GitHub Advisory DatabaseGHSA-F7W7-6PJC-WWM6Apache Tomcat affected by vulnerability in TLS and SSL protocol
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
6.7 Medium
AI Score
Confidence
Low
0.003 Low
EPSS
Percentile
69.4%
The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a “plaintext injection” attack, aka the “Project Mogul” issue.
Apache Tomcat was affected by this issue and introduced a workaround in versions 7.0.10, 6.0.32, and 5.5.33.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.apache.tomcat:tomcat | lt | 5.5.33 | |
| org.apache.tomcat:tomcat | lt | 6.0.32 | |
| org.apache.tomcat:tomcat | lt | 7.0.10 |
References
archives.neohapsis.com/archives/bugtraq/2013-11/0120.html
blog.g-sec.lu/2009/11/tls-sslv3-renegotiation-vulnerability.html
blogs.iss.net/archive/sslmitmiscsrf.html
blogs.sun.com/security/entry/vulnerability_in_tls_protocol_during
clicky.me/tlsvuln
extendedsubset.com/?p=8
extendedsubset.com/Renegotiating_TLS.pdf
h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01945686
h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02436041
itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02273751
kbase.redhat.com/faq/docs/DOC-20491
lists.apple.com/archives/security-announce/2010//May/msg00001.html
lists.apple.com/archives/security-announce/2010//May/msg00002.html
lists.apple.com/archives/security-announce/2010/Jan/msg00000.html
lists.fedoraproject.org/pipermail/package-announce/2010-April/039561.html
lists.fedoraproject.org/pipermail/package-announce/2010-April/039957.html
lists.fedoraproject.org/pipermail/package-announce/2010-May/040652.html
lists.fedoraproject.org/pipermail/package-announce/2010-October/049455.html
lists.fedoraproject.org/pipermail/package-announce/2010-October/049528.html
lists.fedoraproject.org/pipermail/package-announce/2010-October/049702.html
lists.gnu.org/archive/html/gnutls-devel/2009-11/msg00029.html
lists.opensuse.org/opensuse-security-announce/2009-11/msg00009.html
lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
lists.opensuse.org/opensuse-security-announce/2010-05/msg00001.html
lists.opensuse.org/opensuse-security-announce/2010-05/msg00002.html
lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html
lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html
lists.opensuse.org/opensuse-security-announce/2010-12/msg00005.html
lists.opensuse.org/opensuse-security-announce/2010-12/msg00006.html
lists.opensuse.org/opensuse-security-announce/2011-07/msg00013.html
lists.opensuse.org/opensuse-security-announce/2011-07/msg00014.html
marc.info/?l=apache-httpd-announce&m=125755783724966&w=2
marc.info/?l=bugtraq&m=126150535619567&w=2
marc.info/?l=bugtraq&m=127128920008563&w=2
marc.info/?l=bugtraq&m=127419602507642&w=2
marc.info/?l=bugtraq&m=127557596201693&w=2
marc.info/?l=bugtraq&m=130497311408250&w=2
marc.info/?l=bugtraq&m=132077688910227&w=2
marc.info/?l=bugtraq&m=133469267822771&w=2
marc.info/?l=bugtraq&m=134254866602253&w=2
marc.info/?l=bugtraq&m=142660345230545&w=2
marc.info/?l=cryptography&m=125752275331877&w=2
openbsd.org/errata45.html#010_openssl
openbsd.org/errata46.html#004_openssl
seclists.org/fulldisclosure/2009/Nov/139
security.gentoo.org/glsa/glsa-200912-01.xml
security.gentoo.org/glsa/glsa-201203-22.xml
security.gentoo.org/glsa/glsa-201406-32.xml
slackware.com/security/viewer.php?l=slackware-security&y=2009&m=slackware-security.597446
sunsolve.sun.com/search/document.do?assetkey=1-26-273350-1
sunsolve.sun.com/search/document.do?assetkey=1-66-273029-1
sunsolve.sun.com/search/document.do?assetkey=1-66-274990-1
sunsolve.sun.com/search/document.do?assetkey=1-77-1021653.1-1
sunsolve.sun.com/search/document.do?assetkey=1-77-1021752.1-1
support.apple.com/kb/HT4004
support.apple.com/kb/HT4170
support.apple.com/kb/HT4171
support.avaya.com/css/P8/documents/100070150
support.avaya.com/css/P8/documents/100081611
support.avaya.com/css/P8/documents/100114315
support.avaya.com/css/P8/documents/100114327
support.citrix.com/article/CTX123359
support.zeus.com/zws/media/docs/4.3/RELEASE_NOTES
support.zeus.com/zws/news/2010/01/13/zws_4_3r5_released
sysoev.ru/nginx/patch.cve-2009-3555.txt
tomcat.apache.org/native-doc/miscellaneous/changelog-1.1.x.html
ubuntu.com/usn/usn-923-1
wiki.rpath.com/Advisories:rPSA-2009-0155
www-01.ibm.com/support/docview.wss?uid=swg1IC67848
www-01.ibm.com/support/docview.wss?uid=swg1IC68054
www-01.ibm.com/support/docview.wss?uid=swg1IC68055
www-01.ibm.com/support/docview.wss?uid=swg1PM12247
www-01.ibm.com/support/docview.wss?uid=swg21426108
www-01.ibm.com/support/docview.wss?uid=swg21432298
www-01.ibm.com/support/docview.wss?uid=swg24006386
www-01.ibm.com/support/docview.wss?uid=swg24025312
www-1.ibm.com/support/search.wss?rs=0&q=PM00675&apar=only
www.arubanetworks.com/support/alerts/aid-020810.txt
www.betanews.com/article/1257452450
www.cisco.com/en/US/products/products_security_advisory09186a0080b01d1d.shtml
www.debian.org/security/2009/dsa-1934
www.debian.org/security/2011/dsa-2141
www.debian.org/security/2015/dsa-3253
www.educatedguesswork.org/2009/11/understanding_the_tls_renegoti.html
www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/HS10-030/index.html
www.ietf.org/mail-archive/web/tls/current/msg03928.html
www.ietf.org/mail-archive/web/tls/current/msg03948.html
www.ingate.com/Relnote.php?ver=481
www.itrc.hp.com/service/cki/docDisplay.do?docId=emr_na-c02512995
www.kb.cert.org/vuls/id/120541
www.links.org/?p=780
www.links.org/?p=786
www.links.org/?p=789
www.mandriva.com/security/advisories?name=MDVSA-2010:076
www.mandriva.com/security/advisories?name=MDVSA-2010:084
www.mandriva.com/security/advisories?name=MDVSA-2010:089
www.mozilla.org/security/announce/2010/mfsa2010-22.html
www.openoffice.org/security/cves/CVE-2009-3555.html
www.openssl.org/news/secadv_20091111.txt
www.openwall.com/lists/oss-security/2009/11/05/3
www.openwall.com/lists/oss-security/2009/11/05/5
www.openwall.com/lists/oss-security/2009/11/06/3
www.openwall.com/lists/oss-security/2009/11/07/3
www.openwall.com/lists/oss-security/2009/11/20/1
www.openwall.com/lists/oss-security/2009/11/23/10
www.opera.com/docs/changelogs/unix/1060
www.opera.com/support/search/view/944
www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html
www.proftpd.org/docs/RELEASE_NOTES-1.3.2c
www.redhat.com/support/errata/RHSA-2010-0119.html
www.redhat.com/support/errata/RHSA-2010-0130.html
www.redhat.com/support/errata/RHSA-2010-0155.html
www.redhat.com/support/errata/RHSA-2010-0165.html
www.redhat.com/support/errata/RHSA-2010-0167.html
www.redhat.com/support/errata/RHSA-2010-0337.html
www.redhat.com/support/errata/RHSA-2010-0338.html
www.redhat.com/support/errata/RHSA-2010-0339.html
www.redhat.com/support/errata/RHSA-2010-0768.html
www.redhat.com/support/errata/RHSA-2010-0770.html
www.redhat.com/support/errata/RHSA-2010-0786.html
www.redhat.com/support/errata/RHSA-2010-0807.html
www.redhat.com/support/errata/RHSA-2010-0865.html
www.redhat.com/support/errata/RHSA-2010-0986.html
www.redhat.com/support/errata/RHSA-2010-0987.html
www.redhat.com/support/errata/RHSA-2011-0880.html
www.securegoose.org/2009/11/tls-renegotiation-vulnerability-cve.html
www.tombom.co.uk/blog/?p=85
www.ubuntu.com/usn/USN-1010-1
www.ubuntu.com/usn/USN-927-1
www.ubuntu.com/usn/USN-927-4
www.ubuntu.com/usn/USN-927-5
www.us-cert.gov/cas/techalerts/TA10-222A.html
www.us-cert.gov/cas/techalerts/TA10-287A.html
www.vmware.com/security/advisories/VMSA-2010-0019.html
www.vmware.com/security/advisories/VMSA-2011-0003.html
www.vmware.com/support/vsphere4/doc/vsp_vc41_u1_rel_notes.html
access.redhat.com/errata/RHSA-2009:1579
access.redhat.com/errata/RHSA-2009:1580
access.redhat.com/errata/RHSA-2009:1694
access.redhat.com/errata/RHSA-2010:0011
access.redhat.com/errata/RHSA-2010:0119
access.redhat.com/errata/RHSA-2010:0130
access.redhat.com/errata/RHSA-2010:0155
access.redhat.com/errata/RHSA-2010:0162
access.redhat.com/errata/RHSA-2010:0163
access.redhat.com/errata/RHSA-2010:0164
access.redhat.com/errata/RHSA-2010:0165
access.redhat.com/errata/RHSA-2010:0166
access.redhat.com/errata/RHSA-2010:0167
access.redhat.com/errata/RHSA-2010:0337
access.redhat.com/errata/RHSA-2010:0338
access.redhat.com/errata/RHSA-2010:0339
access.redhat.com/errata/RHSA-2010:0408
access.redhat.com/errata/RHSA-2010:0440
access.redhat.com/errata/RHSA-2010:0768
access.redhat.com/errata/RHSA-2010:0770
access.redhat.com/errata/RHSA-2010:0786
access.redhat.com/errata/RHSA-2010:0807
access.redhat.com/errata/RHSA-2010:0865
access.redhat.com/errata/RHSA-2010:0986
access.redhat.com/errata/RHSA-2010:0987
access.redhat.com/errata/RHSA-2011:0880
access.redhat.com/errata/RHSA-2015:1591
access.redhat.com/security/cve/CVE-2009-3555
bugzilla.mozilla.org/show_bug.cgi?id=526689
bugzilla.mozilla.org/show_bug.cgi?id=545755
bugzilla.redhat.com/show_bug.cgi?id=533125
bz.apache.org/bugzilla/show_bug.cgi?id=50325
docs.microsoft.com/en-us/security-updates/securitybulletins/2010/ms10-049
exchange.xforce.ibmcloud.com/vulnerabilities/54158
github.com/advisories/GHSA-f7w7-6pjc-wwm6
github.com/apache/tomcat/commit/14e4efd925da58b9fa63f20969fb7349b8a9c30d
github.com/apache/tomcat/commit/2d4ca03acc27cc883c404d1745d92f983b6fada3
github.com/apache/tomcat/commit/30af3f5630542a2340781f66553e734a6fd69701
github.com/apache/tomcat/commit/328a523cbb2a2d4cd55283180614d4e03e2f8f02
github.com/apache/tomcat/commit/3d315ac9dfaa2c03b4df82938d78bf5b755766b3
github.com/apache/tomcat/commit/56f67141e82e16f68a860c3af9b7342da35cbe7d
github.com/apache/tomcat/commit/b4e9488629bf03b4b65abf335e536e85386d1366
github.com/apache/tomcat/commit/df9633116b5fec8f47f1f008fb89a6e9d5895cd0
h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150888
kb.bluecoat.com/index?page=content&id=SA50
lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d@<dev.tomcat.apache.org>
lists.apache.org/thread.html/f8e0814e11c7f21f42224b6de111cb3f5e5ab5c15b78924c516d4ec2@<dev.tomcat.apache.org>
lists.apache.org/thread.html/re3b72cbb13e1dfe85c4a06959a3b6ca6d939b407ecca80db12b54220@<dev.tomcat.apache.org>
lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d@<dev.tomcat.apache.org>
nvd.nist.gov/vuln/detail/CVE-2009-3555
oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:10088
oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:11578
oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:11617
oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:7315
oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:7478
oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:7973
oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:8366
oval.cisecurity.org/repository/search/definition/oval:org.mitre.oval:def:8535
support.f5.com/kb/en-us/solutions/public/10000/700/sol10737.html
svn.resiprocate.org/rep/ietf-drafts/ekr/draft-rescorla-tls-renegotiate.txt
tomcat.apache.org/security-5.html
tomcat.apache.org/security-6.html
tomcat.apache.org/security-7.html
www.redhat.com/archives/fedora-package-announce/2009-December/msg00428.html
www.redhat.com/archives/fedora-package-announce/2009-December/msg00442.html
www.redhat.com/archives/fedora-package-announce/2009-December/msg00449.html
www.redhat.com/archives/fedora-package-announce/2009-December/msg00634.html
www.redhat.com/archives/fedora-package-announce/2009-December/msg00645.html
www.redhat.com/archives/fedora-package-announce/2009-December/msg00944.html
www.redhat.com/archives/fedora-package-announce/2009-December/msg01020.html
www.redhat.com/archives/fedora-package-announce/2009-December/msg01029.html
Related
5.8 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:N/I:P/A:P
6.7 Medium
AI Score
Confidence
Low
0.003 Low
EPSS
Percentile
69.4%