Detections
Analytics
Apache Tomcat 6.0.x < 6.0.43 Multiple Vulnerabilities (POODLE)
high Nessus Plugin ID 81649
Language:
Synopsis
The remote Apache Tomcat server is affected by multiple vulnerabilities.Description
According to its self-reported version number, the Apache Tomcat service listening on the remote host is 6.0.x prior to 6.0.43. It is, therefore, affected by the following vulnerabilities :- An error exists in the function 'ssl3_read_bytes' that can allow data to be injected into other sessions or allow denial of service attacks. Note that this issue is exploitable only if 'SSL_MODE_RELEASE_BUFFERS' is enabled. (CVE-2010-5298)
- A buffer overflow error exists related to invalid DTLS fragment handling that can lead to the execution of arbitrary code. Note that this issue only affects OpenSSL when used as a DTLS client or server.
(CVE-2014-0195)
- An error exists in the function 'do_ssl3_write' that can allow a NULL pointer to be dereferenced leading to denial of service attacks. Note that this issue is exploitable only if 'SSL_MODE_RELEASE_BUFFERS' is enabled. (CVE-2014-0198)
- An error exists related to DTLS handshake handling that can lead to denial of service attacks. Note that this issue only affects OpenSSL when used as a DTLS client.
(CVE-2014-0221)
- An unspecified error exists in how ChangeCipherSpec messages are processed that can allow an attacker to cause usage of weak keying material, leading to simplified man-in-the-middle attacks. (CVE-2014-0224)
- An unspecified error exists related to anonymous ECDH cipher suites that can allow denial of service attacks.
Note that this issue only affects OpenSSL TLS clients.
(CVE-2014-3470)
- A memory double-free error exists in 'd1_both.c' related to handling DTLS packets that allows denial of service attacks. (CVE-2014-3505)
- An unspecified error exists in 'd1_both.c' related to handling DTLS handshake messages that allows denial of service attacks due to large amounts of memory being consumed. (CVE-2014-3506)
- A memory leak error exists in 'd1_both.c' related to handling specially crafted DTLS packets that allows denial of service attacks. (CVE-2014-3507)
- An error exists in the 'OBJ_obj2txt' function when various 'X509_name_*' pretty printing functions are used, which leak process stack data, resulting in an information disclosure. (CVE-2014-3508)
- An error exists related to 'ec point format extension' handling and multithreaded clients that allows freed memory to be overwritten during a resumed session.
(CVE-2014-3509)
- A NULL pointer dereference error exists related to handling anonymous ECDH cipher suites and crafted handshake messages that allows denial of service attacks against clients. (CVE-2014-3510)
- An error exists related to handling fragmented 'ClientHello' messages that allows a man-in-the-middle attacker to force usage of TLS 1.0 regardless of higher protocol levels being supported by both the server and the client. (CVE-2014-3511)
- Buffer overflow errors exist in 'srp_lib.c' related to handling Secure Remote Password protocol (SRP) parameters, which can allow a denial of service or have other unspecified impact. (CVE-2014-3512)
- A memory leak issue exists in 'd1_srtp.c' related to the DTLS SRTP extension handling and specially crafted handshake messages that can allow denial of service attacks. (CVE-2014-3513)
- An error exists related to the way SSL 3.0 handles padding bytes when decrypting messages encrypted using block ciphers in cipher block chaining (CBC) mode.
Man-in-the-middle attackers can decrypt a selected byte of a cipher text in as few as 256 tries if they are able to force a victim application to repeatedly send the same data over newly created SSL 3.0 connections. This is also known as the 'POODLE' issue. (CVE-2014-3566)
- A memory leak issue exists in 't1_lib.c' related to session ticket handling that can allow denial of service attacks. (CVE-2014-3567)
- An error exists related to the build configuration process and the 'no-ssl3' build option that allows servers and clients to process insecure SSL 3.0 handshake messages. (CVE-2014-3568)
- A NULL pointer dereference error exists in 't1_lib.c', related to handling Secure Remote Password protocol (SRP) ServerHello messages, which allows a malicious server to crash a client, resulting in a denial of service. (CVE-2014-5139)
Note that Nessus has not attempted to exploit these issues but has instead relied only on the application's self-reported version number.
Solution
Update to Apache Tomcat version 6.0.43 or later.See Also
http://tomcat.apache.org/tomcat-6.0-doc/changelog.html
https://www.imperialviolet.org/2014/10/14/poodle.html
https://www.openssl.org/~bodo/ssl-poodle.pdf
https://tools.ietf.org/html/draft-ietf-tls-downgrade-scsv-00
Plugin Details
Severity: High
ID: 81649
File Name: tomcat_6_0_43.nasl
Version: 1.16
Type: combined
Agent: windows, macosx, unix
Family: Web Servers
Published: 3/5/2015
Updated: 5/6/2024
Configuration: Enable thorough checks
Supported Sensors: Nessus Agent, Nessus
Risk Information
VPR
Risk Factor: High
Score: 7.7
CVSS v2
Risk Factor: High
Base Score: 7.5
Temporal Score: 6.2
Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P
CVSS Score Source: CVE-2014-3512
CVSS v3
Risk Factor: High
Base Score: 7.3
Temporal Score: 6.8
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C
Vulnerability Information
CPE: cpe:/a:apache:tomcat:6
Required KB Items: installed_sw/Apache Tomcat
Exploit Available: true
Exploit Ease: Exploits are available
Patch Publication Date: 11/14/2014
Vulnerability Publication Date: 4/11/2014
Exploitable With
Core Impact
Reference Information
CVE: CVE-2010-5298, CVE-2014-0195, CVE-2014-0198, CVE-2014-0221, CVE-2014-0224, CVE-2014-3470, CVE-2014-3505, CVE-2014-3506, CVE-2014-3507, CVE-2014-3508, CVE-2014-3509, CVE-2014-3510, CVE-2014-3511, CVE-2014-3512, CVE-2014-3513, CVE-2014-3566, CVE-2014-3567, CVE-2014-3568, CVE-2014-5139
BID: 66801, 67193, 67898, 67899, 67900, 67901, 69075, 69076, 69077, 69078, 69079, 69081, 69082, 69083, 69084, 70574, 70584, 70585, 70586