openSUSE Security Update : tomcat (openSUSE-SU-2013:1307-1)

Medium Nessus Plugin ID 75107

Synopsis

The remote openSUSE host is missing a security update.

Description

Tomcat was updated to fix security issues and bug: CVE-2013-1976:
Avoid a potential symlink race during startup of the tomcat server, where a local attacker that gaine access to the tomcat chroot could escalate privileges to root.

CVE-2013-2067:
java/org/apache/catalina/authenticator/FormAuthenticator.java in the form authentication feature in Apache Tomcat did not properly handle the relationships between authentication requirements and sessions, which allows remote attackers to inject a request into a session by sending this request during completion of the login form, a variant of a session fixation attack.

CVE-2012-3544: Tomcat were affected by a chunked transfer encoding extension size denial of service vulnerability.

Also the following bug was fixed :

- Fix tomcat init scripts generating malformed classpath (http://youtrack.jetbrains.com/issue/JT-18545) bnc#804992

Solution

Update the affected tomcat packages.

See Also

https://youtrack.jetbrains.com/issue/JT-18545

https://bugzilla.novell.com/show_bug.cgi?id=768772

https://bugzilla.novell.com/show_bug.cgi?id=804992

https://bugzilla.novell.com/show_bug.cgi?id=822177

https://bugzilla.novell.com/show_bug.cgi?id=831117

https://bugzilla.novell.com/show_bug.cgi?id=831119

https://lists.opensuse.org/opensuse-updates/2013-08/msg00014.html

Plugin Details

Severity: Medium

ID: 75107

File Name: openSUSE-2013-633.nasl

Version: 1.10

Type: local

Agent: unix

Published: 2014/06/13

Updated: 2020/06/04

Dependencies: 12634

Risk Information

Risk Factor: Medium

CVSS v2.0

Base Score: 6.9

Temporal Score: 6

Vector: CVSS2#AV:L/AC:M/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:H/RL:OF/RC:C

Vulnerability Information

CPE: p-cpe:/a:novell:opensuse:tomcat, p-cpe:/a:novell:opensuse:tomcat-admin-webapps, p-cpe:/a:novell:opensuse:tomcat-docs-webapp, p-cpe:/a:novell:opensuse:tomcat-el-2_2-api, p-cpe:/a:novell:opensuse:tomcat-javadoc, p-cpe:/a:novell:opensuse:tomcat-jsp-2_2-api, p-cpe:/a:novell:opensuse:tomcat-jsvc, p-cpe:/a:novell:opensuse:tomcat-lib, p-cpe:/a:novell:opensuse:tomcat-servlet-3_0-api, p-cpe:/a:novell:opensuse:tomcat-webapps, cpe:/o:novell:opensuse:12.2

Required KB Items: Host/local_checks_enabled, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2013/08/14

Reference Information

CVE: CVE-2012-3544, CVE-2013-1976, CVE-2013-2067