature in the
DTLS implementation due to improper handling of epoch
sequence numbers in records. An unauthenticated, remote
attacker can exploit this, via spoofed DTLS records, to
cause legitimate packets to be dropped. (CVE-2016-2181)
- An overflow condition exists in the bundled version of
OpenSSL in the BN_bn2dec() function in bn_print.c due to
improper validation of user-supplied input when handling
BIGNUM values. An unauthenticated, remote attacker can
exploit this to crash the process. (CVE-2016-2182)
- A vulnerability exists, known as SWEET32, in the bundled
version of OpenSSL in the 3DES and Blowfish algorithms
due to the use of weak 64-bit block ciphers by default.
A man-in-the-middle attacker who has sufficient
resources can exploit this vulnerability, via a
'birthday' attack, to detect a collision that leaks the
XOR between the fixed secret and a known plaintext,
allowing the disclosure of the secret text, such as
secure HTTPS cookies, and possibly resulting in the
hijacking of an authenticated session. (CVE-2016-2183)
- A flaw exists in the bundled version of OpenSSL in the
tls_decrypt_ticket() function in t1_lib.c due to
improper handling of ticket HMAC digests. An
unauthenticated, remote attacker can exploit this, via a
ticket that is too short, to crash the process,
resulting in a denial of service. (CVE-2016-6302)
- An integer overflow condition exists in the bundled
version of OpenSSL in the MDC2_Update() function in
mdc2dgst.c due to improper validation of user-supplied
input. An unauthenticated, remote attacker can exploit
this to cause a heap-based buffer overflow, resulting in
a denial of service condition or possibly the execution
of arbitrary code. (CVE-2016-6303)
- A denial of service vulnerability exists in the bundled
version of OpenSSL in the ssl_parse_clienthello_tlsext()
function in t1_lib.c due to improper handling of overly
large OCSP Status Request extensions from clients. An
unauthenticated, remote attacker can exploit this, via
large OCSP Status Request extensions, to exhaust memory
resources. (CVE-2016-6304)
- An out-of-bounds read error exists in the bundled
version of OpenSSL in the certificate parser that allows
an unauthenticated, remote attacker to cause a denial of
service via crafted certificate operations.
(CVE-2016-6306) | last seen | 2019-01-16 | modified | 2018-06-14 | plugin id | 96767 | published | 2017-01-25 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=96767 | title | MySQL Enterprise Monitor 3.1.x < 3.1.5.7958 Multiple Vulnerabilities (SWEET32) (January 2017 CPU) |
NASL family | FreeBSD Local Security Checks | NASL id | FREEBSD_PKG_7BBC3016DE6311E58FA814DAE9D210B8.NASL | description | Mark Thomas reports :
- CVE-2015-5346 Apache Tomcat Session fixation
- CVE-2015-5351 Apache Tomcat CSRF token leak
- CVE-2016-0763 Apache Tomcat Security Manager Bypass | last seen | 2018-11-13 | modified | 2018-11-10 | plugin id | 89010 | published | 2016-02-29 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=89010 | title | FreeBSD : tomcat -- multiple vulnerabilities (7bbc3016-de63-11e5-8fa8-14dae9d210b8) |
NASL family | Web Servers | NASL id | TOMCAT_XSRF_TOKEN_DISCLOSURE.NASL | description | The remote Apache Tomcat web server is affected by an information
disclosure vulnerability in the index page of the Manager and Host
Manager applications. An unauthenticated, remote attacker can exploit
this vulnerability to obtain a valid cross-site request forgery (XSRF)
token during the redirect issued when requesting /manager/ or
/host-manager/. This token can be utilized by an attacker to construct
an XSRF attack.
Note that there are reportedly several additional vulnerabilities;
however, Nessus has not tested for these. | last seen | 2019-01-16 | modified | 2018-11-15 | plugin id | 90318 | published | 2016-04-05 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=90318 | title | Apache Tomcat XSRF Token Disclosure |
NASL family | Debian Local Security Checks | NASL id | DEBIAN_DSA-3530.NASL | description | Multiple security vulnerabilities have been fixed in the Tomcat
servlet and JSP engine, which may result on bypass of security manager
restrictions, information disclosure, denial of service or session
fixation. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 90205 | published | 2016-03-28 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=90205 | title | Debian DSA-3530-1 : tomcat6 - security update |
NASL family | Gentoo Local Security Checks | NASL id | GENTOO_GLSA-201705-09.NASL | description | The remote host is affected by the vulnerability described in GLSA-201705-09
(Apache Tomcat: Multiple vulnerabilities)
Multiple vulnerabilities have been discovered in Tomcat. Please review
the CVE identifiers referenced below for details.
Impact :
A remote attacker may be able to cause a Denial of Service condition,
obtain sensitive information, bypass protection mechanisms and
authentication restrictions.
A local attacker, who is a tomcat’s system user or belongs to
tomcat’s group, could potentially escalate privileges.
Workaround :
There is no known workaround at this time. | last seen | 2019-01-16 | modified | 2018-01-26 | plugin id | 100262 | published | 2017-05-18 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=100262 | title | GLSA-201705-09 : Apache Tomcat: Multiple vulnerabilities |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-1088.NASL | description | Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise
Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the
Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat
Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and
the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement
for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and
enhancements, which are documented in the Release Notes
linked to in the References.
Security Fix(es) :
* A session fixation flaw was found in the way Tomcat recycled the
requestedSessionSSL field. If at least one web application was
configured to use the SSL session ID as the HTTP session ID, an
attacker could reuse a previously used session ID for further
requests. (CVE-2015-5346)
* A CSRF flaw was found in Tomcat's index pages for the Manager
and Host Manager applications. These applications included a valid
CSRF token when issuing a redirect as a result of an unauthenticated
request to the root of the web application. This token could then be
used by an attacker to perform a CSRF attack. (CVE-2015-5351)
* It was found that several Tomcat session persistence mechanisms
could allow a remote, authenticated user to bypass intended
SecurityManager restrictions and execute arbitrary code in a
privileged context via a web application that placed a crafted object
in a session. (CVE-2016-0714)
* A security manager bypass flaw was found in Tomcat that could allow
remote, authenticated users to access arbitrary application data,
potentially resulting in a denial of service. (CVE-2016-0763)
* It was found that Tomcat could reveal the presence of a directory
even when that directory was protected by a security constraint. A
user could make a request to a directory via a URL not ending with a
slash and, depending on whether Tomcat redirected that request, could
confirm whether that directory existed. (CVE-2015-5345)
* It was found that Tomcat allowed the StatusManagerServlet to be
loaded by a web application when a security manager was configured.
This allowed a web application to list all deployed web applications
and expose sensitive information such as session IDs. (CVE-2016-0706) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 91246 | published | 2016-05-19 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=91246 | title | RHEL 7 : JBoss Web Server (RHSA-2016:1088) |
NASL family | Huawei Local Security Checks | NASL id | EULEROS_SA-2016-1054.NASL | description | According to the versions of the tomcat packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- Directory traversal vulnerability in RequestUtil.java
in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65,
and 8.x before 8.0.27 allows remote authenticated users
to bypass intended SecurityManager restrictions and
list a parent directory via a /.. (slash dot dot) in a
pathname used by a web application in a getResource,
getResourceAsStream, or getResourcePaths call, as
demonstrated by the $CATALINA_BASE/webapps
directory.(CVE-2015-5174)
- The Mapper component in Apache Tomcat 6.x before
6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x
before 9.0.0.M2 processes redirects before considering
security constraints and Filters, which allows remote
attackers to determine the existence of a directory via
a URL that lacks a trailing / (slash)
character.(CVE-2015-5345)
- The (1) Manager and (2) Host Manager applications in
Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and
9.x before 9.0.0.M2 establish sessions and send CSRF
tokens for arbitrary new requests, which allows remote
attackers to bypass a CSRF protection mechanism by
using a token.(CVE-2015-5351)
- Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x
before 8.0.31, and 9.x before 9.0.0.M2 does not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/RestrictedServlets.properties
list, which allows remote authenticated users to bypass
intended SecurityManager restrictions and read
arbitrary HTTP requests, and consequently discover
session ID values, via a crafted web
application.(CVE-2016-0706)
- The session-persistence implementation in Apache Tomcat
6.x before 6.0.45, 7.x before 7.0.68, 8.x before
8.0.31, and 9.x before 9.0.0.M2 mishandles session
attributes, which allows remote authenticated users to
bypass intended SecurityManager restrictions and
execute arbitrary code in a privileged context via a
web application that places a crafted object in a
session.(CVE-2016-0714)
- The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in
Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and
9.x before 9.0.0.M3 does not consider whether
ResourceLinkFactory.setGlobalContext callers are
authorized, which allows remote authenticated users to
bypass intended SecurityManager restrictions and read
or write to arbitrary application data, or cause a
denial of service (application disruption), via a web
application that sets a crafted global
context.(CVE-2016-0763)
- The MultipartStream class in Apache Commons Fileupload
before 1.3.2, as used in Apache Tomcat 7.x before
7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x
before 9.0.0.M7 and other products, allows remote
attackers to cause a denial of service (CPU
consumption) via a long boundary string.(CVE-2016-3092)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-11-14 | plugin id | 99816 | published | 2017-05-01 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=99816 | title | EulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1054) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-2599.NASL | description | An update for tomcat is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Apache Tomcat is a servlet container for the Java Servlet and
JavaServer Pages (JSP) technologies.
The following packages have been upgraded to a newer upstream version:
tomcat (7.0.69). (BZ#1287928)
Security Fix(es) :
* A CSRF flaw was found in Tomcat's index pages for the Manager
and Host Manager applications. These applications included a valid
CSRF token when issuing a redirect as a result of an unauthenticated
request to the root of the web application. This token could then be
used by an attacker to perform a CSRF attack. (CVE-2015-5351)
* It was found that several Tomcat session persistence mechanisms
could allow a remote, authenticated user to bypass intended
SecurityManager restrictions and execute arbitrary code in a
privileged context via a web application that placed a crafted object
in a session. (CVE-2016-0714)
* A security manager bypass flaw was found in Tomcat that could allow
remote, authenticated users to access arbitrary application data,
potentially resulting in a denial of service. (CVE-2016-0763)
* A denial of service vulnerability was identified in Commons
FileUpload that occurred when the length of the multipart boundary was
just below the size of the buffer (4096 bytes) used to read the
uploaded file if the boundary was the typical tens of bytes long.
(CVE-2016-3092)
* A directory traversal flaw was found in Tomcat's RequestUtil.java. A
remote, authenticated user could use this flaw to bypass intended
SecurityManager restrictions and list a parent directory via a '/..'
in a pathname used by a web application in a getResource,
getResourceAsStream, or getResourcePaths call. (CVE-2015-5174)
* It was found that Tomcat could reveal the presence of a directory
even when that directory was protected by a security constraint. A
user could make a request to a directory via a URL not ending with a
slash and, depending on whether Tomcat redirected that request, could
confirm whether that directory existed. (CVE-2015-5345)
* It was found that Tomcat allowed the StatusManagerServlet to be
loaded by a web application when a security manager was configured.
This allowed a web application to list all deployed web applications
and expose sensitive information such as session IDs. (CVE-2016-0706)
Additional Changes :
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 94562 | published | 2016-11-04 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94562 | title | RHEL 7 : tomcat (RHSA-2016:2599) |
NASL family | CentOS Local Security Checks | NASL id | CENTOS_RHSA-2016-2599.NASL | description | An update for tomcat is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Apache Tomcat is a servlet container for the Java Servlet and
JavaServer Pages (JSP) technologies.
The following packages have been upgraded to a newer upstream version:
tomcat (7.0.69). (BZ#1287928)
Security Fix(es) :
* A CSRF flaw was found in Tomcat's index pages for the Manager
and Host Manager applications. These applications included a valid
CSRF token when issuing a redirect as a result of an unauthenticated
request to the root of the web application. This token could then be
used by an attacker to perform a CSRF attack. (CVE-2015-5351)
* It was found that several Tomcat session persistence mechanisms
could allow a remote, authenticated user to bypass intended
SecurityManager restrictions and execute arbitrary code in a
privileged context via a web application that placed a crafted object
in a session. (CVE-2016-0714)
* A security manager bypass flaw was found in Tomcat that could allow
remote, authenticated users to access arbitrary application data,
potentially resulting in a denial of service. (CVE-2016-0763)
* A denial of service vulnerability was identified in Commons
FileUpload that occurred when the length of the multipart boundary was
just below the size of the buffer (4096 bytes) used to read the
uploaded file if the boundary was the typical tens of bytes long.
(CVE-2016-3092)
* A directory traversal flaw was found in Tomcat's RequestUtil.java. A
remote, authenticated user could use this flaw to bypass intended
SecurityManager restrictions and list a parent directory via a '/..'
in a pathname used by a web application in a getResource,
getResourceAsStream, or getResourcePaths call. (CVE-2015-5174)
* It was found that Tomcat could reveal the presence of a directory
even when that directory was protected by a security constraint. A
user could make a request to a directory via a URL not ending with a
slash and, depending on whether Tomcat redirected that request, could
confirm whether that directory existed. (CVE-2015-5345)
* It was found that Tomcat allowed the StatusManagerServlet to be
loaded by a web application when a security manager was configured.
This allowed a web application to list all deployed web applications
and expose sensitive information such as session IDs. (CVE-2016-0706)
Additional Changes :
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 95345 | published | 2016-11-28 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95345 | title | CentOS 7 : tomcat (CESA-2016:2599) |
NASL family | Scientific Linux Local Security Checks | NASL id | SL_20161103_TOMCAT_ON_SL7_X.NASL | description | The following packages have been upgraded to a newer upstream version:
tomcat (7.0.69).
Security Fix(es) :
- A CSRF flaw was found in Tomcat's index pages for
the Manager and Host Manager applications. These
applications included a valid CSRF token when issuing a
redirect as a result of an unauthenticated request to
the root of the web application. This token could then
be used by an attacker to perform a CSRF attack.
(CVE-2015-5351)
- It was found that several Tomcat session persistence
mechanisms could allow a remote, authenticated user to
bypass intended SecurityManager restrictions and execute
arbitrary code in a privileged context via a web
application that placed a crafted object in a session.
(CVE-2016-0714)
- A security manager bypass flaw was found in Tomcat that
could allow remote, authenticated users to access
arbitrary application data, potentially resulting in a
denial of service. (CVE-2016-0763)
- A denial of service vulnerability was identified in
Commons FileUpload that occurred when the length of the
multipart boundary was just below the size of the buffer
(4096 bytes) used to read the uploaded file if the
boundary was the typical tens of bytes long.
(CVE-2016-3092)
- A directory traversal flaw was found in Tomcat's
RequestUtil.java. A remote, authenticated user could use
this flaw to bypass intended SecurityManager
restrictions and list a parent directory via a '/..' in
a pathname used by a web application in a getResource,
getResourceAsStream, or getResourcePaths call.
(CVE-2015-5174)
- It was found that Tomcat could reveal the presence of a
directory even when that directory was protected by a
security constraint. A user could make a request to a
directory via a URL not ending with a slash and,
depending on whether Tomcat redirected that request,
could confirm whether that directory existed.
(CVE-2015-5345)
- It was found that Tomcat allowed the
StatusManagerServlet to be loaded by a web application
when a security manager was configured. This allowed a
web application to list all deployed web applications
and expose sensitive information such as session IDs.
(CVE-2016-0706)
Additional Changes : | last seen | 2019-01-16 | modified | 2018-12-28 | plugin id | 95863 | published | 2016-12-15 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95863 | title | Scientific Linux Security Update : tomcat on SL7.x (noarch) |
NASL family | SuSE Local Security Checks | NASL id | OPENSUSE-2016-384.NASL | description | This update for tomcat fixes the following issues :
Tomcat 8 was updated from 8.0.23 to 8.0.32, to fix bugs and security
issues.
Fixed security issues :
- CVE-2015-5174: Directory traversal vulnerability in
RequestUtil.java in Apache Tomcat allowed remote
authenticated users to bypass intended SecurityManager
restrictions and list a parent directory via a /..
(slash dot dot) in a pathname used by a web application
in a getResource, getResourceAsStream, or
getResourcePaths call, as demonstrated by the
$CATALINA_BASE/webapps directory. (bsc#967967)
- CVE-2015-5346: Session fixation vulnerability in Apache
Tomcat when different session settings are used for
deployments of multiple versions of the same web
application, might have allowed remote attackers to
hijack web sessions by leveraging use of a
requestedSessionSSL field for an unintended request,
related to CoyoteAdapter.java and Request.java.
(bsc#967814)
- CVE-2015-5345: The Mapper component in Apache Tomcat
processes redirects before considering security
constraints and Filters, which allowed remote attackers
to determine the existence of a directory via a URL that
lacks a trailing / (slash) character. (bsc#967965)
- CVE-2015-5351: The (1) Manager and (2) Host Manager
applications in Apache Tomcat established sessions and
sent CSRF tokens for arbitrary new requests, which
allowed remote attackers to bypass a CSRF protection
mechanism by using a token. (bsc#967812)
- CVE-2016-0706: Apache Tomcat did not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/RestrictedServlets.properties
list, which allowed remote authenticated users to bypass
intended SecurityManager restrictions and read arbitrary
HTTP requests, and consequently discover session ID
values, via a crafted web application. (bsc#967815)
- CVE-2016-0714: The session-persistence implementation in
Apache Tomcat mishandled session attributes, which
allowed remote authenticated users to bypass intended
SecurityManager restrictions and execute arbitrary code
in a privileged context via a web application that
places a crafted object in a session. (bsc#967964)
- CVE-2016-0763: The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in
Apache Tomcat did not consider whether
ResourceLinkFactory.setGlobalContext callers are
authorized, which allowed remote authenticated users to
bypass intended SecurityManager restrictions and read or
write to arbitrary application data, or cause a denial
of service (application disruption), via a web
application that sets a crafted global context.
(bsc#967966)
The full changes can be read on:
http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
This update was imported from the SUSE:SLE-12-SP1:Update update
project. | last seen | 2019-01-16 | modified | 2016-11-04 | plugin id | 90136 | published | 2016-03-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=90136 | title | openSUSE Security Update : tomcat (openSUSE-2016-384) |
NASL family | Ubuntu Local Security Checks | NASL id | UBUNTU_USN-3024-1.NASL | description | It was discovered that Tomcat incorrectly handled pathnames used by
web applications in a getResource, getResourceAsStream, or
getResourcePaths call. A remote attacker could use this issue to
possibly list a parent directory. This issue only affected Ubuntu
12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5174)
It was discovered that the Tomcat mapper component incorrectly handled
redirects. A remote attacker could use this issue to determine the
existence of a directory. This issue only affected Ubuntu 12.04 LTS,
Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5345)
It was discovered that Tomcat incorrectly handled different session
settings when multiple versions of the same web application were
deployed. A remote attacker could possibly use this issue to hijack
web sessions. This issue only affected Ubuntu 14.04 LTS and Ubuntu
15.10. (CVE-2015-5346)
It was discovered that the Tomcat Manager and Host Manager
applications incorrectly handled new requests. A remote attacker could
possibly use this issue to bypass CSRF protection mechanisms. This
issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5351)
It was discovered that Tomcat did not place StatusManagerServlet on
the RestrictedServlets list. A remote attacker could possibly use this
issue to read arbitrary HTTP requests, including session ID values.
This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu
15.10. (CVE-2016-0706)
It was discovered that the Tomcat session-persistence implementation
incorrectly handled session attributes. A remote attacker could
possibly use this issue to execute arbitrary code in a privileged
context. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS
and Ubuntu 15.10. (CVE-2016-0714)
It was discovered that the Tomcat setGlobalContext method incorrectly
checked if callers were authorized. A remote attacker could possibly
use this issue to read or write to arbitrary application data, or cause
a denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu
14.04 LTS and Ubuntu 15.10. (CVE-2016-0763)
It was discovered that the Tomcat Fileupload library incorrectly
handled certain upload requests. A remote attacker could possibly use
this issue to cause a denial of service. (CVE-2016-3092)
Note that Tenable Network Security has extracted the preceding
description block directly from the Ubuntu security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues. | last seen | 2019-01-16 | modified | 2018-12-01 | plugin id | 91954 | published | 2016-07-06 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=91954 | title | Ubuntu 12.04 LTS / 14.04 LTS / 15.10 / 16.04 LTS : tomcat6, tomcat7 vulnerabilities (USN-3024-1) |
NASL family | Web Servers | NASL id | TOMCAT_7_0_68.NASL | description | According to its self-reported version number, the Apache Tomcat
service running on the remote host is 7.0.x prior to 7.0.68. It is,
therefore, affected by multiple vulnerabilities :
- An information disclosure vulnerability exists due to
a failure to enforce access restrictions when handling
directory requests that are missing trailing slashes. An
unauthenticated, remote attacker can exploit this to
enumerate valid directories. (CVE-2015-5345)
- An information disclosure vulnerability exists in the
Manager and Host Manager web applications due to a flaw
in the index page when issuing redirects in response to
unauthenticated requests for the root directory of the
application. An unauthenticated, remote attacker can
exploit this to gain access to the XSRF token
information stored in the index page. Note that the
Apache Tomcat advisory does not list Tomcat version
7.0.0 as affected by this vulnerability. (CVE-2015-5351)
- An information disclosure vulnerability exists that
allows a specially crafted web application to load the
StatusManagerServlet. An attacker can exploit this to
gain unauthorized access to a list of all deployed
applications and a list of the HTTP request lines for
all requests currently being processed. (CVE-2016-0706)
- A security bypass vulnerability exists due to a flaw
in the StandardManager, PersistentManager, and cluster
implementations that is triggered when handling
persistent sessions. An unauthenticated, remote attacker
can exploit this, via a crafted object in a session, to
bypass the security manager and execute arbitrary code.
(CVE-2016-0714)
- A flaw exists due to the setGlobalContext() method of
ResourceLinkFactory being accessible to web applications
even when run under a security manager. An
unauthenticated, remote attacker can exploit this to
inject malicious global context, allowing data owned by
other web applications to be read or written to.
(CVE-2016-0763)
Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number. | last seen | 2019-01-16 | modified | 2018-08-01 | plugin id | 88936 | published | 2016-02-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=88936 | title | Apache Tomcat 7.0.x < 7.0.68 Multiple Vulnerabilities |
NASL family | CGI abuses | NASL id | MYSQL_ENTERPRISE_MONITOR_3_2_2_1075.NASL | description | According to its self-reported version, the MySQL Enterprise Monitor
application running on the remote host is 3.2.x prior to 3.2.2.1075.
It is, therefore, affected by multiple vulnerabilities :
- An information disclosure vulnerability exists in the
bundled version of Apache Tomcat in the Manager and Host
Manager web applications due to a flaw in the index page
when issuing redirects in response to unauthenticated
requests for the root directory of the application. An
authenticated, remote attacker can exploit this to gain
access to the XSRF token information stored in the index
page. (CVE-2015-5351)
- A remote code execution vulnerability exists in the
JMXInvokerServlet interface due to improper validation
of Java objects before deserialization. An
authenticated, remote attacker can exploit this to
execute arbitrary code. (CVE-2015-7501)
- A remote code execution vulnerability exists in the
Framework subcomponent that allows an authenticated,
remote attacker to execute arbitrary code.
(CVE-2016-0635)
- An information disclosure vulnerability exists in the
bundled version of Apache Tomcat that allows a specially
crafted web application to load the
StatusManagerServlet. An authenticated, remote attacker
can exploit this to gain unauthorized access to a list
of all deployed applications and a list of the HTTP
request lines for all requests currently being
processed. (CVE-2016-0706)
- A remote code execution vulnerability exists in the
bundled version of Apache Tomcat due to a flaw in the
StandardManager, PersistentManager, and cluster
implementations that is triggered when handling
persistent sessions. An authenticated, remote attacker
can exploit this, via a crafted object in a session, to
bypass the security manager and execute arbitrary code.
(CVE-2016-0714)
- A security bypass vulnerability exists in the bundled
version of Apache Tomcat due to a failure to consider
whether ResourceLinkFactory.setGlobalContext callers are
authorized. An authenticated, remote attacker can
exploit this, via a web application that sets a crafted
global context, to bypass intended SecurityManager
restrictions and read or write to arbitrary application
data or cause a denial of service condition.
(CVE-2016-0763) | last seen | 2019-01-16 | modified | 2018-11-15 | plugin id | 96769 | published | 2017-01-25 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=96769 | title | MySQL Enterprise Monitor 3.2.x < 3.2.2.1075 Multiple Vulnerabilities (January 2017 CPU) |
NASL family | Debian Local Security Checks | NASL id | DEBIAN_DLA-435.NASL | description | Tomcat 6, an implementation of the Java Servlet and the JavaServer
Pages (JSP) specifications and a pure Java web server environment, was
affected by multiple security issues prior to version 6.0.45.
CVE-2015-5174 Directory traversal vulnerability in RequestUtil.java in
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before
8.0.27 allows remote authenticated users to bypass intended
SecurityManager restrictions and list a parent directory via a /..
(slash dot dot) in a pathname used by a web application in a
getResource, getResourceAsStream, or getResourcePaths call, as
demonstrated by the $CATALINA_BASE/webapps directory.
CVE-2015-5345 The Mapper component in Apache Tomcat 6.x before 6.0.45,
7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2
processes redirects before considering security constraints and
Filters, which allows remote attackers to determine the existence of a
directory via a URL that lacks a trailing / (slash) character.
CVE-2015-5351 The Manager and Host Manager applications in Apache
Tomcat establish sessions and send CSRF tokens for arbitrary new
requests, which allows remote attackers to bypass a CSRF protection
mechanism by using a token.
CVE-2016-0706 Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x
before 8.0.31, and 9.x before 9.0.0.M2 does not place
org.apache.catalina.manager.StatusManagerServlet on the org/apache
/catalina/core/RestrictedServlets.properties list, which allows remote
authenticated users to bypass intended SecurityManager restrictions
and read arbitrary HTTP requests, and consequently discover session ID
values, via a crafted web application.
CVE-2016-0714 The session-persistence implementation in Apache Tomcat
6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x
before 9.0.0.M2 mishandles session attributes, which allows remote
authenticated users to bypass intended SecurityManager restrictions
and execute arbitrary code in a privileged context via a web
application that places a crafted object in a session.
CVE-2016-0763 The setGlobalContext method in org/apache/naming/factory
/ResourceLinkFactory.java in Apache Tomcat does not consider whether
ResourceLinkFactory.setGlobalContext callers are authorized, which
allows remote authenticated users to bypass intended SecurityManager
restrictions and read or write to arbitrary application data, or cause
a denial of service (application disruption), via a web application
that sets a crafted global context.
For Debian 6 'Squeeze', these problems have been fixed in version
6.0.45-1~deb6u1.
We recommend that you upgrade your tomcat6 packages.
NOTE: Tenable Network Security has extracted the preceding description
block directly from the DLA security advisory. Tenable has attempted
to automatically clean and format it as much as possible without
introducing additional issues. | last seen | 2019-01-16 | modified | 2018-07-06 | plugin id | 88996 | published | 2016-02-29 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=88996 | title | Debian DLA-435-1 : tomcat6 security update |
NASL family | Debian Local Security Checks | NASL id | DEBIAN_DSA-3609.NASL | description | Multiple security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine, which may result in information disclosure,
the bypass of CSRF protections, bypass of the SecurityManager or
denial of service. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 91906 | published | 2016-07-01 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=91906 | title | Debian DSA-3609-1 : tomcat8 - security update |
NASL family | Amazon Linux Local Security Checks | NASL id | ALA_ALAS-2016-679.NASL | description | ResourceLinkFactory.setGlobalContext() is a public method and was
discovered to be accessible by web applications running under a
security manager without any checks. This allowed a malicious web
application to inject a malicious global context that could in turn be
used to disrupt other web applications and/or read and write data
owned by other web applications. (CVE-2016-0763)
A session fixation vulnerability was discovered that might allow
remote attackers to hijack web sessions by leveraging use of a
requestedSessionSSL field for an unintended request when different
session settings are used for deployments of multiple versions of the
same web application. (CVE-2015-5346)
The Manager and Host Manager applications were discovered to establish
sessions and send CSRF tokens for arbitrary new requests, which allows
remote attackers to bypass a CSRF protection mechanism by using a
token. (CVE-2015-5351)
The session-persistence implementation was discovered to mishandle
session attributes, which allows remote authenticated users to bypass
intended SecurityManager restrictions and execute arbitrary code in a
privileged context via a web application that places a crafted object
in a session. (CVE-2016-0714)
It was discovered that
org.apache.catalina.manager.StatusManagerServlet was not placed on the
org/apache/catalina/core/RestrictedServlets.properties list, which
allows remote authenticated users to bypass intended SecurityManager
restrictions and read arbitrary HTTP requests, and consequently
discover session ID values, via a crafted web application.
(CVE-2016-0706) | last seen | 2019-01-16 | modified | 2018-04-18 | plugin id | 90272 | published | 2016-04-01 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=90272 | title | Amazon Linux AMI : tomcat8 (ALAS-2016-679) |
NASL family | Debian Local Security Checks | NASL id | DEBIAN_DSA-3552.NASL | description | Multiple security vulnerabilities have been discovered in the Tomcat
servlet and JSP engine, which may result in information disclosure,
the bypass of CSRF protections and bypass of the SecurityManager. | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 90552 | published | 2016-04-18 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=90552 | title | Debian DSA-3552-1 : tomcat7 - security update |
NASL family | Web Servers | NASL id | TOMCAT_9_0_0_M3.NASL | description | According to its self-reported version number, the Apache Tomcat
instance listening on the remote host is prior to 9.0.0.M3. It is,
therefore, affected by multiple vulnerabilities:
- An information disclosure vulnerability exists due to
a failure to enforce access restrictions when handling
directory requests that are missing trailing slashes. An
unauthenticated, remote attacker can exploit this to
enumerate valid directories. (CVE-2015-5345)
- A flaw exists due to a failure to invalidate a previous
session ID when assigning an ID to a new session. An
attacker can exploit this, via a crafted request that
uses the requestedSessionSSL field to fixate the session
ID, to ensure that the user authenticates with a known
session ID, allowing the session to be subsequently
hijacked. (CVE-2015-5346)
- An information disclosure vulnerability exists in the
Manager and Host Manager web applications due to a flaw
in the index page when issuing redirects in response to
unauthenticated requests for the root directory of the
application. An unauthenticated, remote attacker can
exploit this to gain access to the XSRF token
information stored in the index page. (CVE-2015-5351)
- An information disclosure vulnerability exists that
allows a specially crafted web application to load the
StatusManagerServlet. An attacker can exploit this to
gain unauthorized access to a list of all deployed
applications and a list of the HTTP request lines for
all requests currently being processed. (CVE-2016-0706)
- A security bypass vulnerability exists due to a flaw
in the StandardManager, PersistentManager, and cluster
implementations that is triggered when handling
persistent sessions. An unauthenticated, remote attacker
can exploit this, via a crafted object in a session, to
bypass the security manager and execute arbitrary code.
(CVE-2016-0714)
- A flaw exists due to the setGlobalContext() method of
ResourceLinkFactory being accessible to web applications
even when run under a security manager. An
unauthenticated, remote attacker can exploit this to
inject malicious global context, allowing data owned by
other web applications to be read or written to.
(CVE-2016-0763)
Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number. | last seen | 2019-01-16 | modified | 2019-01-11 | plugin id | 121125 | published | 2019-01-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=121125 | title | Apache Tomcat < 9.0.0.M3 Multiple Vulnerabilities |
NASL family | Oracle Linux Local Security Checks | NASL id | ORACLELINUX_ELSA-2016-2599.NASL | description | From Red Hat Security Advisory 2016:2599 :
An update for tomcat is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Apache Tomcat is a servlet container for the Java Servlet and
JavaServer Pages (JSP) technologies.
The following packages have been upgraded to a newer upstream version:
tomcat (7.0.69). (BZ#1287928)
Security Fix(es) :
* A CSRF flaw was found in Tomcat's index pages for the Manager
and Host Manager applications. These applications included a valid
CSRF token when issuing a redirect as a result of an unauthenticated
request to the root of the web application. This token could then be
used by an attacker to perform a CSRF attack. (CVE-2015-5351)
* It was found that several Tomcat session persistence mechanisms
could allow a remote, authenticated user to bypass intended
SecurityManager restrictions and execute arbitrary code in a
privileged context via a web application that placed a crafted object
in a session. (CVE-2016-0714)
* A security manager bypass flaw was found in Tomcat that could allow
remote, authenticated users to access arbitrary application data,
potentially resulting in a denial of service. (CVE-2016-0763)
* A denial of service vulnerability was identified in Commons
FileUpload that occurred when the length of the multipart boundary was
just below the size of the buffer (4096 bytes) used to read the
uploaded file if the boundary was the typical tens of bytes long.
(CVE-2016-3092)
* A directory traversal flaw was found in Tomcat's RequestUtil.java. A
remote, authenticated user could use this flaw to bypass intended
SecurityManager restrictions and list a parent directory via a '/..'
in a pathname used by a web application in a getResource,
getResourceAsStream, or getResourcePaths call. (CVE-2015-5174)
* It was found that Tomcat could reveal the presence of a directory
even when that directory was protected by a security constraint. A
user could make a request to a directory via a URL not ending with a
slash and, depending on whether Tomcat redirected that request, could
confirm whether that directory existed. (CVE-2015-5345)
* It was found that Tomcat allowed the StatusManagerServlet to be
loaded by a web application when a security manager was configured.
This allowed a web application to list all deployed web applications
and expose sensitive information such as session IDs. (CVE-2016-0706)
Additional Changes :
For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.3 Release Notes linked from the References section. | last seen | 2019-01-16 | modified | 2018-10-03 | plugin id | 94718 | published | 2016-11-11 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=94718 | title | Oracle Linux 7 : tomcat (ELSA-2016-2599) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-1087.NASL | description | Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise
Linux 6.
Red Hat Product Security has rated this update as having a security
impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the
Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat
Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and
the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement
for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and
enhancements, which are documented in the Release Notes linked to in
the References.
Security Fix(es) :
* A session fixation flaw was found in the way Tomcat recycled the
requestedSessionSSL field. If at least one web application was
configured to use the SSL session ID as the HTTP session ID, an
attacker could reuse a previously used session ID for further
requests. (CVE-2015-5346)
* A CSRF flaw was found in Tomcat's index pages for the Manager
and Host Manager applications. These applications included a valid
CSRF token when issuing a redirect as a result of an unauthenticated
request to the root of the web application. This token could then be
used by an attacker to perform a CSRF attack. (CVE-2015-5351)
* It was found that several Tomcat session persistence mechanisms
could allow a remote, authenticated user to bypass intended
SecurityManager restrictions and execute arbitrary code in a
privileged context via a web application that placed a crafted object
in a session. (CVE-2016-0714)
* A security manager bypass flaw was found in Tomcat that could allow
remote, authenticated users to access arbitrary application data,
potentially resulting in a denial of service. (CVE-2016-0763)
* It was found that Tomcat could reveal the presence of a directory
even when that directory was protected by a security constraint. A
user could make a request to a directory via a URL not ending with a
slash and, depending on whether Tomcat redirected that request, could
confirm whether that directory existed. (CVE-2015-5345)
* It was found that Tomcat allowed the StatusManagerServlet to be
loaded by a web application when a security manager was configured.
This allowed a web application to list all deployed web applications
and expose sensitive information such as session IDs. (CVE-2016-0706) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 91245 | published | 2016-05-19 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=91245 | title | RHEL 6 : JBoss Web Server (RHSA-2016:1087) |
NASL family | Amazon Linux Local Security Checks | NASL id | ALA_ALAS-2016-680.NASL | description | ResourceLinkFactory.setGlobalContext() is a public method and was
discovered to be accessible by web applications running under a
security manager without any checks. This allowed a malicious web
application to inject a malicious global context that could in turn be
used to disrupt other web applications and/or read and write data
owned by other web applications. (CVE-2016-0763)
The Manager and Host Manager applications were discovered to establish
sessions and send CSRF tokens for arbitrary new requests, which allows
remote attackers to bypass a CSRF protection mechanism by using a
token. (CVE-2015-5351)
The Mapper component processes redirects before considering security
constraints and Filters, which allows remote attackers to determine
the existence of a directory via a URL that lacks a trailing / (slash)
character. (CVE-2015-5345)
The session-persistence implementation was discovered to mishandle
session attributes, which allows remote authenticated users to bypass
intended SecurityManager restrictions and execute arbitrary code in a
privileged context via a web application that places a crafted object
in a session. (CVE-2016-0714)
It was discovered that
org.apache.catalina.manager.StatusManagerServlet was not placed on the
org/apache/catalina/core/RestrictedServlets.properties list, which
allows remote authenticated users to bypass intended SecurityManager
restrictions and read arbitrary HTTP requests, and consequently
discover session ID values, via a crafted web application.
(CVE-2016-0706) | last seen | 2019-01-16 | modified | 2018-04-18 | plugin id | 90273 | published | 2016-04-01 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=90273 | title | Amazon Linux AMI : tomcat7 (ALAS-2016-680) |
NASL family | Red Hat Local Security Checks | NASL id | REDHAT-RHSA-2016-2807.NASL | description | An update is now available for Red Hat JBoss Enterprise Web Server 2
for RHEL 6 and Red Hat JBoss Enterprise Web Server 2 for RHEL 7.
Red Hat Product Security has rated this update as having a security
impact of Important. A Common Vulnerability Scoring System (CVSS) base
score, which gives a detailed severity rating, is available for each
vulnerability from the CVE link(s) in the References section.
Apache Tomcat is a servlet container for the Java Servlet and
JavaServer Pages (JSP) technologies.
This release of Red Hat JBoss Web Server 2.1.2 serves as a replacement
for Red Hat JBoss Web Server 2.1.1. It contains security fixes for the
Tomcat 7 component. Only users of the Tomcat 7 component in JBoss Web
Server need to apply the fixes delivered in this release.
Security Fix(es) :
* A CSRF flaw was found in Tomcat's index pages for the Manager
and Host Manager applications. These applications included a valid
CSRF token when issuing a redirect as a result of an unauthenticated
request to the root of the web application. This token could then be
used by an attacker to perform a CSRF attack. (CVE-2015-5351)
* It was found that several Tomcat session persistence mechanisms
could allow a remote, authenticated user to bypass intended
SecurityManager restrictions and execute arbitrary code in a
privileged context via a web application that placed a crafted object
in a session. (CVE-2016-0714)
* A security manager bypass flaw was found in Tomcat that could allow
remote, authenticated users to access arbitrary application data,
potentially resulting in a denial of service. (CVE-2016-0763)
* A denial of service vulnerability was identified in Commons
FileUpload that occurred when the length of the multipart boundary was
just below the size of the buffer (4096 bytes) used to read the
uploaded file if the boundary was the typical tens of bytes long.
(CVE-2016-3092)
* A session fixation flaw was found in the way Tomcat recycled the
requestedSessionSSL field. If at least one web application was
configured to use the SSL session ID as the HTTP session ID, an
attacker could reuse a previously used session ID for further
requests. (CVE-2015-5346)
* It was found that Tomcat allowed the StatusManagerServlet to be
loaded by a web application when a security manager was configured.
This allowed a web application to list all deployed web applications
and expose sensitive information such as session IDs. (CVE-2016-0706) | last seen | 2019-01-16 | modified | 2018-11-10 | plugin id | 95024 | published | 2016-11-21 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=95024 | title | RHEL 6 / 7 : JBoss Web Server (RHSA-2016:2807) |
NASL family | Web Servers | NASL id | TOMCAT_8_0_32.NASL | description | According to its self-reported version number, the Apache Tomcat
service running on the remote host is 8.0.x prior to 8.0.32. It is,
therefore, affected by multiple vulnerabilities :
- A flaw exists due to a failure to invalidate a previous
session ID when assigning an ID to a new session. An
attacker can exploit this, via a crafted request that
uses the requestedSessionSSL field to fixate the session
ID, to ensure that the user authenticates with a known
session ID, allowing the session to be subsequently
hijacked. (CVE-2015-5346)
- An information disclosure vulnerability exists in the
Manager and Host Manager web applications due to a flaw
in the index page when issuing redirects in response to
unauthenticated requests for the root directory of the
application. An unauthenticated, remote attacker can
exploit this to gain access to the XSRF token
information stored in the index page. (CVE-2015-5351)
- An information disclosure vulnerability exists that
allows a specially crafted web application to load the
StatusManagerServlet. An attacker can exploit this to
gain unauthorized access to a list of all deployed
applications and a list of the HTTP request lines for
all requests currently being processed. (CVE-2016-0706)
- A security bypass vulnerability exists due to a flaw
in the StandardManager, PersistentManager, and cluster
implementations that is triggered when handling
persistent sessions. An unauthenticated, remote attacker
can exploit this, via a crafted object in a session, to
bypass the security manager and execute arbitrary code.
(CVE-2016-0714)
- A flaw exists due to the setGlobalContext() method of
ResourceLinkFactory being accessible to web applications
even when run under a security manager. An
unauthenticated, remote attacker can exploit this to
inject malicious global context, allowing data owned by
other web applications to be read or written to.
(CVE-2016-0763)
Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number. | last seen | 2019-01-16 | modified | 2018-08-01 | plugin id | 88937 | published | 2016-02-24 | reporter | Tenable | source | https://www.tenable.com/plugins/index.php?view=single&id=88937 | title | Apache Tomcat 8.0.0.RC1 < 8.0.32 Multiple Vulnerabilities |