GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities

This script is Copyright (C) 2012-2016 Tenable Network Security, Inc.


Synopsis :

The remote Gentoo host is missing one or more security-related
patches.

Description :

The remote host is affected by the vulnerability described in GLSA-201206-24
(Apache Tomcat: Multiple vulnerabilities)

Multiple vulnerabilities have been discovered in Apache Tomcat. Please
review the CVE identifiers referenced below for details.

Impact :

The vulnerabilities allow an attacker to cause a Denial of Service, to
hijack a session, to bypass authentication, to inject webscript, to
enumerate valid usernames, to read, modify and overwrite arbitrary files,
to bypass intended access restrictions, to delete work-directory files,
to discover the server's hostname or IP, to bypass read permissions for
files or HTTP headers, to read or write files outside of the intended
working directory, and to obtain sensitive information by reading a log
file.

Workaround :

There is no known workaround at this time.

See also :

https://security.gentoo.org/glsa/201206-24

Solution :

All Apache Tomcat 6.0.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose '>=www-servers/tomcat-6.0.35'

All Apache Tomcat 7.0.x users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose '>=www-servers/tomcat-7.0.23'
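The solution above gives the fixed version for each supported Tomcat branch. The following POSIX sh script is an added example, not part of the Nessus plugin or the GLSA, that checks whether an installed www-servers/tomcat version meets the fixed bound for its branch (6.0.35 for 6.0.x, 7.0.23 for 7.0.x) so an administrator can confirm the upgrade took effect; the version strings it runs on at the bottom are constructed samples, and the helper names (vercmp, tomcat_is_fixed) are this example's own.

```shell
#!/bin/sh
# Added example (not from the plugin or the GLSA): decide whether an installed
# www-servers/tomcat version is at or above the fixed version named in
# GLSA-201206-24 for its branch.

# Compare two dotted numeric versions component by component.
# Prints -1 if $1 < $2, 0 if equal, 1 if $1 > $2. Missing components count as 0.
vercmp() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax="${a%%.*}"; bx="${b%%.*}"
        [ -z "$ax" ] && ax=0
        [ -z "$bx" ] && bx=0
        if [ "$ax" -lt "$bx" ]; then echo -1; return; fi
        if [ "$ax" -gt "$bx" ]; then echo 1; return; fi
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    echo 0
}

# Return 0 when the version is at or above the advisory's fixed version for
# its branch, 1 when it is still vulnerable, 2 when the branch is not one
# the advisory covers. A Gentoo revision suffix such as "-r1" is ignored,
# since the fixed bounds in the advisory carry none.
tomcat_is_fixed() {
    v="${1%%-*}"
    case "$v" in
        6.0.*) fixed=6.0.35 ;;
        7.0.*) fixed=7.0.23 ;;
        *) return 2 ;;
    esac
    [ "$(vercmp "$v" "$fixed")" -ge 0 ]
}

# Demo on constructed sample versions (not read from a real system).
for sample in 6.0.32 6.0.35 7.0.22-r1 7.0.23 5.5.35; do
    if tomcat_is_fixed "$sample"; then
        echo "tomcat-$sample: fixed per GLSA-201206-24"
    elif [ $? -eq 2 ]; then
        echo "tomcat-$sample: branch not covered by GLSA-201206-24"
    else
        echo "tomcat-$sample: still affected, upgrade required"
    fi
done
```

On a real Gentoo host the installed version can be read from the package database directory /var/db/pkg/www-servers/ and passed to tomcat_is_fixed; the function only reasons about the version string, so it can also be run against inventory data pulled from many hosts.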

Risk factor :

High / CVSS Base Score : 7.5
(CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVSS Temporal Score : 6.5
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : true
