nessus · This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. · ALA_ALAS-2017-862.NASL
History · Aug 04, 2017 - 12:00 a.m.

Amazon Linux AMI : tomcat8 (ALAS-2017-862)

2017-08-04 00:00:00
This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.
www.tenable.com
14

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

0.009 Low

EPSS

Percentile

82.7%

Security constraint bypass in error page mechanism:

A vulnerability was discovered in the error page mechanism in Tomcat’s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client-side and server-side cache poisoning in some circumstances. (CVE-2017-7674)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2017-862.
#

include("compat.inc");

# Registration branch: when the plugin is loaded with `description` set, it
# only declares its metadata (IDs, references, text, scoring, prerequisites)
# and exits via exit(0) before any of the host checks further down are run.
if (description)
{
  script_id(102177);
  script_version("3.8");
  script_cvs_date("Date: 2018/04/18 15:09:36");

  # Both CVEs are covered by the single advisory ALAS-2017-862.
  script_cve_id("CVE-2017-5664", "CVE-2017-7674");
  script_xref(name:"ALAS", value:"2017-862");

  script_name(english:"Amazon Linux AMI : tomcat8 (ALAS-2017-862)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  # The description text is taken from the vendor advisory (see the file
  # header); the version ranges it quotes are for Apache Tomcat itself, while
  # the package builds this plugin compares against are listed in the
  # rpm_check() calls later in the file.
  script_set_attribute(
    attribute:"description", 
    value:
"Security constrained bypass in error page mechanism :

A vulnerability was discovered in the error page mechanism in Tomcat's
DefaultServlet implementation. A crafted HTTP request could cause
undesired side effects, possibly including the removal or replacement
of the custom error page. (CVE-2017-5664)

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to
8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP
Vary header indicating that the response varies depending on Origin.
This permitted client and server side cache poisoning in some
circumstances. (CVE-2017-7674)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2017-862.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Run 'yum update tomcat8' to update your system."
  );
  # Both vectors rate this as network-reachable, unauthenticated and
  # integrity-only (C:N, A:N): partial integrity impact under CVSS2, high
  # under CVSS3.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");

  # "local" plugin type: the finding comes from host-side data (the KB keys
  # required below), not from probing a Tomcat listener over the network.
  script_set_attribute(attribute:"plugin_type", value:"local");
  # One CPE per tomcat8 sub-package checked below, plus the operating system.
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-admin-webapps");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-docs-webapp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-el-3.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-lib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-webapps");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/08/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/08/04");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  # The three KB keys required here are the ones the check section reads.
  # NOTE(review): presumably they are populated by ssh_get_info.nasl during a
  # credentialed scan - confirm; without them the plugin has no data to
  # compare and an uncredentialed scan says nothing about this advisory.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  # Metadata only: stop here so no host check runs in description mode.
  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


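# Preconditions for the package comparison. Each failed precondition is
# reported through audit() with a specific reason, so a scan result can
# distinguish "not applicable / no data" from "checked and not affected".

# Local (host-side) checks must have been enabled for this target.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

# The target must identify itself as Amazon Linux.
release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");

# The release string must start with "AL" followed by either "A" (the
# Amazon Linux AMI line this advisory applies to) or a single digit
# (a different Amazon Linux generation).
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];

# Anything other than the AMI line is out of scope for ALAS-2017-862.
# The original re-tested os_ver == 'A' inside this branch to rename it to
# 'AMI'; that test can never be true when os_ver != "A", so the unreachable
# statement is removed. The audit message is unchanged for every reachable
# input.
if (os_ver != "A") audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);

# Without the collected rpm list there is nothing to compare against.
if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);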


# Compare every tomcat8 sub-package against the fixed build named in the
# advisory. rpm_check() is called once per package, in the same order and
# with the same reference strings as a hand-written list would produce.
#
# Scope of the result: this is a comparison against the collected rpm list
# only. It does not look at the Tomcat configuration, so a hit means the
# update is missing, not that the CORS filter or a writable DefaultServlet
# is actually in use on this host.
fixed_build = "-8.0.45-1.72.amzn1";
pkg_names = make_list(
  "tomcat8",
  "tomcat8-admin-webapps",
  "tomcat8-docs-webapp",
  "tomcat8-el-3.0-api",
  "tomcat8-javadoc",
  "tomcat8-jsp-2.3-api",
  "tomcat8-lib",
  "tomcat8-log4j",
  "tomcat8-servlet-3.1-api",
  "tomcat8-webapps"
);

outdated = 0;
foreach pkg_name (pkg_names)
{
  if (rpm_check(release:"ALA", reference:pkg_name + fixed_build)) outdated++;
}

# At least one package is older than the fixed build: raise a warning-level
# finding on port 0, attaching the rpm comparison report when the scan is
# configured for verbose output.
if (outdated)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}

# Nothing outdated. Distinguish "packages were present and already fixed"
# from "none of the packages is installed" in the audit trail.
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat8 / tomcat8-admin-webapps / tomcat8-docs-webapp / etc");
Vendor | Product | Version | CPE
amazon | linux | tomcat8 | p-cpe:/a:amazon:linux:tomcat8
amazon | linux | tomcat8-admin-webapps | p-cpe:/a:amazon:linux:tomcat8-admin-webapps
amazon | linux | tomcat8-docs-webapp | p-cpe:/a:amazon:linux:tomcat8-docs-webapp
amazon | linux | tomcat8-el-3.0-api | p-cpe:/a:amazon:linux:tomcat8-el-3.0-api
amazon | linux | tomcat8-javadoc | p-cpe:/a:amazon:linux:tomcat8-javadoc
amazon | linux | tomcat8-jsp-2.3-api | p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api
amazon | linux | tomcat8-lib | p-cpe:/a:amazon:linux:tomcat8-lib
amazon | linux | tomcat8-log4j | p-cpe:/a:amazon:linux:tomcat8-log4j
amazon | linux | tomcat8-servlet-3.1-api | p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api
amazon | linux | tomcat8-webapps | p-cpe:/a:amazon:linux:tomcat8-webapps