Apache Tomcat 8.0.x < 8.0.6 XML Parser Information Disclosure

This script is Copyright (C) 2014 Tenable Network Security, Inc.


Synopsis :

The remote Apache Tomcat service is potentially affected by an
information disclosure vulnerability.

Description :

According to its self-reported version number, the instance of Apache
Tomcat 8.0.x listening on the remote host is a version prior to 8.0.5.
It is, therefore, potentially affected by an information disclosure
vulnerability.

An error exists that could allow undesired XML parsers to be injected
into the application by a malicious web application and allow
bypassing security controls, processing of external XML entities and
information disclosure.

Note that Nessus did not actually test for this flaw but has instead
relied on the version in Tomcat's banner or error page so this could
be a false positive.

See also :

http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.8

Solution :

Update to Apache Tomcat version 8.0.8 or later.

Note that while version 8.0.6 fixes these issues, that version as well
as 8.0.7 were not officially released, and the vendor recommends
upgrading to 8.0.8 or later.

Risk factor :

Low / CVSS Base Score : 3.3
(CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:N)
CVSS Temporal Score : 2.9
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false

Family: Web Servers

Nessus Plugin ID: 74249 ()

Bugtraq ID: 67669

CVE ID: CVE-2014-0119