EulerOS 2.0 SP1 : tomcat (EulerOS-SA-2016-1054)

This script is Copyright (C) 2017 Tenable Network Security, Inc.


Synopsis :

The remote EulerOS host is missing multiple security updates.

Description :

According to the versions of the tomcat packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

- Directory traversal vulnerability in RequestUtil.java
in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65,
and 8.x before 8.0.27 allows remote authenticated users
to bypass intended SecurityManager restrictions and
list a parent directory via a /.. (slash dot dot) in a
pathname used by a web application in a getResource,
getResourceAsStream, or getResourcePaths call, as
demonstrated by the $CATALINA_BASE/webapps
directory. (CVE-2015-5174)

- The Mapper component in Apache Tomcat 6.x before
6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x
before 9.0.0.M2 processes redirects before considering
security constraints and Filters, which allows remote
attackers to determine the existence of a directory via
a URL that lacks a trailing / (slash)
character. (CVE-2015-5345)

- The (1) Manager and (2) Host Manager applications in
Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and
9.x before 9.0.0.M2 establish sessions and send CSRF
tokens for arbitrary new requests, which allows remote
attackers to bypass a CSRF protection mechanism by
using a token. (CVE-2015-5351)

- Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x
before 8.0.31, and 9.x before 9.0.0.M2 does not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/RestrictedServlets.properties
list, which allows remote authenticated users to bypass
intended SecurityManager restrictions and read
arbitrary HTTP requests, and consequently discover
session ID values, via a crafted web
application. (CVE-2016-0706)

- The session-persistence implementation in Apache Tomcat
6.x before 6.0.45, 7.x before 7.0.68, 8.x before
8.0.31, and 9.x before 9.0.0.M2 mishandles session
attributes, which allows remote authenticated users to
bypass intended SecurityManager restrictions and
execute arbitrary code in a privileged context via a
web application that places a crafted object in a
session. (CVE-2016-0714)

- The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in
Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and
9.x before 9.0.0.M3 does not consider whether
ResourceLinkFactory.setGlobalContext callers are
authorized, which allows remote authenticated users to
bypass intended SecurityManager restrictions and read
or write to arbitrary application data, or cause a
denial of service (application disruption), via a web
application that sets a crafted global
context. (CVE-2016-0763)

- The MultipartStream class in Apache Commons Fileupload
before 1.3.2, as used in Apache Tomcat 7.x before
7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x
before 9.0.0.M7 and other products, allows remote
attackers to cause a denial of service (CPU
consumption) via a long boundary string. (CVE-2016-3092)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.

See also :

http://www.nessus.org/u?23e980e7

Solution :

Update the affected tomcat packages.

Risk factor :

High / CVSS Base Score : 7.8
(CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C)
CVSS Temporal Score : 6.4
(CVSS2#E:F/RL:OF/RC:ND)
Public Exploit Available : true

Family: Huawei Local Security Checks

Nessus Plugin ID: 99816

Bugtraq ID:

CVE ID: CVE-2015-5174
CVE-2015-5345
CVE-2015-5351
CVE-2016-0706
CVE-2016-0714
CVE-2016-0763
CVE-2016-3092
