Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.

The version of Apache Tomcat installed on the remote host is < 7.0.67. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_7.0.67_security-7 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the Apache Tomcat instance listening on the remote host is prior to 9.0.0.M3. It is, therefore, affected by multiple vulnerabilities:

  - An information disclosure vulnerability exists due to     a failure to enforce access restrictions when handling     directory requests that are missing trailing slashes. An     unauthenticated, remote attacker can exploit this to     enumerate valid directories. (CVE-2015-5345)

  - A flaw exists due to a failure to invalidate a previous     session ID when assigning an ID to a new session. An     attacker can exploit this, via a crafted request that     uses the requestedSessionSSL field to fixate the session     ID, to ensure that the user authenticates with a known     session ID, allowing the session to be subsequently     hijacked. (CVE-2015-5346)

  - An information disclosure vulnerability exists in the     Manager and Host Manager web applications due to a flaw     in the index page when issuing redirects in response to     unauthenticated requests for the root directory of the     application. An unauthenticated, remote attacker can     exploit this to gain access to the XSRF token     information stored in the index page. (CVE-2015-5351)

  - An information disclosure vulnerability exists that     allows a specially crafted web application to load the     StatusManagerServlet. An attacker can exploit this to     gain unauthorized access to a list of all deployed     applications and a list of the HTTP request lines for     all requests currently being processed. (CVE-2016-0706)

  - A security bypass vulnerability exists due to a flaw     in the StandardManager, PersistentManager, and cluster     implementations that is triggered when handling     persistent sessions. An unauthenticated, remote attacker     can exploit this, via a crafted object in a session, to     bypass the security manager and execute arbitrary code.
    (CVE-2016-0714)

  - A flaw exists due to the setGlobalContext() method of     ResourceLinkFactory being accessible to web applications     even when run under a security manager. An     unauthenticated, remote attacker can exploit this to     inject malicious global context, allowing data owned by     other web applications to be read or written to.
    (CVE-2016-0763)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 7.0.67. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_7.0.67_security-7 advisory.

  - Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before     9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web     application, might allow remote attackers to hijack web sessions by leveraging use of a     requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
    (CVE-2015-5346)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201705-09 (Apache Tomcat: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Tomcat. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to cause a Denial of Service condition,       obtain sensitive information, bypass protection mechanisms and       authentication restrictions.
    A local attacker, who is a tomcat&rsquo;s system user or belongs to       tomcat&rsquo;s group, could potentially escalate privileges.
  Workaround :

    There is no known workaround at this time.

According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - The Expression Language (EL) implementation in Apache     Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x     before 8.0.16 does not properly consider the     possibility of an accessible interface implemented by     an inaccessible class, which allows attackers to bypass     a SecurityManager protection mechanism via a web     application that leverages use of incorrect privileges     during EL evaluation.(CVE-2014-7810)

  - Session fixation vulnerability in Apache Tomcat 7.x     before 7.0.66, 8.x before 8.0.30, and 9.x before     9.0.0.M2, when different session settings are used for     deployments of multiple versions of the same web     application, might allow remote attackers to hijack web     sessions by leveraging use of a requestedSessionSSL     field for an unintended request, related to     CoyoteAdapter.java and Request.java.(CVE-2015-5346)

  - Apache Tomcat through 8.5.4, when the CGI Servlet is     enabled, follows RFC 3875 section 4.1.18 and therefore     does not protect applications from the presence of     untrusted client data in the HTTP_PROXY environment     variable, which might allow remote attackers to     redirect an application's outbound HTTP traffic to an     arbitrary proxy server via a crafted Proxy header in an     HTTP request, aka an 'httpoxy' issue. NOTE: the vendor     states 'A mitigation is planned for future releases of     Tomcat, tracked as CVE-2016-5388' in other words, this     is not a CVE ID for a vulnerability.(CVE-2016-5388)

  - It was discovered that the Tomcat packages installed     configuration file /usr/lib/tmpfiles.d/tomcat.conf     writeable to the tomcat group. A member of the group or     a malicious web application deployed on Tomcat could     use this flaw to escalate their     privileges.(CVE-2016-5425)

  - It was discovered that the Tomcat packages installed     certain configuration files read by the Tomcat     initialization script as writeable to the tomcat group.
    A member of the group or a malicious web application     deployed on Tomcat could use this flaw to escalate     their privileges.(CVE-2016-6325)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:2807 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    This release of Red Hat JBoss Web Server 2.1.2 serves as a replacement for Red Hat JBoss Web Server 2.1.1.
    It contains security fixes for the Tomcat 7 component. Only users of the Tomcat 7 component in JBoss Web     Server need to apply the fixes delivered in this release.

    Security Fix(es):

    * A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These     applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request     to the root of the web application. This token could then be used by an attacker to perform a CSRF attack.
    (CVE-2015-5351)

    * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user     to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a     web application that placed a crafted object in a session. (CVE-2016-0714)

    * A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to     access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763)

    * A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of     the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file     if the boundary was the typical tens of bytes long. (CVE-2016-3092)

    * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least     one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could     reuse a previously used session ID for further requests. (CVE-2015-5346)

    * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a     security manager was configured. This allowed a web application to list all deployed web applications and     expose sensitive information such as session IDs. (CVE-2016-0706)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - It was discovered that the Tomcat packages installed     configuration file /usr/lib/tmpfiles.d/tomcat.conf     writeable to the tomcat group. A member of the group or     a malicious web application deployed on Tomcat could use     this flaw to escalate their privileges. (CVE-2016-5425)

  - It was discovered that the Tomcat packages installed     certain configuration files read by the Tomcat     initialization script as writeable to the tomcat group.
    A member of the group or a malicious web application     deployed on Tomcat could use this flaw to escalate their     privileges. (CVE-2016-6325)

  - It was found that the expression language resolver     evaluated expressions within a privileged code section.
    A malicious web application could use this flaw to     bypass security manager protections. (CVE-2014-7810)

  - It was discovered that tomcat used the value of the     Proxy header from HTTP requests to initialize the     HTTP_PROXY environment variable for CGI scripts, which     in turn was incorrectly used by certain HTTP client     implementations to configure the proxy for outgoing HTTP     requests. A remote attacker could possibly use this flaw     to redirect HTTP requests performed by a CGI script to     an attacker-controlled proxy via a malicious HTTP     request. (CVE-2016-5388)

  - A session fixation flaw was found in the way Tomcat     recycled the requestedSessionSSL field. If at least one     web application was configured to use the SSL session ID     as the HTTP session ID, an attacker could reuse a     previously used session ID for further requests.
    (CVE-2015-5346)

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es) :

* It was discovered that the Tomcat packages installed configuration file / usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)

* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)

* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)

* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)

* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)

Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:2046 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    Security Fix(es):

    * It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf     writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat     could use this flaw to escalate their privileges. (CVE-2016-5425)

    * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat     initialization script as writeable to the tomcat group. A member of the group or a malicious web     application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)

    * It was found that the expression language resolver evaluated expressions within a privileged code     section. A malicious web application could use this flaw to bypass security manager protections.
    (CVE-2014-7810)

    * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the     HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client     implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use     this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a     malicious HTTP request. (CVE-2016-5388)

    * A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least     one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could     reuse a previously used session ID for further requests. (CVE-2015-5346)

    Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott     Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product     Security.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2016-2046 advisory.

    - Resolves: CVE-2015-5346

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-3024-1 advisory.

    It was discovered that Tomcat incorrectly handled pathnames used by web applications in a getResource,     getResourceAsStream, or getResourcePaths call. A remote attacker could use this issue to possibly list a     parent directory . This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10.
    (CVE-2015-5174)

    It was discovered that the Tomcat mapper component incorrectly handled redirects. A remote attacker could     use this issue to determine the existence of a directory. This issue only affected Ubuntu 12.04 LTS,     Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5345)

    It was discovered that Tomcat incorrectly handled different session settings when multiple versions of the     same web application was deployed. A remote attacker could possibly use this issue to hijack web sessions.
    This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5346)

    It was discovered that the Tomcat Manager and Host Manager applications incorrectly handled new requests.
    A remote attacker could possibly use this issue to bypass CSRF protection mechanisms. This issue only     affected Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2015-5351)

    It was discovered that Tomcat did not place StatusManagerServlet on the RestrictedServlets list. A remote     attacker could possibly use this issue to read arbitrary HTTP requests, including session ID values. This     issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-0706)

    It was discovered that the Tomcat session-persistence implementation incorrectly handled session     attributes. A remote attacker could possibly use this issue to execute arbitrary code in a privileged     context. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-0714)

    It was discovered that the Tomcat setGlobalContext method incorrectly checked if callers were authorized.
    A remote attacker could possibly use this issue to read or wite to arbitrary application data, or cause a     denial of service. This issue only affected Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 15.10.
    (CVE-2016-0763)

    It was discovered that the Tomcat Fileupload library incorrectly handled certain upload requests. A remote     attacker could possibly use this issue to cause a denial of service. (CVE-2016-3092)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections, bypass of the SecurityManager or denial of service.

Apache Tomcat 7.0.x before 7.0.67 or 8.0.x before 8.0.32 is affected by a flaw that allows conducting a session fixation attack.  This flaw exists because the application, when establishing a new session, does not invalidate an existing session identifier and assign a new one.  With a specially crafted request fixating the session identifier via the 'requestedSessionSSL' field, a context-dependent attacker can ensure a user authenticates with the known session identifier, allowing the session to be subsequently hijacked.  This vulnerability is only present when at least one web application is configured to use the SSL session ID as the HTTP session ID.

Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References.

Security Fix(es) :

* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)

* A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351)

* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)

* A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763)

* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured.
This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)

Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References.

Security Fix(es) :

* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)

* A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351)

* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)

* A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763)

* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured.
This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)

Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections and bypass of the SecurityManager.

ResourceLinkFactory.setGlobalContext() is a public method and was discovered to be accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications. (CVE-2016-0763)

A session fixation vulnerability was discovered that might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request when different session settings are used for deployments of multiple versions of the same web application. (CVE-2015-5346)

The Manager and Host Manager applications were discovered to establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. (CVE-2015-5351)

The session-persistence implementation was discovered to mishandle session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. (CVE-2016-0714)

It was discovered that org.apache.catalina.manager.StatusManagerServlet was not placed on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
(CVE-2016-0706)

Multiple security vulnerabilities have been fixed in the Tomcat servlet and JSP engine, which may result on bypass of security manager restrictions, information disclosure, denial of service or session fixation.

This update for tomcat fixes the following issues :

Tomcat 8 was updated from 8.0.23 to 8.0.32, to fix bugs and security issues.

Fixed security issues :

  - CVE-2015-5174: Directory traversal vulnerability in     RequestUtil.java in Apache Tomcat allowed remote     authenticated users to bypass intended SecurityManager     restrictions and list a parent directory via a /..
    (slash dot dot) in a pathname used by a web application     in a getResource, getResourceAsStream, or     getResourcePaths call, as demonstrated by the     $CATALINA_BASE/webapps directory. (bsc#967967)

  - CVE-2015-5346: Session fixation vulnerability in Apache     Tomcat when different session settings are used for     deployments of multiple versions of the same web     application, might have allowed remote attackers to     hijack web sessions by leveraging use of a     requestedSessionSSL field for an unintended request,     related to CoyoteAdapter.java and Request.java.
    (bsc#967814)

  - CVE-2015-5345: The Mapper component in Apache Tomcat     processes redirects before considering security     constraints and Filters, which allowed remote attackers     to determine the existence of a directory via a URL that     lacks a trailing / (slash) character. (bsc#967965)

  - CVE-2015-5351: The (1) Manager and (2) Host Manager     applications in Apache Tomcat established sessions and     send CSRF tokens for arbitrary new requests, which     allowed remote attackers to bypass a CSRF protection     mechanism by using a token. (bsc#967812)

  - CVE-2016-0706: Apache Tomcat did not place     org.apache.catalina.manager.StatusManagerServlet on the     org/apache/catalina/core/RestrictedServlets.properties     list, which allowed remote authenticated users to bypass     intended SecurityManager restrictions and read arbitrary     HTTP requests, and consequently discover session ID     values, via a crafted web application. (bsc#967815)

  - CVE-2016-0714: The session-persistence implementation in     Apache Tomcat mishandled session attributes, which     allowed remote authenticated users to bypass intended     SecurityManager restrictions and execute arbitrary code     in a privileged context via a web application that     places a crafted object in a session. (bsc#967964)

  - CVE-2016-0763: The setGlobalContext method in     org/apache/naming/factory/ResourceLinkFactory.java in     Apache Tomcat did not consider whether     ResourceLinkFactory.setGlobalContext callers are     authorized, which allowed remote authenticated users to     bypass intended SecurityManager restrictions and read or     write to arbitrary application data, or cause a denial     of service (application disruption), via a web     application that sets a crafted global context.
    (bsc#967966)

The full changes can be read on:
http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

This update was imported from the SUSE:SLE-12-SP1:Update update project.

A directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /..
(slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call.
(CVE-2015-5174)

A session fixation vulnerability was discovered that might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request when different session settings are used for deployments of multiple versions of the same web application. (CVE-2015-5346)

It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)

Mark Thomas reports :

- CVE-2015-5346 Apache Tomcat Session fixation

- CVE-2015-5351 Apache Tomcat CSRF token leak

- CVE-2016-0763 Apache Tomcat Security Manager Bypass

Mark Thomas reports :

- CVE-2015-5345 Apache Tomcat Directory disclosure

- CVE-2016-0706 Apache Tomcat Security Manager bypass

- CVE-2016-0714 Apache Tomcat Security Manager Bypass

The version of Tomcat installed on the remote host is prior to 8.0.32. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_8.0.32_security-8 advisory.

  - Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before     9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web     application, might allow remote attackers to hijack web sessions by leveraging use of a     requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java.
    (CVE-2015-5346)

  - The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31,     and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows     remote attackers to bypass a CSRF protection mechanism by using a token. (CVE-2015-5351)

  - Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not     place org.apache.catalina.manager.StatusManagerServlet on the     org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to     bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover     session ID values, via a crafted web application. (CVE-2016-0706)

  - The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before     8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to     bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web     application that places a crafted object in a session. (CVE-2016-0714)

  - The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x     before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether     ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to     bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a     denial of service (application disruption), via a web application that sets a crafted global context.
    (CVE-2016-0763)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
701336	Apache Tomcat < 7.0.67 Vulnerability	Nessus Network Monitor	Web Servers	high
121125	Apache Tomcat < 9.0.0.M3 Multiple Vulnerabilities	Nessus	Web Servers	high
121118	Apache Tomcat 7.0.5 < 7.0.67	Nessus	Web Servers	high
100262	GLSA-201705-09 : Apache Tomcat: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	critical
99812	EulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1049)	Nessus	Huawei Local Security Checks	high
95024	RHEL 6 / 7 : Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7 (Important) (RHSA-2016:2807)	Nessus	Red Hat Local Security Checks	high
94005	Scientific Linux Security Update : tomcat on SL7.x (noarch) (20161010) (httpoxy)	Nessus	Scientific Linux Local Security Checks	high
93966	CentOS 7 : tomcat (CESA-2016:2046) (httpoxy)	Nessus	CentOS Local Security Checks	high
93951	RHEL 7 : tomcat (RHSA-2016:2046)	Nessus	Red Hat Local Security Checks	high
93948	Oracle Linux 7 : tomcat (ELSA-2016-2046)	Nessus	Oracle Linux Local Security Checks	critical
91954	Ubuntu 14.04 LTS / 16.04 LTS : Tomcat vulnerabilities (USN-3024-1)	Nessus	Ubuntu Local Security Checks	high
91906	Debian DSA-3609-1 : tomcat8 - security update	Nessus	Debian Local Security Checks	high
9314	Apache Tomcat 7.0.x < 7.0.67 / 8.0.x < 8.0.32 Session Hijacking	Nessus Network Monitor	Web Servers	medium
91246	RHEL 7 : JBoss Web Server (RHSA-2016:1088)	Nessus	Red Hat Local Security Checks	high
91245	RHEL 6 : JBoss Web Server (RHSA-2016:1087)	Nessus	Red Hat Local Security Checks	high
90552	Debian DSA-3552-1 : tomcat7 - security update	Nessus	Debian Local Security Checks	high
90272	Amazon Linux AMI : tomcat8 (ALAS-2016-679)	Nessus	Amazon Linux Local Security Checks	high
90205	Debian DSA-3530-1 : tomcat6 - security update	Nessus	Debian Local Security Checks	high
90136	openSUSE Security Update : tomcat (openSUSE-2016-384)	Nessus	SuSE Local Security Checks	high
89838	Amazon Linux AMI : tomcat7 (ALAS-2016-657)	Nessus	Amazon Linux Local Security Checks	high
89010	FreeBSD : tomcat -- multiple vulnerabilities (7bbc3016-de63-11e5-8fa8-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	high
89006	FreeBSD : tomcat -- multiple vulnerabilities (1f1124fe-de5c-11e5-8fa8-14dae9d210b8)	Nessus	FreeBSD Local Security Checks	high
88937	Apache Tomcat 8.0.0.RC1 < 8.0.32 multiple vulnerabilities	Nessus	Web Servers	high

Detections

Analytics

CVE-2015-5346

high

Tenable Plugins

high

high

high

critical

high

high

high

high

high

critical

high

high

medium

high

high

high

high

high

high

high

high

high

high