Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with both a "Transfer-Encoding: chunked" header and a Content-Length header, which causes Tomcat to incorrectly handle and forward the body of the request in a way that causes the receiving server to process it as a separate HTTP request, aka "HTTP Request Smuggling."

The version of Tomcat installed on the remote host is prior to 8.0.0-RC3. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.0.0-rc3_security-8 advisory.

  - Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the     web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with     both a Transfer-Encoding: chunked header and a Content-Length header, which causes Tomcat to incorrectly     handle and forward the body of the request in a way that causes the receiving server to process it as a     separate HTTP request, aka HTTP Request Smuggling. (CVE-2005-2090)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 7.0.47. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_7.0.47_security-7 advisory.

  - Jakarta Tomcat 5.0.19 (Coyote/1.1) and Tomcat 4.1.24 (Coyote/1.0) allows remote attackers to poison the     web cache, bypass web application firewall protection, and conduct XSS attacks via an HTTP request with     both a Transfer-Encoding: chunked header and a Content-Length header, which causes Tomcat to incorrectly     handle and forward the body of the request in a way that causes the receiving server to process it as a     separate HTTP request, aka HTTP Request Smuggling. (CVE-2005-2090)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

From Red Hat Security Advisory 2007:0327 :

Updated tomcat packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies.

Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090)

Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content.
(CVE-2007-0450)

The implict-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195)

Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues. Updated jakarta-commons-modeler packages are also included which correct a bug when used with Tomcat 5.5.23.

Some JSPs within the 'examples' web application did not escape user provided data. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks (CVE-2007-2449).

Note: it is recommended the 'examples' web application not be installed on a production system.

The Manager and Host Manager web applications did not escape user provided data. If a user is logged in to the Manager or Host Manager web application, an attacker could perform a cross-site scripting attack (CVE-2007-2450).

Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090)

Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content.
(CVE-2007-0450)

The implict-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195)

According to its self-reported version number, the Apache Tomcat instance listening on the remote host is prior to 6.0.13. It is, therefore, affected by the following vulnerabilities :

  - Requests containing multiple 'content-length' headers     are not rejected as invalid. This error can allow     web-cache poisoning, cross-site scripting attacks and     information disclosure. (CVE-2005-2090)

  - The remote Apache Tomcat install may be vulnerable to     a cross-site scripting attack if the JSP and Servlet     examples are enabled. Several of these examples do     not properly validate user input. (CVE-2007-1355)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Apache Tomcat listening on the remote host is 5.0.x equal to or prior to 5.0.30 or 5.5.x prior to 5.5.23. It is, therefore, affected by an HTTP request smuggling vulnerability.

Requests containing multiple 'content-length' headers are not rejected as invalid. This error can allow web-cache poisoning, cross-site scripting attacks and information disclosure.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is prior to 4.1.36. It is, therefore, affected by the following vulnerabilities :

  - Requests containing multiple 'content-length' headers     are not rejected as invalid. This error can allow     web-cache poisoning, cross-site scripting attacks and     information disclosure. (CVE-2005-2090)

  - An input sanitization error exists that can allow     disclosure of sensitive information via directory     traversal. This vulnerability is exposed when the     server is configured to use the 'Proxy' module.
    (CVE-2007-0450)

  - 'Accept-Language' headers are not validated properly,     which can allow cross-site scripting attacks.
    (CVE-2007-1358)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Red Hat Network Satellite Server version 4.2.3 is now available. This update includes fixes for a number of security issues in Red Hat Network Satellite Server components.

This update has been rated as having low security impact by the Red Hat Security Response Team.

This release corrects several security vulnerabilities in various components shipped as part of the Red Hat Network Satellite Server 4.2. In a typical operating environment, these components are not exposed to users of Satellite Server in a vulnerable manner. These security updates will reduce risk in unique Satellite Server environments.

Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting, denial-of-service, or information disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197, CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388)

A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349)

A denial-of-service flaw was fixed in the jabberd server.
(CVE-2006-1329)

Multiple cross-site scripting flaws were fixed in the image map feature in the JFreeChart package. (CVE-2007-6306)

Multiple flaws were fixed in the IBM Java 1.4.2 Runtime.
(CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789)

Multiple flaws were fixed in the OpenMotif package. (CVE-2004-0687, CVE-2004-0688, CVE-2004-0914, CVE-2005-3964, CVE-2005-0605)

A flaw which could result in weak encryption was fixed in the perl-Crypt-CBC package. (CVE-2006-0898)

Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128, CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355, CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195, CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510)

Users of Red Hat Network Satellite Server 4.2 are advised to upgrade to 4.2.3, which resolves these issues.

Red Hat Network Satellite Server version 5.0.2 is now available. This update includes fixes for a number of security issues in Red Hat Network Satellite Server components.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

During an internal security review, a cross-site scripting flaw was found that affected the Red Hat Network channel search feature.
(CVE-2007-5961)

This release also corrects several security vulnerabilities in various components shipped as part of the Red Hat Network Satellite Server. In a typical operating environment, these components are not exposed to users of Satellite Server in a vulnerable manner. These security updates will reduce risk in unique Satellite Server environments.

Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting, denial-of-service, or information disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197, CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388)

A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349)

A denial-of-service flaw was fixed in the jabberd server.
(CVE-2006-1329)

Multiple cross-site scripting flaws were fixed in the image map feature in the JFreeChart package. (CVE-2007-6306)

Multiple flaws were fixed in the IBM Java 1.4.2 Runtime.
(CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789)

Two arbitrary code execution flaws were fixed in the OpenMotif package. (CVE-2005-3964, CVE-2005-0605)

A flaw which could result in weak encryption was fixed in the perl-Crypt-CBC package. (CVE-2006-0898)

Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128, CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355, CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195, CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510)

Users of Red Hat Network Satellite Server 5.0 are advised to upgrade to 5.0.2, which resolves these issues.

Updated tomcat packages that fix multiple security issues are now available for Red Hat Network Satellite Server.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies.

It was reported Tomcat did not properly handle the following character sequence in a cookie: \' (a backslash followed by a double-quote). It was possible remote attackers could use this failure to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3385).

Tomcat was found treating single quote characters -- ' -- as delimiters in cookies. This could allow remote attackers to obtain sensitive information, such as session IDs, for session hijacking attacks (CVE-2007-3382).

The default Tomcat configuration permitted the use of insecure SSL cipher suites including the anonymous cipher suite. (CVE-2007-1858)

Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content.
(CVE-2007-0450)

Directory listings were enabled by default in Tomcat. Information stored unprotected under the document root was visible to anyone if the administrator did not disable directory listings. (CVE-2006-3835)

It was found that generating listings of large directories was CPU intensive. An attacker could make repeated requests to obtain a directory listing of any large directory, leading to a denial of service. (CVE-2005-3510)

Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090)

Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues, and add the tyrex and jakarta-commons-pool packages which are required dependencies of the new Tomcat version.

Fixed various issues in tomcat :

  - mod_jk directory traversal. (CVE-2007-1860)

  - Handling of cookies containing a ' character.
    (CVE-2007-3382)

  - Handling of a double-quote character in cookies.
    (CVE-2007-3385)

  - tomcat path traversal / information leak.
    (CVE-2007-5641)

  - tomcat HTTP Request Smuggling. (CVE-2005-2090)

  - tomcat https information disclosure. (CVE-2008-0128)

Updated VirtualCenter fixes the following application vulnerabilities

a. Tomcat Server Security Update This release of VirtualCenter Server updates the Tomcat Server package from 5.5.17 to 5.5.25, which addresses multiple security issues that existed in the earlier releases of Tomcat Server.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2005-2090, CVE-2006-7195, and CVE-2007-0450 to these issues.

b. JRE Security Update This release of VirtualCenter Server updates the JRE package from 1.5.0_7 to 1.5.0_12, which addresses a security issue that existed in the earlier release of JRE.

The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2007-3004 to this issue.

NOTE: These vulnerabilities can be exploited remotely only if the       attacker has access to the service console network.

      Security best practices provided by VMware recommend that the       service console be isolated from the VM network. Please see       http://www.vmware.com/resources/techresources/726 for more       information on VMware security best practices.

Fixed various issues in tomcat :

  - CVE-2006-7196: Cross-site scripting (XSS) vulnerability     in example JSP applications

  - CVE-2007-3382: Handling of cookies containing a '     character

  - CVE-2007-3385: Handling of \' in cookies

  - CVE-2007-5641: tomcat path traversal / information leak

  - CVE-2007-1860: directory traversal

  - CVE-2008-0128: tomcat https information disclosure

  - CVE-2005-2090: tomcat HTTP Request Smuggling

- Cross-site scripting (XSS) vulnerability in example JSP     applications. (CVE-2006-7196)

  - Handling of cookies containing a ' character.
    (CVE-2007-3382)

  - Handling of \' in cookies. (CVE-2007-3385)

  - tomcat path traversal / information leak.
    (CVE-2007-5641)

  - directory traversal. (CVE-2007-1860)

  - tomcat https information disclosure. (CVE-2008-0128)

  - tomcat HTTP Request Smuggling. (CVE-2005-2090)

The remote host is running a version of Mac OS X 10.4 or 10.3 which does not have the security update 2007-007 applied. 

This update contains several security fixes for the following programs :

 - bzip2
 - CFNetwork
 - CoreAudio
 - cscope
 - gnuzip
 - iChat
 - Kerberos
 - mDNSResponder
 - PDFKit
 - PHP
 - Quartz Composer
 - Samba
 - SquirrelMail
 - Tomcat
 - WebCore
 - WebKit

Apache Project reports :

The Apache Tomcat team is proud to announce the immediate availability of Tomcat 4.1.36 stable. This build contains numerous library updates, A small number of bug fixes and two important security fixes.

Updated tomcat packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red Hat Security Response Team.

Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies.

Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090)

Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content.
(CVE-2007-0450)

The implict-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195)

Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues. Updated jakarta-commons-modeler packages are also included which correct a bug when used with Tomcat 5.5.23.

The remote host appears to be running a version of Apache, an open source web server.  This version of Apache is vulnerable to a flaw in the way that it handles malformed HTTP requests.  An attacker exploiting this flaw would be able to possibly corrupt cache memory or inject HTML requests to a vulnerable Apache server.  The vulnerability stems from a non-conformance to RFC 2616 that states that HTTP requests must not include both a 'Content-Length' and 'Transfer-Encoding' field.   

ID	Name	Product	Family	Severity
197824	Apache Tomcat 8.0.0 < 8.0.0-RC3 multiple vulnerabilities	Nessus	Web Servers	medium
121116	Apache Tomcat 7.0.0 < 7.0.47 multiple vulnerabilities	Nessus	Web Servers	medium
67487	Oracle Linux 5 : tomcat (ELSA-2007-0327)	Nessus	Oracle Linux Local Security Checks	medium
60227	Scientific Linux Security Update : tomcat on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
17728	Apache Tomcat < 6.0.13 Multiple Vulnerabilities	Nessus	Web Servers	medium
17727	Apache Tomcat 5.0.x <= 5.0.30 / 5.5.x < 5.5.23 Content-Length HTTP Request Smuggling	Nessus	Web Servers	medium
17726	Apache Tomcat 4.x < 4.1.36 Multiple Vulnerabilities	Nessus	Web Servers	medium
43837	RHEL 3 / 4 : Satellite Server (RHSA-2008:0524)	Nessus	Red Hat Local Security Checks	critical
43835	RHEL 4 : Satellite Server (RHSA-2008:0261)	Nessus	Red Hat Local Security Checks	critical
43834	RHEL 3 / 4 : tomcat in Satellite Server (RHSA-2007:1069)	Nessus	Red Hat Local Security Checks	medium
41198	SuSE9 Security Update : Tomcat (YOU Patch Number 12078)	Nessus	SuSE Local Security Checks	medium
40373	VMSA-2008-0002 : Low severity security update for VirtualCenter and ESX	Nessus	VMware ESX Local Security Checks	medium
31319	openSUSE 10 Security Update : apache2-mod_jk (apache2-mod_jk-4992)	Nessus	SuSE Local Security Checks	medium
31298	SuSE 10 Security Update : Tomcat 5 (ZYPP Patch Number 4990)	Nessus	SuSE Local Security Checks	medium
25830	Mac OS X Multiple Vulnerabilities (Security Update 2007-007)	Nessus	MacOS X Local Security Checks	critical
25784	FreeBSD : tomcat -- multiple vulnerabilities (872623af-39ec-11dc-b8cc-000fea449b8a)	Nessus	FreeBSD Local Security Checks	medium
25329	RHEL 5 : tomcat (RHSA-2007:0327)	Nessus	Red Hat Local Security Checks	medium
25223	CentOS 5 : tomcat (CESA-2007:0327)	Nessus	CentOS Local Security Checks	medium
3042	Apache HTTP Request Parsing HTML Injection	Nessus Network Monitor	Web Servers	high
800576	Apache HTTP Request Parsing HTML Injection	Log Correlation Engine	Web Servers	high

Detections

Analytics

CVE-2005-2090

medium

Tenable Plugins

medium

medium

medium

medium

medium

medium

medium

critical

critical

medium

medium

medium

medium

medium

critical

medium

medium

medium

high

high