Detections
Analytics
Debian DSA-3974-1 : tomcat8 - security update
high Nessus Plugin ID 103259
Language:
Synopsis
The remote Debian host is missing a security-related update.Description
Two issues were discovered in the Tomcat servlet and JSP engine.- CVE-2017-7674 Rick Riemer discovered that the Cross-Origin Resource Sharing filter did not add a Vary header indicating possible different responses, which could lead to cache poisoning.
- CVE-2017-7675 (stretch only) Markus Dorschmidt found that the HTTP/2 implementation bypassed some security checks, thus allowing an attacker to conduct directory traversal attacks by using specially crafted URLs.
Solution
Upgrade the tomcat8 packages.For the oldstable distribution (jessie), these problems have been fixed in version 8.0.14-1+deb8u11.
For the stable distribution (stretch), these problems have been fixed in version 8.5.14-1+deb9u2.
See Also
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=802312
https://security-tracker.debian.org/tracker/CVE-2017-7674
https://security-tracker.debian.org/tracker/CVE-2017-7675
https://packages.debian.org/source/jessie/tomcat8
Plugin Details
Severity: High
ID: 103259
File Name: debian_DSA-3974.nasl
Version: 3.6
Type: local
Agent: unix
Family: Debian Local Security Checks
Published: 9/18/2017
Updated: 1/4/2021
Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: Low
Score: 3.6
CVSS v2
Risk Factor: Medium
Base Score: 5
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS v3
Risk Factor: High
Base Score: 7.5
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Vulnerability Information
CPE: cpe:/o:debian:debian_linux:9.0, cpe:/o:debian:debian_linux:8.0, p-cpe:/a:debian:debian_linux:tomcat8
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Patch Publication Date: 9/15/2017
Reference Information
CVE: CVE-2017-7674, CVE-2017-7675
DSA: 3974