The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

The remote Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6943-1 advisory.

    It was discovered that Tomcat incorrectly handled certain uncommon PersistenceManager with FileStore     configurations. A remote attacker could possibly use this issue to execute arbitrary code. This issue only     affected tomcat8 for Ubuntu 18.04 LTS (CVE-2020-9484)

    It was discovered that Tomcat incorrectly handled certain HTTP/2 connection requests. A remote attacker     could use this issue to obtain wrong responses possibly containing sensitive information. This issue only     affected tomcat8 for Ubuntu 18.04 LTS (CVE-2021-25122)

    Thomas Wozenilek discovered that Tomcat incorrectly handled certain TLS packets. A remote attacker could     possibly use this issue to cause a denial of service. This issue only affected tomcat8 for Ubuntu 18.04     LTS (CVE-2021-41079)

    Trung Pham discovered that a race condition existed in Tomcat when handling session files with FileStore.
    A remote attacker could possibly use this issue to execute arbitrary code. This issue affected tomcat8 for     Ubuntu 16.04 LTS and Ubuntu 18.04 LTS, and tomcat9 for Ubuntu 18.04 LTS and Ubuntu 20.04 LTS     (CVE-2022-23181)

    It was discovered that Tomcat's documentation incorrectly stated that EncryptInterceptor provided     availability protection when running over an untrusted network. A remote attacker could possibly use this     issue to cause a denial of service even if EncryptInterceptor was being used. This issue affected tomcat8     for Ubuntu 18.04 LTS, and tomcat9 for Ubuntu 18.04 LTS, Ubuntu 20.04 LTS and Ubuntu 22.04 LTS     (CVE-2022-29885)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 9 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - tomcat: EncryptInterceptor documentation mistake (CVE-2022-29885)

  - tomcat: JsonErrorReportValve injection (CVE-2022-45143)

  - Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate     incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially     crafted packet could be used to trigger an infinite loop resulting in a denial of service.
    (CVE-2021-41079)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - tomcat: EncryptInterceptor documentation mistake (CVE-2022-29885)

  - tomcat: Open Redirect vulnerability in FORM authentication (CVE-2023-41080)

  - Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat     from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from     8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to     information leaking from the current request/response to the next. Users are recommended to upgrade to     version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
    (CVE-2023-42795)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 8 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - tomcat: Session fixation when using FORM authentication (CVE-2019-17563)

  - tomcat: JsonErrorReportValve injection (CVE-2022-45143)

  - The SSI printenv command in Apache Tomcat 9.0.0.M1 to 9.0.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 echoes     user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The     printenv command is intended for debugging and is unlikely to be present in a production website.
    (CVE-2019-0221)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - tomcat: XSS in SSI printenv (CVE-2019-0221)

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

  - Incomplete Cleanup vulnerability in Apache Tomcat.When recycling various internal objects in Apache Tomcat     from 11.0.0-M1 through 11.0.0-M11, from 10.1.0-M1 through 10.1.13, from 9.0.0-M1 through 9.0.80 and from     8.5.0 through 8.5.93, an error could cause Tomcat to skip some parts of the recycling process leading to     information leaking from the current request/response to the next. Users are recommended to upgrade to     version 11.0.0-M12 onwards, 10.1.14 onwards, 9.0.81 onwards or 8.5.94 onwards, which fixes the issue.
    (CVE-2023-42795)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

This plugin has been deprecated as it does not adhere to established standards for this style of check.

The version of IBM Engineering Requirements Management DOORS (formerly IBM Rational DOORS) installed on the remote host is 9.7.2.x prior to 9.7.2.8. It is, therefore, affected by multiple vulnerabilities as referenced in the 7124058 advisory.

  - Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet     containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly     vulnerable to an authorization bypass. (CVE-2022-32532)

  - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow     a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary     shell commands by manipulating serialized class types in the OpenWire protocol to cause either the client     or the broker (respectively) to instantiate any class on the classpath. Users are recommended to upgrade     both brokers and clients to version 5.15.16, 5.16.7, 5.17.6, or 5.18.3 which fixes this issue.
    (CVE-2023-46604)

  - Scala 2.13.x before 2.13.9 has a Java deserialization chain in its JAR file. On its own, it cannot be     exploited. There is only a risk in conjunction with Java object deserialization within an application. In     such situations, it allows attackers to erase contents of arbitrary files, make network connections, or     possibly run arbitrary code (specifically, Function0 functions) via a gadget chain. (CVE-2022-36944)

  - IBM Engineering Requirements Management DOORS 9.7.2.7 is vulnerable to cross-site request forgery which     could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the     website trusts. IBM X-Force ID: 251216. (CVE-2023-28949)

  - A cross-site scripting (XSS) vulnerability in the HTML Data Processor for CKEditor 4.0 before 4.14 allows     remote attackers to inject arbitrary web script through a crafted protected comment (with the     cke_protected syntax). (CVE-2020-9281)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat installed on the remote host is prior to 8.5.79-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2TOMCAT8.5-2023-005 advisory.

  - A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution     (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR     deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not     vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be     other ways to exploit it. (CVE-2022-22965)

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 6.6. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.6 advisory.

  - In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the     Form authentication example in the examples web application displayed user provided data without     filtering, exposing a XSS vulnerability. (CVE-2022-34305)

  - An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the     attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content     to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing     filenames with two or more newlines where selected content and the target file names are embedded in     crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write     arbitrary files on the system. (CVE-2022-1271)

  - http.client in Python 3.x before 3.5.10, 3.6.x before 3.6.12, 3.7.x before 3.7.9, and 3.8.x before 3.8.5     allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR     and LF control characters in the first argument of HTTPConnection.request. (CVE-2020-26116)

  - urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as     demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this     is similar to CVE-2020-26116. (CVE-2020-26137)

  - Python 3.x through 3.9.1 has a buffer overflow in PyCArg_repr in _ctypes/callproc.c, which may lead to     remote code execution in certain Python applications that accept floating-point numbers as untrusted     input, as demonstrated by a 1e300 argument to c_double.from_param. This occurs because sprintf is used     unsafely. (CVE-2021-3177)

  - An issue was discovered in rsync before 3.2.5 that allows malicious remote servers to write arbitrary     files inside the directories of connecting peers. The server chooses which files/directories are sent to     the client. However, the rsync client performs insufficient validation of file names. A malicious rsync     server (or Man-in-The-Middle attacker) can overwrite arbitrary files in the rsync client target directory     and subdirectories (for example, overwrite the .ssh/authorized_keys file). (CVE-2022-29154)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,     18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise     Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21426)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,     17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21434)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,     17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM     Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21443)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle     GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion     or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21449)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,     17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise     Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients     running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code     (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability     can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies     data to the APIs. (CVE-2022-21476)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,     18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible     data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21496)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1,     17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data.
    Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web     Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from     the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using     APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21540)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Hotspot). Supported versions that are affected are Oracle Java SE: 7u343, 8u333, 11.0.15.1,     17.0.3.1, 18.0.1.1; Oracle GraalVM Enterprise Edition: 20.3.6, 21.3.2 and 22.1.0. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized creation, deletion or modification access to critical data or all Oracle Java SE, Oracle     GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments,     typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load     and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for     security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through     a web service which supplies data to the APIs. (CVE-2022-21541)

  - The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious     XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler     and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java     runtimes (such as OpenJDK) include repackaged copies of Xalan. (CVE-2022-34169)

  - Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported     versions, allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP     broker through the spring-messaging module. A malicious user (or attacker) can craft a message to the     broker that can lead to a remote code execution attack. (CVE-2018-1270)

  - An issue was discovered in SaltStack Salt before 3003.3. A user who has control of the source, and     source_hash URLs can gain full file system access as root on a salt minion. (CVE-2021-21996)

  - Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered     discarding the request body, exposing the server to HTTP Request Smuggling (CVE-2022-22720)

  - VMware Tools (12.0.0, 11.x.y and 10.x.y) contains a local privilege escalation vulnerability. A malicious     actor with local non-administrative access to the Guest OS can escalate privileges as a root user in the     virtual machine. (CVE-2022-31676)

  - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many     distant matches. (CVE-2018-25032)

  - If a web application sends a WebSocket message concurrently with the WebSocket connection closing when     running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the     application will continue to use the socket after it has been closed. The error handling triggered in this     case could cause the a pooled object to be placed in the pool twice. This could result in subsequent     connections using the same object concurrently which could result in data being returned to the wrong use     and/or other errors. (CVE-2022-25762)

  - The BN_mod_sqrt() function, which computes a modular square root, contains a bug that can cause it to loop     forever for non-prime moduli. Internally this function is used when parsing certificates that contain     elliptic curve public keys in compressed form or explicit elliptic curve parameters with a base point     encoded in compressed form. It is possible to trigger the infinite loop by crafting a certificate that has     invalid explicit curve parameters. Since certificate parsing happens prior to verification of the     certificate signature, any process that parses an externally supplied certificate may thus be subject to a     denial of service attack. The infinite loop can also be reached when parsing crafted private keys as they     can contain explicit elliptic curve parameters. Thus vulnerable situations include: - TLS clients     consuming server certificates - TLS servers consuming client certificates - Hosting providers taking     certificates or private keys from customers - Certificate authorities parsing certification requests from     subscribers - Anything else which parses ASN.1 elliptic curve parameters Also any other applications that     use the BN_mod_sqrt() where the attacker can control the parameter values are vulnerable to this DoS     issue. In the OpenSSL 1.0.2 version the public key is not parsed during initial parsing of the certificate     which makes it slightly harder to trigger the infinite loop. However any operation which requires the     public key from the certificate will trigger the infinite loop. In particular the attacker can use a self-     signed certificate to trigger the loop during verification of the certificate signature. This issue     affects OpenSSL versions 1.0.2, 1.1.1 and 3.0. It was addressed in the releases of 1.1.1n and 3.0.2 on the     15th March 2022. Fixed in OpenSSL 3.0.2 (Affected 3.0.0,3.0.1). Fixed in OpenSSL 1.1.1n (Affected     1.1.1-1.1.1m). Fixed in OpenSSL 1.0.2zd (Affected 1.0.2-1.0.2zc). (CVE-2022-0778)

  - In Expat (aka libexpat) before 2.4.3, a left shift by 29 (or more) places in the storeAtts function in     xmlparse.c can lead to realloc misbehavior (e.g., allocating too few bytes, or only freeing memory).
    (CVE-2021-45960)

  - In doProlog in xmlparse.c in Expat (aka libexpat) before 2.4.3, an integer overflow exists for     m_groupSize. (CVE-2021-46143)

  - addBinding in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22822)

  - build_model in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22823)

  - defineAttribute in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
    (CVE-2022-22824)

  - lookup in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22825)

  - nextScaffoldPart in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow.
    (CVE-2022-22826)

  - storeAtts in xmlparse.c in Expat (aka libexpat) before 2.4.3 has an integer overflow. (CVE-2022-22827)

  - Expat (aka libexpat) before 2.4.4 has a signed integer overflow in XML_GetBuffer, for configurations with     a nonzero XML_CONTEXT_BYTES. (CVE-2022-23852)

  - xmltok_impl.c in Expat (aka libexpat) before 2.4.5 lacks certain validation of encoding, such as checks     for whether a UTF-8 character is valid in a certain context. (CVE-2022-25235)

  - xmlparse.c in Expat (aka libexpat) before 2.4.5 allows attackers to insert namespace-separator characters     into namespace URIs. (CVE-2022-25236)

  - In Expat (aka libexpat) before 2.4.5, there is an integer overflow in storeRawNames. (CVE-2022-25315)

  - Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and     expanded. The standard format for interpolation is ${prefix:name}, where prefix is used to locate an     instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with     version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that     could result in arbitrary code execution or contact with remote servers. These lookups are: - script -     execute expressions using the JVM script execution engine (javax.script) - dns - resolve dns records -     url - load values from urls, including from remote servers Applications using the interpolation defaults     in the affected versions may be vulnerable to remote code execution or unintentional contact with remote     servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons     Text 1.10.0, which disables the problematic interpolators by default. (CVE-2022-42889)

  - A use-after-free vulnerability was found in systemd. This issue occurs due to the on_stream_io() function     and dns_stream_complete() function in 'resolved-dns-stream.c' not incrementing the reference counting for     the DnsStream object. Therefore, other functions and callbacks called can dereference the DNSStream     object, causing the use-after-free when the reference is still used later. (CVE-2022-2526)

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5265 advisory.

  - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to     7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the     server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is     configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)     or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker     knows the relative file path from the storage location used by FileStore to the file the attacker has     control over; then, using a specifically crafted request, the attacker will be able to trigger remote code     execution via deserialization of the file under their control. Note that all of conditions a) to d) must     be true for the attack to succeed. (CVE-2020-9484)

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat     10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local     attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue     is only exploitable when Tomcat is configured to persist sessions using the FileStore. (CVE-2022-23181)

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3160 advisory.

  - When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to     7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the     server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is     configured with sessionAttributeValueClassNameFilter=null (the default unless a SecurityManager is used)     or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker     knows the relative file path from the storage location used by FileStore to the file the attacker has     control over; then, using a specifically crafted request, the attacker will be able to trigger remote code     execution via deserialization of the file under their control. Note that all of conditions a) to d) must     be true for the attack to succeed. (CVE-2020-9484)

  - The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to     Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache     Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause     client connections to share an Http11Processor instance resulting in responses, or part responses, to be     received by the wrong client. (CVE-2021-43980)

  - The fix for bug CVE-2020-9484 introduced a time of check, time of use vulnerability into Apache Tomcat     10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14, 9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local     attacker to perform actions with the privileges of the user that the Tomcat process is using. This issue     is only exploitable when Tomcat is configured to persist sessions using the FileStore. (CVE-2022-23181)

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 5.20.4.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-5.20.4.5 advisory.

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,     18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise     Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21426)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,     17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21434)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,     17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM     Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21443)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle     GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion     or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21449)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,     17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise     Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients     running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code     (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability     can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies     data to the APIs. (CVE-2022-21476)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,     18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible     data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21496)

  - An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the     attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content     to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing     filenames with two or more newlines where selected content and the target file names are embedded in     crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write     arbitrary files on the system. (CVE-2022-1271)

  - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many     distant matches. (CVE-2018-25032)

  - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the     kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups     v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
    (CVE-2022-0492)

  - If a web application sends a WebSocket message concurrently with the WebSocket connection closing when     running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the     application will continue to use the socket after it has been closed. The error handling triggered in this     case could cause the a pooled object to be placed in the pool twice. This could result in subsequent     connections using the same object concurrently which could result in data being returned to the wrong use     and/or other errors. (CVE-2022-25762)

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of AOS installed on the remote host is prior to 6.1.1.5. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.1.1.5 advisory.

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JAXP). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,     18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM Enterprise     Edition. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21426)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,     17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21434)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,     17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Difficult to exploit     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Java SE, Oracle GraalVM     Enterprise Edition. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21443)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 17.0.2 and 18; Oracle     GraalVM Enterprise Edition: 21.3.1 and 22.0.0.2. Easily exploitable vulnerability allows unauthenticated     attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM     Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized creation, deletion     or modification access to critical data or all Oracle Java SE, Oracle GraalVM Enterprise Edition     accessible data. Note: This vulnerability applies to Java deployments, typically in clients running     sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g.,     code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also     be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to     the APIs. (CVE-2022-21449)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: Libraries). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14,     17.0.2, 18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable     vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise     Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in     unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise     Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients     running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code     (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability     can also be exploited by using APIs in the specified Component, e.g., through a web service which supplies     data to the APIs. (CVE-2022-21476)

  - Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE     (component: JNDI). Supported versions that are affected are Oracle Java SE: 7u331, 8u321, 11.0.14, 17.0.2,     18; Oracle GraalVM Enterprise Edition: 20.3.5, 21.3.1 and 22.0.0.2. Easily exploitable vulnerability     allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE,     Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized     update, insert or delete access to some of Oracle Java SE, Oracle GraalVM Enterprise Edition accessible     data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java     Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes     from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by     using APIs in the specified Component, e.g., through a web service which supplies data to the APIs.
    (CVE-2022-21496)

  - An arbitrary file write vulnerability was found in GNU gzip's zgrep utility. When zgrep is applied on the     attacker's chosen file name (for example, a crafted file name), this can overwrite an attacker's content     to an arbitrary attacker-selected file. This flaw occurs due to insufficient validation when processing     filenames with two or more newlines where selected content and the target file names are embedded in     crafted multi-line file names. This flaw allows a remote, low privileged attacker to force zgrep to write     arbitrary files on the system. (CVE-2022-1271)

  - zlib before 1.2.12 allows memory corruption when deflating (i.e., when compressing) if the input has many     distant matches. (CVE-2018-25032)

  - If a web application sends a WebSocket message concurrently with the WebSocket connection closing when     running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the     application will continue to use the socket after it has been closed. The error handling triggered in this     case could cause the a pooled object to be placed in the pool twice. This could result in subsequent     connections using the same object concurrently which could result in data being returned to the wrong use     and/or other errors. (CVE-2022-25762)

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

  - A vulnerability was found in the Linux kernel's cgroup_release_agent_write in the     kernel/cgroup/cgroup-v1.c function. This flaw, under certain circumstances, allows the use of the cgroups     v1 release_agent feature to escalate privileges and bypass the namespace isolation unexpectedly.
    (CVE-2022-0492)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of tomcat8 installed on the remote host is prior to 8.5.81-1.91. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS-2022-1627 advisory.

  - If a web application sends a WebSocket message concurrently with the WebSocket connection closing when     running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the     application will continue to use the socket after it has been closed. The error handling triggered in this     case could cause the a pooled object to be placed in the pool twice. This could result in subsequent     connections using the same object concurrently which could result in data being returned to the wrong use     and/or other errors. (CVE-2022-25762)

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 8.5.38 to 8.5.78, 9.0.13 to 9.0.62, 10.0.0-M1 to 10.0.20 or 10.1.0-M1 to 10.1.0-M14. It is, therefore, affected by a denial of service vulnerability. The documentation for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and integrity protection, it does not protect against all risks associated with running over any untrusted network, particularly DoS risks.

Note that the scanner has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 9.0.63. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.63_security-9 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 8.5.79. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.79_security-8 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 10.1.0-M15. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.1.0-m15_security-10 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is < 10.0.21. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.0.21_security-10 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 9.0.63. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.63_security-9 advisory.

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.0.21. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.0.21_security-10 advisory.

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 10.1.0.M15. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_10.1.0-m15_security-10 advisory.

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The version of Tomcat installed on the remote host is prior to 8.5.79. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_8.5.79_security-8 advisory.

  - The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to 10.0.20, 9.0.13 to 9.0.62 and     8.5.38 to 8.5.78 for the EncryptInterceptor incorrectly stated it enabled Tomcat clustering to run over an     untrusted network. This was not correct. While the EncryptInterceptor does provide confidentiality and     integrity protection, it does not protect against all risks associated with running over any untrusted     network, particularly DoS risks. (CVE-2022-29885)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
204963	Ubuntu 16.04 LTS / 18.04 LTS / 20.04 LTS / 22.04 LTS : Tomcat vulnerabilities (USN-6943-1)	Nessus	Ubuntu Local Security Checks	high
202300	RHEL 9 : tomcat (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
202297	RHEL 6 : tomcat (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	medium
202296	RHEL 8 : tomcat (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
202293	RHEL 7 : tomcat (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	medium
195449	RHEL 8 : tomcat (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	high
195432	RHEL 6 : tomcat (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	high
195383	RHEL 9 : tomcat (Unpatched Vulnerability) (deprecated)	Nessus	Red Hat Local Security Checks	high
191754	IBM Engineering Requirements Management DOORS 9.7.2.x < 9.7.2.8 Multiple Vulnerabilities (7124058)	Nessus	Windows	critical
181988	Amazon Linux 2 : tomcat (ALASTOMCAT8.5-2023-005)	Nessus	Amazon Linux Local Security Checks	critical
170557	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.6)	Nessus	Misc.	critical
167224	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.20.5)	Nessus	Misc.	critical
166706	Debian DSA-5265-1 : tomcat9 - security update	Nessus	Debian Local Security Checks	high
166572	Debian DLA-3160-1 : tomcat9 - LTS security update	Nessus	Debian Local Security Checks	high
164613	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-5.20.4.5)	Nessus	Misc.	high
164600	Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.1.1.5)	Nessus	Misc.	high
163869	Amazon Linux AMI : tomcat8 (ALAS-2022-1627)	Nessus	Amazon Linux Local Security Checks	high
113236	Apache Tomcat 8.5.38 < 8.5.79 EncryptInterceptor DoS	Web App Scanning	Component Vulnerability	high
113235	Apache Tomcat 9.0.13 < 9.0.63 EncryptInterceptor DoS	Web App Scanning	Component Vulnerability	high
113234	Apache Tomcat 10.0.0-M1 < 10.0.21 EncryptInterceptor DoS	Web App Scanning	Component Vulnerability	high
113233	Apache Tomcat 10.1.0-M1 < 10.1.0-M15 EncryptInterceptor DoS	Web App Scanning	Component Vulnerability	high
701405	Apache Tomcat < 9.0.63 Vulnerability	Nessus Network Monitor	Web Servers	high
701404	Apache Tomcat < 8.5.79 Vulnerability	Nessus Network Monitor	Web Servers	high
701403	Apache Tomcat < 10.1.0-M15 Vulnerability	Nessus Network Monitor	Web Servers	high
701402	Apache Tomcat < 10.0.21 Vulnerability	Nessus Network Monitor	Web Servers	high
160894	Apache Tomcat 9.0.13 < 9.0.63	Nessus	Web Servers	high
160893	Apache Tomcat 10.0.0.M1 < 10.0.21	Nessus	Web Servers	high
160892	Apache Tomcat 10.1.0.M1 < 10.1.0.M15	Nessus	Web Servers	high
160891	Apache Tomcat 8.5.38 < 8.5.79	Nessus	Web Servers	high

Detections

Analytics

CVE-2022-29885

high

Tenable Plugins

high

high

medium

high

medium

high

high

high

critical

critical

critical

critical

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high