The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

The version of AOS installed on the remote host is prior to 5.16.1.3. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.16.1.3 advisory.

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a     certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)

  - A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where,     the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error     occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by     the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction     mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism     to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that     host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
    (CVE-2019-19338)

  - The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon     receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover     credentials by sniffing the network. (CVE-2018-18074)

  - urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin     redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the     Authorization header to be exposed to unintended hosts or transmitted in cleartext. (CVE-2018-20060)

  - In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the     request parameter. (CVE-2019-11236)

  - The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA     certificates is different from the OS store of CA certificates, which results in SSL connections     succeeding in situations where a verification failure is the correct outcome. This is related to use of     the ssl_context, ca_certs, or ca_certs_dir argument. (CVE-2019-11324)

  - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with     excessive numbers of SETTINGS frames and also permitted clients to keep streams open without     reading/writing request/response data. By keeping streams open for requests that utilised the Servlet     API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread     exhaustion and a DoS. (CVE-2019-0199)

  - The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write     in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages     for the connection window (stream 0) clients were able to cause server-side threads to block eventually     leading to thread exhaustion and a DoS. (CVE-2019-10072)

  - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote     Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able     to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords     used to access the JMX interface. The attacker can then use these credentials to access the JMX interface     and gain complete control over the Tomcat instance. (CVE-2019-12418)

  - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98     there was a narrow window where an attacker could perform a session fixation attack. The window was     considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has     been treated as a security vulnerability. (CVE-2019-17563)

  - The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99     introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were     incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a     reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a     reverse proxy is considered unlikely. (CVE-2019-17569)

  - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to     9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of     such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
    (CVE-2020-11996)

  - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56     did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such     requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)

  - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to     10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could     trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of     service. (CVE-2020-13935)

  - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used     an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led     to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly     handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered     unlikely. (CVE-2020-1935)

  - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to     Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP     connection. If such connections are available to an attacker, they can be exploited in ways that may be     surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped     with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected     (and recommended in the security guide) that this Connector would be disabled if not required. This     vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the     web application - processing any file in the web application as a JSP Further, if the web application     allowed file upload and stored those files within the web application (or the attacker was able to control     the content of the web application by some other means) then this, along with the ability to process a     file as a JSP, made remote code execution possible. It is important to note that mitigation is only     required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth     approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to     Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP     Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading     to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
    (CVE-2020-1938)

  - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to     7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the     server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is     configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)     or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker     knows the relative file path from the storage location used by FileStore to the file the attacker has     control over; then, using a specifically crafted request, the attacker will be able to trigger remote code     execution via deserialization of the file under their control. Note that all of conditions a) to d) must     be true for the attack to succeed. (CVE-2020-9484)

  - An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer     overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in     common/unistr.cpp. (CVE-2020-10531)

  - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated     user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects.

Updated Red Hat JBoss Web Server 5.2.0 packages are now available for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 5.2 serves as a replacement for Red Hat JBoss Web Server 5.1, and includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes, linked to in the References.

Security Fix(es) :

* openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407)

* openssl: 0-byte record padding oracle (CVE-2019-1559)

* tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 (CVE-2019-10072)

* tomcat: XSS in SSI printenv (CVE-2019-0221)

* tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

This update for tomcat to version 9.0.21 fixes the following issues :

Security issues fixed :

  - CVE-2019-0199: Fixed a denial of service in the HTTP/2     implementation related to streams with excessive numbers     of SETTINGS frames (bsc#1131055).

  - CVE-2019-0221: Fixed a cross site scripting     vulnerability with the SSI printenv command     (bsc#1136085).

Non-security issues fixed :

  - Increase maximum number of threads and open files for     tomcat (bsc#1111966).

This update was imported from the SUSE:SLE-15-SP1:Update update project.

The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)

The SSI printenv command in Apache Tomcat echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. (CVE-2019-0221)

According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - When the default servlet in Apache Tomcat versions     9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to     7.0.90 returned a redirect to a directory (e.g.
    redirecting to '/foo/' when the user requested '/foo')     a specially crafted URL could be used to cause the     redirect to be generated to any URI of the attackers     choice.(CVE-2018-11784)

  - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to     9.0.14 and 8.5.0 to 8.5.37 accepted streams with     excessive numbers of SETTINGS frames and also permitted     clients to keep streams open without reading/writing     request/response data. By keeping streams open for     requests that utilised the Servlet API's blocking I/O,     clients were able to cause server-side threads to block     eventually leading to thread exhaustion and a     DoS.(CVE-2019-0199)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tomcat to version 9.0.21 fixes the following issues :

Security issue fixed :

  - CVE-2019-0199: Added additional fixes to address HTTP/2     connection window exhaustion (bsc#1139924).

This update was imported from the SUSE:SLE-15:Update update project.

This update includes a rebase from 9.0.13 up to 9.0.21 which resolves two CVEs along with various other bugs/features :

  - rhbz#1673856 tomcat-9.0.21 is available

  - rhbz#1713279 CVE-2019-0221 tomcat: XSS in SSI printenv

  - rhbz#1693326 CVE-2019-0199 tomcat: Apache Tomcat HTTP/2     DoS

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tomcat to version 9.0.20 fixes the following issues :

Security issues fixed :

  - CVE-2019-0199: Fixed a denial of service in the HTTP/2     implementation related to streams with excessive numbers     of SETTINGS frames (bsc#1131055).

  - CVE-2019-0221: Fixed a cross site scripting     vulnerability with the SSI printenv command     (bsc#1136085).

Non-security issues fixed :

  - Increase maximum number of threads and open files for     tomcat (bsc#1111966).

This update was imported from the SUSE:SLE-15:Update update project.

The version of Tomcat installed on the remote host is prior to 9.0.16.
It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.16_security-9 advisory.

  - The HTTP/2 implementation accepted streams with     excessive numbers of SETTINGS frames and also permitted     clients to keep streams open without reading/writing     request/response data. By keeping streams open for     requests that utilised the Servlet API's blocking I/O,     clients were able to cause server-side threads to block     eventually leading to thread exhaustion and a DoS.
    (CVE-2019-0199)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.20. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.20_security-9 advisory.

  - The fix for CVE-2019-0199 was incomplete and did not     address HTTP/2 connection window exhaustion on write. By     not sending WINDOW_UPDATE messages for the connection     window (stream 0) clients were able to cause server-side     threads to block eventually leading to thread exhaustion     and a DoS. (CVE-2019-10072)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.5.41. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.41_security-8 advisory.

  - The fix for CVE-2019-0199 was incomplete and did not     address HTTP/2 connection window exhaustion on write. By     not sending WINDOW_UPDATE messages for the connection     window (stream 0) clients were able to cause server-side     threads to block eventually leading to thread exhaustion     and a DoS. (CVE-2019-10072)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. (CVE-2018-11784)

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injec tions-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microso ft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command
-line-arguments-the-wrong-way/). (CVE-2019-0232)

The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)

An update of the apache package has been released.

The version of Tomcat installed on the remote host is prior to 9.0.16. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.16_security-9 advisory.

 - The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)

Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.5.41. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.41_security-8 advisory.

- The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-10072)

Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.0.M1 to 9.0.14 or 8.5.0 to 8.5.37. It is, therefore, affected by a denial of service vulnerability due to streams kept open for requests that utilised the Servlet API's blocking I/O.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
164612	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.17.1)	Nessus	Misc.	critical
164595	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.18)	Nessus	Misc.	critical
164582	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.16.1.3)	Nessus	Misc.	critical
132427	Debian DSA-4596-1 : tomcat8 - security update	Nessus	Debian Local Security Checks	critical
131214	RHEL 6 / 7 / 8 : JBoss Web Server (RHSA-2019:3929)	Nessus	Red Hat Local Security Checks	high
127088	openSUSE Security Update : tomcat (openSUSE-2019-1808)	Nessus	SuSE Local Security Checks	medium
127062	Amazon Linux AMI : tomcat8 (ALAS-2019-1234)	Nessus	Amazon Linux Local Security Checks	medium
127009	EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2019-1772)	Nessus	Huawei Local Security Checks	medium
126888	openSUSE Security Update : tomcat (openSUSE-2019-1723)	Nessus	SuSE Local Security Checks	high
126483	Fedora 29 : 1:tomcat (2019-d66febb5df)	Nessus	Fedora Local Security Checks	medium
126373	openSUSE Security Update : tomcat (openSUSE-2019-1673)	Nessus	SuSE Local Security Checks	medium
126312	Apache Tomcat 9.0.0.M1 < 9.0.16 DoS	Nessus	Web Servers	high
126245	Apache Tomcat 9.0.0.M1 < 9.0.20 DoS	Nessus	Web Servers	high
126225	Fedora 30 : 1:tomcat (2019-1a3f878d27)	Nessus	Fedora Local Security Checks	medium
126125	Apache Tomcat 8.5.0 < 8.5.41 DoS	Nessus	Web Servers	high
125294	Amazon Linux AMI : tomcat8 (ALAS-2019-1208)	Nessus	Amazon Linux Local Security Checks	high
124862	Photon OS 1.0: Apache PHSA-2019-1.0-0227	Nessus	PhotonOS Local Security Checks	high
700710	Apache Tomcat 9.0.x < 9.0.16 DoS	Nessus Network Monitor	Web Servers	medium
700697	Apache Tomcat 8.5.x < 8.5.41 DoS Vulnerability	Nessus Network Monitor	Web Servers	medium
98543	Apache Tomcat 8.5.0 < 8.5.38 Denial of Service	Web App Scanning	Component Vulnerability	high
98542	Apache Tomcat 9.0.0.M1 < 9.0.16 Denial of Service	Web App Scanning	Component Vulnerability	high

Detections

Analytics

CVE-2019-0199

high

Tenable Plugins

critical

critical

critical

critical

high

medium

medium

medium

high

medium

medium

high

high

medium

high

high

high

medium

medium

high

high