Apache Tomcat < 4.1.40 / 5.5.28 / 6.0.20 Multiple Vulnerabilities

This script is Copyright (C) 2010-2016 Tenable Network Security, Inc.


Synopsis :

The remote Apache Tomcat server is affected by multiple
vulnerabilities.

Description :

According to its self-reported version number, the Apache Tomcat
server listening on the remote host is prior to 4.1.40, 5.5.28, or
6.0.20. It is, therefore, affected by the following vulnerabilities :

- The remote server is affected by a directory traversal
vulnerability if a RequestDispatcher obtained from a
Request object is used. A specially crafted value for a
request parameter can be used to access potentially
sensitive configuration files or other files, e.g.,
files in the WEB-INF directory. (CVE-2008-5515)

- The remote server is affected by a denial of service
vulnerability if configured to use the Java AJP
connector. An attacker can send a malicious request with
invalid headers which causes the AJP connector to be put
into an error state for a short time. This behavior can
be used as a denial of service attack. (CVE-2009-0033)

- The remote server is affected by a username enumeration
vulnerability if configured to use FORM authentication
along with the 'MemoryRealm', 'DataSourceRealm', or
'JDBCRealm' authentication realms. (CVE-2009-0580)

- The remote server is affected by a script injection
vulnerability if the example JSP application,
'cal2.jsp', is installed. An unauthenticated, remote
attacker can exploit this issue to inject arbitrary HTML
or script code into a user's browser to be executed
within the security context of the affected site.
(CVE-2009-0781)

- The remote server is vulnerable to unauthorized
modification of 'web.xml', 'context.xml', or TLD files
of arbitrary web applications. This vulnerability allows
the XML parser, used to process the XML and TLD files,
to be replaced. (CVE-2009-0783)

Note that Nessus has not tested for these issues but has instead
relied only on the application's self-reported version number.

See also :

http://www.securityfocus.com/archive/1/504125
http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.40
http://tomcat.apache.org/security-5.html#Fixed_in_Apache_Tomcat_5.5.28
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.20

Solution :

Upgrade to Apache Tomcat version 4.1.40 / 5.5.28 / 6.0.20 or later.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 3.6
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 46753

Bugtraq ID: 35193, 35196, 35263, 35416

CVE ID: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783