Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in the following components :

  - Apache Geronimo
  - Apache Tomcat
  - Apache Xerces2
  - cURL/libcURL
  - ISC BIND
  - Libxml2
  - Linux kernel
  - Linux kernel 64-bit
  - Linux kernel Common Internet File System
  - Linux kernel eCryptfs
  - NTP
  - Python
  - Java Runtime Environment (JRE)
  - Java SE Development Kit (JDK)
  - Java SE Abstract Window Toolkit (AWT)
  - Java SE Plugin
  - Java SE Provider
  - Java SE Swing
  - Java SE Web Start

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2009-1164 advisory.

    - add patch for CVE-2007-5333       Resolves: rhbz#427779
    - add patch for CVE-2008-5515       Resolves: rhbz#504758
    - add patch for CVE-2009-0033
    - add patch for CVE-2009-0580       Resolves: rhbz#503980

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It was discovered that a prior security errata for Tomcat version tomcat5-5.5.23-0jpp.3.0.2.el5 did not address all possible flaws in the way Tomcat handles certain characters and character sequences in cookie values. A remote attacker could use this flaw to obtain sensitive information, such as session IDs, and then use this information for session hijacking attacks. (CVE-2007-5333)

Note: The fix for the CVE-2007-5333 flaw changes the default cookie processing behavior: with this update, version 0 cookies that contain values that must be quoted to be valid are automatically changed to version 1 cookies. To reactivate the previous, but insecure behavior, add the following entry to the '/etc/tomcat5/catalina.properties' file :

org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false

It was discovered that request dispatchers did not properly normalize user requests that have trailing query strings, allowing remote attackers to send specially crafted requests that would cause an information leak. (CVE-2008-5515)

A flaw was found in the way the Tomcat AJP (Apache JServ Protocol) connector processes AJP connections. An attacker could use this flaw to send specially crafted requests that would cause a temporary denial of service. (CVE-2009-0033)

It was discovered that the error checking methods of certain authentication classes did not have sufficient error checking, allowing remote attackers to enumerate (via brute-force methods) usernames registered with applications running on Tomcat when FORM-based authentication was used. (CVE-2009-0580)

A cross-site scripting (XSS) flaw was found in the examples calendar application. With some web browsers, remote attackers could use this flaw to inject arbitrary web script or HTML via the 'time' parameter.
(CVE-2009-0781)

It was discovered that web applications containing their own XML parsers could replace the XML parser Tomcat uses to parse configuration files. A malicious web application running on a Tomcat instance could read or, potentially, modify the configuration and XML-based data of other web applications deployed on the same Tomcat instance. (CVE-2009-0783)

The remote host is affected by the vulnerability described in GLSA-201206-24 (Apache Tomcat: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Apache Tomcat. Please       review the CVE identifiers referenced below for details.
  Impact :

    The vulnerabilities allow an attacker to cause a Denial of Service, to       hijack a session, to bypass authentication, to inject webscript, to       enumerate valid usernames, to read, modify and overwrite arbitrary files,       to bypass intended access restrictions, to delete work-directory files,       to discover the server&rsquo;s hostname or IP, to bypass read permissions for       files or HTTP headers, to read or write files outside of the intended       working directory, and to obtain sensitive information by reading a log       file.
  Workaround :

    There is no known workaround at this time.

Various vulnerabilities have been discovered in the Tomcat Servlet and JSP engine, resulting in denial of service, cross-site scripting, information disclosure and WAR file traversal. Further details on the individual security issues can be found on the Apache Tomcat 5 vulnerabilities page.

Multiple vulnerabilities has been found and corrected in tomcat5 :

Apache Tomcat 6.0.0 through 6.0.14, 5.5.0 through 5.5.25, and 4.1.0 through 4.1.36 does not properly handle (1) double quote (') characters or (2) %5C (encoded backslash) sequences in a cookie value, which might cause sensitive information such as session IDs to be leaked to remote attackers and enable session hijacking attacks. NOTE:
this issue exists because of an incomplete fix for CVE-2007-3385 (CVE-2007-5333).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request (CVE-2008-5515).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header (CVE-2009-0033).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter (CVE-2009-0580).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application (CVE-2009-0783).

Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to create or overwrite arbitrary files via a .. (dot dot) in an entry in a WAR file, as demonstrated by a ../../bin/catalina.bat entry (CVE-2009-2693).

The autodeployment process in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20, when autoDeploy is enabled, deploys appBase files that remain from a failed undeploy, which might allow remote attackers to bypass intended authentication requirements via HTTP requests (CVE-2009-2901).

Directory traversal vulnerability in Apache Tomcat 5.5.0 through 5.5.28 and 6.0.0 through 6.0.20 allows remote attackers to delete work-directory files via directory traversal sequences in a WAR filename, as demonstrated by the ...war filename (CVE-2009-2902).

Apache Tomcat 5.5.0 through 5.5.29 and 6.0.0 through 6.0.26 might allow remote attackers to discover the server's hostname or IP address by sending a request for a resource that requires (1) BASIC or (2) DIGEST authentication, and then reading the realm field in the WWW-Authenticate header in the reply (CVE-2010-1157).

Apache Tomcat 5.5.0 through 5.5.29, 6.0.0 through 6.0.27, and 7.0.0 beta does not properly handle an invalid Transfer-Encoding header, which allows remote attackers to cause a denial of service (application outage) or obtain sensitive information via a crafted header that interferes with recycling of a buffer. (CVE-2010-2227)

Packages for 2008.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more:
http://store.mandriva.com/product_info.php?cPath=149&amp;products_id=4 90

The updated packages have been patched to correct these issues.

According to its self-reported version number, the Apache Tomcat server listening on the remote host is prior to 4.1.40, 5.5.28, or 6.0.20. It is, therefore, affected by the following vulnerabilities :

  - The remote server is affected by a directory traversal     vulnerability if a RequestDispatcher obtained from a     Request object is used. A specially crafted value for a     request parameter can be used to access potentially     sensitive configuration files or other files, e.g.,     files in the WEB-INF directory. (CVE-2008-5515)

  - The remote server is affected by a denial of service     vulnerability if configured to use the Java AJP     connector. An attacker can send a malicious request with     invalid headers which causes the AJP connector to be put     into an error state for a short time. This behavior can     be used as a denial of service attack. (CVE-2009-0033)

  - The remote server is affected by a username enumeration     vulnerability if configured to use FORM authentication     along with the 'MemoryRealm', 'DataSourceRealm', or     'JDBCRealm' authentication realms. (CVE-2009-0580)

  - The remote server is affected by a script injection     vulnerability if the example JSP application,     'cal2.jsp', is installed. An unauthenticated, remote     attacker can exploit this issue to inject arbitrary HTML     or script code into a user's browser to be executed     within the security context of the affected site.
    (CVE-2009-0781)

  - The remote server is vulnerable to unauthorized     modification of 'web.xml', 'context.xml', or TLD files     of arbitrary web applications. This vulnerability allows     the XML parser, used to process the XML and TLD files,     to be replaced. (CVE-2009-0783)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is running a version of Mac OS X 10.6 that is older than version 10.6.3.  Mac OS X 10.6.3 contains security fixes for the following products :

  - AFP Server

  - Apache

  - CoreAudio

  - CoreMedia

  - CoreTypes

  - CUPS

  - DesktopServices

  - Disk Images

  - Directory Services

  - Dovecot

  - Event Monitor

  - FreeRADIUS

  - FTP Server

  - iChat Server

  - ImageIO

  - Image RAW

  - Libsystem

  - Mail

  - MySQL

  - OS Services

  - Password Server

  - PHP

  - Podcast Producer

  - Preferences

  - PS Normalizer

  - QuickTime

  - Ruby

  - Server Admin

  - SMB

  - Tomcat

  - Wiki Server

  - X11

The remote host is running a version of Mac OS X 10.5 that does not have Security Update 2010-002 applied.

This security update contains fixes for the following products :

  - AppKit
  - Application Firewall
  - AFP Server
  - Apache
  - ClamAV
  - CoreTypes
  - CUPS
  - curl
  - Cyrus IMAP
  - Cyrus SASL
  - Disk Images
  - Directory Services
  - Event Monitor
  - FreeRADIUS
  - FTP Server
  - iChat Server
  - Image RAW
  - Libsystem
  - Mail
  - Mailman
  - OS Services
  - Password Server
  - perl
  - PHP
  - PS Normalizer
  - Ruby
  - Server Admin
  - SMB
  - Tomcat
  - unzip
  - vim
  - Wiki Server
  - X11
  - xar

The remote host is running a version of Mac OS X 10.6.x that is prior to 10.6.3.

Mac OS X 10.6.3 contains security fixes for the following products :

  - AFP Server
  - Apache
  - CoreAudio
  - CoreMedia
  - CoreTypes
  - CUPS
  - DesktopServices
  - Disk Images
  - Directory Services
  - Dovecot
  - Event Monitor
  - FreeRADIUS
  - FTP Server
  - iChat Server
  - ImageIO
  - Image RAW
  - Libsystem
  - Mail
  - MySQL
  - OS Services
  - Password Server
  - PHP
  - Podcast Producer
  - Preferences
  - PS Normalizer
  - QuickTime
  - Ruby
  - Server Admin
  - SMB
  - Tomcat
  - Wiki Server
  - X11

An updated tomcat package that fixes several security issues is now available for Red Hat Network Satellite Server 5.1.

This update has been rated as having low security impact by the Red Hat Security Response Team.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

This update corrects several security vulnerabilities in the Tomcat component shipped as part of Red Hat Network Satellite Server. In a typical operating environment, Tomcat is not exposed to users of Satellite Server in a vulnerable manner: By default, only Satellite Server applications are running on Tomcat. This update will reduce risk in unique Satellite Server environments.

It was discovered that request dispatchers did not properly normalize user requests that have trailing query strings, allowing remote attackers to send specially crafted requests that would cause an information leak. (CVE-2008-5515)

A flaw was found in the way the Tomcat AJP (Apache JServ Protocol) connector processes AJP connections. An attacker could use this flaw to send specially crafted requests that would cause a temporary denial of service. (CVE-2009-0033)

It was discovered that web applications containing their own XML parsers could replace the XML parser Tomcat uses to parse configuration files. A malicious web application running on a Tomcat instance could read or, potentially, modify the configuration and XML-based data of other web applications deployed on the same Tomcat instance. (CVE-2009-0783)

Users of Red Hat Network Satellite Server 5.1 are advised to upgrade to this updated tomcat package, which contains backported patches to resolve these issues. Tomcat must be restarted for this update to take effect.

Updated tomcat packages that fix several security issues are now available for Red Hat Network Satellite Server 5.2 and 5.3.

This update has been rated as having low security impact by the Red Hat Security Response Team.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

This update corrects several security vulnerabilities in the Tomcat component shipped as part of Red Hat Network Satellite Server. In a typical operating environment, Tomcat is not exposed to users of Satellite Server in a vulnerable manner: By default, only Satellite Server applications are running on Tomcat. This update will reduce risk in unique Satellite Server environments.

It was discovered that the Red Hat Security Advisory RHSA-2007:1069 did not address all possible flaws in the way Tomcat handles certain characters and character sequences in cookie values. A remote attacker could use this flaw to obtain sensitive information, such as session IDs, and then use this information for session hijacking attacks.
(CVE-2007-5333)

Note: The fix for the CVE-2007-5333 flaw changes the default cookie processing behavior: With this update, version 0 cookies that contain values that must be quoted to be valid are automatically changed to version 1 cookies. To reactivate the previous, but insecure behavior, add the following entry to the '/etc/tomcat5/catalina.properties' file :

org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false

It was discovered that request dispatchers did not properly normalize user requests that have trailing query strings, allowing remote attackers to send specially crafted requests that would cause an information leak. (CVE-2008-5515)

A flaw was found in the way the Tomcat AJP (Apache JServ Protocol) connector processes AJP connections. An attacker could use this flaw to send specially crafted requests that would cause a temporary denial of service. (CVE-2009-0033)

It was discovered that the error checking methods of certain authentication classes did not have sufficient error checking, allowing remote attackers to enumerate (via brute-force methods) usernames registered with applications running on Tomcat when FORM-based authentication was used. (CVE-2009-0580)

It was discovered that web applications containing their own XML parsers could replace the XML parser Tomcat uses to parse configuration files. A malicious web application running on a Tomcat instance could read or, potentially, modify the configuration and XML-based data of other web applications deployed on the same Tomcat instance. (CVE-2009-0783)

Users of Red Hat Network Satellite Server 5.2 and 5.3 are advised to upgrade to these updated tomcat packages, which contain backported patches to resolve these issues. Tomcat must be restarted for this update to take effect.

Updated tomcat packages that fix several security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was discovered that the Red Hat Security Advisory RHSA-2007:0871 did not address all possible flaws in the way Tomcat handles certain characters and character sequences in cookie values. A remote attacker could use this flaw to obtain sensitive information, such as session IDs, and then use this information for session hijacking attacks.
(CVE-2007-5333)

Note: The fix for the CVE-2007-5333 flaw changes the default cookie processing behavior: with this update, version 0 cookies that contain values that must be quoted to be valid are automatically changed to version 1 cookies. To reactivate the previous, but insecure behavior, add the following entry to the '/etc/tomcat5/catalina.properties' file :

org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false

It was discovered that request dispatchers did not properly normalize user requests that have trailing query strings, allowing remote attackers to send specially crafted requests that would cause an information leak. (CVE-2008-5515)

A flaw was found in the way the Tomcat AJP (Apache JServ Protocol) connector processes AJP connections. An attacker could use this flaw to send specially crafted requests that would cause a temporary denial of service. (CVE-2009-0033)

It was discovered that the error checking methods of certain authentication classes did not have sufficient error checking, allowing remote attackers to enumerate (via brute-force methods) usernames registered with applications running on Tomcat when FORM-based authentication was used. (CVE-2009-0580)

A cross-site scripting (XSS) flaw was found in the examples calendar application. With some web browsers, remote attackers could use this flaw to inject arbitrary web script or HTML via the 'time' parameter.
(CVE-2009-0781)

It was discovered that web applications containing their own XML parsers could replace the XML parser Tomcat uses to parse configuration files. A malicious web application running on a Tomcat instance could read or, potentially, modify the configuration and XML-based data of other web applications deployed on the same Tomcat instance. (CVE-2009-0783)

Users of Tomcat should upgrade to these updated packages, which contain backported patches to resolve these issues. Tomcat must be restarted for this update to take effect.

Fix for CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, and CVE-2009-0783.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

a. JRE Security Update

  JRE update to version 1.5.0_20, which addresses multiple security   issues that existed in earlier releases of JRE.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_18: CVE-2009-1093, CVE-2009-1094, CVE-2009-1095,   CVE-2009-1096, CVE-2009-1097, CVE-2009-1098, CVE-2009-1099,   CVE-2009-1100, CVE-2009-1101, CVE-2009-1102, CVE-2009-1103,   CVE-2009-1104, CVE-2009-1105, CVE-2009-1106, and CVE-2009-1107.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   JRE 1.5.0_20: CVE-2009-2625, CVE-2009-2670, CVE-2009-2671,   CVE-2009-2672, CVE-2009-2673, CVE-2009-2675, CVE-2009-2676,   CVE-2009-2716, CVE-2009-2718, CVE-2009-2719, CVE-2009-2720,   CVE-2009-2721, CVE-2009-2722, CVE-2009-2723, CVE-2009-2724.

b. Update Apache Tomcat version

  Update for VirtualCenter and ESX patch update the Tomcat package to   version 6.0.20 (vSphere 4.0) or version 5.5.28 (VirtualCenter 2.5)   which addresses multiple security issues that existed   in the previous version of Apache Tomcat.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.20 and Tomcat 5.5.28: CVE-2008-5515,   CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.18:  CVE-2008-1232, CVE-2008-1947, CVE-2008-2370.

  The Common Vulnerabilities and Exposures project (cve.mitre.org) has   assigned the following names to the security issues fixed in   Apache Tomcat 6.0.16:  CVE-2007-5333, CVE-2007-5342, CVE-2007-5461,   CVE-2007-6286, CVE-2008-0002.
  c. Third-party library update for ntp.
   The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   ESXi 3.5 and ESXi 4.0 have a ntp client that is affected by the   following security issue. Note that the same security issue is   present in the ESX Service Console as described in section d. of   this advisory.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   The NTP security issue identified by CVE-2009-0159 is not relevant   for ESXi 3.5 and ESXi 4.0.
 d. Service Console update for ntp

  Service Console package ntp updated to version ntp-4.2.2pl-9el5_3.2    The Network Time Protocol (NTP) is used to synchronize a computer's   time with a referenced time source.
   The Service Console present in ESX is affected by the following   security issues.
   A buffer overflow flaw was discovered in the ntpd daemon's NTPv4   authentication code. If ntpd was configured to use public key   cryptography for NTP packet authentication, a remote attacker could   use this flaw to send a specially crafted request packet that could   crash ntpd or, potentially, execute arbitrary code with the   privileges of the 'ntp' user.
   NTP authentication is not enabled by default on the Service Console.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-1252 to this issue.
   A buffer overflow flaw was found in the ntpq diagnostic command. A   malicious, remote server could send a specially crafted reply to an   ntpq request that could crash ntpq or, potentially, execute   arbitrary code with the privileges of the user running the ntpq   command.
   The Common Vulnerabilities and Exposures Project (cve.mitre.org)   has assigned the name CVE-2009-0159 to this issue.
  e. Updated Service Console package kernel

  Updated Service Console package kernel addresses the security   issues listed below.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-3528, CVE-2008-5700, CVE-2009-0028,   CVE-2009-0269, CVE-2009-0322, CVE-2009-0675, CVE-2009-0676,   CVE-2009-0778 to the security issues fixed in kernel   2.6.18-128.1.6.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2008-4307, CVE-2009-0834, CVE-2009-1337,   CVE-2009-0787, CVE-2009-1336 to the security issues fixed in   kernel 2.6.18-128.1.10.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-1439, CVE-2009-1633, CVE-2009-1072,   CVE-2009-1630, CVE-2009-1192 to the security issues fixed in   kernel 2.6.18-128.1.14.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-5966, CVE-2009-1385, CVE-2009-1388,   CVE-2009-1389, CVE-2009-1895, CVE-2009-2406, CVE-2009-2407 to the   security issues fixed in kernel 2.6.18-128.4.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2692, CVE-2009-2698 to the   security issues fixed in kernel 2.6.18-128.7.1.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-0745, CVE-2009-0746, CVE-2009-0747,   CVE-2009-0748, CVE-2009-2847, CVE-2009-2848 to the security issues   fixed in kernel 2.6.18-164.

 f. Updated Service Console package python

  Service Console package Python update to version 2.4.3-24.el5.

  When the assert() system call was disabled, an input sanitization   flaw was revealed in the Python string object implementation that   led to a buffer overflow. The missing check for negative size values   meant the Python memory allocator could allocate less memory than   expected. This could result in arbitrary code execution with the   Python interpreter's privileges.

  Multiple buffer and integer overflow flaws were found in the Python   Unicode string processing and in the Python Unicode and string   object implementations. An attacker could use these flaws to cause   a denial of service.

  Multiple integer overflow flaws were found in the Python imageop   module. If a Python application used the imageop module to   process untrusted images, it could cause the application to   disclose sensitive information, crash or, potentially, execute   arbitrary code with the Python interpreter's privileges.

  Multiple integer underflow and overflow flaws were found in the   Python snprintf() wrapper implementation. An attacker could use   these flaws to cause a denial of service (memory corruption).

  Multiple integer overflow flaws were found in various Python   modules. An attacker could use these flaws to cause a denial of   service.

  An integer signedness error, leading to a buffer overflow, was   found in the Python zlib extension module. If a Python application   requested the negative byte count be flushed for a decompression   stream, it could cause the application to crash or, potentially,   execute arbitrary code with the Python interpreter's privileges.

  A flaw was discovered in the strxfrm() function of the Python   locale module. Strings generated by this function were not properly   NULL-terminated, which could possibly cause disclosure of data   stored in the memory of a Python application using this function.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2007-2052 CVE-2007-4965 CVE-2008-1721   CVE-2008-1887 CVE-2008-2315 CVE-2008-3142 CVE-2008-3143   CVE-2008-3144 CVE-2008-4864 CVE-2008-5031 to these issues.

 g. Updated Service Console package bind

  Service Console package bind updated to version 9.3.6-4.P1.el5

  The Berkeley Internet Name Domain (BIND) is an implementation of the   Domain Name System (DNS) protocols. BIND includes a DNS server   (named); a resolver library (routines for applications to use when   interfacing with DNS); and tools for verifying that the DNS server   is operating correctly.

  A flaw was found in the way BIND handles dynamic update message   packets containing the 'ANY' record type. A remote attacker could   use this flaw to send a specially crafted dynamic update packet   that could cause named to exit with an assertion failure.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-0696 to this issue.

 h. Updated Service Console package libxml2

  Service Console package libxml2 updated to version 2.6.26-2.1.2.8.

  libxml is a library for parsing and manipulating XML files. A   Document Type Definition (DTD) defines the legal syntax (and also   which elements can be used) for certain types of files, such as XML   files.

  A stack overflow flaw was found in the way libxml processes the   root XML document element definition in a DTD. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  Multiple use-after-free flaws were found in the way libxml parses   the Notation and Enumeration attribute types. A remote attacker   could provide a specially crafted XML file, which once opened by a   local, unsuspecting user, would lead to denial of service.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the names CVE-2009-2414 and CVE-2009-2416 to these   issues.

 i. Updated Service Console package curl

  Service Console package curl updated to version 7.15.5-2.1.el5_3.5

  A cURL is affected by the previously published 'null prefix attack',   caused by incorrect handling of NULL characters in X.509   certificates. If an attacker is able to get a carefully-crafted   certificate signed by a trusted Certificate Authority, the attacker   could use the certificate during a man-in-the-middle attack and   potentially confuse cURL into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2417 to this issue

 j. Updated Service Console package gnutls

  Service Console package gnutil updated to version 1.4.1-3.el5_3.5

  A flaw was discovered in the way GnuTLS handles NULL characters in   certain fields of X.509 certificates. If an attacker is able to get   a carefully-crafted certificate signed by a Certificate Authority   trusted by an application using GnuTLS, the attacker could use the   certificate during a man-in-the-middle attack and potentially   confuse the application into accepting it by mistake.

  The Common Vulnerabilities and Exposures project (cve.mitre.org)   has assigned the name CVE-2009-2730 to this issue

This update of tomcat fixes several vulnerabilities :

  - CVE-2008-5515: RequestDispatcher usage can lead to     information leakage

  - CVE-2009-0033: denial of service via AJP connection

  - CVE-2009-0580: some authentication classes allow user     enumeration

  - CVE-2009-0781: XSS bug in example application cal2.jsp

  - CVE-2009-0783: replacing XML parser leads to information     leakage Additionally, non-security bugs were fixed.

This update of tomcat fixes several vulnerabilities :

  - RequestDispatcher usage can lead to information leakage.
    (CVE-2008-5515)

  - denial of service via AJP connection. (CVE-2009-0033)

  - some authentication classes allow user enumeration.
    (CVE-2009-0580)

  - XSS bug in example application cal2.jsp. (CVE-2009-0781)

  - replacing XML parser leads to information leakage     Additionally, non-security bugs were fixed.
    (CVE-2009-0783)

This update of tomcat fixes several vulnerabilities :

  - RequestDispatcher usage can lead to information leakage.
    (CVE-2008-5515)

  - denial of service via AJP connection. (CVE-2009-0033)

  - some authentication classes allow user enumeration.
    (CVE-2009-0580)

  - XSS bug in example application cal2.jsp. (CVE-2009-0781)

  - replacing XML parser leads to information leakage.
    (CVE-2009-0783)

Additionally, non-security bugs were fixed.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2009:1164 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer     Pages (JSP) technologies.

    It was discovered that the Red Hat Security Advisory RHSA-2007:0871 did not     address all possible flaws in the way Tomcat handles certain characters and     character sequences in cookie values. A remote attacker could use this flaw     to obtain sensitive information, such as session IDs, and then use this     information for session hijacking attacks. (CVE-2007-5333)

    Note: The fix for the CVE-2007-5333 flaw changes the default cookie     processing behavior: with this update, version 0 cookies that contain     values that must be quoted to be valid are automatically changed to version     1 cookies. To reactivate the previous, but insecure behavior, add the     following entry to the /etc/tomcat5/catalina.properties file:

    org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false

    It was discovered that request dispatchers did not properly normalize user     requests that have trailing query strings, allowing remote attackers to     send specially-crafted requests that would cause an information leak.
    (CVE-2008-5515)

    A flaw was found in the way the Tomcat AJP (Apache JServ Protocol)     connector processes AJP connections. An attacker could use this flaw to     send specially-crafted requests that would cause a temporary denial of     service. (CVE-2009-0033)

    It was discovered that the error checking methods of certain authentication     classes did not have sufficient error checking, allowing remote attackers     to enumerate (via brute force methods) usernames registered with     applications running on Tomcat when FORM-based authentication was used.
    (CVE-2009-0580)

    A cross-site scripting (XSS) flaw was found in the examples calendar     application. With some web browsers, remote attackers could use this flaw     to inject arbitrary web script or HTML via the time parameter.
    (CVE-2009-0781)

    It was discovered that web applications containing their own XML parsers     could replace the XML parser Tomcat uses to parse configuration files. A     malicious web application running on a Tomcat instance could read or,     potentially, modify the configuration and XML-based data of other web     applications deployed on the same Tomcat instance. (CVE-2009-0783)

    Users of Tomcat should upgrade to these updated packages, which contain     backported patches to resolve these issues. Tomcat must be restarted for     this update to take effect.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security vulnerabilities has been identified and fixed in tomcat5 :

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request (CVE-2008-5515).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header (CVE-2009-0033).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter (CVE-2009-0580).

The calendar application in the examples web application contains an XSS flaw due to invalid HTML which renders the XSS filtering protection ineffective (CVE-2009-0781).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application (CVE-2009-0783).

The updated packages have been patched to prevent this. Additionally Apache Tomcat has been upgraded to the latest 5.5.27 version for 2009.0.

Multiple security vulnerabilities has been identified and fixed in tomcat5 :

When Tomcat's WebDAV servlet is configured for use with a context and has been enabled for write, some WebDAV requests that specify an entity with a SYSTEM tag can result in the contents of arbitary files being returned to the client (CVE-2007-5461).

Apache Tomcat 5.5.11 through 5.5.25 and 6.0.0 through 6.0.15, when the native APR connector is used, does not properly handle an empty request to the SSL port, which allows remote attackers to trigger handling of a duplicate copy of one of the recent requests, as demonstrated by using netcat to send the empty request (CVE-2007-6286).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request (CVE-2008-5515).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when the Java AJP connector and mod_jk load balancing are used, allows remote attackers to cause a denial of service (application outage) via a crafted request with invalid headers, related to temporary blocking of connectors that have encountered errors, as demonstrated by an error involving a malformed HTTP Host header (CVE-2009-0033).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18, when FORM authentication is used, allows remote attackers to enumerate valid usernames via requests to /j_security_check with malformed URL encoding of passwords, related to improper error checking in the (1) MemoryRealm, (2) DataSourceRealm, and (3) JDBCRealm authentication realms, as demonstrated by a % (percent) value for the j_password parameter (CVE-2009-0580).

The calendar application in the examples web application contains an XSS flaw due to invalid HTML which renders the XSS filtering protection ineffective (CVE-2009-0781).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0 through 6.0.18 permits web applications to replace an XML parser used for other web applications, which allows local users to read or modify the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web applications via a crafted application that is loaded earlier than the target application (CVE-2009-0783).

The updated packages have been patched to prevent this.

Iida Minehiko discovered that Tomcat did not properly normalise paths.
A remote attacker could send specially crafted requests to the server and bypass security restrictions, gaining access to sensitive content.
(CVE-2008-5515)

Yoshihito Fukuyama discovered that Tomcat did not properly handle errors when the Java AJP connector and mod_jk load balancing are used.
A remote attacker could send specially crafted requests containing invalid headers to the server and cause a temporary denial of service.
(CVE-2009-0033)

D. Matscheko and T. Hackner discovered that Tomcat did not properly handle malformed URL encoding of passwords when FORM authentication is used. A remote attacker could exploit this in order to enumerate valid usernames. (CVE-2009-0580)

Deniz Cevik discovered that Tomcat did not properly escape certain parameters in the example calendar application which could result in browsers becoming vulnerable to cross-site scripting attacks when processing the output. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data (such as passwords), within the same domain. (CVE-2009-0781)

Philippe Prados discovered that Tomcat allowed web applications to replace the XML parser used by other web applications. Local users could exploit this to bypass security restrictions and gain access to certain sensitive files. (CVE-2009-0783).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
89117	VMware ESX / ESXi Multiple Vulnerabilities (VMSA-2009-0016) (remote check)	Nessus	Misc.	critical
67895	Oracle Linux 5 : tomcat (ELSA-2009-1164)	Nessus	Oracle Linux Local Security Checks	medium
60621	Scientific Linux Security Update : tomcat on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
59677	GLSA-201206-24 : Apache Tomcat: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
53212	Debian DSA-2207-1 : tomcat5.5 - several vulnerabilities	Nessus	Debian Local Security Checks	medium
49206	Mandriva Linux Security Advisory : tomcat5 (MDVSA-2010:176)	Nessus	Mandriva Local Security Checks	medium
46753	Apache Tomcat < 4.1.40 / 5.5.28 / 6.0.20 Multiple Vulnerabilities	Nessus	Web Servers	medium
5489	Mac OS X < 10.6.3 Multiple Vulnerabilities	Nessus Network Monitor	Generic	critical
45373	Mac OS X Multiple Vulnerabilities (Security Update 2010-002)	Nessus	MacOS X Local Security Checks	critical
45372	Mac OS X 10.6.x < 10.6.3 Multiple Vulnerabilities	Nessus	MacOS X Local Security Checks	critical
43845	RHEL 4 : tomcat in Satellite Server (RHSA-2009:1617)	Nessus	Red Hat Local Security Checks	medium
43844	RHEL 4 : tomcat in Satellite Server (RHSA-2009:1616)	Nessus	Red Hat Local Security Checks	medium
43770	CentOS 5 : tomcat (CESA-2009:1164)	Nessus	CentOS Local Security Checks	medium
42903	Fedora 11 : tomcat6-6.0.20-1.fc11 (2009-11374)	Nessus	Fedora Local Security Checks	medium
42902	Fedora 10 : tomcat6-6.0.20-1.fc10 (2009-11356)	Nessus	Fedora Local Security Checks	medium
42901	Fedora 12 : tomcat6-6.0.20-1.fc12 (2009-11352)	Nessus	Fedora Local Security Checks	medium
42870	VMSA-2009-0016 : VMware vCenter and ESX update release and vMA patch release address multiple security issues in third party components.	Nessus	VMware ESX Local Security Checks	medium
42037	openSUSE 10 Security Update : tomcat55 (tomcat55-6369)	Nessus	SuSE Local Security Checks	medium
41592	SuSE 10 Security Update : Tomcat 5 (ZYPP Patch Number 6352)	Nessus	SuSE Local Security Checks	medium
41314	SuSE9 Security Update : Tomcat (YOU Patch Number 12460)	Nessus	SuSE Local Security Checks	medium
40342	RHEL 5 : tomcat (RHSA-2009:1164)	Nessus	Red Hat Local Security Checks	medium
40316	openSUSE Security Update : tomcat6 (tomcat6-999)	Nessus	SuSE Local Security Checks	medium
40144	openSUSE Security Update : tomcat6 (tomcat6-999)	Nessus	SuSE Local Security Checks	medium
39486	Mandriva Linux Security Advisory : tomcat5 (MDVSA-2009:138)	Nessus	Mandriva Local Security Checks	medium
39485	Mandriva Linux Security Advisory : tomcat5 (MDVSA-2009:136)	Nessus	Mandriva Local Security Checks	medium
39419	Ubuntu 8.10 / 9.04 : tomcat6 vulnerabilities (USN-788-1)	Nessus	Ubuntu Local Security Checks	medium

Detections

Analytics

CVE-2009-0033

high

Tenable Plugins

critical

medium

medium

medium

medium

medium

medium

critical

critical

critical

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium