According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :
The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)
It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
(CVE-2016-5018)
It was discovered that when a SecurityManager was configured, Tomcat’s system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
(CVE-2016-6794)
It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
(CVE-2016-6797)
A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application.(CVE-2017-5648)
A vulnerability was discovered in the error page mechanism in Tomcat’s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.(CVE-2017-5664)
Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(103030);
script_version("3.13");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/06");
script_cve_id(
"CVE-2016-0762",
"CVE-2016-5018",
"CVE-2016-6794",
"CVE-2016-6796",
"CVE-2016-6797",
"CVE-2017-5648",
"CVE-2017-5664"
);
script_name(english:"EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2017-1192)");
script_summary(english:"Checks the rpm output for the updated packages.");
script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
script_set_attribute(attribute:"description", value:
"According to the versions of the tomcat packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :
- The Realm implementations did not process the supplied
password if the supplied user name did not exist. This
made a timing attack possible to determine valid user
names. Note that the default configuration includes the
LockOutRealm which makes exploitation of this
vulnerability harder. (CVE-2016-0762)
- It was discovered that a malicious web application
could bypass a configured SecurityManager via a Tomcat
utility method that was accessible to web applications.
(CVE-2016-5018)
- It was discovered that when a SecurityManager was
configured, Tomcat's system property replacement
feature for configuration files could be used by a
malicious web application to bypass the SecurityManager
and read system properties that should not be visible.
(CVE-2016-6794)
- It was discovered that a malicious web application
could bypass a configured SecurityManager via
manipulation of the configuration parameters for the
JSP Servlet. (CVE-2016-6796)
- It was discovered that it was possible for a web
application to access any global JNDI resource whether
an explicit ResourceLink had been configured or not.
(CVE-2016-6797)
- A vulnerability was discovered in tomcat. When running
an untrusted application under a SecurityManager it was
possible, under some circumstances, for that
application to retain references to the request or
response objects and thereby access and/or modify
information associated with another web
application.(CVE-2017-5648)
- A vulnerability was discovered in the error page
mechanism in Tomcat's DefaultServlet implementation. A
crafted HTTP request could cause undesired side
effects, possibly including the removal or replacement
of the custom error page.(CVE-2017-5664)
Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
# https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2017-1192
script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?5f74f127");
script_set_attribute(attribute:"solution", value:
"Update the affected tomcat packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:N");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"patch_publication_date", value:"2017/08/21");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/09/08");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-admin-webapps");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-el-2.2-api");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-lib");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-webapps");
script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Huawei Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
script_exclude_keys("Host/EulerOS/uvp_version");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");
sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");
uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);
if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);
flag = 0;
pkgs = ["tomcat-7.0.76-2",
"tomcat-admin-webapps-7.0.76-2",
"tomcat-el-2.2-api-7.0.76-2",
"tomcat-jsp-2.2-api-7.0.76-2",
"tomcat-lib-7.0.76-2",
"tomcat-servlet-3.0-api-7.0.76-2",
"tomcat-webapps-7.0.76-2"];
foreach (pkg in pkgs)
if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat");
}
Vendor | Product | Version | CPE |
---|---|---|---|
huawei | euleros | tomcat | p-cpe:/a:huawei:euleros:tomcat |
huawei | euleros | tomcat-admin-webapps | p-cpe:/a:huawei:euleros:tomcat-admin-webapps |
huawei | euleros | tomcat-el-2.2-api | p-cpe:/a:huawei:euleros:tomcat-el-2.2-api |
huawei | euleros | tomcat-jsp-2.2-api | p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api |
huawei | euleros | tomcat-lib | p-cpe:/a:huawei:euleros:tomcat-lib |
huawei | euleros | tomcat-servlet-3.0-api | p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api |
huawei | euleros | tomcat-webapps | p-cpe:/a:huawei:euleros:tomcat-webapps |
huawei | euleros | 2.0 | cpe:/o:huawei:euleros:2.0 |
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6794
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6796
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6797
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5648
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664
www.nessus.org/u?5f74f127