Amazon Linux AMI : tomcat8 (ALAS-2018-959)

2018-02-2200:00:00

www.tenable.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.005 Low

EPSS

Percentile

75.2%

JSON

Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration

As part of the fix for bug 61201, the documentation for Apache Tomcat included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected. (CVE-2017-15706)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2018-959.
#

include("compat.inc");

if (description)
{
  script_id(106936);
  script_version("3.4");
  script_cvs_date("Date: 2018/04/18 15:09:36");

  script_cve_id("CVE-2017-15706");
  script_xref(name:"ALAS", value:"2018-959");

  script_name(english:"Amazon Linux AMI : tomcat8 (ALAS-2018-959)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Incorrect documentation of CGI Servlet search algorithm may lead to
misconfiguration

As part of the fix for bug 61201, the documentation for Apache Tomcat
included an updated description of the search algorithm used by the
CGI Servlet to identify which script to execute. The update was not
correct. As a result, some scripts may have failed to execute as
expected and other scripts may have been executed unexpectedly. Note
that the behaviour of the CGI servlet has remained unchanged in this
regard. It is only the documentation of the behaviour that was wrong
and has been corrected. (CVE-2017-15706)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2018-959.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Run 'yum update tomcat8' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-admin-webapps");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-docs-webapp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-el-3.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-lib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-webapps");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2018/02/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/02/22");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2018 Tenable Network Security, Inc.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"ALA", reference:"tomcat8-8.5.28-1.76.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-admin-webapps-8.5.28-1.76.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-docs-webapp-8.5.28-1.76.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-el-3.0-api-8.5.28-1.76.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-javadoc-8.5.28-1.76.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-jsp-2.3-api-8.5.28-1.76.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-lib-8.5.28-1.76.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-log4j-8.5.28-1.76.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-servlet-3.1-api-8.5.28-1.76.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-webapps-8.5.28-1.76.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat8 / tomcat8-admin-webapps / tomcat8-docs-webapp / etc");
}

VendorProductVersionCPE
amazonlinuxtomcat8p-cpe:/a:amazon:linux:tomcat8
amazonlinuxtomcat8-admin-webappsp-cpe:/a:amazon:linux:tomcat8-admin-webapps
amazonlinuxtomcat8-docs-webappp-cpe:/a:amazon:linux:tomcat8-docs-webapp
amazonlinuxtomcat8-el-3.0-apip-cpe:/a:amazon:linux:tomcat8-el-3.0-api
amazonlinuxtomcat8-javadocp-cpe:/a:amazon:linux:tomcat8-javadoc
amazonlinuxtomcat8-jsp-2.3-apip-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api
amazonlinuxtomcat8-libp-cpe:/a:amazon:linux:tomcat8-lib
amazonlinuxtomcat8-log4jp-cpe:/a:amazon:linux:tomcat8-log4j
amazonlinuxtomcat8-servlet-3.1-apip-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api
amazonlinuxtomcat8-webappsp-cpe:/a:amazon:linux:tomcat8-webapps

Vendor	Product	Version	CPE
amazon	linux	tomcat8	p-cpe:/a:amazon:linux:tomcat8
amazon	linux	tomcat8-admin-webapps	p-cpe:/a:amazon:linux:tomcat8-admin-webapps
amazon	linux	tomcat8-docs-webapp	p-cpe:/a:amazon:linux:tomcat8-docs-webapp
amazon	linux	tomcat8-el-3.0-api	p-cpe:/a:amazon:linux:tomcat8-el-3.0-api
amazon	linux	tomcat8-javadoc	p-cpe:/a:amazon:linux:tomcat8-javadoc
amazon	linux	tomcat8-jsp-2.3-api	p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api
amazon	linux	tomcat8-lib	p-cpe:/a:amazon:linux:tomcat8-lib
amazon	linux	tomcat8-log4j	p-cpe:/a:amazon:linux:tomcat8-log4j
amazon	linux	tomcat8-servlet-3.1-api	p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api
amazon	linux	tomcat8-webapps	p-cpe:/a:amazon:linux:tomcat8-webapps