Apache Tomcat 7.0.x < 7.0.70 / 8.0.x < 8.0.36 / 8.5.x < 8.5.3 / 9.x < 9.0.0M8 DoS

High Nessus Network Monitor Plugin ID 9905

Synopsis

The remote web server is missing an Apache Tomcat patch update.

Description

The version of Apache Tomcat installed on the remote host is 7.0.x prior to 7.0.70, 8.0.x prior to 8.0.36, 8.5.x prior to 8.5.3, or 9.x prior to 9.0.0M8. It is therefore affected by a flaw in the handling of the 'boundary' value of Content-Type headers when processing file upload requests. A remote attacker may exploit this to cause a process linked against the affected library to become unresponsive.

Solution

Update to Apache Tomcat version 9.0.0M8 or later. If version 9.x cannot be obtained, versions 8.5.3, 8.0.36, and 7.0.70 have also been patched for these vulnerabilities.

See Also

http://svn.apache.org/viewvc?view=revision&revision=1743480

http://svn.apache.org/viewvc?view=rev&rev=1743722

http://svn.apache.org/viewvc?view=rev&rev=1743738

http://svn.apache.org/viewvc?view=rev&rev=1743742

Plugin Details

Severity: High

ID: 9905

File Name: 9905.prm

Family: Web Servers

Published: 2017/01/24

Modified: 2017/01/24

Dependencies: 8928, 8931, 9715

Risk Information

Risk Factor: High

CVSSv2

Base Score: 7.8

Temporal Score: 6.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C

Temporal Vector: CVSS2#E:ND/RL:OF/RC:C

CVSSv3

Base Score: 7.5

Temporal Score: 7.2

Vector: CVSS3#AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Temporal Vector: CVSS3#E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:tomcat

Patch Publication Date: 2016/05/26

Vulnerability Publication Date: 2016/06/21

Reference Information

CVE: CVE-2016-3092

BID: 91453