Apache Tomcat 8.5.x < 8.5.13 Multiple Vulnerabilities

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote Apache Tomcat server is affected by multiple
vulnerabilities.

Description :

According to its self-reported version number, the Apache Tomcat
service running on the remote host is 8.5.x prior to 8.5.13. It is
therefore affected by multiple vulnerabilities :

- A flaw exists in the handling of pipelined requests when
send file processing is used that results in the
pipelined request being lost when processing of the
previous request has completed, causing responses to be
sent for the wrong request. An unauthenticated, remote
attacker can exploit this to disclose sensitive
information. (CVE-2017-5647)

- A flaw exists in the handling of HTTP/2 GOAWAY frames
for a connection due to streams associated with the
connection not being properly closed if the connection
was currently waiting for a WINDOW_UPDATE before
allowing the application to write more data. Each stream
consumes a processing thread in the system. An
unauthenticated, remote attacker can exploit this issue,
via a series of specially crafted HTTP/2 requests, to
consume all available threads, resulting in a denial of
service condition. (CVE-2017-5650)

- A flaw exists in the HTTP connectors when processing send
files. If processing completes quickly, the processor can
be added to the processor cache twice, which allows the
same processor to be used for multiple requests. An
unauthenticated, remote attacker can exploit this to
disclose sensitive information from other sessions or
cause unexpected errors. (CVE-2017-5651)

Note that Nessus has not attempted to exploit these issues but has
instead relied only on the application's self-reported version number.
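The version gate this plugin applies (only the 8.5 branch, and only releases before 8.5.13) can be reproduced as a small check over a self-reported banner; the code below is an added illustration, not Tenable's plugin, and the banner strings it parses are constructed samples.

```python
import re
from typing import Optional, Tuple

# From the advisory: Apache Tomcat 8.5.x prior to 8.5.13 is affected.
AFFECTED_BRANCH = (8, 5)
FIXED_PATCH = 13

# Matches a bare "8.5.12" or a banner such as "Apache Tomcat/8.5.12".
VERSION_RE = re.compile(r"(?:Apache\s+Tomcat/)?(\d+)\.(\d+)\.(\d+)")


def parse_tomcat_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a self-reported Tomcat version.

    Returns None when no x.y.z version is present, e.g. when the banner
    was suppressed or replaced by a custom error page.
    """
    m = VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(part) for part in m.groups())
    return (major, minor, patch)


def is_affected(banner: str) -> bool:
    """Apply the plugin's gate: flag 8.5.0 .. 8.5.12 only.

    Like the plugin, this trusts the self-reported version and cannot
    tell whether a fix was backported; an unparseable banner is treated
    as 'cannot decide' (not affected) rather than as a finding.
    """
    version = parse_tomcat_version(banner)
    if version is None:
        return False
    major, minor, patch = version
    return (major, minor) == AFFECTED_BRANCH and patch < FIXED_PATCH


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        "Apache Tomcat/8.5.12",   # affected: 8.5 branch, before 8.5.13
        "Apache Tomcat/8.5.13",   # fixed release
        "8.0.41",                 # other branch, out of scope for this plugin
        "Apache-Coyote/1.1",      # no version disclosed
    ]
    for banner in samples:
        print(f"{banner!r}: affected={is_affected(banner)}")
```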

See also :

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.13

Solution :

Upgrade to Apache Tomcat version 8.5.13 or later.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.4
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Web Servers

Nessus Plugin ID: 99368

Bugtraq ID: 97529, 97531, 97544

CVE ID: CVE-2017-5647, CVE-2017-5650, CVE-2017-5651