Debian DSA-2207-1 : tomcat5.5 - several vulnerabilities

Medium Nessus Plugin ID 53212

Synopsis

The remote Debian host is missing a security-related update.

Description

Various vulnerabilities have been discovered in the Tomcat Servlet and JSP engine, resulting in denial of service, cross-site scripting, information disclosure and WAR file traversal. Further details on the individual security issues can be found on the Apache Tomcat 5 vulnerabilities page.

Solution

Upgrade the tomcat5.5 packages.

For the oldstable distribution (lenny), this problem has been fixed in version 5.5.26-5lenny2.

The stable distribution (squeeze) no longer contains tomcat5.5.
tomcat6 is already fixed.

See Also

http://tomcat.apache.org/security-5.html

https://www.debian.org/security/2011/dsa-2207

Plugin Details

Severity: Medium

ID: 53212

File Name: debian_DSA-2207.nasl

Version: 1.16

Type: local

Agent: unix

Published: 2011/03/30

Updated: 2019/07/15

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.4

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

CVSS v3.0

Base Score: 4.2

Temporal Score: 3.9

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:tomcat5.5, cpe:/o:debian:debian_linux:5.0

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2011/03/30

Vulnerability Publication Date: 2009/03/09

Exploitable With

CANVAS (D2ExploitPack)

Reference Information

CVE: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783, CVE-2009-2693, CVE-2009-2902, CVE-2010-1157, CVE-2010-2227

BID: 35193, 35196, 35263, 35416, 37944, 37945, 39635, 41544

DSA: 2207

CWE: 20, 22, 79, 200