Apache Tomcat 6.0.x < 6.0.48 Multiple Vulnerabilities
Medium Nessus Network Monitor Plugin ID 700668
Synopsis
The remote web server is missing an Apache Tomcat patch update.
Description
The version of Apache Tomcat installed on the remote host is 6.0.x prior to 6.0.48. It is, therefore, affected by multiple vulnerabilities:
- An input-validation flaw exists in the parsing of the HTTP request line, which accepted certain invalid characters. When Tomcat sits behind a proxy that also accepts those characters but interprets them differently, an unauthenticated, remote attacker can exploit this to inject data into HTTP responses, allowing web-cache poisoning, cross-site scripting, or disclosure of responses to other users' requests. (CVE-2016-6816)
- A remote code execution vulnerability exists in the JMX remote listener (JmxRemoteLifecycleListener.java), which was not updated to reflect Oracle's Java fix for CVE-2016-3427 and therefore still deserializes untrusted Java objects. An unauthenticated, remote attacker who can reach the configured RMI registry or server port can exploit this to execute arbitrary code. The listener is not enabled by default and must be explicitly configured in server.xml. (CVE-2016-8735)
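The following is an added example, not part of the Nessus plugin, showing how a practitioner could triage a host against this advisory offline: it parses a Tomcat version string (as printed by `catalina.sh version` or found in ServerInfo.properties), applies the 6.0.x < 6.0.48 affected range, and inspects server.xml for a configured JmxRemoteLifecycleListener, which is what makes CVE-2016-8735 reachable. The sample version text and server.xml below are constructed for the example; the function names are my own.

```python
import re
import xml.etree.ElementTree as ET

# Fixed release per the advisory; only the 6.0 branch is in scope here.
FIXED_VERSION = (6, 0, 48)
JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"

# Constructed sample input resembling `catalina.sh version` output.
SAMPLE_VERSION = "Server version: Apache Tomcat/6.0.45\nServer number:  6.0.45.0\n"

# Constructed server.xml with the JMX remote listener configured on fixed ports.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Same file with the JMX listener removed, to show the negative case.
SAMPLE_SERVER_XML_NO_JMX = "\n".join(
    line for line in SAMPLE_SERVER_XML.splitlines()
    if "JmxRemoteLifecycleListener" not in line and "rmiServerPortPlatform" not in line
)


def parse_tomcat_version(text):
    """Return (major, minor, patch) from the first x.y.z found in the text."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Tomcat version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_affected(version):
    """True for 6.0.x prior to 6.0.48; other branches are outside this advisory."""
    major, minor, _ = version
    return (major, minor) == (6, 0) and version < FIXED_VERSION


def jmx_listener_configured(server_xml):
    """Return the configured RMI ports if JmxRemoteLifecycleListener is present, else None."""
    root = ET.fromstring(server_xml)
    for listener in root.iter("Listener"):
        if listener.get("className") == JMX_LISTENER:
            return {
                "rmiRegistryPortPlatform": listener.get("rmiRegistryPortPlatform"),
                "rmiServerPortPlatform": listener.get("rmiServerPortPlatform"),
            }
    return None


def assess(version_text, server_xml):
    """Map version and config to the CVEs from the advisory that apply to this host."""
    version = parse_tomcat_version(version_text)
    findings = []
    if is_affected(version):
        # Request-line flaw is present in every affected build; whether it is
        # exploitable depends on the proxy in front of Tomcat, which is not
        # visible from the host itself.
        findings.append("CVE-2016-6816")
        # The JMX deserialization flaw is only reachable if the listener is
        # configured and its ports are exposed; the port check is left to the
        # network scan.
        if jmx_listener_configured(server_xml) is not None:
            findings.append("CVE-2016-8735")
    return version, findings


if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_SERVER_XML))
```

On a real host, feed `assess` the output of `$CATALINA_HOME/bin/catalina.sh version` (or `version.sh`) and the contents of `$CATALINA_HOME/conf/server.xml`; a hit on CVE-2016-8735 should then be confirmed by checking that the listed RMI ports are reachable from outside the host.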
Solution
Update to Apache Tomcat version 6.0.48 or later.