Apache Tomcat 8.5.0 < 8.5.5 multiple vulnerabilities

critical Nessus Plugin ID 94578

Synopsis

The remote Apache Tomcat server is affected by multiple vulnerabilities

Description

The version of Tomcat installed on the remote host is prior to 8.5.5. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_8.5.5_and_8.0.37_security-8 advisory.

- The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)

- A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)

- When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)

- In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)

- The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
(CVE-2016-0762)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Apache Tomcat version 8.5.5 or later.

See Also

https://svn.apache.org/viewvc?view=rev&rev=1754726

https://svn.apache.org/viewvc?view=rev&rev=1754727

https://svn.apache.org/viewvc?view=rev&rev=1754900

https://svn.apache.org/viewvc?view=rev&rev=1754901

https://svn.apache.org/viewvc?view=rev&rev=1757272

https://svn.apache.org/viewvc?view=rev&rev=1757273

https://svn.apache.org/viewvc?view=rev&rev=1758493

https://svn.apache.org/viewvc?view=rev&rev=1758494

https://svn.apache.org/viewvc?view=rev&rev=1758500

https://svn.apache.org/viewvc?view=rev&rev=1758501

https://svn.apache.org/viewvc?view=rev&rev=1760305

https://svn.apache.org/viewvc?view=rev&rev=1760307

https://svn.apache.org/viewvc?view=rev&rev=1763233

https://svn.apache.org/viewvc?view=rev&rev=1763234

http://www.nessus.org/u?47795ca8

Plugin Details

Severity: Critical

ID: 94578

File Name: tomcat_8_5_5.nasl

Version: 1.18

Type: combined

Agent: windows, macosx, unix

Family: Web Servers

Published: 11/4/2016

Updated: 5/23/2024

Configuration: Enable thorough checks

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.0

CVSS v2

Risk Factor: Medium

Base Score: 6.4

Temporal Score: 5

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS Score Source: CVE-2016-6797

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:apache:tomcat:8

Required KB Items: installed_sw/Apache Tomcat

Exploit Ease: No known exploits are available

Patch Publication Date: 10/27/2016

Vulnerability Publication Date: 10/27/2016

Reference Information

CVE: CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797

BID: 93939, 93940, 93942, 93943, 93944