8 Replies Latest reply on Aug 15, 2014 8:49 AM by nicole pauls

    Apache Tomcat 6.0.36 vulnerabilities

    evanr

      We have been failing our internal pen-test scans since adding LEM into our environment.  Are there any plans to upgrade the version of Apache Tomcat?

        • Re: Apache Tomcat 6.0.36 vulnerabilities
          nicole pauls

          Yes, we do. We also have a list of mitigation/comments on how or whether different vulnerabilities even apply to LEM if you want us to respond to anything specific. Our version of Tomcat is patched, so if it's just by version string alone it may not be accurate. We know it'll still trip some things, though.

            • Re: Apache Tomcat 6.0.36 vulnerabilities
              evanr

              It's CVE-2013-2067, and yes, it does only appear to be querying the version.


              <title>Apache Tomcat/6.0.36 - Error report</title>

              • Re: Apache Tomcat 6.0.36 vulnerabilities
                evanr

                Any new info on this?  We are still getting dinged with this even though it's only querying the version.  I'm not sure I will be able to get an exception this year with 3.0.


                Threat:

                Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.
                Multiple vulnerabilities affecting Apache Tomcat have been reported:

                1) It was possible to craft a malformed chunk size as part of a chunked request that enabled an unlimited amount of data to be streamed to the server, bypassing the various size limits enforced on a request. This enabled a denial of service attack (CVE-2014-0075).
                2) The default servlet allows web applications to define (at multiple levels) an XSLT to be used to format a directory listing. When running under a security manager, the processing of these was not subject to the same constraints as the web application. This enabled a malicious web application to bypass the file access constraints imposed by the security manager via the use of external XML entities (CVE-2014-0096).
                3) The code used to parse the request content length header did not check for overflow in the result. This exposed a request smuggling vulnerability when Tomcat was located behind a reverse proxy that correctly processed the content length header (CVE-2014-0099).
                4) In limited circumstances it was possible for a malicious web application to replace the XML parsers used by Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs) and tag plugin configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or have visibility of the XML files processed for other web applications deployed on the same Tomcat instance (CVE-2014-0119).

                Affected Versions:
                Apache Tomcat versions prior to 6.0.41, 7.0.54, 8.0.8


                Solution:

                Updated versions of Apache Tomcat are available that fix these vulnerabilities.

                Patch:
                Following are links for downloading patches to fix the vulnerabilities:
                Apache Tomcat 6.x (http://tomcat.apache.org/download-60.cgi)
                Apache Tomcat 7.x (http://tomcat.apache.org/download-70.cgi)
                Apache Tomcat 8.x (http://tomcat.apache.org/download-80.cgi)


                <title>Apache Tomcat/6.0.37 - Error report</title>
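The scanner text pasted above describes a content-length parse with no overflow check (CVE-2014-0099), and the thread's point is that the scan is only matching the version string in the error-page title. The following Python is an added example, not code from this thread, from LEM or from Tomcat: it models a digit-accumulating length parser with and without an overflow check (assuming the Java long wrap-around the advisory's wording implies; Tomcat's real parser is not reproduced), uses a constructed request to show how a wrapped length lets a backend treat the tail of one body as a second request, and includes the kind of version-only check that fires on a backported 6.0.36 build exactly as on an unpatched one. The fixed versions come from the scanner's "Affected Versions" line; the host name and request bytes are made up.

```python
import re
from typing import Callable, Optional, Tuple

INT64_MAX = 2 ** 63 - 1
INT64_MOD = 2 ** 64


def parse_length_unchecked(value: str) -> int:
    """Digit-by-digit accumulation into a signed 64-bit value with no
    overflow check. Models the pre-fix behaviour the scanner text
    describes for CVE-2014-0099 (assumption: Java long semantics); the
    wrap-around is simulated explicitly because Python ints never overflow."""
    result = 0
    for ch in value.strip():
        if not ch.isdigit():
            raise ValueError(f"non-digit in Content-Length: {value!r}")
        result = (result * 10 + (ord(ch) - ord("0"))) % INT64_MOD
    # reinterpret the low 64 bits as a signed long
    return result - INT64_MOD if result > INT64_MAX else result


def parse_length_checked(value: str) -> int:
    """Same parse, but rejects any value that would not fit in a signed
    64-bit long, so a proxy and the backend can never disagree on it."""
    result = 0
    for ch in value.strip():
        if not ch.isdigit():
            raise ValueError(f"non-digit in Content-Length: {value!r}")
        digit = ord(ch) - ord("0")
        if result > (INT64_MAX - digit) // 10:  # result * 10 + digit would exceed INT64_MAX
            raise ValueError(f"Content-Length overflows a 64-bit long: {value!r}")
        result = result * 10 + digit
    return result


def length_is_rejected(value: str) -> bool:
    """True if the checked parser refuses the header value."""
    try:
        parse_length_checked(value)
    except ValueError:
        return True
    return False


def backend_split(body: bytes, content_length: str,
                  parser: Callable[[str], int]) -> Tuple[bytes, bytes]:
    """What a backend using `parser` does with the bytes on the connection:
    returns (bytes consumed as this request's body, bytes left over, which
    the backend then reads as the start of the next request)."""
    n = parser(content_length)
    if n < 0 or n > len(body):
        raise ValueError("negative length, or body shorter than declared length")
    return body[:n], body[n:]


# Constructed sample traffic (not a capture from LEM or any real host).
SMUGGLED = b"GET /smuggled HTTP/1.1\r\nHost: lem.example\r\n\r\n"
BODY = b"0123456789" + SMUGGLED
# 2**64 + 10 = "18446744073709551626": a proxy that parses correctly sees about
# 1.8e19 bytes (or rejects the header); the unchecked parser wraps it to 10.
WRAPPED_LENGTH = str(INT64_MOD + 10)

# Fixed releases from the scanner's "Affected Versions" line.
FIXED_IN = {6: (6, 0, 41), 7: (7, 0, 54), 8: (8, 0, 8)}
TITLE_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)")


def version_string_flags(page: str) -> Optional[bool]:
    """The check a version-only scanner performs: pull the version out of
    Tomcat's error-page title and compare it with the fixed release. It
    cannot tell a backported 6.0.36 from an unpatched one, which is the
    false positive discussed in this thread. None if no version is visible."""
    m = TITLE_RE.search(page)
    if m is None:
        return None
    version = tuple(int(x) for x in m.groups())
    fixed = FIXED_IN.get(version[0])
    return fixed is not None and version < fixed


if __name__ == "__main__":
    consumed, leftover = backend_split(BODY, WRAPPED_LENGTH, parse_length_unchecked)
    print("unchecked backend consumed", consumed, "and parses", leftover[:14], "as a new request")
    print("checked parser rejects the header:", length_is_rejected(WRAPPED_LENGTH))
    print("version-only scanner flags 6.0.36:",
          version_string_flags("<title>Apache Tomcat/6.0.36 - Error report</title>"))
```

To check what a scanner is actually doing against a patched build, compare its finding with behaviour rather than the banner: the overflow case above is rejected outright by the checked parser, whereas the version check returns True for every 6.0.x below 6.0.41 regardless of what was backported.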

                  • Re: Apache Tomcat 6.0.36 vulnerabilities
                    curtisi

                    Like colby said, I think if you were to actually try this exploit on the LEM, you'd find that the Apache has been fixed so it's not possible, so the pen test is just tripping on the version string.


                    At the same time, the LEM shouldn't be open to the Internet (we don't support that), so the potential list of "hackers" consists of people on your internal network.  That cuts a lot of riff-raff, and lets you hit people with a stick if they try anything, an option that is sadly lacking from the Internet at large.


                    You can use the RestrictConsole command in the CMC shell to further restrict what IPs can even open a connection with the LEM (this command modifies the iptables rules), and therefore further reduce the potential number of people who can even try to exploit Apache.

                • Re: Apache Tomcat 6.0.36 vulnerabilities
                  nicole pauls

                  Wanted to confirm, we have a service release in progress that includes many security-oriented changes/fixes. The Tomcat versions in that release are: 6.0.41 (console) and 6.0.37 (database/reports access). We have run Nessus scans that come up clean, but I'm not sure about other scanners, since, as you said, they could be only checking versions.