Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - tomcat: security manager bypass via IntrospectHelper utility function (CVE-2016-5018)

  - tomcat: Remote Code Execution bypass for CVE-2017-12615 (CVE-2017-12617)

  - Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x before 8.0.0-RC10 processes chunked transfer     coding without properly handling (1) a large total amount of chunked data or (2) whitespace characters in     an HTTP header value within a trailer field, which allows remote attackers to cause a denial of service by     streaming data. NOTE: this vulnerability exists because of an incomplete fix for CVE-2012-3544.
    (CVE-2013-4322)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

The following packages have been upgraded to a newer upstream version:
tomcat (7.0.69). (BZ#1287928)

Security Fix(es) :

* A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351)

* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)

* A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763)

* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.
(CVE-2016-3092)

* A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. (CVE-2015-5174)

* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured.
This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

From Red Hat Security Advisory 2016:2599 :

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

The following packages have been upgraded to a newer upstream version:
tomcat (7.0.69). (BZ#1287928)

Security Fix(es) :

* A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351)

* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)

* A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763)

* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.
(CVE-2016-3092)

* A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. (CVE-2015-5174)

* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured.
This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:0597 advisory.

  - tomcat: non-persistent DoS attack by feeding data by aborting an upload (CVE-2014-0230)

  - EAP: HTTPS NIO connector uses no timeout when reading SSL handshake from client (CVE-2016-2094)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

A jboss-ec2-eap update is now available for Red Hat JBoss Enterprise Application Platform 6.4.7 on Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2). With this update, the packages have been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.7.

Security Fix(es) :

* A read-timeout flaw was found in the HTTPS NIO Connector handling of SSL handshakes. A remote, unauthenticated attacker could create a socket and cause a thread to remain occupied indefinitely so long as the socket remained open (denial of service). (CVE-2016-2094)

* It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made. (CVE-2014-0230)

The CVE-2016-2094 issue was discovered by Aaron Ogburn of Red Hat.

A Red Hat JBoss Enterprise Application Platform update is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.6, and includes bug fixes and enhancements.
Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.4.7 Release Notes, linked to in the References.

Security Fix(es) :

* A read-timeout flaw was found in the HTTPS NIO Connector handling of SSL handshakes. A remote, unauthenticated attacker could create a socket and cause a thread to remain occupied indefinitely so long as the socket remained open (denial of service). (CVE-2016-2094)

* It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made. (CVE-2014-0230)

The CVE-2016-2094 issue was discovered by Aaron Ogburn of Red Hat.

A Red Hat JBoss Enterprise Application Platform update is now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Red Hat JBoss Enterprise Application Platform 6 is a platform for Java applications based on JBoss Application Server 7.

This release serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.6, and includes bug fixes and enhancements.
Documentation for these changes will be available shortly from the Red Hat JBoss Enterprise Application Platform 6.4.7 Release Notes, linked to in the References.

Security Fix(es) :

* A read-timeout flaw was found in the HTTPS NIO Connector handling of SSL handshakes. A remote, unauthenticated attacker could create a socket and cause a thread to remain occupied indefinitely so long as the socket remained open (denial of service). (CVE-2016-2094)

* It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made. (CVE-2014-0230)

The CVE-2016-2094 issue was discovered by Aaron Ogburn of Red Hat.

Multiple security vulnerabilities have been fixed in the Tomcat servlet and JSP engine, which may result on bypass of security manager restrictions, information disclosure, denial of service or session fixation.

It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)

It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made. (CVE-2014-0230)

Updated Red Hat JBoss Web Server 3.0.2 packages are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server.
(CVE-2014-0230)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
(CVE-2013-5704)

Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)

* This enhancement update adds the Red Hat JBoss Web Server 3.0.2 packages to Red Hat Enterprise Linux 7. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-229)

Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.

Updated Red Hat JBoss Web Server 3.0.2 packages are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server.
(CVE-2014-0230)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
(CVE-2013-5704)

Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)

* This enhancement update adds the Red Hat JBoss Web Server 3.0.2 packages to Red Hat Enterprise Linux 6. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-228)

Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.

Updated tomcat6 and tomcat7 packages that fix two security issues are now available for Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 5, 6, and 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)

It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made. (CVE-2014-0230)

All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat Customer Portal are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect.

Apache Tomcat 7.0.x before 7.0.55 or 8.0.x before 8.0.9 is affected by multiple vulnerabilities: 

 - A flaw in handling attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service by streaming data with malformed chunked transfer coding. (CVE-2014-0227) 

 - A flaw in handling an aborted file upload after it has partially been completed may allow a remote attacker to exhaust available memory resources. (CVE-2014-0230)

According to its self-reported version number, the Apache Tomcat service listening on the remote host is 6.0.x prior to 6.0.44. It is, therefore, affected by multiple vulnerabilities:

 - An error exists due to a failure to limit the size of discarded requests. A remote attacker can exploit this to exhaust available memory resources, resulting in a denial of service condition. (CVE-2014-0230)

 - A NULL pointer dereference flaw exists when the SSLv3 option isn't enabled and an SSLv3 ClientHello is received. This allows a remote attacker, using an unexpected handshake, to crash the daemon, resulting in a denial of service. (CVE-2014-3569)

 - The BIGNUM squaring (BN_sqr) implementation does not properly calculate the square of a BIGNUM value. This allows remote attackers to defeat cryptographic protection mechanisms. (CVE-2014-3570)

 - A NULL pointer dereference flaw exists with dtls1_get_record() when handling DTLS messages. A remote attacker, using a specially crafted DTLS message, can cause a denial of service. (CVE-2014-3571)

 - A flaw exists with ECDH handshakes when using an ECDSA certificate without a ServerKeyExchange message. This allows a remote attacker to trigger a loss of forward secrecy from the ciphersuite. (CVE-2014-3572)

 - A malicious application can use expression language to bypass the internal Security Manager and execute code with elevated privileges. (CVE-2014-7810)

 - A flaw exists when accepting non-DER variations of certificate signature algorithms and signature encodings due to a lack of enforcement of matches between signed and unsigned portions. A remote attacker, by including crafted data within a certificate's unsigned portion, can bypass fingerprint-based certificate-blacklist protection mechanisms. (CVE-2014-8275)

 - A security feature bypass vulnerability, known as FREAK (Factoring attack on RSA-EXPORT Keys), exists due to the support of weak EXPORT_RSA cipher suites with keys less than or equal to 512 bits. A man-in-the-middle attacker may be able to downgrade the SSL/TLS connection to use EXPORT_RSA cipher suites which can be factored in a short amount of time, allowing the attacker to intercept and decrypt the traffic.

The Oracle Secure Global Desktop installed on the remote host is version 4.63 / 4.71 / 5.1 / 5.2. It is, therefore, affected by the following vulnerabilities :

  - A security bypass vulnerability exists in Kerberos 5 due     to a failure to properly determine the acceptability of     checksums. A remote attacker can exploit this to forge     tokens or gain privileges by using an unkeyed checksum.
    (CVE-2010-1324)

  - A NULL pointer deference flaw exists in the function     bdfReadCharacters() in file bdfread.c of the X.Org     libXfont module due to improper handling of non-readable     character bitmaps. An authenticated, remote attacker,     using a crafted BDF font file, can exploit this to     cause a denial of service or execute arbitrary code.
    (CVE-2015-1803)

  - An out-of-bounds read/write error exists in the     SProcXFixesSelectSelectionInput() function in the     XFixes extension. A remote, authenticated attacker,     using a crafted length value, can exploit this to     cause a denial of service or execute arbitrary code.
    (CVE-2014-8102)

  - A remote attacker, by using a crafted string length     value in an XkbSetGeometry request, can gain access to     sensitive information from process memory or cause a     denial of service. (CVE-2015-0255)

  - An invalid read error exists in the ASN1_TYPE_cmp()     function due to improperly performed boolean-type     comparisons. A remote attacker can exploit this, via a     crafted X.509 certificate to an endpoint that uses the     certificate-verification feature, to cause an invalid     read operation, resulting in a denial of service.
    (CVE-2015-0286)

  - A denial of service vulnerability exists in Apache     Tomcat due to improper handling of HTTP responses     that occurs before finishing reading an entire request     body. A remote attacker can exploit this by using a     crafted series of aborted upload attempts.
    (CVE-2014-0230)

  - A denial of service vulnerability exists in Apache     Tomcat in ChunkedInputFilter.java due to improper     handling of attempts to read data after an error has     occurred. A remote attacker can exploit this by     streaming data with malformed chunked-transfer     encoding. (CVE-2014-0227)

  - A NULL pointer dereference flaw exists in the     dtls1_get_record() function when handling DTLS messages.
    A remote attacker, using a specially crafted DTLS     message, can cause a denial of service. (CVE-2014-3571)

  - An unspecified flaw exists that is related to the     JServer subcomponent. A remote attacker can exploit this     to impact confidentiality and integrity. No further     details have been provided. (CVE-2015-2581)

It was discovered that Tomcat incorrectly handled data with malformed chunked transfer coding. A remote attacker could possibly use this issue to conduct HTTP request smuggling attacks, or cause Tomcat to consume resources, resulting in a denial of service. (CVE-2014-0227)

It was discovered that Tomcat incorrectly handled HTTP responses occurring before the entire request body was finished being read. A remote attacker could possibly use this issue to cause memory consumption, resulting in a denial of service. (CVE-2014-0230)

It was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a SecurityManager protection mechanism. (CVE-2014-7810).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2654-1 advisory.

    It was discovered that the Tomcat XML parser incorrectly handled XML External Entities (XXE). A remote     attacker could possibly use this issue to read arbitrary files. This issue only affected Ubuntu 14.04 LTS.
    (CVE-2014-0119)

    It was discovered that Tomcat incorrectly handled data with malformed chunked transfer coding. A remote     attacker could possibly use this issue to conduct HTTP request smuggling attacks, or cause Tomcat to     consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS.
    (CVE-2014-0227)

    It was discovered that Tomcat incorrectly handled HTTP responses occurring before the entire request body     was finished being read. A remote attacker could possibly use this issue to cause a limited denial of     service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0230)

    It was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible     interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a     SecurityManager protection mechanism. (CVE-2014-7810)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Apache Software Foundation reports :

Low: Denial of Service CVE-2014-0230

When a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.

Moderate: Security Manager bypass CVE-2014-7810

Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.

The following vulnerabilities were found in Apache Tomcat 6 :

CVE-2014-0227

The Tomcat security team identified that it was possible to conduct HTTP request smuggling attacks or cause a DoS by streaming malformed data.

CVE-2014-0230

AntBean@secdig, from the Baidu Security Team, disclosed that it was possible to cause a limited DoS attack by feeding data by aborting an upload.

CVE-2014-7810

The Tomcat security team identified that malicious web applications could bypass the Security Manager by the use of expression language.

For Debian 6 'Squeeze', these issues have been fixed in tomcat6 version 6.0.41-2+squeeze7.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

According to its self-reported version number, the Apache Tomcat service listening on the remote host is 6.0.x prior to 6.0.44. It is, therefore, affected by multiple vulnerabilities :

  - An error exists due to a failure to limit the size of     discarded requests. A remote attacker can exploit this     to exhaust available memory resources, resulting in a     denial of service condition. (CVE-2014-0230)

  - A NULL pointer dereference flaw exists when the SSLv3     option isn't enabled and an SSLv3 ClientHello is     received. This allows a remote attacker, using an     unexpected handshake, to crash the daemon, resulting in     a denial of service. (CVE-2014-3569)

  - The BIGNUM squaring (BN_sqr) implementation does not     properly calculate the square of a BIGNUM value. This     allows remote attackers to defeat cryptographic     protection mechanisms. (CVE-2014-3570)

  - A NULL pointer dereference flaw exists with     dtls1_get_record() when handling DTLS messages. A remote     attacker, using a specially crafted DTLS message, can     cause a denial of service. (CVE-2014-3571)

  - A flaw exists with ECDH handshakes when using an ECDSA     certificate without a ServerKeyExchange message. This     allows a remote attacker to trigger a loss of forward     secrecy from the ciphersuite. (CVE-2014-3572)

  - A malicious application can use expression language to     bypass the internal Security Manager and execute code     with elevated privileges. (CVE-2014-7810)

  - A flaw exists when accepting non-DER variations of     certificate signature algorithms and signature encodings     due to a lack of enforcement of matches between signed     and unsigned portions. A remote attacker, by including     crafted data within a certificate's unsigned portion,     can bypass fingerprint-based certificate-blacklist     protection mechanisms. (CVE-2014-8275)

  - A security feature bypass vulnerability, known as FREAK     (Factoring attack on RSA-EXPORT Keys), exists due to the     support of weak EXPORT_RSA cipher suites with keys less     than or equal to 512 bits. A man-in-the-middle attacker     may be able to downgrade the SSL/TLS connection to use     EXPORT_RSA cipher suites which can be factored in a     short amount of time, allowing the attacker to intercept     and decrypt the traffic. (CVE-2015-0204)

  - A flaw exists when accepting DH certificates for client     authentication without the CertificateVerify message.
    This allows a remote attacker to authenticate to the     service without a private key. (CVE-2015-0205)

  - A memory leak occurs in dtls1_buffer_record()     when handling a saturation of DTLS records containing     the same number sequence but for the next epoch. This     allows a remote attacker to cause a denial of service.
    (CVE-2015-0206)

  - A use-after-free condition exists in the     d2i_ECPrivateKey() function due to improper processing     of malformed EC private key files during import. A     remote attacker can exploit this to dereference or free     already freed memory, resulting in a denial of service     or other unspecified impact. (CVE-2015-0209)

  - An invalid read flaw exists in the ASN1_TYPE_cmp()     function due to improperly performed boolean-type     comparisons. A remote attacker can exploit this, via a     crafted X.509 certificate to an endpoint that uses the     certificate-verification feature, to cause an invalid     read operation, resulting in a denial of service.
    (CVE-2015-0286)

  - A flaw exists in the ASN1_item_ex_d2i() function due to     a failure to reinitialize 'CHOICE' and 'ADB' data     structures when reusing a structure in ASN.1 parsing.
    This allows a remote attacker to cause an invalid write     operation and memory corruption, resulting in a denial     of service. (CVE-2015-0287)

  - A NULL pointer dereference flaw exists in the     X509_to_X509_REQ() function due to improper processing     of certificate keys. This allows a remote attacker, via     a crafted X.509 certificate, to cause a denial of     service. (CVE-2015-0288)

  - A NULL pointer dereference flaw exists in the PKCS#7     parsing code due to incorrect handling of missing outer     ContentInfo. This allows a remote attacker, using an     application that processes arbitrary PKCS#7 data and     providing malformed data with ASN.1 encoding, to cause     a denial of service. (CVE-2015-0289)

  - A flaw exists in servers that both support SSLv2 and     enable export cipher suites due to improper     implementation of SSLv2. A remote attacker can exploit     this, via a crafted CLIENT-MASTER-KEY message, to cause     a denial of service. (CVE-2015-0293)

Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.0.9. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_8.0.9_security-8 advisory.

  - java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x     before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an     error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a     denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
    (CVE-2014-0227)

  - Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases     where an HTTP response occurs before finishing the reading of an entire request body, which allows remote     attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
    (CVE-2014-0230)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 7.0.55. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_7.0.55_security-7 advisory.

  - java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x     before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an     error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a     denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
    (CVE-2014-0227)

  - Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases     where an HTTP response occurs before finishing the reading of an entire request body, which allows remote     attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
    (CVE-2014-0230)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
198604	RHEL 5 : tomcat5 (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
95345	CentOS 7 : tomcat (CESA-2016:2599)	Nessus	CentOS Local Security Checks	high
94718	Oracle Linux 7 : tomcat (ELSA-2016-2599)	Nessus	Oracle Linux Local Security Checks	high
94562	RHEL 7 : tomcat (RHSA-2016:2599)	Nessus	Red Hat Local Security Checks	high
91301	F5 Networks BIG-IP : Apache Tomcat vulnerability (SOL17123)	Nessus	F5 Networks Local Security Checks	high
90990	RHEL 7 : Red Hat JBoss Enterprise Application Platform 6.4.7 update (Moderate) (RHSA-2016:0597)	Nessus	Red Hat Local Security Checks	high
90390	RHEL 6 : jboss-ec2-eap (RHSA-2016:0598)	Nessus	Red Hat Local Security Checks	high
90389	RHEL 6 : JBoss EAP (RHSA-2016:0596)	Nessus	Red Hat Local Security Checks	high
90388	RHEL 5 : JBoss EAP (RHSA-2016:0595)	Nessus	Red Hat Local Security Checks	high
90205	Debian DSA-3530-1 : tomcat6 - security update	Nessus	Debian Local Security Checks	high
89837	Amazon Linux AMI : tomcat6 (ALAS-2016-656)	Nessus	Amazon Linux Local Security Checks	high
87458	RHEL 7 : JBoss Web Server (RHSA-2015:2660)	Nessus	Red Hat Local Security Checks	medium
87457	RHEL 6 : JBoss Web Server (RHSA-2015:2659)	Nessus	Red Hat Local Security Checks	medium
85441	RHEL 5 / 6 / 7 : JBoss Web Server (RHSA-2015:1622)	Nessus	Red Hat Local Security Checks	high
8831	Apache Tomcat 7.0.x < 7.0.55 / 8.0.x < 8.0.9 Multiple Vulnerabilities	Nessus Network Monitor	Web Servers	medium
8830	Apache Tomcat 6.0.x < 6.0.44 Multiple Vulnerabilities (FREAK)	Nessus Network Monitor	Web Servers	medium
84795	Oracle Secure Global Desktop Multiple Vulnerabilities (July 2015 CPU)	Nessus	Misc.	high
84430	Ubuntu 12.04 LTS : tomcat6 vulnerabilities (USN-2655-1)	Nessus	Ubuntu Local Security Checks	high
84429	Ubuntu 14.04 LTS : Tomcat vulnerabilities (USN-2654-1)	Nessus	Ubuntu Local Security Checks	medium
84201	FreeBSD : tomcat -- multiple vulnerabilities (25e0593d-13c0-11e5-9afb-3c970e169bc2)	Nessus	FreeBSD Local Security Checks	high
83887	Debian DLA-232-1 : tomcat6 security update	Nessus	Debian Local Security Checks	high
83490	Apache Tomcat 6.0.x < 6.0.44 Multiple Vulnerabilities (FREAK)	Nessus	Web Servers	high
81580	Apache Tomcat 8.0.0-RC1 < 8.0.9 multiple vulnerabilities	Nessus	Web Servers	medium
77475	Apache Tomcat 7.0.0 < 7.0.55 multiple vulnerabilities	Nessus	Web Servers	medium

Detections

Analytics

CVE-2014-0230

high

Tenable Plugins

critical

high

high

high

high

high

high

high

high

high

high

medium

medium

high

medium

medium

high

high

medium

high

high

high

medium

medium