Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.ALA_ALAS-2019-1208.NASL
HistoryMay 21, 2019 - 12:00 a.m.

Amazon Linux AMI : tomcat8 (ALAS-2019-1208)

2019-05-2100:00:00
This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
23
JSON

When the default servlet in Apache Tomcat returned a redirect to a directory (e.g. redirecting to ‘/foo/’ when the user requested ‘/foo’) a specially crafted URL could be used to cause the redirect to be generated to any URI of the attackers choice. (CVE-2018-11784)

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange’s blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injec tions-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microso ft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command
-line-arguments-the-wrong-way/). (CVE-2019-0232)

The HTTP/2 implementation in Apache Tomcat accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API’s blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)

#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Amazon Linux AMI Security Advisory ALAS-2019-1208.
#

include("compat.inc");

if (description)
{
  script_id(125294);
  script_version("1.3");
  script_cvs_date("Date: 2019/07/03 12:01:40");

  script_cve_id("CVE-2018-11784", "CVE-2019-0199", "CVE-2019-0232");
  script_xref(name:"ALAS", value:"2019-1208");

  script_name(english:"Amazon Linux AMI : tomcat8 (ALAS-2019-1208)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:"The remote Amazon Linux AMI host is missing a security update."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"When the default servlet in Apache Tomcat returned a redirect to a
directory (e.g. redirecting to '/foo/' when the user requested '/foo')
a specially crafted URL could be used to cause the redirect to be
generated to any URI of the attackers choice. (CVE-2018-11784)

When running on Windows with enableCmdLineArguments enabled, the CGI
Servlet in Apache Tomcat is vulnerable to Remote Code Execution due to
a bug in the way the JRE passes command line arguments to Windows. The
CGI Servlet is disabled by default. The CGI option
enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will
be disabled by default in all versions in response to this
vulnerability). For a detailed explanation of the JRE behaviour, see
Markus Wulftange's blog
(https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injec
tions-in-windows.html) and this archived MSDN blog
(https://web.archive.org/web/20161228144344/https://blogs.msdn.microso
ft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command
-line-arguments-the-wrong-way/). (CVE-2019-0232)

The HTTP/2 implementation in Apache Tomcat accepted streams with
excessive numbers of SETTINGS frames and also permitted clients to
keep streams open without reading/writing request/response data. By
keeping streams open for requests that utilised the Servlet API's
blocking I/O, clients were able to cause server-side threads to block
eventually leading to thread exhaustion and a DoS. (CVE-2019-0199)"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://alas.aws.amazon.com/ALAS-2019-1208.html"
  );
  script_set_attribute(
    attribute:"solution", 
    value:"Run 'yum update tomcat8' to update your system."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-admin-webapps");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-docs-webapp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-el-3.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-lib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-log4j");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:amazon:linux:tomcat8-webapps");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:amazon:linux");

  script_set_attribute(attribute:"vuln_publication_date", value:"2018/10/04");
  script_set_attribute(attribute:"patch_publication_date", value:"2019/05/20");
  script_set_attribute(attribute:"plugin_publication_date", value:"2019/05/21");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Amazon Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/AmazonLinux/release", "Host/AmazonLinux/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/AmazonLinux/release");
if (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, "Amazon Linux");
os_ver = pregmatch(pattern: "^AL(A|\d)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Amazon Linux");
os_ver = os_ver[1];
if (os_ver != "A")
{
  if (os_ver == 'A') os_ver = 'AMI';
  audit(AUDIT_OS_NOT, "Amazon Linux AMI", "Amazon Linux " + os_ver);
}

if (!get_kb_item("Host/AmazonLinux/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);


flag = 0;
if (rpm_check(release:"ALA", reference:"tomcat8-8.5.40-1.79.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-admin-webapps-8.5.40-1.79.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-docs-webapp-8.5.40-1.79.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-el-3.0-api-8.5.40-1.79.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-javadoc-8.5.40-1.79.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-jsp-2.3-api-8.5.40-1.79.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-lib-8.5.40-1.79.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-log4j-8.5.40-1.79.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-servlet-3.1-api-8.5.40-1.79.amzn1")) flag++;
if (rpm_check(release:"ALA", reference:"tomcat8-webapps-8.5.40-1.79.amzn1")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat8 / tomcat8-admin-webapps / tomcat8-docs-webapp / etc");
}
VendorProductVersionCPE
amazonlinuxtomcat8p-cpe:/a:amazon:linux:tomcat8
amazonlinuxtomcat8-admin-webappsp-cpe:/a:amazon:linux:tomcat8-admin-webapps
amazonlinuxtomcat8-docs-webappp-cpe:/a:amazon:linux:tomcat8-docs-webapp
amazonlinuxtomcat8-el-3.0-apip-cpe:/a:amazon:linux:tomcat8-el-3.0-api
amazonlinuxtomcat8-javadocp-cpe:/a:amazon:linux:tomcat8-javadoc
amazonlinuxtomcat8-jsp-2.3-apip-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api
amazonlinuxtomcat8-libp-cpe:/a:amazon:linux:tomcat8-lib
amazonlinuxtomcat8-log4jp-cpe:/a:amazon:linux:tomcat8-log4j
amazonlinuxtomcat8-servlet-3.1-apip-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api
amazonlinuxtomcat8-webappsp-cpe:/a:amazon:linux:tomcat8-webapps
Rows per page:
1-10 of 111

Related

amazon 4
nessus 41
openvas 28
fedora 3
osv 12
oraclelinux 1
ibm 20
kaspersky 4
debian 3
f5 3
redhatcve 4
prion 4
nuclei 1
veracode 5
suse 4
packetstorm 2
ubuntu 1
cve 4
ubuntucve 3
debiancve 4
zdt 2
checkpoint_advisories 2
centos 1
github 5
cisa 2
atlassian 4
tomcat 10
symantec 3
redhat 7
trendmicroblog 1
githubexploit 5
thn 1
metasploit 1
attackerkb 1
hackerone 1
exploitdb 2
amazon
amazon
Important: tomcat8
2019-05-16 23:11:00
Medium: tomcat
2019-04-04 22:00:00
Medium: tomcat7
2018-11-05 19:35:00
nessus
nessus
EulerOS 2.0 SP8 : tomcat (EulerOS-SA-2019-1772)
2019-07-25 00:00:00
Oracle Linux 7 : tomcat (ELSA-2019-0485)
2019-03-15 00:00:00
openSUSE Security Update : tomcat (openSUSE-2019-972)
2019-03-27 00:00:00
openvas
openvas
Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2019-1772)
2020-01-23 00:00:00
Fedora Update for tomcat FEDORA-2019-d66febb5df
2019-07-05 00:00:00
Ubuntu: Security Advisory (USN-3787-1)
2018-10-11 00:00:00
fedora
fedora
[SECURITY] Fedora 29 Update: tomcat-9.0.21-1.fc29
2019-07-04 02:51:06
[SECURITY] Fedora 29 Update: tomcat-9.0.13-1.fc29
2019-02-13 02:48:13
[SECURITY] Fedora 30 Update: tomcat-9.0.21-1.fc30
2019-06-25 01:27:24
osv
osv
CVE-2018-11784
2018-10-04 13:29:00
Apache Tomcat Open Redirect vulnerability
2018-10-17 16:31:02
tomcat8 - security update
2018-10-15 00:00:00
oraclelinux
oraclelinux
tomcat security update
2019-03-13 00:00:00
ibm
ibm
Security Bulletin: Vulnerability in Apache Tomcat affects IBM Platform Symphony
2021-07-02 02:32:33
Security Bulletin: IBM QRadar SIEM is vulnerable to Apache Tomcat Publicly disclosed vulnerability (CVE-2018-11784)
2019-03-05 18:10:01
Security Bulletin: Security vulnerabilities in Apache Tomcat affect multiple IBM Rational products based on IBM's Jazz technology
2021-04-28 18:35:50
kaspersky
kaspersky
KLA11327 SB vulnerability in Apache Tomcat
2018-10-03 00:00:00
KLA11495 DOS vulnerability in Apache Tomcat
2019-02-08 00:00:00
KLA11494 DOS vulnerability in Apache Tomcat
2019-02-08 00:00:00
debian
debian
[SECURITY] [DLA 1545-1] tomcat8 security update
2018-10-15 16:56:28
[SECURITY] [DLA 1544-1] tomcat7 security update
2018-10-14 20:43:08
[SECURITY] [DSA 4596-1] tomcat8 security update
2019-12-27 22:15:49
f5
f5
K64921482 : Apache Tomcat vulnerability CVE-2018-11784
2018-10-25 00:00:00
K93000310 : Apache Tomcat vulnerability CVE-2019-0199
2019-04-09 00:00:00
K17321505 : Apache Tomcat vulnerability CVE-2019-10072
2019-06-27 00:00:00
redhatcve
redhatcve
CVE-2018-11784
2019-11-02 09:34:32
CVE-2019-0232
2020-03-30 08:14:34
CVE-2019-0199
2019-03-27 14:58:56
prion
prion
Design/Logic Flaw
2018-10-04 13:29:00
Remote code execution
2019-04-15 15:29:00
Open redirect
2019-04-10 15:29:00
nuclei
nuclei
Apache Tomcat - Open Redirect
2021-03-18 16:22:01
veracode
veracode
Open Redirection
2018-10-04 09:06:12
Open Redirection
2019-01-15 09:25:50
Remote Code Execution (RCE)
2019-04-11 09:53:46
suse
suse
Security update for tomcat (moderate)
2018-10-25 18:22:29
Security update for tomcat (moderate)
2018-12-08 00:21:25
Security update for tomcat (moderate)
2019-07-19 00:00:00
packetstorm
packetstorm
Apache Tomcat 9.0.0M1 Open Redirect
2021-07-11 00:00:00
Apache Tomcat CGIServlet enableCmdLineArguments Remote Code Execution
2019-07-02 00:00:00
ubuntu
ubuntu
Tomcat vulnerability
2018-10-10 00:00:00
cve
cve
CVE-2018-11784
2018-10-04 13:29:00
CVE-2019-0232
2019-04-15 15:29:00
CVE-2019-0199
2019-04-10 15:29:00
ubuntucve
ubuntucve
CVE-2018-11784
2018-10-04 00:00:00
CVE-2019-0232
2019-04-15 00:00:00
CVE-2019-0199
2019-04-10 00:00:00
debiancve
debiancve
CVE-2018-11784
2018-10-04 13:29:00
CVE-2019-0232
2019-04-15 15:29:00
CVE-2019-0199
2019-04-10 15:29:00
zdt
zdt
Apache Tomcat 9.0.0.M1 - Open Redirect Vulnerability
2021-07-13 00:00:00
Apache Tomcat CGIServlet enableCmdLineArguments Remote Code Execution Exploit
2019-07-02 00:00:00
checkpoint_advisories
checkpoint_advisories
Apache Tomcat Default Servlet Open Redirect (CVE-2018-11784)
2019-02-19 00:00:00
Apache Tomcat CGI Servlet Remote Code Execution (CVE-2019-0232)
2019-04-18 00:00:00
centos
centos
tomcat security update
2019-03-19 14:33:17
github
github
Apache Tomcat Open Redirect vulnerability
2018-10-17 16:31:02
Apache Tomcat Denial of Service vulnerability
2020-06-15 18:51:09
Apache Tomcat OS Command Injection vulnerability
2019-04-18 14:27:35
cisa
cisa
Apache Releases Security Updates for Apache Tomcat
2018-10-04 00:00:00
Apache Releases Security Updates for Apache Tomcat
2019-04-14 00:00:00
atlassian
atlassian
Update Tomcat to 8.5.34 to avoid CVE-2018-11784
2018-10-10 09:22:17
Update Tomcat to 8.5.34 to avoid CVE-2018-11784
2018-10-10 09:22:17
Upgrade Tomcat to 8.5.38 to fix CVE-2019-0199
2019-04-02 05:50:03
tomcat
tomcat
Fixed in Apache Tomcat 8.5.34
2018-09-10 00:00:00
Fixed in Apache Tomcat 7.0.91
2018-09-19 00:00:00
Fixed in Apache Tomcat 9.0.12
2018-09-10 00:00:00
symantec
symantec
Apache Tomcat CVE-2018-11784 Open Redirection Vulnerability
2018-10-03 00:00:00
Apache Tomcat CVE-2019-0232 Remote Code Execution Vulnerability
2019-04-15 00:00:00
Apache Tomcat Vulnerabilities Oct 2018 – Feb 2020
2020-05-12 19:02:01
redhat
redhat
(RHSA-2019:0485) Moderate: tomcat security update
2019-03-12 08:24:45
(RHSA-2019:3929) Important: Red Hat JBoss Web Server 5.2 security release
2019-11-20 15:52:12
(RHSA-2019:0131) Moderate: Red Hat JBoss Web Server 3.1 Service Pack 6 security and bug fix update
2019-01-22 13:28:13
trendmicroblog
trendmicroblog
This Week in Security News: Phishing Attacks and Ransomware
2019-04-26 12:00:16
githubexploit
githubexploit
Exploit for OS Command Injection in Apache Tomcat
2021-03-25 20:09:54
Exploit for OS Command Injection in Apache Tomcat
2020-11-12 04:06:30
Exploit for OS Command Injection in Apache Tomcat
2019-05-23 05:44:29
thn
thn
Apache Tomcat Patches Important Remote Code Execution Flaw
2019-04-15 07:56:00
metasploit
metasploit
Apache Tomcat CGIServlet enableCmdLineArguments Vulnerability
2019-06-18 20:28:11
attackerkb
attackerkb
CVE-2019-0232
2019-04-15 00:00:00
hackerone
hackerone
U.S. Dept Of Defense: Tomcat examples available for public, Disclosure Apache Tomcat version, Critical/High/Medium CVE
2020-05-14 19:38:44
exploitdb
exploitdb
Apache Tomcat 9.0.0.M1 - Open Redirect
2021-07-13 00:00:00
Apache Tomcat - CGIServlet enableCmdLineArguments Remote Code Execution (Metasploit)
2019-07-03 00:00:00
JSON
Related for ALA_ALAS-2019-1208.NASL
amazon4nessus41openvas28fedora3osv12oraclelinux1ibm20kaspersky4debian3f53redhatcve4prion4nuclei1veracode5suse4packetstorm2ubuntu1cve4ubuntucve3debiancve4zdt2checkpoint_advisories2centos1github5cisa2atlassian4tomcat10symantec3redhat7trendmicroblog1githubexploit5thn1metasploit1attackerkb1hackerone1exploitdb2