Apache Tomcat 7.0.x < 7.0.57 Multiple Vulnerabilities (POODLE)

high Nessus Plugin ID 81650

Language:

Synopsis

The remote Apache Tomcat server is affected by multiple vulnerabilities.

Description

According to its self-reported version number, the Apache Tomcat service listening on the remote host is 7.0.x prior to 7.0.57. It is, therefore, affected by the following vulnerabilities :

 - A memory double-free error exists in 'd1_both.c' related to handling DTLS packets that allows denial of service attacks. (CVE-2014-3505)

 - An unspecified error exists in 'd1_both.c' related to handling DTLS handshake messages that allows denial of service attacks due to large amounts of memory being consumed. (CVE-2014-3506)

 - A memory leak error exists in 'd1_both.c' related to handling specially crafted DTLS packets that allows denial of service attacks. (CVE-2014-3507)

 - An error exists in the 'OBJ_obj2txt' function when various 'X509_name_*' pretty printing functions are used, which leak process stack data, resulting in an information disclosure. (CVE-2014-3508)

 - An error exists related to 'ec point format extension' handling and multithreaded clients that allows freed memory to be overwritten during a resumed session.
 (CVE-2014-3509)

 - A NULL pointer dereference error exists related to handling anonymous ECDH cipher suites and crafted handshake messages that allows denial of service attacks against clients. (CVE-2014-3510)

 - An error exists related to handling fragmented 'ClientHello' messages that allows a man-in-the-middle attacker to force usage of TLS 1.0 regardless of higher protocol levels being supported by both the server and the client. (CVE-2014-3511)

 - Buffer overflow errors exist in 'srp_lib.c' related to handling Secure Remote Password protocol (SRP) parameters, which can allow a denial of service or have other unspecified impact. (CVE-2014-3512)

 - A memory leak issue exists in 'd1_srtp.c' related to the DTLS SRTP extension handling and specially crafted handshake messages that can allow denial of service attacks. (CVE-2014-3513)

 - An error exists related to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode.
 Man-in-the-middle attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. This is also known as the 'POODLE' issue. (CVE-2014-3566)

 - A memory leak issue exists in 't1_lib.c' related to session ticket handling that can allow denial of service attacks. (CVE-2014-3567)

 - An error exists related to the build configuration process and the 'no-ssl3' build option that allows servers and clients to process insecure SSL 3.0 handshake messages. (CVE-2014-3568)

 - A NULL pointer dereference error exists in 't1_lib.c', related to handling Secure Remote Password protocol (SRP) ServerHello messages, which allows a malicious server to crash a client, resulting in a denial of service. (CVE-2014-5139)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

Solution

Update to Apache Tomcat version 7.0.57 or later.

See Also

http://tomcat.apache.org/tomcat-7.0-doc/changelog.html

https://www.imperialviolet.org/2014/10/14/poodle.html

https://www.openssl.org/~bodo/ssl-poodle.pdf

https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00

Plugin Details

Severity: High

ID: 81650

File Name: tomcat_7_0_57.nasl

Version: 1.11

Type: combined

Agent: windows, macosx, unix

Family: Web Servers

Published: 3/5/2015

Updated: 4/11/2022

Supported Sensors: Nessus Agent

Risk Information

CVSS Score Source: CVE-2014-3505

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS v3

Risk Factor: High

Base Score: 7.3

Temporal Score: 6.4

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:tomcat

Required KB Items: installed_sw/Apache Tomcat

Exploit Ease: No known exploits are available

Patch Publication Date: 11/11/2014

Vulnerability Publication Date: 8/6/2014

Reference Information

CVE: CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568, CVE-2014-5139

BID: 69075, 69076, 69077, 69078, 69079, 69081, 69082, 69083, 69084, 70574, 70584, 70585, 70586

CERT: 577193