The version of Symantec Content Analysis running on the   remote host is prior to version 2.3.5.1. It is, therefore,   affected by multiple vulnerabilities:
    - An improper handing of overflow in the UTF-8 decoder       with supplementary characters can lead to an infinite       loop in the decoder causing a Denial of Service.
      (CVE-2018-1336)

    - When using an OCSP responder Apache Tomcat Native       1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 did not correctly       handle invalid responses. This allowed for revoked client       certificates to be incorrectly identified. It was therefore       possible for users to authenticate with revoked certificates       when using mutual TLS.(CVE-2018-8019)       
    - Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has       a flaw that does not properly check OCSP pre-produced responses,       which are lists (multiple entries) of certificate statuses.
      (CVE-2018-8020)

    - The host name verification when using TLS with the       WebSocket client was missing. It is now enabled by       default. (CVE-2018-8034)

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2742 advisory.

    Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss     Application Server.

    This release of Red Hat JBoss Enterprise Application Platform 6.4.21 serves as a replacement for Red Hat     JBoss Enterprise Application Platform 6.4.20, and includes bug fixes and enhancements, which are     documented in the Release Notes document linked to in the References.

    Security Fix(es):

    * hibernate-validator: Privilege escalation when running under the security manager (CVE-2017-7536)

    * guava: Unbounded memory allocation in AtomicDoubleArray and CompoundOrdering classes allow remote     attackers to cause a denial of service (CVE-2018-10237)

    * picketlink: The fix for CVE-2017-2582 breaks the feature of attribute replacement with system property     in picketlink.xml (CVE-2017-2582)

    * jbossweb: tomcat: A bug in the UTF-8 decoder can lead to DoS (CVE-2018-1336)

    For more details about the security issue(s), including the impact, a CVSS score, and other related     information, refer to the CVE page(s) listed in the References section.

    The CVE-2017-2582 issue was discovered by Hynek Mlnarik (Red Hat) and the CVE-2017-7536 issue was     discovered by Gunnar Morling (Red Hat).

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.(CVE-2018-8014)

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 8.5.0 to 8.5.30. (CVE-2018-1336)

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 8.5.0 to 8.5.31.(CVE-2018-8034)

A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection. Versions Affected: Apache Tomcat 8.5.5 to 8.5.31.(CVE-2018-8037)

This update for tomcat to version 9.0.10 fixes the following issues :

Security issues fixed :

  - CVE-2018-1336: An improper handing of overflow in the     UTF-8 decoder with supplementary characters could have     lead to an infinite loop in the decoder causing a Denial     of Service (bsc#1102400).

  - CVE-2018-8014: Fix insecure default CORS filter settings     (bsc#1093697).

  - CVE-2018-8034: The host name verification when using TLS     with the WebSocket client was missing. It is now enabled     by default (bsc#1102379).

  - CVE-2018-8037: If an async request was completed by the     application at the same time as the container triggered     the async timeout, a race condition existed that could     have resulted in a user seeing a response intended for a     different user. An additional issue was present in the     NIO and NIO2 connectors that did not correctly track the     closure of the connection when an async request was     completed by the application and timed out by the     container at the same time. This could also have     resulted in a user seeing a response intended for     another user (bsc#1102410).

Bug fixes :

  - Avoid overwriting of customer's configuration during     update (bsc#1067720)

  - Disable adding OSGi metadata to JAR files

  - See changelog at     http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#T     omcat_9.0.10_(markt)

This update was imported from the SUSE:SLE-15:Update update project.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2018-2921 advisory.

    [0:7.0.76-8]
    - Resolves: rhbz#1608608 CVE-2018-1336 tomcat: A bug in the UTF 8 decoder can lead to DoS

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - tomcat: A bug in the UTF-8 decoder can lead to DoS     (CVE-2018-1336)

The version of F5 Networks BIG-IP installed on the remote host is prior to 14.0.1.1 / 14.1.0. It is, therefore, affected by a vulnerability as referenced in the K73008537 advisory.

  - An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite     loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0     to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. (CVE-2018-1336)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to the version of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - tomcat: A bug in the UTF-8 decoder can lead to DoS     (CVE-2018-1336)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the Apache Tomcat instance listening on the remote host is 7.0.x prior to 7.0.88. It is, therefore, affected by the following vulnerability:

- A denial of service (DoS) vulnerability exists in Tomcat due to improper overflow handling in the UTF-8 decoder. An unauthenticated, remote attacker can exploit this issue to cause an infinite loop in the decoder, leading to a denial of service condition.

Note that Nessus Network Monitor has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the Apache Tomcat instance listening on the remote host is 8.0.x prior to 8.0.52. It is, therefore, affected by the following vulnerability:

 - A denial of service (DoS) vulnerability exists in Tomcat due to improper overflow handling in the UTF-8 decoder. An unauthenticated, remote attacker can exploit this issue to cause an infinite loop in the decoder, leading to a denial of service condition.

Note that Nessus Network Monitor has not tested for these issues but has instead relied only on the application's self-reported version number.

A denial of service (DoS) vulnerability exists in Apache Tomcat, in versions between 9.0.0.M1 and 9.0.7 (inclusive), due to improper overflow handling in the UTF-8 decoder component. An unauthenticated, remote attacker can exploit this issue, to cause the application to stop responding.

According to its self-reported version number, the Apache Tomcat instance listening on the remote host is 8.5.x earlier to 8.5.31. It is, therefore, affected by the following vulnerability:

 - A denial of service (DoS) vulnerability exists in Tomcat due to improper overflow handling in the UTF-8 decoder. An unauthenticated, remote attacker can exploit this issue to cause an infinite loop in the decoder, leading to a denial of service condition.

Note that Nessus Network Monitor has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 7.0.88. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_7.0.88_security-7 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
125550	Symantec Content Analysis < 2.3.5.1 affected by Multiple Vulnerabilities (SYMSA1463)	Nessus	Misc.	5/30/2019	10/30/2019	high
194122	RHEL 5 : Red Hat JBoss Enterprise Application Platform 6.4.21 (RHSA-2018:2742)	Nessus	Red Hat Local Security Checks	4/27/2024	3/20/2025	high
111611	Amazon Linux AMI : tomcat8 (ALAS-2018-1056)	Nessus	Amazon Linux Local Security Checks	8/10/2018	8/23/2024	critical
117983	openSUSE Security Update : tomcat (openSUSE-2018-1129)	Nessus	SuSE Local Security Checks	10/9/2018	7/31/2024	critical
118161	Oracle Linux 7 : tomcat (ELSA-2018-2921)	Nessus	Oracle Linux Local Security Checks	10/17/2018	11/1/2024	high
118167	Scientific Linux Security Update : tomcat on SL7.x (noarch) (20181016)	Nessus	Scientific Linux Local Security Checks	10/17/2018	2/8/2022	high
119668	F5 Networks BIG-IP : Apache Tomcat vulnerability (K73008537)	Nessus	F5 Networks Local Security Checks	12/14/2018	1/4/2024	high
119904	EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2018-1415)	Nessus	Huawei Local Security Checks	12/28/2018	7/12/2024	high
700678	Apache Tomcat 7.0.x < 7.0.88 Denial of Service	Nessus Network Monitor	Web Servers	5/13/2019	5/13/2019	high
700688	Apache Tomcat 8.0.x < 8.0.52 Denial of Service	Nessus Network Monitor	Web Servers	5/13/2019	5/13/2019	high
700706	Apache Tomcat 9.0.x < 9.0.8 Denial of Service Vulnerability	Nessus Network Monitor	Web Servers	5/13/2019	5/13/2019	high
700694	Apache Tomcat 8.5.x < 8.5.31 Denial of Service	Nessus Network Monitor	Web Servers	5/13/2019	5/13/2019	high
701337	Apache Tomcat < 7.0.88 Vulnerability	Nessus Network Monitor	Web Servers	4/14/2021	4/14/2021	medium

Detections

Analytics

Plugins Search

high

high

critical

critical

high

high

high

high

high

high

high

high

medium