Apache Tomcat 4.x < 4.1.37 Multiple Vulnerabilities

This script is Copyright (C) 2010-2014 Tenable Network Security, Inc.
Synopsis :

The remote Apache Tomcat service may be affected by multiple
vulnerabilities.

Description :

According to its self-reported version number, the instance of Apache
Tomcat 4.x listening on the remote host is earlier than 4.1.37 and,
therefore, may be affected by the following vulnerabilities :

- The remote Apache Tomcat install may be vulnerable to an
information disclosure attack if the deprecated AJP
connector processes a client request having a non-zero
Content-Length and the client disconnects before
sending the request body. (CVE-2005-3164)

- The remote Apache Tomcat install may be vulnerable to
a cross-site scripting attack if the JSP and Servlet
examples are enabled. Several of these examples do
not properly validate user input.
(CVE-2007-1355, CVE-2007-2449)

- The remote Apache Tomcat install may be vulnerable to
a cross-site scripting attack if the Manager web
application is enabled, as it fails to escape input
data. (CVE-2007-2450)

- The remote Apache Tomcat install may be vulnerable to an
information disclosure attack via cookies. Apache Tomcat
treats the single quote character in a cookie as a
delimiter, which can lead to information, such as the
session ID, being disclosed. (CVE-2007-3382)

- The remote Apache Tomcat install may be vulnerable to
a cross-site scripting attack if the SendMailServlet is
enabled. The SendMailServlet is a part of the examples
web application and, when reporting error messages,
fails to escape user provided data. (CVE-2007-3383)

- The remote Apache Tomcat install may be vulnerable to an
information disclosure attack via cookies. The previous
fix for CVE-2007-3385 was incomplete and did not account
for the use of quotes or '%5C' in cookie values.
(CVE-2007-3385, CVE-2007-5333)

- The remote Apache Tomcat install may be vulnerable to an
information disclosure attack via the WebDAV servlet.
Certain WebDAV requests, containing an entity with a
SYSTEM tag, can result in the disclosure of arbitrary
file contents. (CVE-2007-5461)

Note that Nessus did not actually test for the flaws but instead has
relied on the version in Tomcat's banner or error page, so this may be
a false positive.
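The version-only check described in the note above, written out as an added example (this is not the Nessus plugin's own code): it parses the version out of a Tomcat banner or error-page string and flags only 4.x releases earlier than 4.1.37. The regex, function names and sample banners are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample banner / error-page strings (not captured from a real host).
SAMPLE_BANNERS = [
    "Apache Tomcat/4.1.31",           # 4.x, earlier than the fix release
    "Apache Tomcat/4.0.6",            # 4.x, earlier than the fix release
    "Apache Tomcat/4.1.37",           # the fix release itself
    "Apache Tomcat/4.1.37-LE-jdk14",  # fix release with a build suffix
    "Apache Tomcat/5.5.26",           # different branch, out of scope for this check
    "Microsoft-IIS/6.0",              # not Tomcat at all
]

FIXED_IN = (4, 1, 37)  # first 4.x release carrying all of the fixes listed above

def parse_tomcat_version(text: str) -> Optional[Tuple[int, ...]]:
    """Pull the dotted numeric version out of an 'Apache Tomcat/x.y.z' string.
    Suffixes such as '-LE-jdk14' are ignored; returns None if Tomcat is not named."""
    m = re.search(r"Apache Tomcat/(\d+(?:\.\d+)*)", text)
    if not m:
        return None
    return tuple(int(part) for part in m.group(1).split("."))

def is_affected(text: str) -> bool:
    """True when the banner reports a 4.x release earlier than 4.1.37.
    Tuple comparison is numeric and component-wise, so 4.1.9 < 4.1.37 holds
    (a plain string compare would get that wrong). Only the 4.x branch is judged."""
    version = parse_tomcat_version(text)
    if version is None or version[0] != 4:
        return False
    return version < FIXED_IN

def flag_affected(banners: List[str]) -> List[str]:
    """Return the banners this version-only check would report."""
    return [b for b in banners if is_affected(b)]

if __name__ == "__main__":
    for b in SAMPLE_BANNERS:
        print(f"{b:32} -> {'AFFECTED' if is_affected(b) else 'not flagged'}")
```

Because the decision rests on the reported version alone, a build that backports the fixes but keeps an older version string is still flagged, which is the false-positive case the note warns about.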

See also :

http://tomcat.apache.org/security-4.html#Fixed_in_Apache_Tomcat_4.1.37
http://www.securityfocus.com/archive/1/archive/1/469067/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/471351/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/471357/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/476442/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/474413/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/476444/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/487822/100/0/threaded
http://www.securityfocus.com/archive/1/archive/1/507985/100/0/threaded

Solution :

Update to Apache Tomcat version 4.1.37 or later.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVSS Temporal Score : 4.1
(CVSS2#E:F/RL:OF/RC:C)
Public Exploit Available : true