SynopsisThe remote web server is missing an Apache Tomcat patch update.
DescriptionThe version of Apache Tomcat installed on the remote host is version 6.0.x prior to 6.0.48. It is, therefore, affected by multiple vulnerabilities :
- A flaw exists that is triggered when handling request lines containing certain invalid characters. An unauthenticated, remote attacker can exploit this, by injecting additional headers into responses, to conduct HTTP response splitting attacks. (CVE-2016-6816)
- A remote code execution vulnerability exists in the JMX listener in JmxRemoteLifecycleListener.java due to improper deserialization of Java objects. An unauthenticated, remote attacker can exploit this to execute arbitrary code. (CVE-2016-8735)
SolutionUpdate to Apache Tomcat version 6.0.48 or later.