Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header. NOTE: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

According to its self-reported version number, the Apache Tomcat instance listening on the remote host is 7.0.x prior to 7.0.47 or 8.0.x prior to 8.0.0-RC3. It is, therefore, affected by the following vulnerability:
  - An information disclosure vulnerability exists in Tomcat due to     improper handling of content-length headers. An unauthenticated,     remote attacker can exploit this to disclose potentially sensitive     information.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security vulnerabilities have been fixed in the Tomcat servlet and JSP engine, which may result on bypass of security manager restrictions, information disclosure, denial of service or session fixation.

The remote IBM Storwize device is running a version that is 1.3.x prior to 1.4.3.4 or 1.5.x prior to 1.5.0.2. It is, therefore, affected by multiple vulnerabilities :

  - A denial of service vulnerability exists due to a flaw     in the bundled version of Apache HTTP Server. A remote     attacker can exploit this, via partial HTTP requests,     to cause a daemon outage, resulting in a denial of     service condition. (CVE-2007-6750)

  - An HTTP request smuggling vulnerability exists due to a     flaw in the bundled version of Apache Tomcat; when an     HTTP connector or AJP connector is used, Tomcat fails to     properly handle certain inconsistent HTTP request     headers. A remote attacker can exploit this flaw, via     multiple Content-Length headers or a Content-Length     header and a 'Transfer-Encoding: chunked' header, to     smuggle an HTTP request in one or more Content-Length     headers. (CVE-2013-4286)

  - A denial of service vulnerability exists in the bundled     version of Apache Tomcat due to improper processing of     chunked transfer coding with a large amount of chunked     data or whitespace characters in an HTTP header value     within a trailer field. An unauthenticated, remote     attacker can exploit this to cause a denial of service     condition. (CVE-2013-4322)

  - A denial of service vulnerability exists due to a flaw     in the bundled version of Apache Tomcat; an integer     overflow condition exists in the parseChunkHeader()     function in ChunkedInputFilter.java. A remote attacker     can exploit this, via a malformed chunk size that is     part of a chunked request, to cause excessive     consumption of resources, resulting in a denial of     service condition. (CVE-2014-0075)

  - A remote code execution vulnerability exists due to a     flaw in the bundled version of Apache Struts. A remote     attacker can manipulate the ClassLoader via the class     parameter, resulting in the execution of arbitrary Java     code. (CVE-2014-0094)

  - An XML External Entity (XXE) injection vulnerability     exists due to a flaw in the bundled version of Apache     Tomcat; an incorrectly configured XML parser accepts     XML external entities from an untrusted source via XSLT.
    A remote attacker can exploit this, by sending specially     crafted XML data, to gain access to arbitrary files.
    (CVE-2014-0096)

  - An integer overflow condition exists in the bundled     version of Apache Tomcat. A remote attacker, via a     crafted Content-Length HTTP header, can conduct HTTP     request smuggling attacks. (CVE-2014-0099)

  - An information disclosure vulnerability exists due to a     flaw in the bundled version of Apache Tomcat. Tomcat     fails to properly constrain the class loader that     accesses the XML parser used with an XSLT stylesheet. A     remote attacker can exploit this, via a crafted web     application that provides an XML external entity     declaration in conjunction with an entity reference, to     read arbitrary files. (CVE-2014-0119)

  - A flaw exists in a bundled version of Samba due to a     flaw in the vfswrap_fsctl() function that is triggered     when responding to FSCTL_GET_SHADOW_COPY_DATA or     FSCTL_SRV_ENUMERATE_SNAPSHOTS client requests. An     unauthenticated, remote attacker can exploit this, via     a specially crafted request, to disclose sensitive     information from process memory. (CVE-2014-0178)

  - Multiple flaws exist in the bundled version of Mozilla     Firefox that allow a remote attacker to execute     arbitrary code. (CVE-2014-1555, CVE-2014-1556,     CVE-2014-1557)

  - An information disclosure vulnerability exists due to     the chkauth password being saved in plaintext in the     audit log. A local attacker can exploit this to gain     administrator access. (CVE-2014-3077)

  - A denial of service vulnerability exists due to a flaw     in the bundled version of Samba. An authenticated,     remote attacker can exploit this, via an attempt to read     a Unicode pathname without specifying the use of     Unicode, to cause an application crash. (CVE-2014-3493)   
  - A security bypass vulnerability exists due to an     unspecified flaw. A remote attacker can exploit this     flaw to reset the administrator password to its default     value via a direct request to the administrative IP     address. Note that this vulnerability only affects the     1.4.x release levels. (CVE-2014-4811)

Updated tomcat packages fix security vulnerabilities :

Apache Tomcat 7.x before 7.0.47, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a Transfer-Encoding: chunked header (CVE-2013-4286).

Apache Tomcat 7.x before 7.0.50 processes chunked transfer coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by streaming data (CVE-2013-4322).

Apache Tomcat 7.x before 7.0.50 allows attackers to obtain Tomcat internals information by leveraging the presence of an untrusted web application with a context.xml, web.xml, *.jspx, *.tagx, or *.tld XML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2013-4590).

Integer overflow in the parseChunkHeader function in java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 allows remote attackers to cause a denial of service (resource consumption) via a malformed chunk size in chunked transfer coding of a request during the streaming of data (CVE-2014-0075).

java/org/apache/catalina/servlets/DefaultServlet.java in the default servlet in Apache Tomcat before 6.0.40 and 7.x before 7.0.53 does not properly restrict XSLT stylesheets, which allows remote attackers to bypass security-manager restrictions and read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue (CVE-2014-0096).

Integer overflow in java/org/apache/tomcat/util/buf/Ascii.java in Apache Tomcat before 6.0.40 and 7.x before 7.0.53, when operated behind a reverse proxy, allows remote attackers to conduct HTTP request smuggling attacks via a crafted Content-Length HTTP header (CVE-2014-0099).

Apache Tomcat before 6.0.40 and 7.x before 7.0.54 does not properly constrain the class loader that accesses the XML parser used with an XSLT stylesheet, which allows remote attackers to read arbitrary files via a crafted web application that provides an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue, or read files associated with different web applications on a single Tomcat instance via a crafted web application (CVE-2014-0119).

In Apache Tomcat 7.x before 7.0.55, it was possible to craft a malformed chunk as part of a chunked request that caused Tomcat to read part of the request body as a new request (CVE-2014-0227).

The remote Solaris system is missing necessary patches to address security updates :

  - Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30     does not properly handle chunk extensions in chunked     transfer coding, which allows remote attackers to cause     a denial of service by streaming data. (CVE-2012-3544)

  - Unspecified vulnerability in the Javadoc component in     Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and     earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21     and earlier; and OpenJDK 7 allows remote attackers to     affect integrity via unknown vectors related to Javadoc.
    NOTE: the previous information is from the June 2013     CPU. Oracle has not commented on claims from another     vendor that this issue is related to frame injection in     HTML that is generated by Javadoc. (CVE-2013-1571)

  - Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x     before 8.0.0-RC3, when an HTTP connector or AJP     connector is used, does not properly handle certain     inconsistent HTTP request headers, which allows remote     attackers to trigger incorrect identification of a     request's length and conduct request-smuggling attacks     via (1) multiple Content-Length headers or (2) a     Content-Length header and a 'Transfer-Encoding: chunked'     header. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2005-2090. (CVE-2013-4286)

  - Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x     before 8.0.0-RC10 processes chunked transfer coding     without properly handling (1) a large total amount of     chunked data or (2) whitespace characters in an HTTP     header value within a trailer field, which allows remote     attackers to cause a denial of service by streaming     data. NOTE: this vulnerability exists because of an     incomplete fix for CVE-2012-3544. (CVE-2013-4322)

  - Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x     before 8.0.0-RC10 allows attackers to obtain 'Tomcat     internals' information by leveraging the presence of an     untrusted web application with a context.xml, web.xml,

    *.jspx, *.tagx, or *.tld XML document containing an     external entity declaration in conjunction with an     entity reference, related to an XML External Entity     (XXE) issue. (CVE-2013-4590)

  - org/apache/catalina/connector/CoyoteAdapter.java in     Apache Tomcat 6.0.33 through 6.0.37 does not consider     the disableURLRewriting setting when handling a session     ID in a URL, which allows remote attackers to conduct     session fixation attacks via a crafted URL.
    (CVE-2014-0033)

The remote host is affected by the vulnerability described in GLSA-201412-29 (Apache Tomcat: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Tomcat. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to cause a Denial of Service condition as       well as obtain sensitive information, bypass protection mechanisms and       authentication restrictions.
  Workaround :

    There is no known workaround at this time.

It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322)

A denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)

- Updated to 7.0.52

    - Create and own %{_localstatedir}/lib/tomcats,       resolves: rhbz#1026741

    - Add pom for tomcat-jdbc, resolves: rhbz#1011003

    - Substitute libnames in catalina-tasks.xml, resolves:
      rhbz#1126439

    - Use CATALINA_OPTS only on start, resolves:
      rhbz#1051194

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated tomcat packages that fix three security issues are now available for Red Hat Enterprise Linux 7.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that a fix for a previous security flaw introduced a regression that could cause a denial of service in Tomcat 7. A remote attacker could use this flaw to consume an excessive amount of CPU on the Tomcat server by sending a specially crafted request to that server. (CVE-2014-0186)

It was found that when Tomcat 7 processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat 7 processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322)

All Tomcat 7 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

From Red Hat Security Advisory 2014:0686 :

Updated tomcat packages that fix three security issues are now available for Red Hat Enterprise Linux 7.

The Red Hat Security Response Team has rated this update as having Important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that a fix for a previous security flaw introduced a regression that could cause a denial of service in Tomcat 7. A remote attacker could use this flaw to consume an excessive amount of CPU on the Tomcat server by sending a specially crafted request to that server. (CVE-2014-0186)

It was found that when Tomcat 7 processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat 7 processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322)

All Tomcat 7 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

The remote host has a version of Oracle Secure Global Desktop that is version 4.63, 4.71, 5.0 or 5.1. It is, therefore, affected by the following vulnerabilities :

  - Apache Tomcat does not properly handle certain     inconsistent HTTP request headers, which allows remote     attackers to trigger incorrect identification of a     request's length and conduct request-smuggling attacks.
    (CVE-2013-4286)

  - CoyoteAdapter.java in Apache Tomcat does not consider     the 'disableURLRewriting' setting when handling session     ID in a URL, allowing a remote attacker to conduct     session fixation attacks via a crafted URL.
    (CVE-2014-0033)

  - The 'log_cookie' function in mod_log_config.c of Apache     will not handle specially crafted cookies during     truncation, allowing a remote attacker to cause a denial     of service via a segmentation fault. (CVE-2014-0098)

  - Multiple integer overflows within X.Org libXfont that     could allow remote font servers to execute arbitrary     code via a crafted xfs reply, which triggers a buffer     overflow. (CVE-2014-0211)

  - OpenSSL does not properly restrict processing of     'ChangeCipherSpec' messages which allows     man-in-the-middle attackers to trigger use of a     zero-length master key and consequently hijack sessions     or obtain sensitive information via a crafted TLS     handshake. (CVE-2014-0224)

  - An unspecified flaw related to the Workspace Web     Application subcomponent could allow a remote attacker     to impact integrity. (CVE-2014-4232)

Updated tomcat7 packages that fix three security issues are now available for Red Hat JBoss Web Server 2.0.1 on Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322)

A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)

All users of Red Hat JBoss Web Server 2.0.1 are advised to upgrade to these updated tomcat7 packages, which contain backported patches to correct these issues. The Red Hat JBoss Web Server process must be restarted for the update to take effect.

Updated tomcat6 packages that fix multiple security issues are now available for Red Hat JBoss Web Server 2.0.1 on Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322)

It was found that previous fixes in Tomcat 6 to path parameter handling introduced a regression that caused Tomcat to not properly disable URL rewriting to track session IDs when the disableURLRewriting option was enabled. A man-in-the-middle attacker could potentially use this flaw to hijack a user's session.
(CVE-2014-0033)

A denial of service flaw was found in the way Apache Commons FileUpload, which is embedded in Tomcat, handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing Tomcat to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)

All users of Red Hat JBoss Web Server 2.0.1 are advised to upgrade to these updated tomcat6 packages, which contain backported patches to correct these issues. The Red Hat JBoss Web Server process must be restarted for the update to take effect.

It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322)

A denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)

Tomcat must be restarted for this update to take effect.

Updated tomcat6 packages that fix three security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322)

A denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)

All Tomcat users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

From Red Hat Security Advisory 2014:0429 :

Updated tomcat6 packages that fix three security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that when Tomcat processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, Tomcat would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was discovered that the fix for CVE-2012-3544 did not properly resolve a denial of service flaw in the way Tomcat processed chunk extensions and trailing headers in chunked requests. A remote attacker could use this flaw to send an excessively long request that, when processed by Tomcat, could consume network bandwidth, CPU, and memory on the Tomcat server. Note that chunked transfer encoding is enabled by default. (CVE-2013-4322)

A denial of service flaw was found in the way Apache Commons FileUpload handled small-sized buffers used by MultipartStream. A remote attacker could use this flaw to create a malformed Content-Type header for a multipart request, causing JBoss Web to enter an infinite loop when processing such an incoming request. (CVE-2014-0050)

All Tomcat users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

Multiple security issues were found in the Tomcat servlet and JSP engine :

  - CVE-2013-2067     FORM authentication associates the most recent request     requiring authentication with the current session. By     repeatedly sending a request for an authenticated     resource while the victim is completing the login form,     an attacker could inject a request that would be     executed using the victim's credentials.

  - CVE-2013-2071     A runtime exception in AsyncListener.onComplete()     prevents the request from being recycled. This may     expose elements of a previous request to a current     request.

  - CVE-2013-4286     Reject requests with multiple content-length headers or     with a content-length header when chunked encoding is     being used.

  - CVE-2013-4322     When processing a request submitted using the chunked     transfer encoding, Tomcat ignored but did not limit any     extensions that were included. This allows a client to     perform a limited denial of service by streaming an     unlimited amount of data to the server.

  - CVE-2014-0050     Multipart requests with a malformed Content-Type header     could trigger an infinite loop causing a denial of     service.

Updated packages that provide Red Hat JBoss Enterprise Application Platform 6.2.2 and fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

It was found that when JBoss Web processed a series of HTTP requests in which at least one request contained either multiple content-length headers, or one content-length header with a chunked transfer-encoding header, JBoss Web would incorrectly handle the request. A remote attacker could use this flaw to poison a web cache, perform cross-site scripting (XSS) attacks, or obtain sensitive information from other requests. (CVE-2013-4286)

It was found that Java Security Manager permissions configured via a policy file were not properly applied, causing all deployed applications to be granted the java.security.AllPermission permission.
In certain cases, an attacker could use this flaw to circumvent expected security measures to perform actions which would otherwise be restricted. (CVE-2014-0093)

The CVE-2014-0093 issue was discovered by Josef Cacek of the Red Hat JBoss EAP Quality Engineering team.

This release serves as an update for Red Hat JBoss Enterprise Application Platform 6.2, and includes bug fixes and enhancements.
Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.2.2 Release Notes, linked to in the References.

All users of Red Hat JBoss Enterprise Application Platform 6.2 on Red Hat Enterprise Linux 6 are advised to upgrade to these updated packages. The JBoss server process must be restarted for the update to take effect.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2014:0343 advisory.

  - tomcat: multiple content-length header poisoning flaws (CVE-2013-4286)

  - PicketBox/JBossSX: Unauthorized access to and modification of application server configuration and state     by application (CVE-2014-0005)

  - JBoss EAP 6: JSM policy not respected by deployed applications (CVE-2014-0093)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It was discovered that Tomcat incorrectly handled certain inconsistent HTTP headers. A remote attacker could possibly use this flaw to conduct request smuggling attacks. (CVE-2013-4286)

It was discovered that Tomcat incorrectly handled certain requests submitted using chunked transfer encoding. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. (CVE-2013-4322)

It was discovered that Tomcat incorrectly applied the disableURLRewriting setting when handling a session id in a URL. A remote attacker could possibly use this flaw to conduct session fixation attacks. This issue only applied to Ubuntu 12.04 LTS.
(CVE-2014-0033)

It was discovered that Tomcat incorrectly handled malformed Content-Type headers and multipart requests. A remote attacker could use this flaw to cause the Tomcat server to stop responding, resulting in a denial of service. This issue only applied to Ubuntu 12.10 and Ubuntu 13.10. (CVE-2014-0050).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the instance of Apache Tomcat 6.0.x listening on the remote host is prior to 6.0.39. It is, therefore, affected by the following vulnerabilities :

  - The version of Java used to build the application     generates Javadoc containing a frame injection error.
    (CVE-2013-1571)

  - The fix for CVE-2005-2090 was not complete and the     application does not reject requests with multiple     Content-Length HTTP headers or with Content-Length     HTTP headers when using chunked encoding.
    (CVE-2013-4286)

  - The fix for CVE-2012-3544 was not complete and limits     are not properly applied to chunk extensions and     whitespaces in certain trailing headers. This error     allows denial of service attacks. (CVE-2013-4322)

  - The application allows XML External Entity (XXE)     processing that discloses sensitive information.
    (CVE-2013-4590)

  - An error exists related to the 'disableURLRewriting'     configuration option and session IDs. (CVE-2014-0033)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
121116	Apache Tomcat 7.0.x < 7.0.47 / 8.0.x < 8.0.0-RC3 Information Disclosure	Nessus	Web Servers	medium
90205	Debian DSA-3530-1 : tomcat6 - security update	Nessus	Debian Local Security Checks	high
84401	IBM Storwize 1.3.x < 1.4.3.4 / 1.5.x < 1.5.0.2 Multiple Vulnerabilities	Nessus	Misc.	high
81935	Mandriva Linux Security Advisory : tomcat (MDVSA-2015:052)	Nessus	Mandriva Local Security Checks	medium
80793	Oracle Solaris Third-Party Patch Update : tomcat (multiple_vulnerabilities_in_apache_tomcat4)	Nessus	Solaris Local Security Checks	medium
79982	GLSA-201412-29 : Apache Tomcat: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
78287	Amazon Linux AMI : tomcat6 (ALAS-2014-344)	Nessus	Amazon Linux Local Security Checks	high
77928	Fedora 20 : tomcat-7.0.52-1.fc20 (2014-11048)	Nessus	Fedora Local Security Checks	medium
76895	RHEL 7 : tomcat (RHSA-2014:0686)	Nessus	Red Hat Local Security Checks	medium
76733	Oracle Linux 7 : tomcat (ELSA-2014-0686)	Nessus	Oracle Linux Local Security Checks	medium
76570	Oracle Secure Global Desktop Multiple Vulnerabilities (July 2014 CPU)	Nessus	Misc.	high
76241	RHEL 5 / 6 : JBoss Web Server (RHSA-2014:0526)	Nessus	Red Hat Local Security Checks	high
76240	RHEL 5 / 6 : JBoss Web Server (RHSA-2014:0525)	Nessus	Red Hat Local Security Checks	high
73679	Scientific Linux Security Update : tomcat6 on SL6.x (noarch) (20140423)	Nessus	Scientific Linux Local Security Checks	high
73678	RHEL 6 : tomcat6 (RHSA-2014:0429)	Nessus	Red Hat Local Security Checks	high
73677	Oracle Linux 6 : tomcat6 (ELSA-2014-0429)	Nessus	Oracle Linux Local Security Checks	high
73675	CentOS 6 : tomcat6 (CESA-2014:0429)	Nessus	CentOS Local Security Checks	high
73421	Debian DSA-2897-1 : tomcat7 - security update	Nessus	Debian Local Security Checks	high
73284	RHEL 6 : JBoss EAP (RHSA-2014:0344)	Nessus	Red Hat Local Security Checks	medium
73283	RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.2.2 update (Moderate) (RHSA-2014:0343)	Nessus	Red Hat Local Security Checks	medium
72874	Ubuntu 10.04 LTS / 12.04 LTS / 12.10 / 13.10 : tomcat6, tomcat7 vulnerabilities (USN-2130-1)	Nessus	Ubuntu Local Security Checks	high
72690	Apache Tomcat 6.0.x < 6.0.39 Multiple Vulnerabilities	Nessus	Web Servers	medium

Detections

Analytics

CVE-2013-4286

medium

Tenable Plugins

medium

high

high

medium

medium

high

high

medium

medium

medium

high

high

high

high

high

high

high

high

medium

medium

high

medium