The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

An update of the apache package has been released.

The version of Tomcat installed on the remote host is prior to 8.5.38. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.38_security-8 advisory.

  - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with     excessive numbers of SETTINGS frames and also permitted clients to keep streams open without     reading/writing request/response data. By keeping streams open for requests that utilised the Servlet     API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread     exhaustion and a DoS. (CVE-2019-0199)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 5.17.1. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.17.1 advisory.

  - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to     Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP     connection. If such connections are available to an attacker, they can be exploited in ways that may be     surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped     with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected     (and recommended in the security guide) that this Connector would be disabled if not required. This     vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the     web application - processing any file in the web application as a JSP Further, if the web application     allowed file upload and stored those files within the web application (or the attacker was able to control     the content of the web application by some other means) then this, along with the ability to process a     file as a JSP, made remote code execution possible. It is important to note that mitigation is only     required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth     approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to     Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP     Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading     to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
    (CVE-2020-1938)

  - rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a     certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where,     the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error     occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by     the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction     mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism     to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that     host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
    (CVE-2019-19338)

  - The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which     allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
    (CVE-2015-8035)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 5.18. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.18 advisory.

  - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to     Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP     connection. If such connections are available to an attacker, they can be exploited in ways that may be     surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped     with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected     (and recommended in the security guide) that this Connector would be disabled if not required. This     vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the     web application - processing any file in the web application as a JSP Further, if the web application     allowed file upload and stored those files within the web application (or the attacker was able to control     the content of the web application by some other means) then this, along with the ability to process a     file as a JSP, made remote code execution possible. It is important to note that mitigation is only     required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth     approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to     Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP     Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading     to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
    (CVE-2020-1938)

  - rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a     certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where,     the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error     occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by     the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction     mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism     to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that     host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
    (CVE-2019-19338)

  - The xz_decomp function in xzlib.c in libxml2 2.9.1 does not properly detect compression errors, which     allows context-dependent attackers to cause a denial of service (process hang) via crafted XML data.
    (CVE-2015-8035)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 5.16.1.3. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.16.1.3 advisory.

  - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to     Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP     connection. If such connections are available to an attacker, they can be exploited in ways that may be     surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped     with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected     (and recommended in the security guide) that this Connector would be disabled if not required. This     vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the     web application - processing any file in the web application as a JSP Further, if the web application     allowed file upload and stored those files within the web application (or the attacker was able to control     the content of the web application by some other means) then this, along with the ability to process a     file as a JSP, made remote code execution possible. It is important to note that mitigation is only     required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth     approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to     Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP     Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading     to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
    (CVE-2020-1938)

  - rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a     certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where,     the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error     occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by     the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction     mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism     to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that     host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
    (CVE-2019-19338)

  - The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon     receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover     credentials by sniffing the network. (CVE-2018-18074)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects.

The remote Redhat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3929 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 5.2 serves as a replacement for Red Hat JBoss Web Server 5.1, and     includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes,     linked to in the References.

    Security Fix(es):

    * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407)

    * openssl: 0-byte record padding oracle (CVE-2019-1559)

    * tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 (CVE-2019-10072)

    * tomcat: XSS in SSI printenv (CVE-2019-0221)

    * tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for tomcat to version 9.0.21 fixes the following issues :

Security issues fixed :

  - CVE-2019-0199: Fixed a denial of service in the HTTP/2     implementation related to streams with excessive numbers     of SETTINGS frames (bsc#1131055).

  - CVE-2019-0221: Fixed a cross site scripting     vulnerability with the SSI printenv command     (bsc#1136085).

Non-security issues fixed :

  - Increase maximum number of threads and open files for     tomcat (bsc#1111966).

This update was imported from the SUSE:SLE-15-SP1:Update update project.

The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)

The SSI printenv command in Apache Tomcat echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. (CVE-2019-0221)

According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - When the default servlet in Apache Tomcat versions     9.0.0.M1 to 9.0.11, 8.5.0 to 8.5.33 and 7.0.23 to     7.0.90 returned a redirect to a directory (e.g.
    redirecting to '/foo/' when the user requested '/foo')     a specially crafted URL could be used to cause the     redirect to be generated to any URI of the attackers     choice.(CVE-2018-11784)

  - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to     9.0.14 and 8.5.0 to 8.5.37 accepted streams with     excessive numbers of SETTINGS frames and also permitted     clients to keep streams open without reading/writing     request/response data. By keeping streams open for     requests that utilised the Servlet API's blocking I/O,     clients were able to cause server-side threads to block     eventually leading to thread exhaustion and a     DoS.(CVE-2019-0199)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tomcat to version 9.0.21 fixes the following issues :

Security issue fixed :

  - CVE-2019-0199: Added additional fixes to address HTTP/2     connection window exhaustion (bsc#1139924).

This update was imported from the SUSE:SLE-15:Update update project.

This update includes a rebase from 9.0.13 up to 9.0.21 which resolves two CVEs along with various other bugs/features :

  - rhbz#1673856 tomcat-9.0.21 is available

  - rhbz#1713279 CVE-2019-0221 tomcat: XSS in SSI printenv

  - rhbz#1693326 CVE-2019-0199 tomcat: Apache Tomcat HTTP/2     DoS

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for tomcat to version 9.0.20 fixes the following issues :

Security issues fixed :

  - CVE-2019-0199: Fixed a denial of service in the HTTP/2     implementation related to streams with excessive numbers     of SETTINGS frames (bsc#1131055).

  - CVE-2019-0221: Fixed a cross site scripting     vulnerability with the SSI printenv command     (bsc#1136085).

Non-security issues fixed :

  - Increase maximum number of threads and open files for     tomcat (bsc#1111966).

This update was imported from the SUSE:SLE-15:Update update project.

The version of Tomcat installed on the remote host is prior to 9.0.16. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.16_security-9 advisory.

  - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with     excessive numbers of SETTINGS frames and also permitted clients to keep streams open without     reading/writing request/response data. By keeping streams open for requests that utilised the Servlet     API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread     exhaustion and a DoS. (CVE-2019-0199)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.5.41. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.41_security-8 advisory.

  - The fix for CVE-2019-0199 was incomplete and did not     address HTTP/2 connection window exhaustion on write. By     not sending WINDOW_UPDATE messages for the connection     window (stream 0) clients were able to cause server-side     threads to block eventually leading to thread exhaustion     and a DoS. (CVE-2019-10072)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to '/foo/' when the user requested '/foo') a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. (CVE-2018-11784)

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injec tions-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microso ft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command
-line-arguments-the-wrong-way/). (CVE-2019-0232)

The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)

The version of Tomcat installed on the remote host is prior to 9.0.16. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.16_security-9 advisory.

 - The HTTP/2 implementation accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)

Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.5.41. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.41_security-8 advisory.

- The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write. By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-10072)

Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.0.M1 to 9.0.14 or 8.5.0 to 8.5.37. It is, therefore, affected by a denial of service vulnerability due to streams kept open for requests that utilised the Servlet API's blocking I/O.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
202870	Photon OS 2.0: Apache PHSA-2019-2.0-0153	Nessus	PhotonOS Local Security Checks	high
202822	Photon OS 3.0: Apache PHSA-2019-3.0-0011	Nessus	PhotonOS Local Security Checks	high
197817	Apache Tomcat 8.5.0 < 8.5.38	Nessus	Web Servers	high
164612	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.17.1)	Nessus	Misc.	critical
164595	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.18)	Nessus	Misc.	critical
164582	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.16.1.3)	Nessus	Misc.	critical
132427	Debian DSA-4596-1 : tomcat8 - security update	Nessus	Debian Local Security Checks	critical
131214	RHEL 6 / 7 / 8 : Red Hat JBoss Web Server 5.2 security (Important) (RHSA-2019:3929)	Nessus	Red Hat Local Security Checks	high
127088	openSUSE Security Update : tomcat (openSUSE-2019-1808)	Nessus	SuSE Local Security Checks	medium
127062	Amazon Linux AMI : tomcat8 (ALAS-2019-1234)	Nessus	Amazon Linux Local Security Checks	medium
127009	EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2019-1772)	Nessus	Huawei Local Security Checks	medium
126888	openSUSE Security Update : tomcat (openSUSE-2019-1723)	Nessus	SuSE Local Security Checks	high
126483	Fedora 29 : 1:tomcat (2019-d66febb5df)	Nessus	Fedora Local Security Checks	medium
126373	openSUSE Security Update : tomcat (openSUSE-2019-1673)	Nessus	SuSE Local Security Checks	medium
126312	Apache Tomcat 9.0.0.M1 < 9.0.16	Nessus	Web Servers	high
126225	Fedora 30 : 1:tomcat (2019-1a3f878d27)	Nessus	Fedora Local Security Checks	medium
126125	Apache Tomcat 8.5.0 < 8.5.41 DoS	Nessus	Web Servers	high
125294	Amazon Linux AMI : tomcat8 (ALAS-2019-1208)	Nessus	Amazon Linux Local Security Checks	high
124862	Photon OS 1.0: Apache PHSA-2019-1.0-0227	Nessus	PhotonOS Local Security Checks	high
700710	Apache Tomcat 9.0.x < 9.0.16 DoS	Nessus Network Monitor	Web Servers	high
700697	Apache Tomcat 8.5.x < 8.5.41 DoS Vulnerability	Nessus Network Monitor	Web Servers	high
98543	Apache Tomcat 8.5.0 < 8.5.38 Denial of Service	Web App Scanning	Component Vulnerability	high
98542	Apache Tomcat 9.0.0.M1 < 9.0.16 Denial of Service	Web App Scanning	Component Vulnerability	high

Detections

Analytics

CVE-2019-0199

high

Tenable Plugins

high

high

high

critical

critical

critical

critical

high

medium

medium

medium

high

medium

medium

high

medium

high

high

high

high

high

high

high