ID DEBIAN_DSA-3428.NASL Type nessus Reporter Tenable Modified 2016-04-28T00:00:00
Description
It was discovered that malicious web applications could use the Expression Language to bypass the protections of a Java Security Manager, because expressions were evaluated within a privileged code section (CVE-2014-7810). The issue is relevant to deployments that rely on a Security Manager to sandbox untrusted web applications; the fix is the updated tomcat8 package.
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-3428. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#
include("compat.inc");
if (description)
{
  # Plugin identity; the revision and date strings are CVS keyword
  # expansions and are not meant to be edited by hand.
  script_id(87511);
  script_version("$Revision: 2.5 $");
  script_cvs_date("$Date: 2016/04/28 18:33:24 $");

  # Vulnerability cross-references: the single CVE, its OSVDB entry and
  # the Debian advisory this plugin was generated from.
  script_cve_id("CVE-2014-7810");
  script_osvdb_id(122158);
  script_xref(name:"DSA", value:"3428");

  script_name(english:"Debian DSA-3428-1 : tomcat8 - security update");
  script_summary(english:"Checks dpkg output for the updated package");

  # Report text. The description is the advisory wording verbatim; note
  # that the flaw is a bypass of a Java Security Manager, so it only has
  # teeth where Tomcat is actually run under one.
  script_set_attribute(attribute:"synopsis", value:"The remote Debian host is missing a security-related update.");
  script_set_attribute(attribute:"description", value:
"It was discovered that malicious web applications could use the
Expression Language to bypass protections of a Security Manager as
expressions were evaluated within a privileged code section.");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/jessie/tomcat8");
  script_set_attribute(attribute:"see_also", value:"http://www.debian.org/security/2015/dsa-3428");
  script_set_attribute(attribute:"solution", value:
"Upgrade the tomcat8 packages.
For the stable distribution (jessie), this problem has been fixed in
version 8.0.14-1+deb8u1.");

  # CVSSv2 base: network vector, low complexity, no authentication,
  # partial integrity impact only. The temporal vector records that no
  # public exploit was known at publication, matching the two
  # exploitability attributes below.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  # Authenticated local check, scoped to the jessie (8.0) tomcat8 package.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:tomcat8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:8.0");
  script_set_attribute(attribute:"patch_publication_date", value:"2015/12/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/12/21");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  # The SSH info-gathering plugin must already have populated the KB keys
  # that the check section reads; the keys are required, not optional.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}
include("audit.inc");
include("debian_package.inc");

# Preconditions: local checks ran, the target identified itself as Debian,
# and a dpkg package listing is in the KB. Each failure exits with the
# matching audit reason instead of a (false) "not affected" result.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Every binary package built from the jessie tomcat8 source, in the order
# the advisory lists them. They all share one fixed version, so a single
# reference string is compared against each installed package.
fixed_version = "8.0.14-1+deb8u1";
tomcat8_binaries = make_list(
  "libservlet3.1-java",
  "libservlet3.1-java-doc",
  "libtomcat8-java",
  "tomcat8",
  "tomcat8-admin",
  "tomcat8-common",
  "tomcat8-docs",
  "tomcat8-examples",
  "tomcat8-user"
);

# Count how many installed packages are older than the fixed version.
# This is purely a dpkg version comparison: it does not know whether the
# Tomcat service was restarted after the upgrade, nor whether Tomcat is
# run under a Security Manager (the protection the flaw bypasses) -
# review both separately when triaging a hit.
flag = 0;
foreach pkg (tomcat8_binaries)
{
  if (deb_check(release:"8.0", prefix:pkg, reference:fixed_version)) flag++;
}

if (flag)
{
  # Verbose scans get the per-package installed/fixed version table.
  if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
{"published": "2015-12-21T00:00:00", "id": "DEBIAN_DSA-3428.NASL", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "history": [{"differentElements": ["cpe"], "edition": 1, "lastseen": "2016-09-26T17:26:36", "bulletin": {"enchantments": {}, "published": "2015-12-21T00:00:00", "id": "DEBIAN_DSA-3428.NASL", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "history": [], "cpe": [], "hash": "0bf33a1200cce3cad72fa90380cc545cacdfd4899aeeb5ecba7dfe73a096b727", "description": "It was discovered that malicious web applications could use the Expression Language to bypass protections of a Security Manager as expressions were evaluated within a privileged code section.", "type": "nessus", "pluginID": "87511", "lastseen": "2016-09-26T17:26:36", "edition": 1, "title": "Debian DSA-3428-1 : tomcat8 - security update", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87511", "modified": "2016-04-28T00:00:00", "bulletinFamily": "scanner", "viewCount": 0, "cvelist": ["CVE-2014-7810"], "references": ["https://packages.debian.org/source/jessie/tomcat8", "http://www.debian.org/security/2015/dsa-3428"], "naslFamily": "Debian Local Security Checks", "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-3428. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87511);\n script_version(\"$Revision: 2.5 $\");\n script_cvs_date(\"$Date: 2016/04/28 18:33:24 $\");\n\n script_cve_id(\"CVE-2014-7810\");\n script_osvdb_id(122158);\n script_xref(name:\"DSA\", value:\"3428\");\n\n script_name(english:\"Debian DSA-3428-1 : tomcat8 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that malicious web applications could use the\nExpression Language to bypass protections of a Security Manager as\nexpressions were evaluated within a privileged code section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/tomcat8\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2015/dsa-3428\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the tomcat8 packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 8.0.14-1+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/18\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libtomcat8-java\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-admin\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-common\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-docs\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-examples\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-user\", reference:\"8.0.14-1+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "hashmap": [{"hash": "7682593865fe3c4bfddc41a9be4d6e7d", "key": "modified"}, {"hash": 
"1a3e991f1270d1299d7f25f2519bac72", "key": "pluginID"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "badb37b6ea56e6f6ed47b3e692c1fed8", "key": "references"}, {"hash": "26769fd423968d45be7383413e2552f1", "key": "cvss"}, {"hash": "042bae3a06ddca216b6ffa156921831d", "key": "title"}, {"hash": "172b6217f06be9ebf1a4e81944a65518", "key": "sourceData"}, {"hash": "13b226fb85121a44cc26e24e64c73de6", "key": "description"}, {"hash": "622d8025e3b28396cdac8d7bca94bbf2", "key": "cvelist"}, {"hash": "9cbb53f4166931607d769bd0f59fdae8", "key": "published"}, {"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}, {"hash": "94ba03e8da0c711307ffa20fda4c0654", "key": "href"}, {"hash": "d41d8cd98f00b204e9800998ecf8427e", "key": "cpe"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}], "objectVersion": "1.2"}}], "description": "It was discovered that malicious web applications could use the Expression Language to bypass protections of a Security Manager as expressions were evaluated within a privileged code section.", "hash": "609d3252b0c517872691eb70ec9c12e420138c76bc2af62f889a8784572b17d1", "enchantments": {"vulnersScore": 5.0}, "type": "nessus", "pluginID": "87511", "lastseen": "2017-10-29T13:45:25", "edition": 2, "cpe": ["cpe:/o:debian:debian_linux:8.0", "p-cpe:/a:debian:debian_linux:tomcat8"], "title": "Debian DSA-3428-1 : tomcat8 - security update", "href": "https://www.tenable.com/plugins/index.php?view=single&id=87511", "modified": "2016-04-28T00:00:00", "bulletinFamily": "scanner", "viewCount": 0, "cvelist": ["CVE-2014-7810"], "references": ["https://packages.debian.org/source/jessie/tomcat8", "http://www.debian.org/security/2015/dsa-3428"], "naslFamily": "Debian Local Security Checks", "reporter": "Tenable", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian 
Security Advisory DSA-3428. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(87511);\n script_version(\"$Revision: 2.5 $\");\n script_cvs_date(\"$Date: 2016/04/28 18:33:24 $\");\n\n script_cve_id(\"CVE-2014-7810\");\n script_osvdb_id(122158);\n script_xref(name:\"DSA\", value:\"3428\");\n\n script_name(english:\"Debian DSA-3428-1 : tomcat8 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"It was discovered that malicious web applications could use the\nExpression Language to bypass protections of a Security Manager as\nexpressions were evaluated within a privileged code section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/jessie/tomcat8\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2015/dsa-3428\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the tomcat8 packages.\n\nFor the stable distribution (jessie), this problem has been fixed in\nversion 8.0.14-1+deb8u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2015/12/18\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2015/12/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libtomcat8-java\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-admin\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-common\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-docs\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-examples\", reference:\"8.0.14-1+deb8u1\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-user\", reference:\"8.0.14-1+deb8u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_warning(port:0, extra:deb_report_get());\n else security_warning(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "hashmap": [{"hash": "bbdaea376f500d25f6b0c1050311dd07", "key": "bulletinFamily"}, {"hash": 
"0c26cbe1df6ba78f5a148d30d2c8b039", "key": "cpe"}, {"hash": "622d8025e3b28396cdac8d7bca94bbf2", "key": "cvelist"}, {"hash": "26769fd423968d45be7383413e2552f1", "key": "cvss"}, {"hash": "13b226fb85121a44cc26e24e64c73de6", "key": "description"}, {"hash": "94ba03e8da0c711307ffa20fda4c0654", "key": "href"}, {"hash": "7682593865fe3c4bfddc41a9be4d6e7d", "key": "modified"}, {"hash": "74562d71b087df9eabd0c21f99b132cc", "key": "naslFamily"}, {"hash": "1a3e991f1270d1299d7f25f2519bac72", "key": "pluginID"}, {"hash": "9cbb53f4166931607d769bd0f59fdae8", "key": "published"}, {"hash": "badb37b6ea56e6f6ed47b3e692c1fed8", "key": "references"}, {"hash": "9cf00d658b687f030ebe173a0528c567", "key": "reporter"}, {"hash": "172b6217f06be9ebf1a4e81944a65518", "key": "sourceData"}, {"hash": "042bae3a06ddca216b6ffa156921831d", "key": "title"}, {"hash": "5e0bd03bec244039678f2b955a2595aa", "key": "type"}], "objectVersion": "1.3"}
{"result": {"cve": [{"id": "CVE-2014-7810", "type": "cve", "title": "CVE-2014-7810", "description": "The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.", "published": "2015-06-07T19:59:03", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7810", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-11-09T11:53:13"}], "f5": [{"id": "SOL38110373", "type": "f5", "title": "SOL38110373 - Apache Tomcat vulnerability CVE-2014-7810", "description": "Vulnerability Recommended Actions\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. 
For more information, refer to SOL21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems.\n\nMitigation\n\nTo mitigate this vulnerability for affected F5 products, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n * SOL4918: Overview of the F5 critical issue hotfix policy\n", "published": "2016-10-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/k/38/sol38110373.html", "cvelist": ["CVE-2014-7810"], "lastseen": "2016-10-23T21:23:55"}, {"id": "F5:K38110373", "type": "f5", "title": "Apache Tomcat vulnerability CVE-2014-7810", "description": "\nF5 Product Development has assigned ID 466436 (ARX), and INSTALLER-2786 (Traffix) to this vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP AFM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP Analytics| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1| Not vulnerable| None \nBIG-IP APM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 
- 10.2.4| Not vulnerable| None \nBIG-IP DNS| None| 12.0.0 - 12.1.1| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1 \n11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 12.0.0 - 12.1.1 \n11.4.0 - 11.6.1| Not vulnerable| None \nBIG-IP PSM| None| 11.4.0 - 11.4.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.2.1 \n10.2.1 - 10.2.4| Not vulnerable| None \nBIG-IP WebSafe| None| 12.0.0 - 12.1.0 \n11.6.0 - 11.6.1| Not vulnerable \n\n| None \nARX| 6.2.0 - 6.4.0| None| Low| Apache Tomcat / WebUI \nEnterprise Manager| None| 3.1.1| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nBIG-IQ Centralized Management| None| 5.0.0 - 5.1.0 \n4.6.0| Not vulnerable| None \nBIG-IQ Cloud and Orchestration| None| 1.0.0| Not vulnerable| None \nF5 iWorkflow| None| 2.0.0 - 2.0.1| Not vulnerable| None \nLineRate| None| 2.5.0 - 2.6.1| Not vulnerable| None \nTraffix SDC| 4.0.0 - 4.4.0| 5.0.0| Low| WebUI\n\nIf you are running a version listed in the **Versions known to be vulnerable** column, you can eliminate this vulnerability by upgrading to a version listed in the **Versions known to be not vulnerable** column. If the table lists only an older version than what you are currently running, or does not list a non-vulnerable version, then no upgrade candidate currently exists.\n\nTo determine the necessary upgrade path for your BIG-IQ system, you should understand the BIG-IQ product offering name changes. 
For more information, refer to [K21232150: Considerations for upgrading BIG-IQ or F5 iWorkflow systems](<https://support.f5.com/csp/article/K21232150>).\n\nMitigation\n\nTo mitigate this vulnerability for affected F5 products, you should permit management access to F5 products only over a secure network and limit shell access to only trusted users.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n * [K4918: Overview of the F5 critical issue hotfix policy](<https://support.f5.com/csp/article/K4918>)\n", "published": "2016-10-23T20:28:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://support.f5.com/csp/article/K38110373", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-06-08T00:16:06"}], "openvas": [{"id": "OPENVAS:1361412562310805701", "type": "openvas", "title": "Apache Tomcat SecurityManager Security Bypass Vulnerability - Jun15 (Linux)", "description": "This host is installed with Apache Tomcat\n and is prone to security bypass vulnerability.", "published": "2015-06-16T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805701", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-10-25T14:40:45"}, {"id": "OPENVAS:1361412562310882434", "type": "openvas", "title": "CentOS Update for tomcat6 CESA-2016:0492 centos6 ", "description": "Check the version of tomcat6", "published": "2016-03-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310882434", "cvelist": ["CVE-2014-7810"], "lastseen": 
"2017-07-25T10:54:59"}, {"id": "OPENVAS:1361412562310703428", "type": "openvas", "title": "Debian Security Advisory DSA 3428-1 (tomcat8 - security update)", "description": "It was discovered that malicious web\napplications could use the Expression Language to bypass protections of a Security\nManager as expressions were evaluated within a privileged code section.", "published": "2015-12-18T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703428", "cvelist": ["CVE-2014-7810"], "lastseen": "2018-04-06T11:28:29"}, {"id": "OPENVAS:703428", "type": "openvas", "title": "Debian Security Advisory DSA 3428-1 (tomcat8 - security update)", "description": "It was discovered that malicious web\napplications could use the Expression Language to bypass protections of a Security\nManager as expressions were evaluated within a privileged code section.", "published": "2015-12-18T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703428", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-07-24T12:53:34"}, {"id": "OPENVAS:1361412562310805702", "type": "openvas", "title": "Apache Tomcat SecurityManager Security Bypass Vulnerability - Jun15 (Windows)", "description": "This host is installed with Apache Tomcat\n and is prone to security bypass vulnerability.", "published": "2015-06-16T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805702", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-10-25T14:40:01"}, {"id": "OPENVAS:1361412562310871581", "type": "openvas", "title": "RedHat Update for tomcat6 RHSA-2016:0492-01", "description": "Check the version of tomcat6", "published": "2016-03-23T00:00:00", "cvss": {"score": 5.0, "vector": 
"AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871581", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-07-27T10:54:30"}, {"id": "OPENVAS:1361412562310122909", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2016-0492", "description": "Oracle Linux Local Security Checks ELSA-2016-0492", "published": "2016-03-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310122909", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-07-24T12:54:26"}, {"id": "OPENVAS:1361412562310120646", "type": "openvas", "title": "Amazon Linux Local Check: alas-2016-656", "description": "Amazon Linux Local Security Checks", "published": "2016-03-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120646", "cvelist": ["CVE-2014-0230", "CVE-2014-7810"], "lastseen": "2017-07-24T12:54:33"}, {"id": "OPENVAS:1361412562310120647", "type": "openvas", "title": "Amazon Linux Local Check: alas-2016-657", "description": "Amazon Linux Local Security Checks", "published": "2016-03-11T00:00:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120647", "cvelist": ["CVE-2015-5346", "CVE-2015-5174", "CVE-2014-7810"], "lastseen": "2017-07-24T12:54:10"}, {"id": "OPENVAS:1361412562310842262", "type": "openvas", "title": "Ubuntu Update for tomcat6 USN-2655-1", "description": "Check the version of tomcat6", "published": "2015-06-26T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310842262", "cvelist": ["CVE-2014-0227", "CVE-2014-0230", "CVE-2014-7810"], "lastseen": "2017-12-04T11:24:28"}], "debian": 
[{"id": "DSA-3447", "type": "debian", "title": "tomcat7 -- security update", "description": "It was discovered that malicious web applications could use the Expression Language to bypass protections of a Security Manager as expressions were evaluated within a privileged code section.\n\nFor the oldstable distribution (wheezy), this problem has been fixed in version 7.0.28-4+deb7u3. This update also provides fixes for [CVE-2013-4444](<https://security-tracker.debian.org/tracker/CVE-2013-4444>), [CVE-2014-0075](<https://security-tracker.debian.org/tracker/CVE-2014-0075>), [CVE-2014-0099](<https://security-tracker.debian.org/tracker/CVE-2014-0099>), [CVE-2014-0227](<https://security-tracker.debian.org/tracker/CVE-2014-0227>) and [CVE-2014-0230](<https://security-tracker.debian.org/tracker/CVE-2014-0230>), which were all fixed for the stable distribution (jessie) already.\n\nFor the stable distribution (jessie), this problem has been fixed in version 7.0.56-3+deb8u1.\n\nFor the testing distribution (stretch), this problem has been fixed in version 7.0.61-1.\n\nFor the unstable distribution (sid), this problem has been fixed in version 7.0.61-1.\n\nWe recommend that you upgrade your tomcat7 packages.", "published": "2016-01-17T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://www.debian.org/security/dsa-3447", "cvelist": ["CVE-2014-7810"], "lastseen": "2016-09-02T18:26:57"}, {"id": "DSA-3428", "type": "debian", "title": "tomcat8 -- security update", "description": "It was discovered that malicious web applications could use the Expression Language to bypass protections of a Security Manager as expressions were evaluated within a privileged code section.\n\nFor the stable distribution (jessie), this problem has been fixed in version 8.0.14-1+deb8u1.\n\nFor the testing distribution (stretch), this problem has been fixed in version 8.0.21-2.\n\nFor the unstable distribution (sid), this problem has been fixed 
in version 8.0.21-2.\n\nWe recommend that you upgrade your tomcat8 packages.", "published": "2015-12-18T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://www.debian.org/security/dsa-3428", "cvelist": ["CVE-2014-7810"], "lastseen": "2016-09-02T18:23:36"}, {"id": "DLA-232", "type": "debian", "title": "tomcat6 -- LTS security update", "description": "The following vulnerabilities were found in Apache Tomcat 6:\n\n * [CVE-2014-0227](<https://security-tracker.debian.org/tracker/CVE-2014-0227>)\n\nThe Tomcat security team identified that it was possible to conduct HTTP request smuggling attacks or cause a DoS by streaming malformed data.\n\n * [CVE-2014-0230](<https://security-tracker.debian.org/tracker/CVE-2014-0230>)\n\nAntBean@secdig, from the Baidu Security Team, disclosed that it was possible to cause a limited DoS attack by feeding data by aborting an upload.\n\n * [CVE-2014-7810](<https://security-tracker.debian.org/tracker/CVE-2014-7810>)\n\nThe Tomcat security team identified that malicious web applications could bypass the Security Manager by the use of expression language.\n\nFor Debian 6 Squeeze, these issues have been fixed in tomcat6 version 6.0.41-2+squeeze7.", "published": "2015-05-28T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/2015/dla-232", "cvelist": ["CVE-2014-0227", "CVE-2014-0230", "CVE-2014-7810"], "lastseen": "2016-09-02T12:57:06"}, {"id": "DSA-3530", "type": "debian", "title": "tomcat6 -- security update", "description": "Multiple security vulnerabilities have been fixed in the Tomcat servlet and JSP engine, which may result on bypass of security manager restrictions, information disclosure, denial of service or session fixation.\n\nFor the oldstable distribution (wheezy), these problems have been fixed in version 6.0.45+dfsg-1~deb7u1.\n\nWe recommend that you upgrade your tomcat6 
packages.", "published": "2016-03-25T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3530", "cvelist": ["CVE-2015-5351", "CVE-2014-0227", "CVE-2014-0230", "CVE-2016-0714", "CVE-2015-5345", "CVE-2016-0763", "CVE-2014-0099", "CVE-2014-0119", "CVE-2013-4322", "CVE-2015-5346", "CVE-2013-4286", "CVE-2015-5174", "CVE-2013-4590", "CVE-2014-7810", "CVE-2016-0706", "CVE-2014-0096", "CVE-2014-0075", "CVE-2014-0033"], "lastseen": "2016-09-02T18:24:14"}], "redhat": [{"id": "RHSA-2016:0492", "type": "redhat", "title": "(RHSA-2016:0492) Moderate: tomcat6 security and bug fix update", "description": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was found that the expression language resolver evaluated expressions\nwithin a privileged code section. A malicious web application could use\nthis flaw to bypass security manager protections. (CVE-2014-7810)\n\nThis update also fixes the following bug:\n\n* Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 \nservlet resulted in a large memory leak. An upstream patch has been applied\nto fix this bug, and the memory leak no longer occurs. (BZ#1301646)\n\nAll Tomcat 6 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. 
Tomcat must be\nrestarted for this update to take effect.\n", "published": "2016-03-22T04:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2016:0492", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-03-10T13:18:33"}, {"id": "RHSA-2016:22545", "type": "redhat", "title": "(RHSA-2016:22545) Moderate: tomcat6 security and bug fix update", "description": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was found that the expression language resolver evaluated expressions\nwithin a privileged code section. A malicious web application could use\nthis flaw to bypass security manager protections. (CVE-2014-7810)\n\nThis update also fixes the following bug:\n\n* Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 \nservlet resulted in a large memory leak. An upstream patch has been applied\nto fix this bug, and the memory leak no longer occurs. (BZ#1301646)\n\nAll Tomcat 6 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. Tomcat must be\nrestarted for this update to take effect.\n", "published": "2016-01-25T05:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://access.redhat.com/errata/RHSA-2016:22545", "cvelist": ["CVE-2014-7810"], "lastseen": "2016-03-17T18:30:27"}, {"id": "RHSA-2015:1622", "type": "redhat", "title": "(RHSA-2015:1622) Moderate: Red Hat JBoss Web Server 2.1.0 tomcat security update", "description": "Red Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. 
It is comprised of the Apache\nHTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector\n(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat\nNative library.\n\nIt was found that the expression language resolver evaluated expressions\nwithin a privileged code section. A malicious web application could use\nthis flaw to bypass security manager protections. (CVE-2014-7810)\n\nIt was found that Tomcat would keep connections open after processing\nrequests with a large enough request body. A remote attacker could\npotentially use this flaw to exhaust the pool of available connections and\nprevent further legitimate connections to the Tomcat server from being made.\n(CVE-2014-0230)\n\nAll users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat\nCustomer Portal are advised to apply this update. The Red Hat JBoss Web\nServer process must be restarted for the update to take effect.", "published": "2015-08-13T19:24:28", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:1622", "cvelist": ["CVE-2014-0230", "CVE-2014-7810"], "lastseen": "2018-03-19T12:36:55"}, {"id": "RHSA-2016:2046", "type": "redhat", "title": "(RHSA-2016:2046) Important: tomcat security update", "description": "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* It was discovered that the Tomcat packages installed the configuration file /usr/lib/tmpfiles.d/tomcat.conf as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. 
A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)\n\n* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)\n\n* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)\n\nRed Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. 
The CVE-2016-6325 issue was discovered by Red Hat Product Security.", "published": "2016-10-10T22:29:51", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2016:2046", "cvelist": ["CVE-2014-7810", "CVE-2015-5346", "CVE-2016-5388", "CVE-2016-5425", "CVE-2016-6325"], "lastseen": "2018-04-15T14:24:38"}], "nessus": [{"id": "ORACLELINUX_ELSA-2016-0492.NASL", "type": "nessus", "title": "Oracle Linux 6 : tomcat6 (ELSA-2016-0492)", "description": "From Red Hat Security Advisory 2016:0492 :\n\nUpdated tomcat6 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nIt was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)\n\nThis update also fixes the following bug :\n\n* Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 servlet resulted in a large memory leak. An upstream patch has been applied to fix this bug, and the memory leak no longer occurs.\n(BZ#1301646)\n\nAll Tomcat 6 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 
Tomcat must be restarted for this update to take effect.", "published": "2016-03-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90111", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-10-29T13:46:12"}, {"id": "DEBIAN_DSA-3447.NASL", "type": "nessus", "title": "Debian DSA-3447-1 : tomcat7 - security update", "description": "It was discovered that malicious web applications could use the Expression Language to bypass protections of a Security Manager as expressions were evaluated within a privileged code section.", "published": "2016-01-19T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=87979", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-10-29T13:43:10"}, {"id": "REDHAT-RHSA-2016-0492.NASL", "type": "nessus", "title": "RHEL 6 : tomcat6 (RHSA-2016:0492)", "description": "Updated tomcat6 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nIt was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)\n\nThis update also fixes the following bug :\n\n* Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 servlet resulted in a large memory leak. 
An upstream patch has been applied to fix this bug, and the memory leak no longer occurs.\n(BZ#1301646)\n\nAll Tomcat 6 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.", "published": "2016-03-23T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90115", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-10-29T13:38:08"}, {"id": "CENTOS_RHSA-2016-0492.NASL", "type": "nessus", "title": "CentOS 6 : tomcat6 (CESA-2016:0492)", "description": "Updated tomcat6 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nIt was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)\n\nThis update also fixes the following bug :\n\n* Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 servlet resulted in a large memory leak. An upstream patch has been applied to fix this bug, and the memory leak no longer occurs.\n(BZ#1301646)\n\nAll Tomcat 6 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. 
Tomcat must be restarted for this update to take effect.", "published": "2016-03-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90121", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-10-29T13:35:28"}, {"id": "SL_20160323_TOMCAT6_ON_SL6_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : tomcat6 on SL6.x i386/x86_64", "description": "It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)\n\nThis update also fixes the following bug :\n\n - Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 servlet resulted in a large memory leak.\n An upstream patch has been applied to fix this bug, and the memory leak no longer occurs.\n\nTomcat must be restarted for this update to take effect.", "published": "2016-03-24T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=90146", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-10-29T13:35:42"}, {"id": "TOMCAT_8_0_17.NASL", "type": "nessus", "title": "Apache Tomcat 8.0.x < 8.0.17 Security Manager Bypass", "description": "According to its self-reported version number, the Apache Tomcat server listening on the remote host is 8.0.x prior to 8.0.17. It is, therefore, affected by a security bypass vulnerability due to a flaw that occurs when handling expression language. 
A remote attacker can exploit this, via a crafted web application, to bypass the security manager protection and execute arbitrary code.\n\nNote that Nessus has not attempted to exploit this issue but has instead relied only on the application's self-reported version number.", "published": "2015-05-21T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83765", "cvelist": ["CVE-2014-7810"], "lastseen": "2018-01-24T11:03:08"}, {"id": "TOMCAT_7_0_59.NASL", "type": "nessus", "title": "Apache Tomcat 7.0.x < 7.0.59 Security Manager Bypass", "description": "According to its self-reported version number, the Apache Tomcat server listening on the remote host is 7.0.x prior to 7.0.59. It is, therefore, affected by a security bypass vulnerability due to a flaw that occurs when handling expression language. A remote attacker can exploit this, via a crafted web application, to bypass the security manager protection and execute arbitrary code.\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "published": "2015-05-21T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83764", "cvelist": ["CVE-2014-7810"], "lastseen": "2018-01-24T10:59:46"}, {"id": "FREEBSD_PKG_25E0593D13C011E59AFB3C970E169BC2.NASL", "type": "nessus", "title": "FreeBSD : tomcat -- multiple vulnerabilities (25e0593d-13c0-11e5-9afb-3c970e169bc2)", "description": "Apache Software Foundation reports :\n\nLow: Denial of Service CVE-2014-0230\n\nWhen a response for a request with a request body is returned to the user agent before the request body is fully read, by default Tomcat swallows the remaining request body so that the next request on the connection may be processed. 
There was no limit to the size of request body that Tomcat would swallow. This permitted a limited Denial of Service as Tomcat would never close the connection and a processing thread would remain allocated to the connection.\n\nModerate: Security Manager bypass CVE-2014-7810\n\nMalicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section.", "published": "2015-06-16T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=84201", "cvelist": ["CVE-2014-0230", "CVE-2014-7810"], "lastseen": "2017-10-29T13:34:29"}, {"id": "REDHAT-RHSA-2015-1622.NASL", "type": "nessus", "title": "RHEL 5 / 6 : JBoss Web Server (RHSA-2015:1622)", "description": "Updated tomcat6 and tomcat7 packages that fix two security issues are now available for Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 5, 6, and 7.\n\nRed Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nRed Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nIt was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)\n\nIt was found that Tomcat would keep connections open after processing requests with a large enough request body. 
A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further legitimate connections to the Tomcat server from being made. (CVE-2014-0230)\n\nAll users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat Customer Portal are advised to apply this update. The Red Hat JBoss Web Server process must be restarted for the update to take effect.", "published": "2015-08-17T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=85441", "cvelist": ["CVE-2014-0230", "CVE-2014-7810"], "lastseen": "2017-10-29T13:42:45"}, {"id": "ALA_ALAS-2016-656.NASL", "type": "nessus", "title": "Amazon Linux AMI : tomcat6 (ALAS-2016-656)", "description": "It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)\n\nIt was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further legitimate connections to the Tomcat server from being made. 
(CVE-2014-0230)", "published": "2016-03-11T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=89837", "cvelist": ["CVE-2014-0230", "CVE-2014-7810"], "lastseen": "2018-04-19T08:11:03"}], "oraclelinux": [{"id": "ELSA-2016-0492", "type": "oraclelinux", "title": "tomcat6 security and bug fix update", "description": "[0:6.0.24-94]\n- Resolves: rhbz#1293289 CVE-2014-7810 tomcat6 security manager bypass via EL expressions\n[0:6.0.24-93]\n- Resolves: rhbz#1301646 Resolving NIO connector memory leak", "published": "2016-03-22T00:00:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-0492.html", "cvelist": ["CVE-2014-7810"], "lastseen": "2016-09-04T11:16:00"}, {"id": "ELSA-2016-2046", "type": "oraclelinux", "title": "tomcat security update", "description": "[0:7.0.54-8]\n- Resolves: rhbz#1368121\n[0:7.0.54-7]\n- Resolves: rhbz#1362212 Tomcat: CGI sets environmental variable based on user supplied Proxy request header\n- Resolves: rhbz#1368121\n[0:7.0.54-5]\n- Resolves: rhbz#1362567\n[0:7.0.54-4]\n- Resolves: CVE-2015-5346\n[0:7.0.54-3]\n- Resolves: CVE-2014-7810", "published": "2016-10-10T00:00:00", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-2046.html", "cvelist": ["CVE-2016-5425", "CVE-2016-6325", "CVE-2016-5388", "CVE-2015-5346", "CVE-2014-7810"], "lastseen": "2016-11-25T17:23:42"}, {"id": "ELSA-2016-2599", "type": "oraclelinux", "title": "tomcat security, bug fix, and enhancement update", "description": "[0:7.0.69-10]\n- Related: rhbz#1368122\n[0:7.0.69-9]\n- Resolves: rhbz#1362213 Tomcat: CGI sets environmental variable based on user supplied Proxy request header\n- Resolves: rhbz#1368122\n[0:7.0.69-7]\n- Resolves: rhbz#1362545\n[0:7.0.69-6]\n- Related: rhbz#1201409 
Added /etc/sysconfig/tomcat to the systemd unit for tomcat-jsvc.service\n[0:7.0.69-5]\n- Resolves: rhbz#1347860 The systemd service unit does not allow tomcat to shut down gracefully\n[0:7.0.69-4]\n- Resolves: rhbz#1350438 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service\n[0:7.0.69-3]\n- Resolves: rhbz#1347774 The security manager doesn't work correctly (JSPs cannot be compiled)\n[0:7.0.69-2]\n- Rebase Resolves: rhbz#1311622 Getting NoSuchElementException while handling attributes with empty string value in tomcat\n- Rebase Resolves: rhbz#1320853 Add HSTS support\n- Rebase Resolves: rhbz#1293292 CVE-2014-7810 tomcat: Tomcat/JBossWeb: security manager bypass via EL expressions\n- Rebase Resolves: rhbz#1347144 CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet\n- Rebase Resolves: rhbz#1347139 CVE-2015-5346 tomcat: Session fixation\n- Rebase Resolves: rhbz#1347136 CVE-2015-5345 tomcat: directory disclosure\n- Rebase Resolves: rhbz#1347129 CVE-2015-5174 tomcat: URL Normalization issue\n- Rebase Resolves: rhbz#1347146 CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()\n- Rebase Resolves: rhbz#1347142 CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms\n- Rebase Resolves: rhbz#1347133 CVE-2015-5351 tomcat: CSRF token leak\n[0:7.0.69-1]\n- Resolves: rhbz#1287928 Rebase to tomcat 7.0.69\n- Resolves: rhbz#1327326 rpm -V tomcat fails on /var/log/tomcat/catalina.out\n- Resolves: rhbz#1277197 tomcat user has non-existing default shell set\n- Resolves: rhbz#1240279 The command tomcat-digest doesn't work with RHEL 7\n- Resolves: rhbz#1229476 Tomcat startup ONLY options\n- Resolves: rhbz#1133070 Need to include full implementation of tomcat-juli.jar and tomcat-juli-adapters.jar\n- Resolves: rhbz#1201409 Fix the broken tomcat-jsvc service unit\n- Resolves: rhbz#1221896 tomcat.service loads /etc/sysconfig/tomcat without shell expansion\n- Resolves: rhbz#1208402 Mark web.xml in 
tomcat-admin-webapps as config file", "published": "2016-11-09T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2016-2599.html", "cvelist": ["CVE-2015-5351", "CVE-2016-0714", "CVE-2016-3092", "CVE-2015-5345", "CVE-2016-0763", "CVE-2015-5346", "CVE-2015-5174", "CVE-2014-7810", "CVE-2016-0706"], "lastseen": "2016-11-09T21:24:04"}, {"id": "ELSA-2017-2247", "type": "oraclelinux", "title": "tomcat security, bug fix, and enhancement update", "description": "[0:7.0.76-2]\n- Resolves: rhbz#1459747 CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism\n- Resolves: rhbz#1441481 CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used\n[0:7.0.76-1]\n- Resolves: rhbz#1414895 Rebase tomcat to the current release\n[0:7.0.69-10]\n- Related: rhbz#1368122\n[0:7.0.69-9]\n- Resolves: rhbz#1362213 Tomcat: CGI sets environmental variable based on user supplied Proxy request header\n- Resolves: rhbz#1368122\n[0:7.0.69-7]\n- Resolves: rhbz#1362545\n[0:7.0.69-6]\n- Related: rhbz#1201409 Added /etc/sysconfig/tomcat to the systemd unit for tomcat-jsvc.service\n[0:7.0.69-5]\n- Resolves: rhbz#1347860 The systemd service unit does not allow tomcat to shut down gracefully\n[0:7.0.69-4]\n- Resolves: rhbz#1350438 CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service\n[0:7.0.69-3]\n- Resolves: rhbz#1347774 The security manager doesn't work correctly (JSPs cannot be compiled)\n[0:7.0.69-2]\n- Rebase Resolves: rhbz#1311622 Getting NoSuchElementException while handling attributes with empty string value in tomcat\n- Rebase Resolves: rhbz#1320853 Add HSTS support\n- Rebase Resolves: rhbz#1293292 CVE-2014-7810 tomcat: Tomcat/JBossWeb: security manager bypass via EL expressions\n- Rebase Resolves: rhbz#1347144 CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet\n- Rebase Resolves: rhbz#1347139 
CVE-2015-5346 tomcat: Session fixation\n- Rebase Resolves: rhbz#1347136 CVE-2015-5345 tomcat: directory disclosure\n- Rebase Resolves: rhbz#1347129 CVE-2015-5174 tomcat: URL Normalization issue\n- Rebase Resolves: rhbz#1347146 CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()\n- Rebase Resolves: rhbz#1347142 CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms\n- Rebase Resolves: rhbz#1347133 CVE-2015-5351 tomcat: CSRF token leak\n[0:7.0.69-1]\n- Resolves: rhbz#1287928 Rebase to tomcat 7.0.69\n- Resolves: rhbz#1327326 rpm -V tomcat fails on /var/log/tomcat/catalina.out\n- Resolves: rhbz#1277197 tomcat user has non-existing default shell set\n- Resolves: rhbz#1240279 The command tomcat-digest doesn't work with RHEL 7\n- Resolves: rhbz#1229476 Tomcat startup ONLY options\n- Resolves: rhbz#1133070 Need to include full implementation of tomcat-juli.jar and tomcat-juli-adapters.jar\n- Resolves: rhbz#1201409 Fix the broken tomcat-jsvc service unit\n- Resolves: rhbz#1221896 tomcat.service loads /etc/sysconfig/tomcat without shell expansion\n- Resolves: rhbz#1208402 Mark web.xml in tomcat-admin-webapps as config file\n[0:7.0.54-2]\n- Resolves: CVE-2014-0227\n[0:7.0.54-1]\n- Resolves: rhbz#1141372 - Remove systemv artifacts. Add new systemd\n- artifacts. Rebase on 7.0.54.\n[0:7.0.43-6]\n- Resolves: CVE-2014-0099\n- Resolves: CVE-2014-0096\n- Resolves: CVE-2014-0075\n[0:7.0.42-5]\n- Related: CVE-2013-4286\n- Related: CVE-2013-4322\n- Related: CVE-2014-0050\n- revisit patches for above.\n[0:7.0.42-4]\n- Related: rhbz#1056696 correct packaging for sbin tomcat\n[0:7.0.42-3]\n- Related: CVE-2013-4286. increment build number. missed doing\n- it.\n- Resolves: rhbz#1038183 remove BR for ant-nodeps. 
it's\n- no long used.\n[0:7.0.42-2]\n- Resolves: rhbz#1056673 Invocation of useradd with shell\n- other than sbin nologin\n- Resolves: rhbz#1056677 preun systemv scriptlet unconditionally\n- stops service\n- Resolves: rhbz#1056696 init.d tomcat does not conform to RHEL7\n- systemd rules. systemv subpackage is removed.\n- Resolves: CVE-2013-4286\n- Resolves: CVE-2013-4322\n- Resolves: CVE-2014-0050\n- Built for rhel-7 RC\n[0:7.0.42-1]\n- Resolves: rhbz#1051657 update to 7.0.42. Ant-nodeps is\n- deprecated.\n[07.0.40-3]\n- Mass rebuild 2013-12-27\n[0:7.0.40-1]\n- Updated to 7.0.40\n- Resolves: rhbz 956569 added missing commons-pool link\n[0:7.0.37-2]\n- Add depmaps for org.eclipse.jetty.orbit\n- Resolves: rhbz#917626\n[0:7.0.39-1]\n- Updated to 7.0.39\n[0:7.0.37-1]\n- Updated to 7.0.37\n[0:7.0.35-1]\n- Updated to 7.0.35\n- systemd SuccessExitStatus=143 for proper stop exit code processing\n[0:7.0.34-1]\n- Updated to 7.0.34\n- ecj >= 4.2.1 now required\n- Resolves: rhbz 889395 concat classpath correctly; chdir to \n[0:7.0.33-2]\n- Resolves: rhbz 883806 refix logdir ownership\n[0:7.0.33-1]\n- Updated to 7.0.33\n- Resolves: rhbz 873620 need chkconfig for update-alternatives\n[0:7.0.32-1]\n- Updated to 7.0.32\n- Resolves: rhbz 842620 symlinks to taglibs\n[0:7.0.29-1]\n- Updated to 7.0.29\n- Add pidfile as tmpfile\n- Use systemd for running as unprivileged user\n- Resolves: rhbz 847751 upgrade path was broken\n- Resolves: rhbz 850343 use new systemd-rpm macros\n[0:7.0.28-2]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_18_Mass_Rebuild\n[0:7.0.28-1]\n- Updated to 7.0.28\n- Resolves: rhbz 820119 Remove bundled apache-commons-dbcp\n- Resolves: rhbz 814900 Added tomcat-coyote POM\n- Resolves: rhbz 810775 Remove systemv stuff from %post scriptlet\n- Remove redhat-lsb R\n[0:7.0.27-2]\n- Fixed native download hack\n[0:7.0.27-1]\n- Updated to 7.0.27\n- Fixed jakarta-taglibs-standard BR and R\n[0:7.0.26-2]\n- Add more depmaps to J2EE apis to help jetty/glassfish 
updates\n[0:7.0.26-2]\n- Added the POM files for tomcat-api and tomcat-util (#803495)\n[0:7.0.26-1]\n- Updated to 7.0.26\n- Bug 790334: Change ownership of logdir for logrotate\n[0:7.0.25-4]\n- Bug 790694: Priorities of jsp, servlet and el packages updated.\n[0:7.0.25-3]\n- Dropped indirect dependecy to tomcat 5\n[0:7.0.25-2]\n- Added hack for maven depmap of tomcat-juli absolute link [ -f ] pass correctly\n[0:7.0.25-1]\n- Updated to 7.0.25\n- Removed EntityResolver patch (changes already in upstream sources)\n- Place poms and depmaps in the same package as jars\n- Added javax.servlet.descriptor to export-package of servlet-api\n- Move several chkconfig actions and reqs to systemv subpackage\n- New maven depmaps generation method\n- Add patch to support java7. (patch sent upstream).\n- Require java >= 1:1.6.0\n[0:7.0.23-5]\n- Exported javax.servlet.* packages in version 3.0 as 2.6 to make\n servlet-api compatible with Eclipse.\n[0:7.0.23-4]\n- Move jsvc support to subpackage\n[0:7.0.23-2]\n- Add EntityResolver setter patch to jasper for jetty's need. (patch sent upstream).\n[0:7.0.23-3]\n- Added support to /usr/sbin/tomcat-sysd and /usr/sbin/tomcat for\n starting tomcat with jsvc, which allows tomcat to perform some\n privileged operations (e.g. bind to a port < 1024) and then switch\n identity to a non-privileged user. 
Must add USE_JSVC='true' to\n /etc/tomcat/tomcat.conf or /etc/sysconfig/tomcat.\n[0:7.0.23-1]\n- Updated to 7.0.23\n[0:7.0.22-2]\n- Move tomcat-juli.jar to lib package\n- Drop %update_maven_depmap as in tomcat6\n- Provide native systemd unit file ported from tomcat6\n[0:7.0.22-1]\n- Updated to 7.0.22\n[0:7.0.21-3.1]\n- rebuild (java), rel-eng#4932\n[0:7.0.21-3]\n- Fix basedir mode\n[0:7.0.21-2]\n- Add manifests for el-api, jasper-el, jasper, tomcat, and tomcat-juli.\n[0:7.0.21-1]\n- Updated to 7.0.21\n[0:7.0.20-3]\n- Require java = 1:1.6.0\n[0:7.0.20-2]\n- Require java < 1.7.0\n[0:7.0.20-1]\n- Updated to 7.0.20\n[0:7.0.19-1]\n- Updated to 7.0.19\n[0:7.0.16-1]\n- Updated to 7.0.16\n[0:7.0.14-3]\n- Added initial systemd service\n- Fix some paths\n[0:7.0.14-2]\n- Fixed http source link\n- Securify some permissions\n- Added licenses for el-api and servlet-api\n- Added dependency on jpackage-utils for the javadoc subpackage\n[0:7.0.14-1]\n- Updated to 7.0.14\n[0:7.0.12-4]\n- Provided local paths for libs\n- Fixed dependencies\n- Fixed update temp/work cleanup\n[0:7.0.12-3]\n- Fixed package groups\n- Fixed some permissions\n- Fixed some links\n- Removed old tomcat6 crap\n[0:7.0.12-2]\n- Package now named just tomcat instead of tomcat7\n- Removed Provides: tomcat-log4j\n- Switched to apache-commons-* names instead of jakarta-commons-* .\n- Remove the old changelog\n- BR/R java >= 1:1.6.0 , same for java-devel\n- Removed old tomcat6 crap\n[0:7.0.12-1]\n- Tomcat7", "published": "2017-08-07T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2017-2247.html", "cvelist": ["CVE-2015-5351", "CVE-2016-6796", "CVE-2014-0227", "CVE-2016-0714", "CVE-2016-3092", "CVE-2015-5345", "CVE-2016-0762", "CVE-2016-0763", "CVE-2014-0099", "CVE-2017-5647", "CVE-2013-4322", "CVE-2014-0050", "CVE-2015-5346", "CVE-2013-4286", "CVE-2015-5174", "CVE-2016-5018", "CVE-2014-7810", "CVE-2016-0706", 
"CVE-2017-5664", "CVE-2014-0096", "CVE-2014-0075", "CVE-2016-6794", "CVE-2016-6797"], "lastseen": "2017-08-08T04:23:44"}], "centos": [{"id": "CESA-2016:0492", "type": "centos", "title": "tomcat6 security update", "description": "**CentOS Errata and Security Advisory** CESA-2016:0492\n\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer\nPages (JSP) technologies.\n\nIt was found that the expression language resolver evaluated expressions\nwithin a privileged code section. A malicious web application could use\nthis flaw to bypass security manager protections. (CVE-2014-7810)\n\nThis update also fixes the following bug:\n\n* Previously, using a New I/O (NIO) connector in the Apache Tomcat 6 \nservlet resulted in a large memory leak. An upstream patch has been applied\nto fix this bug, and the memory leak no longer occurs. (BZ#1301646)\n\nAll Tomcat 6 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues. Tomcat must be\nrestarted for this update to take effect.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-March/021766.html\n\n**Affected packages:**\ntomcat6\ntomcat6-admin-webapps\ntomcat6-docs-webapp\ntomcat6-el-2.1-api\ntomcat6-javadoc\ntomcat6-jsp-2.1-api\ntomcat6-lib\ntomcat6-servlet-2.5-api\ntomcat6-webapps\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-0492.html", "published": "2016-03-23T13:09:57", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:PARTIAL/A:NONE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2016-March/021766.html", "cvelist": ["CVE-2014-7810"], "lastseen": "2017-10-03T18:25:14"}, {"id": "CESA-2016:2046", "type": "centos", "title": "tomcat security update", "description": "**CentOS Errata and Security Advisory** CESA-2016:2046\n\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity 
Fix(es):\n\n* It was discovered that the Tomcat packages installed the configuration file /usr/lib/tmpfiles.d/tomcat.conf as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)\n\n* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)\n\n* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)\n\nRed Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. 
The CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2016-October/022121.html\n\n**Affected packages:**\ntomcat\ntomcat-admin-webapps\ntomcat-docs-webapp\ntomcat-el-2.2-api\ntomcat-javadoc\ntomcat-jsp-2.2-api\ntomcat-jsvc\ntomcat-lib\ntomcat-servlet-3.0-api\ntomcat-webapps\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2016-2046.html", "published": "2016-10-11T18:36:52", "cvss": {"score": 7.2, "vector": "AV:LOCAL/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2016-October/022121.html", "cvelist": ["CVE-2016-5425", "CVE-2016-6325", "CVE-2016-5388", "CVE-2015-5346", "CVE-2014-7810"], "lastseen": "2017-10-03T18:26:54"}], "amazon": [{"id": "ALAS-2016-656", "type": "amazon", "title": "Medium: tomcat6", "description": "**Issue Overview:**\n\nIt was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. ([CVE-2014-7810 __](<https://access.redhat.com/security/cve/CVE-2014-7810>))\n\nIt was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further legitimate connections to the Tomcat server from being made. ([CVE-2014-0230 __](<https://access.redhat.com/security/cve/CVE-2014-0230>))\n\n \n**Affected Packages:** \n\n\ntomcat6\n\n \n**Issue Correction:** \nRun _yum update tomcat6_ to update your system. 
\n\n\n \n**New Packages:**\n \n \n noarch: \n tomcat6-el-2.1-api-6.0.44-1.3.amzn1.noarch \n tomcat6-6.0.44-1.3.amzn1.noarch \n tomcat6-lib-6.0.44-1.3.amzn1.noarch \n tomcat6-servlet-2.5-api-6.0.44-1.3.amzn1.noarch \n tomcat6-admin-webapps-6.0.44-1.3.amzn1.noarch \n tomcat6-javadoc-6.0.44-1.3.amzn1.noarch \n tomcat6-jsp-2.1-api-6.0.44-1.3.amzn1.noarch \n tomcat6-webapps-6.0.44-1.3.amzn1.noarch \n tomcat6-docs-webapp-6.0.44-1.3.amzn1.noarch \n \n src: \n tomcat6-6.0.44-1.3.amzn1.src \n \n \n", "published": "2016-03-10T16:30:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2016-656.html", "cvelist": ["CVE-2014-0230", "CVE-2014-7810"], "lastseen": "2016-09-28T21:04:00"}, {"id": "ALAS-2016-658", "type": "amazon", "title": "Medium: tomcat8", "description": "**Issue Overview:**\n\nA directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. ([CVE-2015-5174 __](<https://access.redhat.com/security/cve/CVE-2015-5174>))\n\nThe Mapper component processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. ([CVE-2015-5345 __](<https://access.redhat.com/security/cve/CVE-2015-5345>))\n\nIt was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. ([CVE-2014-7810 __](<https://access.redhat.com/security/cve/CVE-2014-7810>))\n\n \n**Affected Packages:** \n\n\ntomcat8\n\n \n**Issue Correction:** \nRun _yum update tomcat8_ to update your system. 
\n\n\n \n**New Packages:**\n \n \n noarch: \n tomcat8-8.0.30-1.57.amzn1.noarch \n tomcat8-log4j-8.0.30-1.57.amzn1.noarch \n tomcat8-lib-8.0.30-1.57.amzn1.noarch \n tomcat8-admin-webapps-8.0.30-1.57.amzn1.noarch \n tomcat8-javadoc-8.0.30-1.57.amzn1.noarch \n tomcat8-servlet-3.1-api-8.0.30-1.57.amzn1.noarch \n tomcat8-el-3.0-api-8.0.30-1.57.amzn1.noarch \n tomcat8-docs-webapp-8.0.30-1.57.amzn1.noarch \n tomcat8-jsp-2.3-api-8.0.30-1.57.amzn1.noarch \n tomcat8-webapps-8.0.30-1.57.amzn1.noarch \n \n src: \n tomcat8-8.0.30-1.57.amzn1.src \n \n \n", "published": "2016-03-10T16:30:00", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "href": "https://alas.aws.amazon.com/ALAS-2016-658.html", "cvelist": ["CVE-2015-5345", "CVE-2015-5174", "CVE-2014-7810"], "lastseen": "2016-09-28T21:04:03"}, {"id": "ALAS-2016-657", "type": "amazon", "title": "Medium: tomcat7", "description": "**Issue Overview:**\n\nA directory traversal vulnerability in RequestUtil.java was discovered which allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. ([CVE-2015-5174 __](<https://access.redhat.com/security/cve/CVE-2015-5174>))\n\nA session fixation vulnerability was discovered that might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request when different session settings are used for deployments of multiple versions of the same web application. ([CVE-2015-5346 __](<https://access.redhat.com/security/cve/CVE-2015-5346>))\n\nIt was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. 
([CVE-2014-7810 __](<https://access.redhat.com/security/cve/CVE-2014-7810>))\n\n \n**Affected Packages:** \n\n\ntomcat7\n\n \n**Issue Correction:** \nRun _yum update tomcat7_ to update your system. \n\n\n \n**New Packages:**\n \n \n noarch: \n tomcat7-el-2.2-api-7.0.67-1.13.amzn1.noarch \n tomcat7-log4j-7.0.67-1.13.amzn1.noarch \n tomcat7-7.0.67-1.13.amzn1.noarch \n tomcat7-docs-webapp-7.0.67-1.13.amzn1.noarch \n tomcat7-webapps-7.0.67-1.13.amzn1.noarch \n tomcat7-admin-webapps-7.0.67-1.13.amzn1.noarch \n tomcat7-lib-7.0.67-1.13.amzn1.noarch \n tomcat7-jsp-2.2-api-7.0.67-1.13.amzn1.noarch \n tomcat7-servlet-3.0-api-7.0.67-1.13.amzn1.noarch \n tomcat7-javadoc-7.0.67-1.13.amzn1.noarch \n \n src: \n tomcat7-7.0.67-1.13.amzn1.src \n \n \n", "published": "2016-03-10T16:30:00", "cvss": {"score": 6.8, "vector": "AV:NETWORK/AC:MEDIUM/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}, "href": "https://alas.aws.amazon.com/ALAS-2016-657.html", "cvelist": ["CVE-2015-5346", "CVE-2015-5174", "CVE-2014-7810"], "lastseen": "2016-09-28T21:03:59"}], "freebsd": [{"id": "25E0593D-13C0-11E5-9AFB-3C970E169BC2", "type": "freebsd", "title": "tomcat -- multiple vulnerabilities", "description": "\nApache Software Foundation reports:\n\nLow: Denial of Service CVE-2014-0230\nWhen a response for a request with a request body is\n\t returned to the user agent before the request body is\n\t fully read, by default Tomcat swallows the remaining\n\t request body so that the next request on the connection\n\t may be processed. There was no limit to the size of\n\t request body that Tomcat would swallow. 
This permitted\n\t a limited Denial of Service as Tomcat would never close\n\t the connection and a processing thread would remain\n\t allocated to the connection.\nModerate: Security Manager bypass CVE-2014-7810\nMalicious web applications could use expression\n\t language to bypass the protections of a Security\n\t Manager as expressions were evaluated within a\n\t privileged code section.\n\n", "published": "2015-05-12T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/25e0593d-13c0-11e5-9afb-3c970e169bc2.html", "cvelist": ["CVE-2014-0230", "CVE-2014-7810"], "lastseen": "2017-03-18T03:16:18"}], "ubuntu": [{"id": "USN-2655-1", "type": "ubuntu", "title": "Tomcat vulnerabilities", "description": "It was discovered that Tomcat incorrectly handled data with malformed chunked transfer coding. A remote attacker could possibly use this issue to conduct HTTP request smuggling attacks, or cause Tomcat to consume resources, resulting in a denial of service. (CVE-2014-0227)\n\nIt was discovered that Tomcat incorrectly handled HTTP responses occurring before the entire request body was finished being read. A remote attacker could possibly use this issue to cause a limited denial of service. (CVE-2014-0230)\n\nIt was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a SecurityManager protection mechanism. 
(CVE-2014-7810)", "published": "2015-06-25T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2655-1/", "cvelist": ["CVE-2014-0227", "CVE-2014-0230", "CVE-2014-7810"], "lastseen": "2018-03-29T18:17:23"}, {"id": "USN-2654-1", "type": "ubuntu", "title": "Tomcat vulnerabilities", "description": "It was discovered that the Tomcat XML parser incorrectly handled XML External Entities (XXE). A remote attacker could possibly use this issue to read arbitrary files. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0119)\n\nIt was discovered that Tomcat incorrectly handled data with malformed chunked transfer coding. A remote attacker could possibly use this issue to conduct HTTP request smuggling attacks, or cause Tomcat to consume resources, resulting in a denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0227)\n\nIt was discovered that Tomcat incorrectly handled HTTP responses occurring before the entire request body was finished being read. A remote attacker could possibly use this issue to cause a limited denial of service. This issue only affected Ubuntu 14.04 LTS. (CVE-2014-0230)\n\nIt was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a SecurityManager protection mechanism. (CVE-2014-7810)", "published": "2015-06-25T00:00:00", "cvss": {"score": 7.8, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:NONE/I:NONE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2654-1/", "cvelist": ["CVE-2014-0227", "CVE-2014-0230", "CVE-2014-0119", "CVE-2014-7810"], "lastseen": "2018-03-29T18:20:20"}]}}