Oracle Solaris Third-Party Patch Update : tomcat (multiple_vulnerabilities_in_apache_tomcat3)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote Solaris system is missing a security patch for third-party
software.

Description :

The remote Solaris system is missing necessary patches to address
security updates :

- java/org/apache/coyote/http11/InternalNioInputBuffer.java
in the HTTP NIO connector in Apache Tomcat 6.x before
6.0.36 and 7.x before 7.0.28 does not properly restrict
the request-header size, which allows remote attackers
to cause a denial of service (memory consumption) via a
large amount of header data. (CVE-2012-2733)

- org/apache/catalina/realm/RealmBase.java in Apache
Tomcat 6.x before 6.0.36 and 7.x before 7.0.30, when
FORM authentication is used, allows remote attackers to
bypass security-constraint checks by leveraging a
previous setUserPrincipal call and then placing
/j_security_check at the end of a URI. (CVE-2012-3546)

- org/apache/catalina/filters/CsrfPreventionFilter.java in
Apache Tomcat 6.x before 6.0.36 and 7.x before 7.0.32
allows remote attackers to bypass the cross-site request
forgery (CSRF) protection mechanism via a request that
lacks a session identifier. (CVE-2012-4431)

- org/apache/tomcat/util/net/NioEndpoint.java in Apache
Tomcat 6.x before 6.0.36 and 7.x before 7.0.28, when the
NIO connector is used in conjunction with sendfile and
HTTPS, allows remote attackers to cause a denial of
service (infinite loop) by terminating the connection
during the reading of a response. (CVE-2012-4534)

- The replay-countermeasure functionality in the HTTP
Digest Access Authentication implementation in Apache
Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36, and 7.x
before 7.0.30 tracks cnonce (aka client nonce) values
instead of nonce (aka server nonce) and nc (aka
nonce-count) values, which makes it easier for remote
attackers to bypass intended access restrictions by
sniffing the network for valid requests, a different
vulnerability than CVE-2011-1184. (CVE-2012-5885)

- The HTTP Digest Access Authentication implementation in
Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36,
and 7.x before 7.0.30 caches information about the
authenticated user within the session state, which makes
it easier for remote attackers to bypass authentication
via vectors related to the session ID. (CVE-2012-5886)

- The HTTP Digest Access Authentication implementation in
Apache Tomcat 5.5.x before 5.5.36, 6.x before 6.0.36,
and 7.x before 7.0.30 does not properly check for stale
nonce values in conjunction with enforcement of proper
credentials, which makes it easier for remote attackers
to bypass intended access restrictions by sniffing the
network for valid requests. (CVE-2012-5887)
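
The three Digest items above (CVE-2012-5885, CVE-2012-5886, CVE-2012-5887) all come down to what the server remembers between requests. The following is an added illustrative example, written for this page and not taken from Tomcat's source: it contrasts a replay check that keys on the client-chosen cnonce in a bounded cache (the weak design the CVE-2012-5885 text describes) with one that validates the server nonce for origin and age (the missing staleness check of CVE-2012-5887) and then requires the nonce-count nc to increase strictly per nonce, as RFC 2617 intends. The names, the 300-second lifetime, the cache size and the "captured request" tuples are all assumptions made for the example.

```python
"""
Illustrative HTTP Digest replay countermeasures (added example, not Tomcat code).

A captured Authorization header is modelled as (nonce, nc, cnonce).  Two
trackers are compared: one that only remembers recent cnonce values in a
bounded cache, and one that checks the server nonce and the per-nonce nc.
"""
import hashlib
import hmac
import os
import time
from collections import OrderedDict

NONCE_KEY = os.urandom(32)  # server-side key that stamps nonces (constructed per process)
NONCE_LIFETIME = 300        # seconds a server nonce stays fresh (assumed value)


def make_nonce(now=None):
    """Issue a server nonce as '<timestamp>:<hmac>' so origin and age can be checked later."""
    ts = int(time.time() if now is None else now)
    tag = hmac.new(NONCE_KEY, str(ts).encode(), hashlib.sha256).hexdigest()[:32]
    return f"{ts}:{tag}"


def nonce_is_fresh(nonce, now=None):
    """True only for a nonce this server issued that is not older than NONCE_LIFETIME."""
    ts_text, _, tag = nonce.partition(":")
    if not ts_text.isdigit():
        return False
    expected = hmac.new(NONCE_KEY, ts_text.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return False  # forged or foreign nonce
    now = time.time() if now is None else now
    return 0 <= now - int(ts_text) <= NONCE_LIFETIME


class CnonceTracker:
    """Weak design: remembers only recent cnonce values, ignores nonce age and nc.

    The cache is bounded, so a sniffed request becomes replayable once other
    traffic has evicted its cnonce; the server nonce is never checked, so the
    replay keeps working no matter how old the captured request is.
    """

    def __init__(self, capacity=1000):
        self.capacity = capacity
        self.seen = OrderedDict()

    def accept(self, nonce, nc, cnonce, now=None):
        if cnonce in self.seen:
            return False
        self.seen[cnonce] = True
        if len(self.seen) > self.capacity:
            self.seen.popitem(last=False)  # evict the oldest cnonce
        return True


class NonceCountTracker:
    """Fixed design: validate the server nonce, then require nc to increase per nonce."""

    def __init__(self):
        self.highest_nc = {}

    def accept(self, nonce, nc, cnonce, now=None):
        if not nonce_is_fresh(nonce, now):
            return False  # unknown, forged or stale server nonce
        count = int(nc, 16)
        if count <= self.highest_nc.get(nonce, 0):
            return False  # same or lower nc under this nonce: a replay
        self.highest_nc[nonce] = count
        return True


def replay_scenario(tracker, now=1_000):
    """Run one sniffed request against a tracker and return three verdicts:
    (first use, immediate replay, replay after other traffic and after the
    nonce should have expired)."""
    nonce = make_nonce(now)
    captured = (nonce, "00000001", "victim-cnonce")  # constructed sample request
    first = tracker.accept(*captured, now=now)
    immediate = tracker.accept(*captured, now=now + 1)
    for i in range(3):  # legitimate follow-up requests under the same server nonce
        tracker.accept(nonce, f"{i + 2:08x}", f"other-cnonce-{i}", now=now + 2)
    late = tracker.accept(*captured, now=now + NONCE_LIFETIME + 60)
    return first, immediate, late


if __name__ == "__main__":
    print("cnonce-only tracker:", replay_scenario(CnonceTracker(capacity=3)))
    print("nonce+nc tracker:   ", replay_scenario(NonceCountTracker()))
```

Both trackers reject the naive back-to-back replay, which is what makes the weak design look adequate in a quick test. The difference appears only after eviction or expiry: the cnonce-only tracker accepts the captured request again once three other requests have pushed its cnonce out of the cache, while the nonce-plus-nc tracker rejects it twice over, because the nonce is stale and the nc has already been exceeded.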

See also :

http://www.nessus.org/u?b5f8def1
http://www.nessus.org/u?7a0a77a1

Solution :

Upgrade to Solaris 11.1.4.5.

Risk factor :

Medium / CVSS Base Score : 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P)
Public Exploit Available : true

Family: Solaris Local Security Checks

Nessus Plugin ID: 80791

Bugtraq ID:

CVE ID: CVE-2012-2733
CVE-2012-3546
CVE-2012-4431
CVE-2012-4534
CVE-2012-5885
CVE-2012-5886
CVE-2012-5887
