Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.

The version of IBM Engineering Requirements Management DOORS (formerly IBM Rational DOORS) installed on the remote host is 9.7.2.x prior to 9.7.2.8. It is, therefore, affected by multiple vulnerabilities as referenced in the 7124058 advisory.

  - Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet     containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly     vulnerable to an authorization bypass. (CVE-2022-32532)

  - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow     a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary     shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client     or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade     both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
    (CVE-2023-46604)

  - Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be     exploited. There is only a risk in conjunction with Java object deserialization within an application. In     such situations, it allows attackers to erase contents of arbitrary files, make network connections, or     possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. (CVE-2022-36944)

  - IBM Engineering Requirements Management DOORS 9.7.2.7 is vulnerable to cross-site request forgery which     could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the     website trusts. IBM X-Force ID: 251216. (CVE-2023-28949)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows     remote attackers to inject arbitrary web script through a crafted protected comment (with the     cke_protected syntax). (CVE-2020-9281)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 18.04 LTS / 20.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5360-1 advisory.

  - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to     7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the     server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is     configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)     or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker     knows the relative file path from the storage location used by FileStore to the file the attacker has     control over; then, using a specifically crafted request, the attacker will be able to trigger remote code     execution via deserialization of the file under their control. Note that all of conditions a) to d) must     be true for the attack to succeed. (CVE-2020-9484)

  - Apache Traffic Server 6.0.0 to 6.2.3, 7.0.0 to 7.1.10, and 8.0.0 to 8.0.7 is vulnerable to certain types     of HTTP/2 HEADERS frames that can cause the server to allocate a large amount of memory and spin the     thread. (CVE-2020-9494)

  - If an HTTP/2 client connecting to Apache Tomcat 10.0.0-M1 to 10.0.0-M7, 9.0.0.M1 to 9.0.37 or 8.5.0 to     8.5.57 exceeded the agreed maximum number of concurrent streams for a connection (in violation of the     HTTP/2 protocol), it was possible that a subsequent request made on that connection could contain HTTP     headers - including HTTP/2 pseudo headers - from a previous request rather than the intended headers. This     could lead to users seeing responses for unexpected resources. (CVE-2020-13943)

  - While investigating bug 64830 it was discovered that Apache Tomcat 10.0.0-M1 to 10.0.0-M9, 9.0.0-M1 to     9.0.39 and 8.5.0 to 8.5.59 could re-use an HTTP request header value from the previous stream received on     an HTTP/2 connection for the request associated with the subsequent stream. While this would most likely     lead to an error and the closure of the HTTP/2 connection, it is possible that information could leak     between requests. (CVE-2020-17527)

  - When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to     9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one     request to another meaning user A and user B could both see the results of user A's request.
    (CVE-2021-25122)

  - The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to     9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be     used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published     prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to     this issue. (CVE-2021-25329)

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the versions of the tomcat packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities :

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1490-1 advisory.

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3670-1 advisory.

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3672-1 advisory.

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES15 / SLES_SAP15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3669-1 advisory.

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:3672-1 advisory.

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3602-1 advisory.

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP     transfer-encoding request header in some circumstances leading to the possibility to request smuggling     when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if     the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat8 installed on the remote host is prior to 8.5.69-1.88. It is, therefore, affected by a vulnerability as referenced in the ALAS-2021-1547 advisory.

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 10 / 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-4986 advisory.

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of     a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue     affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update of the apache package has been released.

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 7 / 8 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2021:3741 advisory.

  - tomcat: Infinite loop while reading an unexpected TLS packet when using OpenSSL JSSE engine     (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Debian 9 host has packages installed that are affected by a vulnerability as referenced in the dla-2764 advisory.

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 8.5.64. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.64_security-8 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 9.0.44. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.44_security-9 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 10.0.4. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.0.4_security-10 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
191754	IBM Engineering Requirements Management DOORS 9.7.2.x < 9.7.2.8 Multiple Vulnerabilities (7124058)	Nessus	Windows	critical
159385	Ubuntu 18.04 LTS / 20.04 LTS : Tomcat vulnerabilities (USN-5360-1)	Nessus	Ubuntu Local Security Checks	high
157918	EulerOS Virtualization 3.0.6.0 : tomcat (EulerOS-SA-2022-1053)	Nessus	Huawei Local Security Checks	high
156300	EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2021-2816)	Nessus	Huawei Local Security Checks	high
155657	openSUSE 15 Security Update : tomcat (openSUSE-SU-2021:1490-1)	Nessus	SuSE Local Security Checks	medium
155466	SUSE SLES15 Security Update : tomcat (SUSE-SU-2021:3670-1)	Nessus	SuSE Local Security Checks	medium
155463	SUSE SLES15 Security Update : tomcat (SUSE-SU-2021:3672-1)	Nessus	SuSE Local Security Checks	medium
155462	SUSE SLES15 Security Update : tomcat (SUSE-SU-2021:3669-1)	Nessus	SuSE Local Security Checks	medium
155382	openSUSE 15 Security Update : tomcat (openSUSE-SU-2021:3672-1)	Nessus	SuSE Local Security Checks	medium
154907	SUSE SLES12 Security Update : tomcat (SUSE-SU-2021:3602-1)	Nessus	SuSE Local Security Checks	medium
154900	Amazon Linux AMI : tomcat8 (ALAS-2021-1547)	Nessus	Amazon Linux Local Security Checks	high
154177	Debian DSA-4986-1 : tomcat9 - security update	Nessus	Debian Local Security Checks	medium
153988	Photon OS 3.0: Apache PHSA-2021-3.0-0312	Nessus	PhotonOS Local Security Checks	high
153938	Photon OS 1.0: Apache PHSA-2021-1.0-0438	Nessus	PhotonOS Local Security Checks	high
153928	Photon OS 2.0: Apache PHSA-2021-2.0-0401	Nessus	PhotonOS Local Security Checks	high
153902	RHEL 7 / 8 : Red Hat JBoss Web Server 5.5.1 Security Update (Important) (RHSA-2021:3741)	Nessus	Red Hat Local Security Checks	high
153601	Debian DLA-2764-1 : tomcat8 - LTS security update	Nessus	Debian Local Security Checks	high
701366	Apache Tomcat < 8.5.64 Vulnerability	Nessus Network Monitor	Web Servers	medium
701365	Apache Tomcat < 9.0.44 Vulnerability	Nessus Network Monitor	Web Servers	medium
701364	Apache Tomcat < 10.0.4 Vulnerability	Nessus Network Monitor	Web Servers	medium

Detections

Analytics

CVE-2021-41079

high

Tenable Plugins

critical

high

high

high

medium

medium

medium

medium

medium

medium

high

medium

high

high

high

high

high

medium

medium

medium