EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2020-1645)

Nessus plugin EULEROS_SA-2020-1645.NASL
Published: Jun 17, 2020
This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
According to the versions of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  • When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
    - returning arbitrary files from anywhere in the web application
    - processing any file in the web application as a JSP
    Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.(CVE-2020-1938)

  • When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.(CVE-2019-17563)

  • When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.(CVE-2019-12418)

  • When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server and b) the server is configured to use the PersistenceManager with a FileStore and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter='null' (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control.
    Note that all of conditions a) to d) must be true for the attack to succeed.(CVE-2020-9484)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
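The CVE-2020-1938 entry above says the risk exists only where an AJP connector is reachable by untrusted clients, and that 9.0.31 hardened the default connector configuration. The following added example (not Tenable's plugin code and not from the EulerOS advisory) audits a Tomcat server.xml for AJP connectors that listen on every interface or have no shared secret; the attributes it inspects (protocol, port, address, secret, secretRequired) are standard Tomcat Connector attributes, and both server.xml samples are constructed for the demonstration.

```python
"""Audit a Tomcat server.xml for exposed AJP connectors (added example).
Assumes only the standard Tomcat <Connector> attributes: protocol, port,
address, secret and secretRequired."""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list[dict]:
    """Return one finding dict per AJP connector, listing its issues.

    A connector counts as AJP when its protocol attribute mentions AJP
    (e.g. "AJP/1.3" or "org.apache.coyote.ajp.AjpNioProtocol").
    An empty issue list means the connector is bound to loopback and
    requires a shared secret."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        proto = conn.get("protocol", "HTTP/1.1")
        if "ajp" not in proto.lower():
            continue  # HTTP/HTTPS connectors are out of scope here
        issues = []
        addr = conn.get("address")
        # No address at all (the pre-9.0.31 default) or a wildcard means
        # the connector accepts AJP on every configured IP address.
        if addr is None or addr in ("0.0.0.0", "::"):
            issues.append("listens on all interfaces")
        elif addr not in LOOPBACK:
            issues.append(f"bound to non-loopback address {addr}")
        # Without a shared secret, any client that can reach the port is
        # trusted as if it were the front-end proxy.
        if not conn.get("secret"):
            issues.append("no AJP secret configured")
        if conn.get("secretRequired", "").lower() == "false":
            issues.append("secretRequired explicitly disabled")
        findings.append({"port": conn.get("port"), "issues": issues})
    return findings


# Constructed samples: the old default-style connector and a hardened one.
WEAK_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
</Service></Server>"""

HARDENED_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
             secretRequired="true" secret="REPLACE-WITH-RANDOM-SECRET"/>
</Service></Server>"""

if __name__ == "__main__":
    for label, xml in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        for f in audit_ajp_connectors(xml):
            print(label, f["port"], f["issues"] or ["ok"])
```

Removing the AJP Connector element entirely is the simplest fix when no front-end proxy uses it; the audit reports nothing for such a file.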

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#

include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(137487);
  script_version("1.9");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/01/11");

  script_cve_id(
    "CVE-2019-12418",
    "CVE-2019-17563",
    "CVE-2020-1938",
    "CVE-2020-9484"
  );
  script_xref(name:"CISA-KNOWN-EXPLOITED", value:"2022/03/17");
  script_xref(name:"CEA-ID", value:"CEA-2021-0004");
  script_xref(name:"CEA-ID", value:"CEA-2020-0021");

  script_name(english:"EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2020-1645)");

  script_set_attribute(attribute:"synopsis", value:
"The remote EulerOS host is missing multiple security updates.");
  script_set_attribute(attribute:"description", value:
"According to the versions of the tomcat packages installed, the
EulerOS installation on the remote host is affected by the following
vulnerabilities :

  - When using the Apache JServ Protocol (AJP), care must
    be taken when trusting incoming connections to Apache
    Tomcat. Tomcat treats AJP connections as having higher
    trust than, for example, a similar HTTP connection. If
    such connections are available to an attacker, they can
    be exploited in ways that may be surprising. In Apache
    Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0
    to 7.0.99, Tomcat shipped with an AJP Connector enabled
    by default that listened on all configured IP
    addresses. It was expected (and recommended in the
    security guide) that this Connector would be disabled
    if not required. This vulnerability report identified a
    mechanism that allowed: - returning arbitrary files
    from anywhere in the web application - processing any
    file in the web application as a JSP Further, if the
    web application allowed file upload and stored those
    files within the web application (or the attacker was
    able to control the content of the web application by
    some other means) then this, along with the ability to
    process a file as a JSP, made remote code execution
    possible. It is important to note that mitigation is
    only required if an AJP port is accessible to untrusted
    users. Users wishing to take a defence-in-depth
    approach and block the vector that permits returning
    arbitrary files and execution as JSP may upgrade to
    Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A
    number of changes were made to the default AJP
    Connector configuration in 9.0.31 to harden the default
    configuration. It is likely that users upgrading to
    9.0.31, 8.5.51 or 7.0.100 or later will need to make
    small changes to their configurations.(CVE-2020-1938)

  - When using FORM authentication with Apache Tomcat
    9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98
    there was a narrow window where an attacker could
    perform a session fixation attack. The window was
    considered too narrow for an exploit to be practical
    but, erring on the side of caution, this issue has been
    treated as a security vulnerability.(CVE-2019-17563)

  - When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47,
    7.0.0 and 7.0.97 is configured with the JMX Remote
    Lifecycle Listener, a local attacker without access to
    the Tomcat process or configuration files is able to
    manipulate the RMI registry to perform a
    man-in-the-middle attack to capture user names and
    passwords used to access the JMX interface. The
    attacker can then use these credentials to access the
    JMX interface and gain complete control over the Tomcat
    instance.(CVE-2019-12418)

  - When using Apache Tomcat versions 10.0.0-M1 to
    10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and
    7.0.0 to 7.0.103 if a) an attacker is able to control
    the contents and name of a file on the server and b)
    the server is configured to use the PersistenceManager
    with a FileStore and c) the PersistenceManager is
    configured with
    sessionAttributeValueClassNameFilter='null' (the
    default unless a SecurityManager is used) or a
    sufficiently lax filter to allow the attacker provided
    object to be deserialized and d) the attacker knows the
    relative file path from the storage location used by
    FileStore to the file the attacker has control over
    then, using a specifically crafted request, the
    attacker will be able to trigger remote code execution
    via deserialization of the file under their control.
    Note that all of conditions a) to d) must be true for
    the attack to succeed.(CVE-2020-9484)

Note that Tenable Network Security has extracted the preceding
description block directly from the EulerOS security advisory. Tenable
has attempted to automatically clean and format it as much as possible
without introducing additional issues.");
  # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2020-1645
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e11ba541");
  script_set_attribute(attribute:"solution", value:
"Update the affected tomcat packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2020-1938");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2020/06/16");
  script_set_attribute(attribute:"plugin_publication_date", value:"2020/06/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-admin-webapps");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-el-2.2-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-lib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:huawei:euleros:tomcat-webapps");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:huawei:euleros:2.0");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Huawei Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/EulerOS/release", "Host/EulerOS/rpm-list", "Host/EulerOS/sp");
  script_exclude_keys("Host/EulerOS/uvp_version");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/EulerOS/release");
if (isnull(release) || release !~ "^EulerOS") audit(AUDIT_OS_NOT, "EulerOS");
if (release !~ "^EulerOS release 2\.0(\D|$)") audit(AUDIT_OS_NOT, "EulerOS 2.0");

sp = get_kb_item("Host/EulerOS/sp");
if (isnull(sp) || sp !~ "^(2)$") audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2");

uvp = get_kb_item("Host/EulerOS/uvp_version");
if (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, "EulerOS 2.0 SP2", "EulerOS UVP " + uvp);

if (!get_kb_item("Host/EulerOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "aarch64" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "EulerOS", cpu);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i686 / x86_64", cpu);

flag = 0;

pkgs = ["tomcat-7.0.76-8.h8",
        "tomcat-admin-webapps-7.0.76-8.h8",
        "tomcat-el-2.2-api-7.0.76-8.h8",
        "tomcat-jsp-2.2-api-7.0.76-8.h8",
        "tomcat-lib-7.0.76-8.h8",
        "tomcat-servlet-3.0-api-7.0.76-8.h8",
        "tomcat-webapps-7.0.76-8.h8"];

foreach (pkg in pkgs)
  if (rpm_check(release:"EulerOS-2.0", sp:"2", reference:pkg)) flag++;

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_HOLE,
    extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat");
}
Vendor   Product   Version                  CPE
huawei   euleros   tomcat                   p-cpe:/a:huawei:euleros:tomcat
huawei   euleros   tomcat-admin-webapps     p-cpe:/a:huawei:euleros:tomcat-admin-webapps
huawei   euleros   tomcat-el-2.2-api        p-cpe:/a:huawei:euleros:tomcat-el-2.2-api
huawei   euleros   tomcat-jsp-2.2-api       p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api
huawei   euleros   tomcat-lib               p-cpe:/a:huawei:euleros:tomcat-lib
huawei   euleros   tomcat-servlet-3.0-api   p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api
huawei   euleros   tomcat-webapps           p-cpe:/a:huawei:euleros:tomcat-webapps
huawei   euleros   2.0                      cpe:/o:huawei:euleros:2.0