CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
55.1%
The version of Tomcat installed on the remote host is prior to 9.0.0.M10. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.0.m10_security-9 advisory.
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)
A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
When a SecurityManager is configured, a web application’s ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
(CVE-2016-0762)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##
include('compat.inc');
if (description)
{
script_id(197842);
script_version("1.1");
script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/23");
script_cve_id(
"CVE-2016-0762",
"CVE-2016-5018",
"CVE-2016-6794",
"CVE-2016-6796",
"CVE-2016-6797"
);
script_name(english:"Apache Tomcat 9.0.0.M1 < 9.0.0.M10 multiple vulnerabilities");
script_set_attribute(attribute:"synopsis", value:
"The remote Apache Tomcat server is affected by multiple vulnerabilities");
script_set_attribute(attribute:"description", value:
"The version of Tomcat installed on the remote host is prior to 9.0.0.M10. It is, therefore, affected by multiple
vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.0.m10_security-9 advisory.
- The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to
8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources
to those resources explicitly linked to the web application. Therefore, it was possible for a web
application to access any global JNDI resource whether an explicit ResourceLink had been configured or
not. (CVE-2016-6797)
- A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to
8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via
manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
- When a SecurityManager is configured, a web application's ability to read system properties should be
controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to
8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files
could be used by a malicious web application to bypass the SecurityManager and read system properties that
should not be visible. (CVE-2016-6794)
- In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to
6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility
method that was accessible to web applications. (CVE-2016-5018)
- The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to
8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user
name did not exist. This made a timing attack possible to determine valid user names. Note that the
default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
(CVE-2016-0762)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1757271");
script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1758487");
script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1763232");
script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1754445");
script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1754714");
script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1760300");
script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1758499");
# https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M10
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d2a167f2");
script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Tomcat version 9.0.0.M10 or later.");
script_set_attribute(attribute:"agent", value:"all");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-5018");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"vuln_publication_date", value:"2016/09/05");
script_set_attribute(attribute:"patch_publication_date", value:"2016/09/05");
script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/23");
script_set_attribute(attribute:"plugin_type", value:"combined");
script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat:9");
script_set_attribute(attribute:"generated_plugin", value:"former");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Web Servers");
script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("os_fingerprint.nasl", "tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin");
script_require_keys("installed_sw/Apache Tomcat");
exit(0);
}
include('vcf_extras.inc');
vcf::tomcat::initialize();
var app_info = vcf::combined_get_app_info(app:'Apache Tomcat');
var constraints = [
{ 'min_version' : '9.0.0.M1', 'max_version' : '9.0.0.M9', 'fixed_version' : '9.0.0.M10' }
];
vcf::check_all_backporting(app_info:app_info);
vcf::check_granularity(app_info:app_info, sig_segments:3);
vcf::check_version_and_report(
app_info:app_info,
constraints:constraints,
severity:SECURITY_WARNING
);
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6796
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797
www.nessus.org/u?d2a167f2
svn.apache.org/viewvc?view=rev&rev=1754445
svn.apache.org/viewvc?view=rev&rev=1754714
svn.apache.org/viewvc?view=rev&rev=1757271
svn.apache.org/viewvc?view=rev&rev=1758487
svn.apache.org/viewvc?view=rev&rev=1758499
svn.apache.org/viewvc?view=rev&rev=1760300
svn.apache.org/viewvc?view=rev&rev=1763232
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
AI Score
Confidence
Low
EPSS
Percentile
55.1%