The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages for the connection window (stream 0) clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - tomcat: Session fixation when using FORM authentication (CVE-2019-17563)

  - tomcat: JsonErrorReportValve injection (CVE-2022-45143)

  - The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes     user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The     printenv command is intended for debugging and is unlikely to be present in a production website.
    (CVE-2019-0221)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The version of IBM Engineering Requirements Management DOORS (formerly IBM Rational DOORS) installed on the remote host is 9.7.2.x prior to 9.7.2.8. It is, therefore, affected by multiple vulnerabilities as referenced in the 7124058 advisory.

  - Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet     containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly     vulnerable to an authorization bypass. (CVE-2022-32532)

  - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow     a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary     shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client     or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade     both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
    (CVE-2023-46604)

  - Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be     exploited. There is only a risk in conjunction with Java object deserialization within an application. In     such situations, it allows attackers to erase contents of arbitrary files, make network connections, or     possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. (CVE-2022-36944)

  - IBM Engineering Requirements Management DOORS 9.7.2.7 is vulnerable to cross-site request forgery which     could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the     website trusts. IBM X-Force ID: 251216. (CVE-2023-28949)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows     remote attackers to inject arbitrary web script through a crafted protected comment (with the     cke_protected syntax). (CVE-2020-9281)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 5.16.1.3. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.16.1.3 advisory.

  - The Linux kernel before 5.1-rc5 allows page->_refcount reference count overflow, with resultant use-after-     free issues, if about 140 GiB of RAM exists. This is related to fs/fuse/dev.c, fs/pipe.c, fs/splice.c,     include/linux/mm.h, include/linux/pipe_fs_i.h, kernel/trace/trace.c, mm/gup.c, and mm/hugetlb.c. It can     occur with FUSE requests. (CVE-2019-11487)

  - rtl_p2p_noa_ie in drivers/net/wireless/realtek/rtlwifi/ps.c in the Linux kernel through 5.3.6 lacks a     certain upper-bound check, leading to a buffer overflow. (CVE-2019-17666)

  - A flaw was found in the fix for CVE-2019-11135, in the Linux upstream kernel versions before 5.5 where,     the way Intel CPUs handle speculative execution of instructions when a TSX Asynchronous Abort (TAA) error     occurs. When a guest is running on a host CPU affected by the TAA flaw (TAA_NO=0), but is not affected by     the MDS issue (MDS_NO=1), the guest was to clear the affected buffers by using a VERW instruction     mechanism. But when the MDS_NO=1 bit was exported to the guests, the guests did not use the VERW mechanism     to clear the affected buffers. This issue affects guests running on Cascade Lake CPUs and requires that     host has 'TSX' enabled. Confidentiality of data is the highest threat associated with this vulnerability.
    (CVE-2019-19338)

  - The Requests package before 2.20.0 for Python sends an HTTP Authorization header to an http URI upon     receiving a same-hostname https-to-http redirect, which makes it easier for remote attackers to discover     credentials by sniffing the network. (CVE-2018-18074)

  - urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin     redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the     Authorization header to be exposed to unintended hosts or transmitted in cleartext. (CVE-2018-20060)

  - In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the     request parameter. (CVE-2019-11236)

  - The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA     certificates is different from the OS store of CA certificates, which results in SSL connections     succeeding in situations where a verification failure is the correct outcome. This is related to use of     the ssl_context, ca_certs, or ca_certs_dir argument. (CVE-2019-11324)

  - The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with     excessive numbers of SETTINGS frames and also permitted clients to keep streams open without     reading/writing request/response data. By keeping streams open for requests that utilised the Servlet     API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread     exhaustion and a DoS. (CVE-2019-0199)

  - The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write     in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40 . By not sending WINDOW_UPDATE messages     for the connection window (stream 0) clients were able to cause server-side threads to block eventually     leading to thread exhaustion and a DoS. (CVE-2019-10072)

  - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote     Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able     to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords     used to access the JMX interface. The attacker can then use these credentials to access the JMX interface     and gain complete control over the Tomcat instance. (CVE-2019-12418)

  - When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98     there was a narrow window where an attacker could perform a session fixation attack. The window was     considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has     been treated as a security vulnerability. (CVE-2019-17563)

  - The refactoring present in Apache Tomcat 9.0.28 to 9.0.30, 8.5.48 to 8.5.50 and 7.0.98 to 7.0.99     introduced a regression. The result of the regression was that invalid Transfer-Encoding headers were     incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a     reverse proxy that incorrectly handled the invalid Transfer-Encoding header in a particular manner. Such a     reverse proxy is considered unlikely. (CVE-2019-17569)

  - A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to     9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of     such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
    (CVE-2020-11996)

  - An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56     did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such     requests were made, an OutOfMemoryException could occur leading to a denial of service. (CVE-2020-13934)

  - The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to     10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could     trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of     service. (CVE-2020-13935)

  - In Apache Tomcat 9.0.0.M1 to 9.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99 the HTTP header parsing code used     an approach to end-of-line parsing that allowed some invalid HTTP headers to be parsed as valid. This led     to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly     handled the invalid Transfer-Encoding header in a particular manner. Such a reverse proxy is considered     unlikely. (CVE-2020-1935)

  - When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to     Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP     connection. If such connections are available to an attacker, they can be exploited in ways that may be     surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped     with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected     (and recommended in the security guide) that this Connector would be disabled if not required. This     vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the     web application - processing any file in the web application as a JSP Further, if the web application     allowed file upload and stored those files within the web application (or the attacker was able to control     the content of the web application by some other means) then this, along with the ability to process a     file as a JSP, made remote code execution possible. It is important to note that mitigation is only     required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth     approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to     Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP     Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading     to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
    (CVE-2020-1938)

  - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to     7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the     server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is     configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)     or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker     knows the relative file path from the storage location used by FileStore to the file the attacker has     control over; then, using a specifically crafted request, the attacker will be able to trigger remote code     execution via deserialization of the file under their control. Note that all of conditions a) to d) must     be true for the attack to succeed. (CVE-2020-9484)

  - An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer     overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in     common/unistr.cpp. (CVE-2020-10531)

  - TSX Asynchronous Abort condition on some CPUs utilizing speculative execution may allow an authenticated     user to potentially enable information disclosure via a side channel with local access. (CVE-2019-11135)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

A denial of service (DoS) vulnerability exists in MySQL Enterprise Monitor due to an HTTP/2 connection window exhaustion on write. Therefore, An unauthenticated, remote attacker can exploit this issue, by not sending WINDOW_UPDATE messages, to cause the system to stop responding.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Several vulnerabilities were discovered in the Tomcat servlet and JSP engine, which could result in HTTP request smuggling, code execution in the AJP connector (disabled by default in Debian) or a man-in-the-middle attack against the JMX interface.

The remote Oracle Database Server is missing the January 2020 Critical Patch Update (CPU). It is, therefore, affected by multiple vulnerabilities:

  - A denial of service (DoS) vulnerability exists in the Core RDBMS component of Oracle Database Server. An     authenticated, remote attacker can exploit this issue, to cause the application to stop responding.
    (CVE-2020-2511)

  - A remote code execution vulnerability exists in the Core RDBMS component of Oracle Database Server. An     unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands.
    (CVE-2020-2510)

  - An unspecified vulnerability exists in the JavaVM component of Oracle Database Server. An authenicated,     remote attacker can exploit this issue, to affect the confidentiality, integrity and availability of the     application.

It is also affected by additional vulnerabilities; see the vendor advisory for more information.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for tomcat to version 9.0.30 fixes the following issues :

Security issue fixed :

  - CVE-2019-12418: Fixed a local privilege escalation     through by manipulating the RMI registry and performing     a man-in-the-middle attack (bsc#1159723).

  - CVE-2019-17563: Fixed a session fixation attack when     using FORM authentication (bsc#1159729).

This update was imported from the SUSE:SLE-15-SP1:Update update project.

The remote Redhat Enterprise Linux 6 / 7 / 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:3929 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 5.2 serves as a replacement for Red Hat JBoss Web Server 5.1, and     includes bug fixes, enhancements, and component upgrades, which are documented in the Release Notes,     linked to in the References.

    Security Fix(es):

    * openssl: Side-channel vulnerability on SMT/Hyper-Threading architectures (PortSmash) (CVE-2018-5407)

    * openssl: 0-byte record padding oracle (CVE-2019-1559)

    * tomcat: HTTP/2 connection window exhaustion on write, incomplete fix of CVE-2019-0199 (CVE-2019-10072)

    * tomcat: XSS in SSI printenv (CVE-2019-0221)

    * tomcat: Apache Tomcat HTTP/2 DoS (CVE-2019-0199)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

According to the version of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - The fix for CVE-2019-0199 was incomplete and did not     address HTTP/2 connection window exhaustion on write in     Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to     8.5.40 . By not sending WINDOW_UPDATE messages for the     connection window (stream 0) clients were able to cause     server-side threads to block eventually leading to     thread exhaustion and a DoS.(CVE-2019-10072)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4128-2 advisory.

    It was discovered that the Tomcat 9 SSI printenv command echoed user

    provided data without escaping it. An attacker could possibly use this

    issue to perform an XSS attack. (CVE-2019-0221)

    It was discovered that Tomcat 9 did not address HTTP/2 connection window exhaustion on write while     addressing CVE-2019-0199. An attacker could

    possibly use this issue to cause a denial of service. (CVE-2019-10072)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 16.04 LTS / 18.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-4128-1 advisory.

    It was discovered that the Tomcat 8 SSI printenv command echoed user

    provided data without escaping it. An attacker could possibly use this

    issue to perform an XSS attack. (CVE-2019-0221)

    It was discovered that Tomcat 8 did not address HTTP/2 connection window exhaustion on write while     addressing CVE-2019-0199. An attacker could

    possibly use this issue to cause a denial of service. (CVE-2019-10072)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update of the apache package has been released.

The version of Apache Tomcat installed on the remote host is 9.0.0.M1 to 9.0.19 or 8.5.0 to 8.5.40. It is, therefore, affected by a denial of service vulnerability due to an incomplete fix for CVE-2019-0199 which did not address HTTP/2 connection window exhaustion on write.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.20. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.20_security-9 advisory.

  - The fix for CVE-2019-0199 was incomplete and did not     address HTTP/2 connection window exhaustion on write. By     not sending WINDOW_UPDATE messages for the connection     window (stream 0) clients were able to cause server-side     threads to block eventually leading to thread exhaustion     and a DoS. (CVE-2019-10072)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.5.41. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.41_security-8 advisory.

  - The fix for CVE-2019-0199 was incomplete and did not     address HTTP/2 connection window exhaustion on write. By     not sending WINDOW_UPDATE messages for the connection     window (stream 0) clients were able to cause server-side     threads to block eventually leading to thread exhaustion     and a DoS. (CVE-2019-10072)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
202296	RHEL 8 : tomcat (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
191754	IBM Engineering Requirements Management DOORS 9.7.2.x < 9.7.2.8 Multiple Vulnerabilities (7124058)	Nessus	Windows	critical
164612	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.17.1)	Nessus	Misc.	critical
164595	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.18)	Nessus	Misc.	critical
164582	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.16.1.3)	Nessus	Misc.	critical
138896	MySQL Enterprise Monitor 8.x < 8.0.18 DoS (Oct 2019 CPU)	Nessus	CGI abuses	high
136376	Debian DSA-4680-1 : tomcat9 - security update	Nessus	Debian Local Security Checks	critical
133047	Oracle Database Server Multiple Vulnerabilities (Jan 2020 CPU)	Nessus	Databases	high
132913	openSUSE Security Update : tomcat (openSUSE-2020-38)	Nessus	SuSE Local Security Checks	high
131214	RHEL 6 / 7 / 8 : Red Hat JBoss Web Server 5.2 security (Important) (RHSA-2019:3929)	Nessus	Red Hat Local Security Checks	high
129453	EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2019-2094)	Nessus	Huawei Local Security Checks	high
129048	Ubuntu 18.04 LTS : Tomcat vulnerabilities (USN-4128-2)	Nessus	Ubuntu Local Security Checks	medium
128682	Ubuntu 16.04 LTS / 18.04 LTS : Tomcat vulnerabilities (USN-4128-1)	Nessus	Ubuntu Local Security Checks	medium
128151	Photon OS 3.0: Apache PHSA-2019-3.0-0024	Nessus	PhotonOS Local Security Checks	high
126954	Photon OS 1.0: Apache PHSA-2019-1.0-0244	Nessus	PhotonOS Local Security Checks	high
98629	Apache Tomcat 8.5.0 < 8.5.41 Denial of Service	Web App Scanning	Component Vulnerability	high
98625	Apache Tomcat 9.0.0.M1 < 9.0.20 Denial of Service	Web App Scanning	Component Vulnerability	high
126245	Apache Tomcat 9.0.0.M1 < 9.0.20 DoS	Nessus	Web Servers	high
126125	Apache Tomcat 8.5.0 < 8.5.41 DoS	Nessus	Web Servers	high

Detections

Analytics

CVE-2019-10072

high

Tenable Plugins

high

critical

critical

critical

critical

high

critical

high

high

high

high

medium

medium

high

high

high

high

high

high