Apache Tomcat < 4.1.40 / 5.5.28 / 6.0.20 Multiple Vulnerabilities

This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.


Synopsis :

The remote Apache Tomcat service may be affected by multiple
vulnerabilities.

Description :

According to its self-reported version number, the Apache Tomcat
listening on the remote host is earlier than Tomcat 4.1.40 / 5.5.28 /
6.0.20 and, as such, may be affected by one or more of the following
vulnerabilities :

- The remote service may be vulnerable to a directory
traversal attack if a RequestDispatcher obtained from a
Request object is used. A specially crafted value for a
request parameter can be used to access potentially
sensitive configuration files or other files, e.g.,
files in the WEB-INF directory. (CVE-2008-5515)

- The remote service may be vulnerable to a denial of
service attack if configured to use the Java AJP
connector. An attacker can send a malicious request with
invalid headers which causes the AJP connector to be put
into an error state for a short time. This behavior can
be used as a denial of service attack. (CVE-2009-0033)

- The remote service may be vulnerable to a username
enumeration attack if configured to use FORM
authentication along with the 'MemoryRealm',
'DataSourceRealm', or 'JDBCRealm' authentication realms.
(CVE-2009-0580)

- The remote service may be affected by a script injection
vulnerability if the example JSP application,
'cal2.jsp', is installed. An unauthenticated, remote
attacker may be able to leverage this issue to inject
arbitrary HTML or script code into a user's browser to
be executed within the security context of the affected
site. (CVE-2009-0781)

- The remote service may be vulnerable to unauthorized
modification of 'web.xml', 'context.xml', or TLD files
of arbitrary web applications. This vulnerability could
allow the XML parser, used to process the XML and TLD
files, to be replaced. (CVE-2009-0783)

Note that Nessus did not actually test for these flaws but instead has
relied on the version in Tomcat's banner or error page, so this may be
a false positive (for example, where a vendor has backported the fixes
without changing the reported version).
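The following is an added example, not the Nessus plugin's own code, showing the kind of banner-based version check this description relies on: it extracts the Tomcat version from a constructed error page and compares it against the fixed-in versions 4.1.40 / 5.5.28 / 6.0.20 for each branch, returning "not assessed" for branches the advisory does not cover so that a later release is not silently reported as clean.

```python
import re

# Fixed-in versions per Tomcat branch, taken from this advisory.
FIXED_IN = {
    (4, 1): (4, 1, 40),
    (5, 5): (5, 5, 28),
    (6, 0): (6, 0, 20),
}

# Tomcat's default error pages and the Server banner report "Apache Tomcat/x.y.z".
BANNER_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")

# Constructed sample of a default Tomcat 404 page (not captured from a real host).
SAMPLE_ERROR_PAGE = (
    "<html><head><title>Apache Tomcat/6.0.18 - Error report</title></head>"
    "<body><h1>HTTP Status 404 - /missing</h1><hr/>"
    "<h3>Apache Tomcat/6.0.18</h3></body></html>"
)


def parse_tomcat_version(text):
    """Return (major, minor, patch) from a banner or error page, or None if absent."""
    match = BANNER_RE.search(text)
    if match is None:
        return None
    return tuple(int(part) for part in match.groups())


def is_affected(version):
    """True if the version predates the fix on its branch, False if fixed,
    None if the branch is not covered by this advisory (e.g. 7.x)."""
    branch = version[:2]
    if branch not in FIXED_IN:
        return None
    return version < FIXED_IN[branch]


def assess(text):
    """Classify a banner/error page: 'affected', 'fixed', 'not assessed' or 'no banner'."""
    version = parse_tomcat_version(text)
    if version is None:
        return "no banner"
    verdict = is_affected(version)
    if verdict is None:
        return "not assessed"
    return "affected" if verdict else "fixed"


if __name__ == "__main__":
    print(parse_tomcat_version(SAMPLE_ERROR_PAGE), assess(SAMPLE_ERROR_PAGE))
```

As the note above says, a verdict of "affected" from this check is only a version inference and should be confirmed against the installed package before treating it as a finding.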

See also :

http://www.securityfocus.com/archive/1/504125
http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.40
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.28
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.20

Solution :

Update Apache Tomcat to version 4.1.40 / 5.5.28 / 6.0.20 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 46753

Bugtraq ID: 35193, 35196, 35263, 35416

CVE ID: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783