The SingleSignOn Valve (org.apache.catalina.authenticator.SingleSignOn) in Apache Tomcat before 5.5.21 does not set the secure flag for the JSESSIONIDSSO cookie in an https session, which can cause the cookie to be sent in http requests and make it easier for remote attackers to capture this cookie.

According to its self-reported version number, the instance of Apache Tomcat 6.x listening on the remote host is prior to 6.0.9. It is, therefore, affected by an information disclosure vulnerability.

If the remote Apache Tomcat install is configured to use the SingleSignOn Valve, the JSESSIONIDSSO cookie does not have the 'secure' attribute set if authentication takes place over HTTPS. This allows the JSESSIONIDSSO cookie to be sent to the same server when HTTP content is requested.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Apache Tomcat 5.x listening on the remote host is prior to 5.5.21. It is, therefore, affected by the following vulnerabilities :

  - The remote Apache Tomcat install is vulnerable to a     cross-site scripting attack. The client supplied     Accept-Language headers are not validated which allows     an attacker to use a specially crafted URL to inject     arbitrary HTML and script code into the user's browser.
    (CVE-2007-1358)

  - If the remote Apache Tomcat install is configured to use     the SingleSignOn Valve, the JSESSIONIDSSO cookie does     not have the 'secure' attribute set if authentication     takes place over HTTPS. This allows the JSESSIONIDSSO     cookie to be sent to the same server when HTTP content     is requested. (CVE-2008-0128)

  - The remote Apache Tomcat install is affected by an     information disclosure vulnerability. The doRead method     fails to return the proper error code for certain error     conditions, which can cause POST content to be sent to     different, and improper, requests. (CVE-2008-4308)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the instance of Apache Tomcat 4.x listening on the remote host is prior to 4.1.39. It is, therefore, affected by one or more of the following vulnerabilities :

  - If the remote Apache Tomcat install is configured to use     the SingleSignOn Valve, the JSESSIONIDSSO cookie does     not have the 'secure' attribute set if authentication     takes place over HTTPS. This allows the JSESSIONIDSSO     cookie to be sent to the same server when HTTP content     is requested. (CVE-2008-0128)

  - The remote Apache Tomcat install is vulnerable to a     cross-site scripting attack. Improper input validation     allows a remote attacker to inject arbitrary script     code or HTML into the message argument used by the     HttpServletResponse.sendError method. (CVE-2008-1232)

  - If the remote Apache Tomcat install contains pages     using the RequestDispatcher object, a directory     traversal attack may be possible. This allows an     attacker to select one or more of the input parameters     and provide specific values leading to access of     potentially sensitive files. (CVE-2008-2370)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Red Hat Network Satellite Server version 5.1.1 is now available. This update includes fixes for a number of security issues in Red Hat Network Satellite Server components.

This update has been rated as having low security impact by the Red Hat Security Response Team.

During an internal security audit, it was discovered that Red Hat Network Satellite Server shipped with an XML-RPC script, manzier.pxt, which had a single hard-coded authentication key. A remote attacker who is able to connect to the Satellite Server XML-RPC service could use this flaw to obtain limited information about Satellite Server users, such as login names, associated email addresses, internal user IDs, and partial information about entitlements. (CVE-2008-2369)

This release also corrects several security vulnerabilities in various components shipped as part of Red Hat Network Satellite Server 5.1. In a typical operating environment, these components are not exposed to users of Satellite Server in a vulnerable manner. These security updates will reduce risk in unique Satellite Server environments.

A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349)

Multiple cross-site scripting flaws were fixed in the image map feature in the JFreeChart package. (CVE-2007-6306)

A flaw which could result in weak encryption was fixed in the perl-Crypt-CBC package. (CVE-2006-0898)

Multiple flaws were fixed in the Apache Tomcat package.
(CVE-2005-4838, CVE-2006-0254, CVE-2007-1355, CVE-2007-1358, CVE-2007-2449, CVE-2007-5461, CVE-2008-0128)

Users of Red Hat Network Satellite Server 5.1 are advised to upgrade to 5.1.1, which resolves these issues.

Red Hat Network Satellite Server version 4.2.3 is now available. This update includes fixes for a number of security issues in Red Hat Network Satellite Server components.

This update has been rated as having low security impact by the Red Hat Security Response Team.

This release corrects several security vulnerabilities in various components shipped as part of the Red Hat Network Satellite Server 4.2. In a typical operating environment, these components are not exposed to users of Satellite Server in a vulnerable manner. These security updates will reduce risk in unique Satellite Server environments.

Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting, denial-of-service, or information disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197, CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388)

A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349)

A denial-of-service flaw was fixed in the jabberd server.
(CVE-2006-1329)

Multiple cross-site scripting flaws were fixed in the image map feature in the JFreeChart package. (CVE-2007-6306)

Multiple flaws were fixed in the IBM Java 1.4.2 Runtime.
(CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789)

Multiple flaws were fixed in the OpenMotif package. (CVE-2004-0687, CVE-2004-0688, CVE-2004-0914, CVE-2005-3964, CVE-2005-0605)

A flaw which could result in weak encryption was fixed in the perl-Crypt-CBC package. (CVE-2006-0898)

Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128, CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355, CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195, CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510)

Users of Red Hat Network Satellite Server 4.2 are advised to upgrade to 4.2.3, which resolves these issues.

Red Hat Network Satellite Server version 5.0.2 is now available. This update includes fixes for a number of security issues in Red Hat Network Satellite Server components.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

During an internal security review, a cross-site scripting flaw was found that affected the Red Hat Network channel search feature.
(CVE-2007-5961)

This release also corrects several security vulnerabilities in various components shipped as part of the Red Hat Network Satellite Server. In a typical operating environment, these components are not exposed to users of Satellite Server in a vulnerable manner. These security updates will reduce risk in unique Satellite Server environments.

Multiple flaws were fixed in the Apache HTTPD server. These flaws could result in a cross-site scripting, denial-of-service, or information disclosure attacks. (CVE-2004-0885, CVE-2006-5752, CVE-2006-7197, CVE-2007-1860, CVE-2007-3304, CVE-2007-4465, CVE-2007-5000, CVE-2007-6388)

A denial-of-service flaw was fixed in mod_perl. (CVE-2007-1349)

A denial-of-service flaw was fixed in the jabberd server.
(CVE-2006-1329)

Multiple cross-site scripting flaws were fixed in the image map feature in the JFreeChart package. (CVE-2007-6306)

Multiple flaws were fixed in the IBM Java 1.4.2 Runtime.
(CVE-2007-0243, CVE-2007-2435, CVE-2007-2788, CVE-2007-2789)

Two arbitrary code execution flaws were fixed in the OpenMotif package. (CVE-2005-3964, CVE-2005-0605)

A flaw which could result in weak encryption was fixed in the perl-Crypt-CBC package. (CVE-2006-0898)

Multiple flaws were fixed in the Tomcat package. (CVE-2008-0128, CVE-2007-5461, CVE-2007-3385, CVE-2007-3382, CVE-2007-1358, CVE-2007-1355, CVE-2007-2450, CVE-2007-2449, CVE-2007-0450, CVE-2006-7196, CVE-2006-7195, CVE-2006-3835, CVE-2006-0254, CVE-2005-2090, CVE-2005-4838, CVE-2005-3510)

Users of Red Hat Network Satellite Server 5.0 are advised to upgrade to 5.0.2, which resolves these issues.

Fixed various issues in tomcat :

  - mod_jk directory traversal. (CVE-2007-1860)

  - Handling of cookies containing a ' character.
    (CVE-2007-3382)

  - Handling of a double-quote character in cookies.
    (CVE-2007-3385)

  - tomcat path traversal / information leak.
    (CVE-2007-5641)

  - tomcat HTTP Request Smuggling. (CVE-2005-2090)

  - tomcat https information disclosure. (CVE-2008-0128)

Fixed various issues in tomcat :

  - CVE-2006-7196: Cross-site scripting (XSS) vulnerability     in example JSP applications

  - CVE-2007-3382: Handling of cookies containing a '     character

  - CVE-2007-3385: Handling of \' in cookies

  - CVE-2007-5641: tomcat path traversal / information leak

  - CVE-2007-1860: directory traversal

  - CVE-2008-0128: tomcat https information disclosure

  - CVE-2005-2090: tomcat HTTP Request Smuggling

- Cross-site scripting (XSS) vulnerability in example JSP     applications. (CVE-2006-7196)

  - Handling of cookies containing a ' character.
    (CVE-2007-3382)

  - Handling of \' in cookies. (CVE-2007-3385)

  - tomcat path traversal / information leak.
    (CVE-2007-5641)

  - directory traversal. (CVE-2007-1860)

  - tomcat https information disclosure. (CVE-2008-0128)

  - tomcat HTTP Request Smuggling. (CVE-2005-2090)

Several remote vulnerabilities have been discovered in the Tomcat servlet and JSP engine. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2008-0128     Olaf Kock discovered that HTTPS encryption was     insufficiently enforced for single-sign-on cookies,     which could result in information disclosure.

  - CVE-2007-2450     It was discovered that the Manager and Host Manager web     applications performed insufficient input sanitising,     which could lead to cross site scripting.

This update also adapts the tomcat5.5-webapps package to the tightened JULI permissions introduced in the previous tomcat5.5 DSA. However, it should be noted, that the tomcat5.5-webapps is for demonstration and documentation purposes only and should not be used for production systems.

ID	Name	Product	Family	Severity
46869	Apache Tomcat 6.x < 6.0.9 Information Disclosure	Nessus	Web Servers	medium
46868	Apache Tomcat 5.x < 5.5.21 Multiple Vulnerabilities	Nessus	Web Servers	medium
46867	Apache Tomcat 4.x < 4.1.39 Multiple Vulnerabilities	Nessus	Web Servers	medium
43840	RHEL 4 : Satellite Server (RHSA-2008:0630)	Nessus	Red Hat Local Security Checks	medium
43837	RHEL 3 / 4 : Satellite Server (RHSA-2008:0524)	Nessus	Red Hat Local Security Checks	critical
43835	RHEL 4 : Satellite Server (RHSA-2008:0261)	Nessus	Red Hat Local Security Checks	critical
41198	SuSE9 Security Update : Tomcat (YOU Patch Number 12078)	Nessus	SuSE Local Security Checks	medium
31319	openSUSE 10 Security Update : apache2-mod_jk (apache2-mod_jk-4992)	Nessus	SuSE Local Security Checks	medium
31298	SuSE 10 Security Update : Tomcat 5 (ZYPP Patch Number 4990)	Nessus	SuSE Local Security Checks	medium
30060	Debian DSA-1468-1 : tomcat5.5 - several vulnerabilities	Nessus	Debian Local Security Checks	medium

Detections

Analytics

CVE-2008-0128

medium

Tenable Plugins

medium

medium

medium

medium

critical

critical

medium

medium

medium

medium