ID CVE-2016-5388
Summary Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
References
Vulnerable Configurations
  • RedHat Enterprise Linux Desktop 7.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:7.0
  • RedHat Enterprise Linux HPC Node 7.0
    cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0
  • Red Hat Enterprise Linux HPC Node EUS 7.2
    cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2
  • RedHat Enterprise Linux Server 7.0
    cpe:2.3:o:redhat:enterprise_linux_server:7.0
  • Red Hat Enterprise Linux Server AUS 7.2
    cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2
  • Red Hat Enterprise Linux Server EUS 7.2
    cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2
  • cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2
    cpe:2.3:o:redhat:enterprise_linux_server_tus:7.2
  • RedHat Enterprise Linux Workstation 7.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:7.0
  • cpe:2.3:a:hp:system_management_homepage:7.5.5.0
    cpe:2.3:a:hp:system_management_homepage:7.5.5.0
  • Red Hat Enterprise Linux Desktop 6.0
    cpe:2.3:o:redhat:enterprise_linux_desktop:6.0
  • RedHat Enterprise Linux HPC Node 6.0
    cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0
  • Red Hat Enterprise Linux Server 6.0
    cpe:2.3:o:redhat:enterprise_linux_server:6.0
  • Red Hat Enterprise Linux Workstation 6.0
    cpe:2.3:o:redhat:enterprise_linux_workstation:6.0
  • Oracle Linux 6.0
    cpe:2.3:o:oracle:linux:6.0
  • Oracle Linux 7.0
    cpe:2.3:o:oracle:linux:7.0
  • Apache Software Foundation Tomcat 6.0
    cpe:2.3:a:apache:tomcat:6.0
  • Apache Software Foundation Tomcat 6.0.0
    cpe:2.3:a:apache:tomcat:6.0.0
  • Apache Software Foundation Tomcat 6.0.0 alpha
    cpe:2.3:a:apache:tomcat:6.0.0:alpha
  • Apache Software Foundation Tomcat 6.0.1
    cpe:2.3:a:apache:tomcat:6.0.1
  • Apache Software Foundation Tomcat 6.0.1 alpha
    cpe:2.3:a:apache:tomcat:6.0.1:alpha
  • Apache Software Foundation Tomcat 6.0.2
    cpe:2.3:a:apache:tomcat:6.0.2
  • Apache Software Foundation Tomcat 6.0.2 alpha
    cpe:2.3:a:apache:tomcat:6.0.2:alpha
  • Apache Software Foundation Tomcat 6.0.2 beta
    cpe:2.3:a:apache:tomcat:6.0.2:beta
  • Apache Software Foundation Tomcat 6.0.3
    cpe:2.3:a:apache:tomcat:6.0.3
  • Apache Software Foundation Tomcat 6.0.4
    cpe:2.3:a:apache:tomcat:6.0.4
  • Apache Software Foundation Tomcat 6.0.4 alpha
    cpe:2.3:a:apache:tomcat:6.0.4:alpha
  • Apache Software Foundation Tomcat 6.0.5
    cpe:2.3:a:apache:tomcat:6.0.5
  • Apache Software Foundation Tomcat 6.0.6
    cpe:2.3:a:apache:tomcat:6.0.6
  • Apache Software Foundation Tomcat 6.0.6 alpha
    cpe:2.3:a:apache:tomcat:6.0.6:alpha
  • Apache Software Foundation Tomcat 6.0.7
    cpe:2.3:a:apache:tomcat:6.0.7
  • Apache Software Foundation Tomcat 6.0.7 alpha
    cpe:2.3:a:apache:tomcat:6.0.7:alpha
  • Apache Software Foundation Tomcat 6.0.7 beta
    cpe:2.3:a:apache:tomcat:6.0.7:beta
  • Apache Software Foundation Tomcat 6.0.8
    cpe:2.3:a:apache:tomcat:6.0.8
  • Apache Software Foundation Tomcat 6.0.8 alpha
    cpe:2.3:a:apache:tomcat:6.0.8:alpha
  • Apache Software Foundation Tomcat 6.0.9
    cpe:2.3:a:apache:tomcat:6.0.9
  • Apache Software Foundation Tomcat 6.0.9 beta
    cpe:2.3:a:apache:tomcat:6.0.9:beta
  • Apache Software Foundation Tomcat 6.0.10
    cpe:2.3:a:apache:tomcat:6.0.10
  • Apache Software Foundation Tomcat 6.0.11
    cpe:2.3:a:apache:tomcat:6.0.11
  • Apache Software Foundation Tomcat 6.0.12
    cpe:2.3:a:apache:tomcat:6.0.12
  • Apache Software Foundation Tomcat 6.0.13
    cpe:2.3:a:apache:tomcat:6.0.13
  • Apache Software Foundation Tomcat 6.0.14
    cpe:2.3:a:apache:tomcat:6.0.14
  • Apache Software Foundation Tomcat 6.0.15
    cpe:2.3:a:apache:tomcat:6.0.15
  • Apache Software Foundation Tomcat 6.0.16
    cpe:2.3:a:apache:tomcat:6.0.16
  • Apache Software Foundation Tomcat 6.0.17
    cpe:2.3:a:apache:tomcat:6.0.17
  • Apache Software Foundation Tomcat 6.0.18
    cpe:2.3:a:apache:tomcat:6.0.18
  • Apache Software Foundation Tomcat 6.0.19
    cpe:2.3:a:apache:tomcat:6.0.19
  • Apache Software Foundation Tomcat 6.0.20
    cpe:2.3:a:apache:tomcat:6.0.20
  • Apache Software Foundation Tomcat 6.0.21
    cpe:2.3:a:apache:tomcat:6.0.21
  • Apache Software Foundation Tomcat 6.0.22
    cpe:2.3:a:apache:tomcat:6.0.22
  • Apache Software Foundation Tomcat 6.0.23
    cpe:2.3:a:apache:tomcat:6.0.23
  • Apache Software Foundation Tomcat 6.0.24
    cpe:2.3:a:apache:tomcat:6.0.24
  • Apache Software Foundation Tomcat 6.0.25
    cpe:2.3:a:apache:tomcat:6.0.25
  • Apache Software Foundation Tomcat 6.0.26
    cpe:2.3:a:apache:tomcat:6.0.26
  • Apache Software Foundation Tomcat 6.0.27
    cpe:2.3:a:apache:tomcat:6.0.27
  • Apache Software Foundation Tomcat 6.0.28
    cpe:2.3:a:apache:tomcat:6.0.28
  • Apache Software Foundation Tomcat 6.0.29
    cpe:2.3:a:apache:tomcat:6.0.29
  • Apache Software Foundation Tomcat 6.0.30
    cpe:2.3:a:apache:tomcat:6.0.30
  • Apache Software Foundation Tomcat 6.0.31
    cpe:2.3:a:apache:tomcat:6.0.31
  • Apache Software Foundation Tomcat 6.0.32
    cpe:2.3:a:apache:tomcat:6.0.32
  • Apache Software Foundation Tomcat 6.0.33
    cpe:2.3:a:apache:tomcat:6.0.33
  • Apache Software Foundation Tomcat 6.0.34
    cpe:2.3:a:apache:tomcat:6.0.34
  • Apache Software Foundation Tomcat 6.0.35
    cpe:2.3:a:apache:tomcat:6.0.35
  • Apache Software Foundation Tomcat 6.0.36
    cpe:2.3:a:apache:tomcat:6.0.36
  • Apache Software Foundation Tomcat 6.0.37
    cpe:2.3:a:apache:tomcat:6.0.37
  • Apache Software Foundation Tomcat 6.0.38
    cpe:2.3:a:apache:tomcat:6.0.38
  • Apache Software Foundation Tomcat 6.0.40
    cpe:2.3:a:apache:tomcat:6.0.40
  • Apache Software Foundation Tomcat 6.0.41
    cpe:2.3:a:apache:tomcat:6.0.41
  • Apache Software Foundation Tomcat 6.0.42
    cpe:2.3:a:apache:tomcat:6.0.42
  • Apache Software Foundation Tomcat 6.0.43
    cpe:2.3:a:apache:tomcat:6.0.43
  • Apache Tomcat 6.0.44
    cpe:2.3:a:apache:tomcat:6.0.44
  • Apache Software Foundation Tomcat 6.0.45
    cpe:2.3:a:apache:tomcat:6.0.45
  • Apache Software Foundation Tomcat 7.0
    cpe:2.3:a:apache:tomcat:7.0
  • Apache Software Foundation Tomcat 7.0.0
    cpe:2.3:a:apache:tomcat:7.0.0
  • Apache Software Foundation Tomcat 7.0.0 beta
    cpe:2.3:a:apache:tomcat:7.0.0:beta
  • Apache Software Foundation Tomcat 7.0.1
    cpe:2.3:a:apache:tomcat:7.0.1
  • Apache Software Foundation Tomcat 7.0.2
    cpe:2.3:a:apache:tomcat:7.0.2
  • Apache Software Foundation Tomcat 7.0.2 beta
    cpe:2.3:a:apache:tomcat:7.0.2:beta
  • Apache Software Foundation Tomcat 7.0.3
    cpe:2.3:a:apache:tomcat:7.0.3
  • Apache Software Foundation Tomcat 7.0.4
    cpe:2.3:a:apache:tomcat:7.0.4
  • Apache Software Foundation Tomcat 7.0.4 beta
    cpe:2.3:a:apache:tomcat:7.0.4:beta
  • Apache Software Foundation Tomcat 7.0.5
    cpe:2.3:a:apache:tomcat:7.0.5
  • Apache Tomcat 7.0.5 Beta
    cpe:2.3:a:apache:tomcat:7.0.5:beta
  • Apache Software Foundation Tomcat 7.0.6
    cpe:2.3:a:apache:tomcat:7.0.6
  • Apache Software Foundation Tomcat 7.0.7
    cpe:2.3:a:apache:tomcat:7.0.7
  • Apache Software Foundation Tomcat 7.0.8
    cpe:2.3:a:apache:tomcat:7.0.8
  • Apache Software Foundation Tomcat 7.0.9
    cpe:2.3:a:apache:tomcat:7.0.9
  • Apache Software Foundation Tomcat 7.0.10
    cpe:2.3:a:apache:tomcat:7.0.10
  • Apache Software Foundation Tomcat 7.0.11
    cpe:2.3:a:apache:tomcat:7.0.11
  • Apache Software Foundation Tomcat 7.0.12
    cpe:2.3:a:apache:tomcat:7.0.12
  • Apache Software Foundation Tomcat 7.0.13
    cpe:2.3:a:apache:tomcat:7.0.13
  • Apache Software Foundation Tomcat 7.0.14
    cpe:2.3:a:apache:tomcat:7.0.14
  • Apache Software Foundation Tomcat 7.0.15
    cpe:2.3:a:apache:tomcat:7.0.15
  • Apache Software Foundation Tomcat 7.0.16
    cpe:2.3:a:apache:tomcat:7.0.16
  • Apache Software Foundation Tomcat 7.0.17
    cpe:2.3:a:apache:tomcat:7.0.17
  • Apache Software Foundation Tomcat 7.0.18
    cpe:2.3:a:apache:tomcat:7.0.18
  • Apache Software Foundation Tomcat 7.0.19
    cpe:2.3:a:apache:tomcat:7.0.19
  • Apache Software Foundation Tomcat 7.0.20
    cpe:2.3:a:apache:tomcat:7.0.20
  • Apache Software Foundation Tomcat 7.0.21
    cpe:2.3:a:apache:tomcat:7.0.21
  • Apache Software Foundation Tomcat 7.0.22
    cpe:2.3:a:apache:tomcat:7.0.22
  • Apache Software Foundation Tomcat 7.0.23
    cpe:2.3:a:apache:tomcat:7.0.23
  • Apache Software Foundation Tomcat 7.0.24
    cpe:2.3:a:apache:tomcat:7.0.24
  • Apache Software Foundation Tomcat 7.0.25
    cpe:2.3:a:apache:tomcat:7.0.25
  • Apache Software Foundation Tomcat 7.0.26
    cpe:2.3:a:apache:tomcat:7.0.26
  • Apache Software Foundation Tomcat 7.0.27
    cpe:2.3:a:apache:tomcat:7.0.27
  • Apache Software Foundation Tomcat 7.0.28
    cpe:2.3:a:apache:tomcat:7.0.28
  • Apache Software Foundation Tomcat 7.0.29
    cpe:2.3:a:apache:tomcat:7.0.29
  • Apache Software Foundation Tomcat 7.0.30
    cpe:2.3:a:apache:tomcat:7.0.30
  • Apache Software Foundation Tomcat 7.0.31
    cpe:2.3:a:apache:tomcat:7.0.31
  • Apache Software Foundation Tomcat 7.0.32
    cpe:2.3:a:apache:tomcat:7.0.32
  • Apache Software Foundation Tomcat 7.0.33
    cpe:2.3:a:apache:tomcat:7.0.33
  • Apache Software Foundation Tomcat 7.0.34
    cpe:2.3:a:apache:tomcat:7.0.34
  • Apache Software Foundation Tomcat 7.0.35
    cpe:2.3:a:apache:tomcat:7.0.35
  • Apache Software Foundation Tomcat 7.0.36
    cpe:2.3:a:apache:tomcat:7.0.36
  • Apache Software Foundation Tomcat 7.0.37
    cpe:2.3:a:apache:tomcat:7.0.37
  • Apache Software Foundation Tomcat 7.0.38
    cpe:2.3:a:apache:tomcat:7.0.38
  • Apache Software Foundation Tomcat 7.0.39
    cpe:2.3:a:apache:tomcat:7.0.39
  • Apache Software Foundation Tomcat 7.0.40
    cpe:2.3:a:apache:tomcat:7.0.40
  • Apache Software Foundation Tomcat 7.0.41
    cpe:2.3:a:apache:tomcat:7.0.41
  • Apache Software Foundation Tomcat 7.0.42
    cpe:2.3:a:apache:tomcat:7.0.42
  • Apache Software Foundation Tomcat 7.0.43
    cpe:2.3:a:apache:tomcat:7.0.43
  • Apache Software Foundation Tomcat 7.0.44
    cpe:2.3:a:apache:tomcat:7.0.44
  • Apache Software Foundation Tomcat 7.0.45
    cpe:2.3:a:apache:tomcat:7.0.45
  • Apache Software Foundation Tomcat 7.0.46
    cpe:2.3:a:apache:tomcat:7.0.46
  • Apache Software Foundation Tomcat 7.0.47
    cpe:2.3:a:apache:tomcat:7.0.47
  • Apache Software Foundation Tomcat 7.0.48
    cpe:2.3:a:apache:tomcat:7.0.48
  • Apache Software Foundation Tomcat 7.0.49
    cpe:2.3:a:apache:tomcat:7.0.49
  • Apache Software Foundation Tomcat 7.0.50
    cpe:2.3:a:apache:tomcat:7.0.50
  • Apache Software Foundation Tomcat 7.0.51
    cpe:2.3:a:apache:tomcat:7.0.51
  • Apache Software Foundation Tomcat 7.0.52
    cpe:2.3:a:apache:tomcat:7.0.52
  • Apache Software Foundation Tomcat 7.0.53
    cpe:2.3:a:apache:tomcat:7.0.53
  • Apache Software Foundation Tomcat 7.0.54
    cpe:2.3:a:apache:tomcat:7.0.54
  • Apache Software Foundation Tomcat 7.0.55
    cpe:2.3:a:apache:tomcat:7.0.55
  • Apache Software Foundation Tomcat 7.0.56
    cpe:2.3:a:apache:tomcat:7.0.56
  • Apache Software Foundation Tomcat 7.0.57
    cpe:2.3:a:apache:tomcat:7.0.57
  • Apache Software Foundation Tomcat 7.0.58
    cpe:2.3:a:apache:tomcat:7.0.58
  • Apache Tomcat 7.0.59
    cpe:2.3:a:apache:tomcat:7.0.59
  • Apache Software Foundation Tomcat 7.0.60
    cpe:2.3:a:apache:tomcat:7.0.60
  • Apache Tomcat 7.0.61
    cpe:2.3:a:apache:tomcat:7.0.61
  • Apache Tomcat 7.0.62
    cpe:2.3:a:apache:tomcat:7.0.62
  • Apache Tomcat 7.0.63
    cpe:2.3:a:apache:tomcat:7.0.63
  • Apache Tomcat 7.0.64
    cpe:2.3:a:apache:tomcat:7.0.64
  • Apache Software Foundation Tomcat 7.0.65
    cpe:2.3:a:apache:tomcat:7.0.65
  • Apache Software Foundation Tomcat 7.0.66
    cpe:2.3:a:apache:tomcat:7.0.66
  • Apache Software Foundation Tomcat 7.0.67
    cpe:2.3:a:apache:tomcat:7.0.67
  • Apache Software Foundation Tomcat 7.0.68
    cpe:2.3:a:apache:tomcat:7.0.68
  • Apache Software Foundation Tomcat 7.0.69
    cpe:2.3:a:apache:tomcat:7.0.69
  • Apache Software Foundation Tomcat 7.0.70
    cpe:2.3:a:apache:tomcat:7.0.70
  • Apache Software Foundation Tomcat 8.0
    cpe:2.3:a:apache:tomcat:8.0
  • Apache Software Foundation Tomcat 8.0.0 Release Candidate 1
    cpe:2.3:a:apache:tomcat:8.0.0:rc1
  • Apache Software Foundation Tomcat 8.0.0 release candidate 10
    cpe:2.3:a:apache:tomcat:8.0.0:rc10
  • Apache Software Foundation Tomcat 8.0.0 Release Candidate 2
    cpe:2.3:a:apache:tomcat:8.0.0:rc2
  • Apache Software Foundation Tomcat 8.0.0 release candidate 5
    cpe:2.3:a:apache:tomcat:8.0.0:rc5
  • Apache Software Foundation Tomcat 8.0.1
    cpe:2.3:a:apache:tomcat:8.0.1
  • Apache Software Foundation Tomcat 8.0.2
    cpe:2.3:a:apache:tomcat:8.0.2
  • Apache Software Foundation Tomcat 8.0.3
    cpe:2.3:a:apache:tomcat:8.0.3
  • Apache Software Foundation Tomcat 8.0.4
    cpe:2.3:a:apache:tomcat:8.0.4
  • Apache Software Foundation Tomcat 8.0.5
    cpe:2.3:a:apache:tomcat:8.0.5
  • Apache Software Foundation Tomcat 8.0.6
    cpe:2.3:a:apache:tomcat:8.0.6
  • Apache Software Foundation Tomcat 8.0.7
    cpe:2.3:a:apache:tomcat:8.0.7
  • Apache Software Foundation Tomcat 8.0.8
    cpe:2.3:a:apache:tomcat:8.0.8
  • Apache Software Foundation Tomcat 8.0.9
    cpe:2.3:a:apache:tomcat:8.0.9
  • Apache Software Foundation Tomcat 8.0.10
    cpe:2.3:a:apache:tomcat:8.0.10
  • Apache Software Foundation Tomcat 8.0.11
    cpe:2.3:a:apache:tomcat:8.0.11
  • Apache Software Foundation Tomcat 8.0.12
    cpe:2.3:a:apache:tomcat:8.0.12
  • Apache Software Foundation Tomcat 8.0.13
    cpe:2.3:a:apache:tomcat:8.0.13
  • Apache Software Foundation Tomcat 8.0.14
    cpe:2.3:a:apache:tomcat:8.0.14
  • Apache Software Foundation Tomcat 8.0.15
    cpe:2.3:a:apache:tomcat:8.0.15
  • Apache Software Foundation Tomcat 8.0.16
    cpe:2.3:a:apache:tomcat:8.0.16
  • Apache Tomcat 8.0.17
    cpe:2.3:a:apache:tomcat:8.0.17
  • Apache Tomcat 8.0.18
    cpe:2.3:a:apache:tomcat:8.0.18
  • Apache Software Foundation Tomcat 8.0.19
    cpe:2.3:a:apache:tomcat:8.0.19
  • Apache Tomcat 8.0.20
    cpe:2.3:a:apache:tomcat:8.0.20
  • Apache Tomcat 8.0.21
    cpe:2.3:a:apache:tomcat:8.0.21
  • Apache Tomcat 8.0.22
    cpe:2.3:a:apache:tomcat:8.0.22
  • Apache Tomcat 8.0.23
    cpe:2.3:a:apache:tomcat:8.0.23
  • Apache Tomcat 8.0.24
    cpe:2.3:a:apache:tomcat:8.0.24
  • Apache Software Foundation Tomcat 8.0.25
    cpe:2.3:a:apache:tomcat:8.0.25
  • Apache Tomcat 8.0.26
    cpe:2.3:a:apache:tomcat:8.0.26
  • Apache Software Foundation Tomcat 8.0.27
    cpe:2.3:a:apache:tomcat:8.0.27
  • Apache Software Foundation Tomcat 8.0.28
    cpe:2.3:a:apache:tomcat:8.0.28
  • Apache Software Foundation Tomcat 8.0.29
    cpe:2.3:a:apache:tomcat:8.0.29
  • Apache Software Foundation Tomcat 8.0.30
    cpe:2.3:a:apache:tomcat:8.0.30
  • Apache Software Foundation Tomcat 8.0.31
    cpe:2.3:a:apache:tomcat:8.0.31
  • Apache Software Foundation Tomcat 8.0.32
    cpe:2.3:a:apache:tomcat:8.0.32
  • Apache Software Foundation Tomcat 8.0.33
    cpe:2.3:a:apache:tomcat:8.0.33
  • Apache Software Foundation Tomcat 8.0.34
    cpe:2.3:a:apache:tomcat:8.0.34
  • Apache Software Foundation Tomcat 8.0.35
    cpe:2.3:a:apache:tomcat:8.0.35
  • Apache Software Foundation Tomcat 8.0.36
    cpe:2.3:a:apache:tomcat:8.0.36
  • Apache Software Foundation Tomcat 8.0.37
    cpe:2.3:a:apache:tomcat:8.0.37
  • Apache Software Foundation Tomcat 8.0.38
    cpe:2.3:a:apache:tomcat:8.0.38
  • Apache Software Foundation Tomcat 8.0.39
    cpe:2.3:a:apache:tomcat:8.0.39
  • Apache Software Foundation Tomcat 8.0.40
    cpe:2.3:a:apache:tomcat:8.0.40
  • Apache Software Foundation Tomcat 8.0.41
    cpe:2.3:a:apache:tomcat:8.0.41
  • Apache Software Foundation Tomcat 8.0.42
    cpe:2.3:a:apache:tomcat:8.0.42
  • Apache Software Foundation Tomcat 8.0.43
    cpe:2.3:a:apache:tomcat:8.0.43
  • Apache Software Foundation Tomcat 8.0.44
    cpe:2.3:a:apache:tomcat:8.0.44
  • Apache Software Foundation Tomcat 8.0.45
    cpe:2.3:a:apache:tomcat:8.0.45
  • Apache Software Foundation Tomcat 8.0.46
    cpe:2.3:a:apache:tomcat:8.0.46
  • Apache Software Foundation Tomcat 8.0.47
    cpe:2.3:a:apache:tomcat:8.0.47
  • Apache Software Foundation Tomcat 8.0.48
    cpe:2.3:a:apache:tomcat:8.0.48
  • Apache Software Foundation Tomcat 8.0.49
    cpe:2.3:a:apache:tomcat:8.0.49
  • Apache Software Foundation Tomcat 8.0.50
    cpe:2.3:a:apache:tomcat:8.0.50
  • Apache Software Foundation Tomcat 8.0.51
    cpe:2.3:a:apache:tomcat:8.0.51
  • Apache Software Foundation Tomcat 8.0.52
    cpe:2.3:a:apache:tomcat:8.0.52
  • Apache Software Foundation Tomcat 8.0.53
    cpe:2.3:a:apache:tomcat:8.0.53
  • Apache Software Foundation Tomcat 8.5.0
    cpe:2.3:a:apache:tomcat:8.5.0
  • Apache Software Foundation Tomcat 8.5.1
    cpe:2.3:a:apache:tomcat:8.5.1
  • Apache Software Foundation Tomcat 8.5.2
    cpe:2.3:a:apache:tomcat:8.5.2
  • Apache Software Foundation Tomcat 8.5.3
    cpe:2.3:a:apache:tomcat:8.5.3
  • Apache Software Foundation Tomcat 8.5.4
    cpe:2.3:a:apache:tomcat:8.5.4
CVSS
Base: 5.1 (as of 02-11-2016 - 10:41)
Impact:
Exploitability:
CWE CWE-284
CAPEC
  • Embedding Scripts within Scripts
    An attack of this type exploits a programs' vulnerabilities that are brought on by allowing remote hosts to execute scripts. The attacker leverages this capability to execute scripts to execute his/her own script by embedding it within other scripts that the target software is likely to execute. The attacker must have the ability to inject script into script that is likely to be executed. If this is done, then the attacker can potentially launch a variety of probes and attacks against the web server's local environment, in many cases the so-called DMZ, back end resources the web server can communicate with, and other hosts. With the proliferation of intermediaries, such as Web App Firewalls, network devices, and even printers having JVMs and Web servers, there are many locales where an attacker can inject malicious scripts. Since this attack pattern defines scripts within scripts, there are likely privileges to execute said attack on the host. Of course, these attacks are not solely limited to the server side, client side scripts like Ajax and client side JavaScript can contain malicious scripts as well. In general all that is required is for there to be sufficient privileges to execute a script, but not protected against writing.
  • Signature Spoofing by Key Theft
    An attacker obtains an authoritative or reputable signer's private signature key by theft and then uses this key to forge signatures from the original signer to mislead a victim into performing actions that benefit the attacker.
Access
VectorComplexityAuthentication
NETWORK HIGH NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1056.NASL
    description This update for tomcat fixes the following issues : - CVE-2016-3092: Usage of vulnerable FileUpload package can result in denial of service. (bsc#986359) - CVE-2016-5388: Setting HTTP_PROXY environment variable via Proxy header. (bsc#988489) This update was imported from the SUSE:SLE-12-SP1:Update project.
    last seen 2019-02-21
    modified 2016-10-24
    plugin id 93362
    published 2016-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93362
    title openSUSE Security Update : tomcat (openSUSE-2016-1056) (httpoxy)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2046.NASL
    description From Red Hat Security Advisory 2016:2046 : An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 93948
    published 2016-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93948
    title Oracle Linux 7 : tomcat (ELSA-2016-2046) (httpoxy)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1635.NASL
    description Updated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1 and fixes two security issues and a bug with ajp processors are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as a update for Red Hat JBoss Web Server 3.0.3 httpd and tomcat. Security Fix(es) : * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93043
    published 2016-08-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93043
    title RHEL 7 : Red Hat JBoss Web Server 3.0.3 Service Pack 1 (RHSA-2016:1635) (httpoxy)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2046.NASL
    description An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93966
    published 2016-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93966
    title CentOS 7 : tomcat (CESA-2016:2046) (httpoxy)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-1636.NASL
    description Updated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1 and fixes two security issues and a bug with ajp processors are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as a update for Red Hat JBoss Web Server 3.0.3 httpd and tomcat. Security Fix(es) : * It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable. Red Hat would like to thank Scott Geary (VendHQ) for reporting these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93044
    published 2016-08-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93044
    title RHEL 6 : Red Hat JBoss Web Server 3.0.3 Service Pack 1 (RHSA-2016:1636) (httpoxy)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1049.NASL
    description According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.(CVE-2014-7810) - Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.(CVE-2015-5346) - Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an 'httpoxy' issue. NOTE: the vendor states 'A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388'; in other words, this is not a CVE ID for a vulnerability.(CVE-2016-5388) - It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.(CVE-2016-5425) - It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.(CVE-2016-6325) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-14
    plugin id 99812
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99812
    title EulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1049)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161010_TOMCAT_ON_SL7_X.NASL
    description Security Fix(es) : - It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) - It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) - It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) - It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) - A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 94005
    published 2016-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94005
    title Scientific Linux Security Update : tomcat on SL7.x (noarch) (httpoxy)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2016-722.NASL
    description Tomcat's CGI support used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request (known as the 'httpoxy' class of vulnerabilities).
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 92469
    published 2016-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92469
    title Amazon Linux AMI : tomcat6 / tomcat7,tomcat8 (ALAS-2016-722) (httpoxy)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-C1B01B9278.NASL
    description This updates includes a rebase from tomcat 8.0.36 up to 8.0.38 which resolves multiple CVEs and a problem that 8.0.37 introduces to freeipa : - rhbz#1375581 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header - rhbz#1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws and includes two additional CVE fixes along with one bug fix : - rhbz#1383210 - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service - rhbz#1383216 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation - rhbz#1370262 - catalina.out is no longer in use in the main package, but still gets rotated Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-05
    plugin id 94748
    published 2016-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94748
    title Fedora 24 : 1:tomcat (2016-c1b01b9278) (httpoxy)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3177-1.NASL
    description It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn't exist. A remote attacker could possibly use this issue to enumerate usernames. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-0762) Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5018) It was discovered that Tomcat did not protect applications from untrusted data in the HTTP_PROXY environment variable. A remote attacker could possibly use this issue to redirect outbound traffic to an arbitrary proxy server. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5388) It was discovered that Tomcat incorrectly controlled reading system properties. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6794) It was discovered that Tomcat incorrectly controlled certain configuration parameters. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6796) It was discovered that Tomcat incorrectly limited access to global JNDI resources. A malicious application could use this to access any global JNDI resource without an explicit ResourceLink. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6797) Regis Leroy discovered that Tomcat incorrectly filtered certain invalid characters from the HTTP request line. A remote attacker could possibly use this issue to inject data into HTTP responses. (CVE-2016-6816) Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener did not implement a recommended fix. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2016-8735) It was discovered that Tomcat incorrectly handled error handling in the send file code. A remote attacker could possibly use this issue to access information from other requests. (CVE-2016-8745) Paul Szabo discovered that the Tomcat package incorrectly handled upgrades and removals. A local attacker could possibly use this issue to obtain root privileges. (CVE-2016-9774, CVE-2016-9775). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 96720
    published 2017-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96720
    title Ubuntu 12.04 LTS / 14.04 LTS / 16.04 LTS / 16.10 : tomcat6, tomcat7, tomcat8 vulnerabilities (USN-3177-1) (httpoxy)
  • NASL family Misc.
    NASL id ORACLE_ENTERPRISE_MANAGER_JUL_2017_CPU.NASL
    description The version of Oracle Enterprise Manager Grid Control installed on the remote host is missing a security patch. It is, therefore, affected by multiple vulnerabilities : - A flaw exists in the Bouncy Castle Java library due to improper validation of a point within the elliptic curve. An unauthenticated, remote attacker can exploit this to obtain private keys by using a series of specially crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, also known as an 'invalid curve attack.' (CVE-2015-7940) - A flaw exists in the PathTools module for Perl in the File::Spec::canonpath() function that is triggered as strings are returned as untainted even when passing tainted input. An unauthenticated, remote attacker can exploit this to pass unvalidated user input to sensitive or insecure areas. (CVE-2015-8607) - An overflow condition exists in Perl in the MapPathA() function due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to cause a denial of service condition or the execution of arbitrary code. (CVE-2015-8608) - A remote code execution vulnerability exists in the Apache Struts component due to improper handling of multithreaded access to an ActionForm instance. An unauthenticated, remote attacker can exploit this, via a specially crafted multipart request, to execute arbitrary code or cause a denial of service condition. (CVE-2016-1181) - A flaw exists in Perl that is triggered during the handling of variables that appear twice in the environment (envp), causing the last value to appear in %ENV, while getenv would return the first. An unauthenticated, remote attacker can exploit this to cause variables to be incorrectly propagated to subprocesses, regardless of the protections offered by taint checking. (CVE-2016-2381) - A denial of service vulnerability exists in the Apache Commons FileUpload component due to improper handling of boundaries in content-type headers when handling file upload requests. An unauthenticated, remote attacker can exploit this to cause processes linked against the library to become unresponsive. (CVE-2016-3092) - A man-in-the-middle vulnerability exists in various components, known as 'httpoxy', due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5385, CVE-2016-5386, CVE-2016-5387, CVE-2016-5388) - A carry propagating error exists in the OpenSSL component in the x86_64 Montgomery squaring implementation that may cause the BN_mod_exp() function to produce incorrect results. An unauthenticated, remote attacker with sufficient resources can exploit this to obtain sensitive information regarding private keys. Moreover, the attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. For example, this can occur by default in OpenSSL DHE based SSL/TLS cipher suites. (CVE-2017-3732) - An unspecified flaw exists in the UI Framework component that allows authenticated, remote attacker to have an impact on integrity. (CVE-2017-10091)
    last seen 2019-02-21
    modified 2018-07-16
    plugin id 101837
    published 2017-07-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=101837
    title Oracle Enterprise Manager Grid Control Multiple Vulnerabilities (July 2017 CPU) (httpoxy)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161010_TOMCAT6_ON_SL6_X.NASL
    description Security Fix(es) : - It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) - It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) - It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) - A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174) - It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345) - It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706) Bug Fix(es) : - Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were compared to the file's attributes at installation time. Because these attributes change after the service is started, the 'rpm -V' command previously failed. With this update, the attributes mentioned above are ignored in the RPM verification and the catalina.out file now passes the verification check.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 94004
    published 2016-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94004
    title Scientific Linux Security Update : tomcat6 on SL6.x (noarch) (httpoxy)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-38E5B05260.NASL
    description This updates includes a rebase from tomcat 8.0.36 up to 8.0.38 which resolves multiple CVEs and a problem that 8.0.37 introduces to freeipa : - rhbz#1375581 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header - rhbz#1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws and includes two additional CVE fixes along with one bug fix : - rhbz#1383210 - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service - rhbz#1383216 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation - rhbz#1370262 - catalina.out is no longer in use in the main package, but still gets rotated Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-05
    plugin id 94997
    published 2016-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94997
    title Fedora 25 : 1:tomcat (2016-38e5b05260) (httpoxy)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-4094BD4AD6.NASL
    description This updates includes a rebase from tomcat 8.0.36 up to 8.0.38 which resolves multiple CVEs and a problem that 8.0.37 introduces to freeipa : - rhbz#1375581 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header - rhbz#1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws and includes two additional CVE fixes along with one bug fix : - rhbz#1383210 - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service - rhbz#1383216 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation - rhbz#1370262 - catalina.out is no longer in use in the main package, but still gets rotated Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-05
    plugin id 94747
    published 2016-11-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94747
    title Fedora 23 : 1:tomcat (2016-4094bd4ad6) (httpoxy)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2046.NASL
    description An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425) * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346) Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93951
    published 2016-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93951
    title RHEL 7 : tomcat (RHSA-2016:2046) (httpoxy)
  • NASL family Web Servers
    NASL id HTTP_HTTPOXY.NASL
    description The web application running on the remote web server is affected by a man-in-the-middle vulnerability known as 'httpoxy' due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. An unauthenticated, remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 92539
    published 2016-07-25
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92539
    title HTTP_PROXY Environment Variable Namespace Collision Vulnerability (httpoxy)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-3177-2.NASL
    description USN-3177-1 fixed vulnerabilities in Tomcat. The update introduced a regression in environments where Tomcat is started with a security manager. This update fixes the problem. We apologize for the inconvenience. It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn't exist. A remote attacker could possibly use this issue to enumerate usernames. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-0762) Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5018) It was discovered that Tomcat did not protect applications from untrusted data in the HTTP_PROXY environment variable. A remote attacker could possibly use this issue to redirect outbound traffic to an arbitrary proxy server. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5388) It was discovered that Tomcat incorrectly controlled reading system properties. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6794) It was discovered that Tomcat incorrectly controlled certain configuration parameters. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6796) It was discovered that Tomcat incorrectly limited access to global JNDI resources. A malicious application could use this to access any global JNDI resource without an explicit ResourceLink. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6797) Regis Leroy discovered that Tomcat incorrectly filtered certain invalid characters from the HTTP request line. A remote attacker could possibly use this issue to inject data into HTTP responses. (CVE-2016-6816) Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener did not implement a recommended fix. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2016-8735) It was discovered that Tomcat incorrectly handled error handling in the send file code. A remote attacker could possibly use this issue to access information from other requests. (CVE-2016-8745) Paul Szabo discovered that the Tomcat package incorrectly handled upgrades and removals. A local attacker could possibly use this issue to obtain root privileges. (CVE-2016-9774, CVE-2016-9775). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 96978
    published 2017-02-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=96978
    title Ubuntu 12.04 LTS / 14.04 LTS : tomcat6, tomcat7 regression (USN-3177-2) (httpoxy)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2045.NASL
    description An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174) * It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345) * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706) Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security. Bug Fix(es) : * Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were compared to the file's attributes at installation time. Because these attributes change after the service is started, the 'rpm -V' command previously failed. With this update, the attributes mentioned above are ignored in the RPM verification and the catalina.out file now passes the verification check. (BZ#1357123)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93950
    published 2016-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93950
    title RHEL 6 : tomcat6 (RHSA-2016:2045) (httpoxy)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2045.NASL
    description An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174) * It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345) * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706) Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security. Bug Fix(es) : * Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were compared to the file's attributes at installation time. Because these attributes change after the service is started, the 'rpm -V' command previously failed. With this update, the attributes mentioned above are ignored in the RPM verification and the catalina.out file now passes the verification check. (BZ#1357123)
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 93965
    published 2016-10-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93965
    title CentOS 6 : tomcat6 (CESA-2016:2045) (httpoxy)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2045.NASL
    description From Red Hat Security Advisory 2016:2045 : An update for tomcat6 is now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es) : * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325) * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714) * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388) * A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174) * It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345) * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706) Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security. Bug Fix(es) : * Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were compared to the file's attributes at installation time. Because these attributes change after the service is started, the 'rpm -V' command previously failed. With this update, the attributes mentioned above are ignored in the RPM verification and the catalina.out file now passes the verification check. (BZ#1357123)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 93947
    published 2016-10-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93947
    title Oracle Linux 6 : tomcat6 (ELSA-2016-2045) (httpoxy)
  • NASL family Web Servers
    NASL id HPSMH_7_6.NASL
    description According to its banner, the version of HP System Management Homepage (SMH) hosted on the remote web server is prior to 7.6. It is, therefore, affected by the following vulnerabilities : - A heap buffer overflow condition exists in OpenSSL in the EVP_EncodeUpdate() function within file crypto/evp/encode.c that is triggered when handling a large amount of input data. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2105) - A heap buffer overflow condition exists in OpenSSL in the EVP_EncryptUpdate() function within file crypto/evp/evp_enc.c that is triggered when handling a large amount of input data after a previous call occurs to the same function with a partial block. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-2106) - Multiple flaws exist OpenSSL in the aesni_cbc_hmac_sha1_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha1.c and the aesni_cbc_hmac_sha256_cipher() function in file crypto/evp/e_aes_cbc_hmac_sha256.c that are triggered when the connection uses an AES-CBC cipher and AES-NI is supported by the server. A man-in-the-middle attacker can exploit these to conduct a padding oracle attack, resulting in the ability to decrypt the network traffic. (CVE-2016-2107) - Multiple unspecified flaws exist in OpenSSL in the d2i BIO functions when reading ASN.1 data from a BIO due to invalid encoding causing a large allocation of memory. An unauthenticated, remote attacker can exploit these to cause a denial of service condition through resource exhaustion. (CVE-2016-2109) - A certificate validation bypass vulnerability exists in cURL and libcurl due to improper validation of TLS certificates. A man-in-the-middle attacker can exploit this, via a spoofed certificate that appears valid, to disclose or manipulate transmitted data. (CVE-2016-3739) - An integer overflow condition exists in PHP in the php_raw_url_encode() function within file ext/standard/url.c due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this to have an unspecified impact. (CVE-2016-4070) - A flaw exists in PHP in the php_snmp_error() function within file ext/snmp/snmp.c that is triggered when handling format string specifiers. An unauthenticated, remote attacker can exploit this, via a crafted SNMP object, to cause a denial of service or to execute arbitrary code. (CVE-2016-4071) - An invalid memory write error exists in PHP when handling the path of phar file names that allows an attacker to have an unspecified impact. (CVE-2016-4072) - A remote code execution vulnerability exists in PHP in phar_object.c due to improper handling of zero-length uncompressed data. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR, ZIP, or PHAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4342) - A remote code execution vulnerability exists in PHP in the phar_make_dirstream() function within file ext/phar/dirstream.c due to improper handling of ././@LongLink files. An unauthenticated, remote attacker can exploit this, via a specially crafted TAR file, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4343) - A cross-site scripting (XSS) vulnerability exists due to improper validation of user-supplied input. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to execute arbitrary script code in a user's browser session. (CVE-2016-4393) - An unspecified HTTP Strict Transport Security (HSTS) bypass vulnerability exists that allows authenticated, remote attackers to disclose sensitive information. (CVE-2016-4394) - A remote code execution vulnerability exists due to an overflow condition in the mod_smh_config.so library caused by improper validation of user-supplied input when parsing the admin-group parameter supplied to the /proxy/SetSMHData endpoint. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4395) - A remote code execution vulnerability exists due to an overflow condition in the mod_smh_config.so library caused by improper validation of user-supplied input when parsing the TKN parameter supplied to the /Proxy/SSO endpoint. An unauthenticated, remote attacker can exploit this, via a specially crafted request, to cause a denial of service condition or the execution of arbitrary code. (CVE-2016-4396) - An out-of-bounds read error exists in PHP in the php_str2num() function in bcmath.c when handling negative scales. An unauthenticated, remote attacker can exploit this, via a crafted call, to cause a denial of service condition or the disclosure of memory contents. (CVE-2016-4537) - A flaw exists in PHP the bcpowmod() function in bcmath.c due to modifying certain data structures without considering whether they are copies of the _zero_, _one_, or _two_ global variables. An unauthenticated, remote attacker can exploit this, via a crafted call, to cause a denial of service condition. (CVE-2016-4538) - A flaw exists in PHP in the xml_parse_into_struct() function in xml.c when handling specially crafted XML contents. An unauthenticated, remote attacker can exploit this to cause a denial of service condition. (CVE-2016-4539) - Multiple out-of-bounds read errors exist in PHP within file ext/intl/grapheme/grapheme_string.c when handling negative offsets in the zif_grapheme_stripos() and zif_grapheme_strpos() functions. An unauthenticated, remote attacker can exploit these issues to cause a denial of service condition or disclose memory contents. (CVE-2016-4540, CVE-2016-4541) - A flaw exists in PHP in the exif_process_IFD_TAG() function in exif.c due to improper construction of spprintf arguments. An unauthenticated, remote attacker can exploit this, via crafted header data, to cause an out-of-bounds read error, resulting in a denial of service condition or the disclosure of memory contents. (CVE-2016-4542) - A flaw exists in PHP in the exif_process_IFD_in_JPEG() function in exif.c due to improper validation of IFD sizes. An unauthenticated, remote attacker can exploit this, via crafted header data, to cause an out-of-bounds read error, resulting in a denial of service condition or the disclosure of memory contents. (CVE-2016-4543) - A man-in-the-middle vulnerability exists, known as 'httpoxy', in the Apache Tomcat, Apache HTTP Server, and PHP components due to a failure to properly resolve namespace conflicts in accordance with RFC 3875 section 4.1.18. The HTTP_PROXY environment variable is set based on untrusted user data in the 'Proxy' header of HTTP requests. The HTTP_PROXY environment variable is used by some web client libraries to specify a remote proxy server. A remote attacker can exploit this, via a crafted 'Proxy' header in an HTTP request, to redirect an application's internal HTTP traffic to an arbitrary proxy server where it may be observed or manipulated. (CVE-2016-5385, CVE-2016-5387, CVE-2016-5388) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 94654
    published 2016-11-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94654
    title HP System Management Homepage < 7.6 Multiple Vulnerabilities (HPSBMU03653) (httpoxy)
redhat via4
advisories
  • rhsa
    id RHSA-2016:1624
  • rhsa
    id RHSA-2016:1635
  • rhsa
    id RHSA-2016:1636
  • rhsa
    id RHSA-2016:2045
  • rhsa
    id RHSA-2016:2046
rpms
  • tomcat6-0:6.0.24-98.el6_8
  • tomcat6-admin-webapps-0:6.0.24-98.el6_8
  • tomcat6-docs-webapp-0:6.0.24-98.el6_8
  • tomcat6-el-2.1-api-0:6.0.24-98.el6_8
  • tomcat6-javadoc-0:6.0.24-98.el6_8
  • tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8
  • tomcat6-lib-0:6.0.24-98.el6_8
  • tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8
  • tomcat6-webapps-0:6.0.24-98.el6_8
  • tomcat-0:7.0.54-8.el7_2
  • tomcat-admin-webapps-0:7.0.54-8.el7_2
  • tomcat-docs-webapp-0:7.0.54-8.el7_2
  • tomcat-el-2.2-api-0:7.0.54-8.el7_2
  • tomcat-javadoc-0:7.0.54-8.el7_2
  • tomcat-jsp-2.2-api-0:7.0.54-8.el7_2
  • tomcat-jsvc-0:7.0.54-8.el7_2
  • tomcat-lib-0:7.0.54-8.el7_2
  • tomcat-servlet-3.0-api-0:7.0.54-8.el7_2
  • tomcat-webapps-0:7.0.54-8.el7_2
refmap via4
bid 91818
cert-vn VU#797896
confirm
misc https://httpoxy.org/
sectrack 1036331
suse openSUSE-SU-2016:2252
Last major update 16-02-2017 - 21:59
Published 18-07-2016 - 22:00
Last modified 13-08-2019 - 18:15
Back to Top