java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

The remote host is affected by the vulnerability described in GLSA-201412-29 (Apache Tomcat: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Tomcat. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to cause a Denial of Service condition as       well as obtain sensitive information, bypass protection mechanisms and       authentication restrictions.
  Workaround :

    There is no known workaround at this time.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2013:1012 advisory.

  - httpd: multiple XSS flaws due to unescaped hostnames (CVE-2012-3499)

  - tomcat: Limited DoS in chunked transfer encoding input filter (CVE-2012-3544)

  - httpd: XSS flaw in mod_proxy_balancer manager interface (CVE-2012-4558)

  - tomcat: Session fixation in form authenticator (CVE-2013-2067)

  - tomcat: Information disclosure in asynchronous context when using AsyncListeners that threw     RuntimeExceptions (CVE-2013-2071)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Red Hat JBoss Web Server 2.0.1, which fixes multiple security issues and several bugs, is now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.0.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.0.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/

The following security issues are also fixed with this release :

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_proxy_balancer module's manager web interface. If a remote attacker could trick a user, who was logged into the manager web interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's manager interface session. (CVE-2012-4558)

Cross-site scripting (XSS) flaws were found in the Apache HTTP Server mod_info, mod_status, mod_imagemap, mod_ldap, and mod_proxy_ftp modules. An attacker could possibly use these flaws to perform XSS attacks if they were able to make the victim's browser generate an HTTP request with a specially crafted Host header. (CVE-2012-3499)

A session fixation flaw was found in the Tomcat FormAuthenticator module. During a narrow window of time, if a remote attacker sent requests while a user was logging in, it could possibly result in the attacker's requests being processed as if they were sent by the user.
(CVE-2013-2067)

A denial of service flaw was found in the way the Tomcat chunked transfer encoding input filter processed CRLF sequences. A remote attacker could use this flaw to send an excessively long request, consuming network bandwidth, CPU, and memory on the Tomcat server.
Chunked transfer encoding is enabled by default. (CVE-2012-3544)

A flaw was found in the way the Tomcat 7 asynchronous context implementation performed request management in certain circumstances.
If an application used AsyncListeners and threw RuntimeExceptions, Tomcat could send a reply that contains information from a different user's request, possibly leading to the disclosure of sensitive information. This issue only affected Tomcat 7. (CVE-2013-2071)

Note: Do not install Red Hat JBoss Web Server 2 on a host which has Red Hat JBoss Web Server 1 installed.

Warning: Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

All users of Red Hat JBoss Web Server 2.0.0 on Red Hat Enterprise Linux 5 are advised to upgrade to Red Hat JBoss Web Server 2.0.1. The JBoss server process must be restarted for this update to take effect.

Tomcat was updated to fix two security issues: CVE-2013-1976: Avoid a potential symlink race during startup of the tomcat server, where a local attacker that gaine access to the tomcat chroot could escalate privileges to root.

CVE-2013-2071:
java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x did not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.

Multiple security issues were found in the Tomcat servlet and JSP engine :

  - CVE-2013-2067     FORM authentication associates the most recent request     requiring authentication with the current session. By     repeatedly sending a request for an authenticated     resource while the victim is completing the login form,     an attacker could inject a request that would be     executed using the victim's credentials.

  - CVE-2013-2071     A runtime exception in AsyncListener.onComplete()     prevents the request from being recycled. This may     expose elements of a previous request to a current     request.

  - CVE-2013-4286     Reject requests with multiple content-length headers or     with a content-length header when chunked encoding is     being used.

  - CVE-2013-4322     When processing a request submitted using the chunked     transfer encoding, Tomcat ignored but did not limit any     extensions that were included. This allows a client to     perform a limited denial of service by streaming an     unlimited amount of data to the server.

  - CVE-2014-0050     Multipart requests with a malformed Content-Type header     could trigger an infinite loop causing a denial of     service.

The remote host has a version of Oracle Secure Global Desktop installed that is affected by multiple vulnerabilities :

  - Specially crafted requests sent with chunked transfer     encoding could allow a remote attacker to perform a     'limited' denial of service attack on the Tomcat server.
    (CVE-2012-3544)

  - The Tomcat server is affected by a session fixation     vulnerability in the FORM authenticator. (CVE-2013-2067)

  - The Apache Tomcat AsyncListener method is affected by a     cross-session information disclosure vulnerability when     handling user requests. (CVE-2013-2071)

  - The Administration Console and Workspace Web     Applications subcomponent is affected by an unspecified,     remote vulnerability. (CVE-2014-0419)

It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2012-3544)

It was discovered that Tomcat incorrectly handled certain authentication requests. A remote attacker could possibly use this flaw to inject a request that would get executed with a victim's credentials. This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS, and Ubuntu 12.10. (CVE-2013-2067)

It was discovered that Tomcat sometimes exposed elements of a previous request to the current request. This could allow a remote attacker to possibly obtain sensitive information. This issue only affected Ubuntu 12.10 and Ubuntu 13.04. (CVE-2013-2071).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Updated to 7.0.40

    - Resolves: rhbz 956569 added missing commons-pool link

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Versions of Tomcat 7.0.x earlier than 7.0.40 are potentially affected by an error related to 'AsyncListeners' that throw 'RuntimeExecptions' that could allow elements of certain requests to be disclosed in response to other requests

According to its self-reported version number, the instance of Apache Tomcat 7.0 listening on the remote host is prior to 7.0.40. It is, therefore, affected by multiple vulnerabilities :
 
  - An error exists related to 'AsyncListeners' that throw     'RuntimeExceptions' that allow elements of certain     requests to be disclosed in responses to other requests.
    (CVE-2013-2071)

  - It is possible to upload a malicious JSP to a Tomcat     server and subsequently trigger execution of that JSP.
    (CVE-2013-4444)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
79982	GLSA-201412-29 : Apache Tomcat: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
76238	RHEL 6 : Red Hat JBoss Web Server 2.0.1 update (Moderate) (RHSA-2013:1012)	Nessus	Red Hat Local Security Checks	medium
76237	RHEL 5 : JBoss Web Server (RHSA-2013:1011)	Nessus	Red Hat Local Security Checks	medium
75106	openSUSE Security Update : tomcat (openSUSE-SU-2013:1306-1)	Nessus	SuSE Local Security Checks	medium
73421	Debian DSA-2897-1 : tomcat7 - security update	Nessus	Debian Local Security Checks	high
72339	Oracle Secure Global Desktop Multiple Vulnerabilities (January 2014 CPU)	Nessus	Misc.	medium
69749	Amazon Linux AMI : tomcat7 (ALAS-2013-191)	Nessus	Amazon Linux Local Security Checks	low
66670	Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.04 : tomcat6, tomcat7 vulnerabilities (USN-1841-1)	Nessus	Ubuntu Local Security Checks	medium
66595	Fedora 19 : tomcat-7.0.40-2.fc19 (2013-7979)	Nessus	Fedora Local Security Checks	low
66530	Fedora 17 : tomcat-7.0.40-1.fc17 (2013-7999)	Nessus	Fedora Local Security Checks	low
66529	Fedora 18 : tomcat-7.0.40-1.fc18 (2013-7993)	Nessus	Fedora Local Security Checks	low
800784	Apache Tomcat 7.0.x < 7.0.40 Information Disclosure	Log Correlation Engine	Web Servers	medium
66428	Apache Tomcat 7.0.x < 7.0.40 Multiple Vulnerabilities	Nessus	Web Servers	low

Detections

Analytics

CVE-2013-2071

low

Tenable Plugins

high

medium

medium

medium

high

medium

low

medium

low

low

low

medium

low