CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
EPSS
Percentile
99.9%
The remote Solaris system is missing necessary patches to address security updates :
Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30 does not properly handle chunk extensions in chunked transfer coding, which allows remote attackers to cause a denial of service by streaming data. (CVE-2012-3544)
Unspecified vulnerability in the Javadoc component in Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21 and earlier; and OpenJDK 7 allows remote attackers to affect integrity via unknown vectors related to Javadoc.
NOTE: the previous information is from the June 2013 CPU. Oracle has not commented on claims from another vendor that this issue is related to frame injection in HTML that is generated by Javadoc. (CVE-2013-1571)
Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request’s length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a ‘Transfer-Encoding: chunked’ header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090. (CVE-2013-4286)
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544. (CVE-2013-4322)
Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 allows attackers to obtain ‘Tomcat internals’ information by leveraging the presence of an untrusted web application with a context.xml, web.xml,
*.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue. (CVE-2013-4590)
org/apache/catalina/connector/CoyoteAdapter.java in Apache Tomcat 6.0.33 through 6.0.37 does not consider the disableURLRewriting setting when handling a session ID in a URL, which allows remote attackers to conduct session fixation attacks via a crafted URL.
(CVE-2014-0033)
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Oracle Third Party software advisories.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(80793);
script_version("1.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
script_cve_id("CVE-2012-3544", "CVE-2013-1571", "CVE-2013-4286", "CVE-2013-4322", "CVE-2013-4590", "CVE-2014-0033");
script_name(english:"Oracle Solaris Third-Party Patch Update : tomcat (multiple_vulnerabilities_in_apache_tomcat4)");
script_summary(english:"Check for the 'entire' version.");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Solaris system is missing a security patch for third-party
software."
);
script_set_attribute(
attribute:"description",
value:
"The remote Solaris system is missing necessary patches to address
security updates :
- Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30
does not properly handle chunk extensions in chunked
transfer coding, which allows remote attackers to cause
a denial of service by streaming data. (CVE-2012-3544)
- Unspecified vulnerability in the Javadoc component in
Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21
and earlier; and OpenJDK 7 allows remote attackers to
affect integrity via unknown vectors related to Javadoc.
NOTE: the previous information is from the June 2013
CPU. Oracle has not commented on claims from another
vendor that this issue is related to frame injection in
HTML that is generated by Javadoc. (CVE-2013-1571)
- Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x
before 8.0.0-RC3, when an HTTP connector or AJP
connector is used, does not properly handle certain
inconsistent HTTP request headers, which allows remote
attackers to trigger incorrect identification of a
request's length and conduct request-smuggling attacks
via (1) multiple Content-Length headers or (2) a
Content-Length header and a 'Transfer-Encoding: chunked'
header. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2005-2090. (CVE-2013-4286)
- Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x
before 8.0.0-RC10 processes chunked transfer coding
without properly handling (1) a large total amount of
chunked data or (2) whitespace characters in an HTTP
header value within a trailer field, which allows remote
attackers to cause a denial of service by streaming
data. NOTE: this vulnerability exists because of an
incomplete fix for CVE-2012-3544. (CVE-2013-4322)
- Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x
before 8.0.0-RC10 allows attackers to obtain 'Tomcat
internals' information by leveraging the presence of an
untrusted web application with a context.xml, web.xml,
*.jspx, *.tagx, or *.tld XML document containing an
external entity declaration in conjunction with an
entity reference, related to an XML External Entity
(XXE) issue. (CVE-2013-4590)
- org/apache/catalina/connector/CoyoteAdapter.java in
Apache Tomcat 6.0.33 through 6.0.37 does not consider
the disableURLRewriting setting when handling a session
ID in a URL, which allows remote attackers to conduct
session fixation attacks via a crafted URL.
(CVE-2014-0033)"
);
# https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?4a913f44"
);
# https://blogs.oracle.com/sunsecurity/multiple-vulnerabilities-in-apache-tomcat
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?ce09309a"
);
script_set_attribute(attribute:"solution", value:"Upgrade to Solaris 11.1.19.6.0.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"exploited_by_malware", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris:11.1");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:tomcat");
script_set_attribute(attribute:"patch_publication_date", value:"2014/05/22");
script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/19");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Solaris Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/Solaris11/release", "Host/Solaris11/pkg-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("solaris.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Solaris11/release");
if (isnull(release)) audit(AUDIT_OS_NOT, "Solaris11");
pkg_list = solaris_pkg_list_leaves();
if (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, "Solaris pkg-list packages");
if (empty_or_null(egrep(string:pkg_list, pattern:"^tomcat$"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat");
flag = 0;
if (solaris_check_release(release:"0.5.11-0.175.1.19.0.6.0", sru:"SRU 11.1.19.6.0") > 0) flag++;
if (flag)
{
error_extra = 'Affected package : tomcat\n' + solaris_get_report2();
error_extra = ereg_replace(pattern:"version", replace:"OS version", string:error_extra);
if (report_verbosity > 0) security_warning(port:0, extra:error_extra);
else security_warning(0);
exit(0);
}
else audit(AUDIT_PACKAGE_NOT_AFFECTED, "tomcat");
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3544
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1571
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4286
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4322
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4590
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0033
www.nessus.org/u?4a913f44
www.nessus.org/u?ce09309a