Debian DSA-2207-1 : tomcat5.5 - several vulnerabilities

medium Nessus Plugin ID 53212

Synopsis

The remote Debian host is missing a security-related update.

Description

Various vulnerabilities have been discovered in the Tomcat Servlet and JSP engine, resulting in denial of service, cross-site scripting, information disclosure and WAR file traversal. Further details on the individual security issues can be found on the Apache Tomcat 5 vulnerabilities page.

Solution

Upgrade the tomcat5.5 packages.

For the oldstable distribution (lenny), this problem has been fixed in version 5.5.26-5lenny2.

The stable distribution (squeeze) no longer contains tomcat5.5. tomcat6 is already fixed.

See Also

http://tomcat.apache.org/security-5.html

https://www.debian.org/security/2011/dsa-2207

Plugin Details

Severity: Medium

ID: 53212

File Name: debian_DSA-2207.nasl

Version: 1.18

Type: local

Agent: unix

Published: 3/30/2011

Updated: 1/4/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.2

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:P

CVSS v3

Risk Factor: Medium

Base Score: 4.2

Temporal Score: 3.9

Vector: CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:5.0, p-cpe:/a:debian:debian_linux:tomcat5.5

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/30/2011

Vulnerability Publication Date: 3/9/2009

Exploitable With

CANVAS (D2ExploitPack)

Reference Information

CVE: CVE-2008-5515, CVE-2009-0033, CVE-2009-0580, CVE-2009-0781, CVE-2009-0783, CVE-2009-2693, CVE-2009-2902, CVE-2010-1157, CVE-2010-2227

BID: 35193, 35196, 35263, 35416, 37944, 37945, 39635, 41544

CWE: 20, 200, 22, 79

DSA: 2207