Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.GENTOO_GLSA-202208-34.NASL
HistoryAug 25, 2022 - 12:00 a.m.

GLSA-202208-34 : Apache Tomcat: Multiple Vulnerabilities

2022-08-2500:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
36
JSON

The remote host is affected by the vulnerability described in GLSA-202208-34 (Apache Tomcat: Multiple Vulnerabilities)

  • When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A’s request.
    (CVE-2021-25122)

  • The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue. (CVE-2021-25329)

  • A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag associated with the Request object was not reset between requests. This meant that once a non-blocking I/O error occurred, all future requests handled by that request object would fail. Users were able to trigger non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64. (CVE-2021-30639)

  • A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  • Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

  • The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

  • In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web application displayed user provided data without filtering, exposing a XSS vulnerability. (CVE-2022-34305)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
#
# (C) Tenable, Inc.
#
# @NOAGENT@
#
# The descriptive text and package checks in this plugin were
# extracted from Gentoo Linux Security Advisory GLSA 202208-34.
#
# The advisory text is Copyright (C) 2001-2021 Gentoo Foundation, Inc.
# and licensed under the Creative Commons - Attribution / Share Alike
# license. See http://creativecommons.org/licenses/by-sa/3.0/
#

include('compat.inc');

if (description)
{
  script_id(164434);
  script_version("1.5");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/13");

  script_cve_id(
    "CVE-2021-25122",
    "CVE-2021-25329",
    "CVE-2021-30639",
    "CVE-2021-30640",
    "CVE-2021-33037",
    "CVE-2021-42340",
    "CVE-2022-34305"
  );
  script_xref(name:"IAVA", value:"2022-A-0398-S");

  script_name(english:"GLSA-202208-34 : Apache Tomcat: Multiple Vulnerabilities");

  script_set_attribute(attribute:"synopsis", value:
"");
  script_set_attribute(attribute:"description", value:
"The remote host is affected by the vulnerability described in GLSA-202208-34 (Apache Tomcat: Multiple Vulnerabilities)

  - When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to
    9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one
    request to another meaning user A and user B could both see the results of user A's request.
    (CVE-2021-25122)

  - The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to
    9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107 with a configuration edge case that was highly unlikely to be
    used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published
    prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to
    this issue. (CVE-2021-25329)

  - A vulnerability in Apache Tomcat allows an attacker to remotely trigger a denial of service. An error
    introduced as part of a change to improve error handling during non-blocking I/O meant that the error flag
    associated with the Request object was not reset between requests. This meant that once a non-blocking I/O
    error occurred, all future requests handled by that request object would fail. Users were able to trigger
    non-blocking I/O errors, e.g. by dropping a connection, thereby creating the possibility of triggering a
    DoS. Applications that do not use non-blocking I/O are not exposed to this vulnerability. This issue
    affects Apache Tomcat 10.0.3 to 10.0.4; 9.0.44; 8.5.64. (CVE-2021-30639)

  - A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of
    a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue
    affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

  - Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP
    transfer-encoding request header in some circumstances leading to the possibility to request smuggling
    when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if
    the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding;
    and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
    (CVE-2021-33037)

  - The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to
    9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP
    upgrade connections was not released for WebSocket connections once the connection was closed. This
    created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError.
    (CVE-2021-42340)

  - In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to 9.0.64 and 8.5.50 to 8.5.81 the
    Form authentication example in the examples web application displayed user provided data without
    filtering, exposing a XSS vulnerability. (CVE-2022-34305)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security.gentoo.org/glsa/202208-34");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=773571");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=801916");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=818160");
  script_set_attribute(attribute:"see_also", value:"https://bugs.gentoo.org/show_bug.cgi?id=855971");
  script_set_attribute(attribute:"solution", value:
"All Apache Tomcat 10.x users should upgrade to the latest version:

          # emerge --sync
          # emerge --ask --oneshot --verbose >=www-servers/tomcat-10.0.23:10
        
All Apache Tomcat 9.x users should upgrade to the latest version:

          # emerge --sync
          # emerge --ask --oneshot --verbose >=www-servers/tomcat-9.0.65:9
        
All Apache Tomcat 8.5.x users should upgrade to the latest version:

          # emerge --sync
          # emerge --ask --oneshot --verbose >=www-servers/tomcat-8.5.82:8.5");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2021-30640");
  script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2021-25122");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/02/02");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/08/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/08/25");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:tomcat");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Gentoo Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");

  exit(0);
}
include("qpkg.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

var flag = 0;

var packages = [
  {
    'name' : "www-servers/tomcat",
    'unaffected' : make_list("ge 10.0.23", "lt 10.0.0"),
    'vulnerable' : make_list("lt 10.0.23")
  },
  {
    'name' : "www-servers/tomcat",
    'unaffected' : make_list("ge 8.5.82", "lt 8.0.0"),
    'vulnerable' : make_list("lt 8.5.82")
  },
  {
    'name' : "www-servers/tomcat",
    'unaffected' : make_list("ge 9.0.65", "lt 9.0.0"),
    'vulnerable' : make_list("lt 9.0.65")
  }
];

foreach package( packages ) {
  if (isnull(package['unaffected'])) package['unaffected'] = make_list();
  if (isnull(package['vulnerable'])) package['vulnerable'] = make_list();
  if (qpkg_check(package: package['name'] , unaffected: package['unaffected'], vulnerable: package['vulnerable'])) flag++;
}

# This plugin has a different number of unaffected and vulnerable versions for
# one or more packages. To ensure proper detection, a separate line should be 
# used for each fixed/vulnerable version pair.

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : qpkg_report_get()
  );
  exit(0);
}
else
{
  qpkg_tests = list_uniq(qpkg_tests);
  var tested = qpkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "Apache Tomcat");
}
VendorProductVersionCPE
gentoolinuxtomcatp-cpe:/a:gentoo:linux:tomcat
gentoolinuxcpe:/o:gentoo:linux

Related

gentoo 1
atlassian 12
openvas 31
nessus 43
mageia 2
tomcat 12
debiancve 4
osv 12
github 4
suse 3
prion 3
amazon 2
ubuntucve 3
cve 4
debian 5
f5 3
redhatcve 4
ubuntu 1
redhat 6
photon 8
kaspersky 6
ibm 15
veracode 4
attackerkb 1
rosalinux 2
redos 4
freebsd 2
cisa 1
cnvd 1
gentoo
gentoo
Apache Tomcat: Multiple Vulnerabilities
2022-08-21 00:00:00
atlassian
atlassian
Upgrade the bundled version of Apache Tomcat to 8.5.68 or later
2021-07-14 11:35:20
Upgrade the bundled version of Apache Tomcat to 8.5.68 or later
2021-07-14 11:35:20
Tomcat PersistenceManager vulnerabilities - CVE-2021-25329 and CVE-2021-25122
2021-03-11 19:39:59
openvas
openvas
Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2021-1891)
2021-05-19 00:00:00
Mageia: Security Advisory (MGASA-2021-0357)
2022-01-28 00:00:00
Debian: Security Advisory (DLA-2594-1)
2023-03-08 00:00:00
nessus
nessus
Apache Tomcat 8.5.0 < 8.5.63 Multiple Vulnerabilities
2021-03-04 00:00:00
Apache Tomcat 9.0.0.M1 < 9.0.43 Multiple Vulnerabilities
2021-03-05 00:00:00
Apache Tomcat 10.0.0-M1 < 10.0.2 multiple vulnerabilities
2021-06-17 00:00:00
mageia
mageia
Updated tomcat packages fix security vulnerabilities
2021-07-20 13:46:47
Updated tomcat packages fix security vulnerability
2021-10-23 13:05:28
tomcat
tomcat
Fixed in Apache Tomcat 9.0.43
2021-02-02 00:00:00
Fixed in Apache Tomcat 10.0.2
2021-02-02 00:00:00
Fixed in Apache Tomcat 8.5.63
2021-02-02 00:00:00
debiancve
debiancve
CVE-2021-25329
2021-03-01 12:15:00
CVE-2021-30639
2021-07-12 15:15:00
CVE-2022-34305
2022-06-23 11:15:00
osv
osv
Potential remote code execution in Apache Tomcat
2021-03-19 20:11:13
BIT-tomcat-2021-25329
2024-03-06 11:10:17
tomcat9 vulnerabilities
2022-03-31 18:51:57
github
github
Potential remote code execution in Apache Tomcat
2021-03-19 20:11:13
Improper Handling of Exceptional Conditions in Apache Tomcat
2021-08-13 15:21:02
Missing Release of Resource after Effective Lifetime in Apache Tomcat
2021-10-15 18:51:34
suse
suse
Security update for tomcat (important)
2021-04-02 00:00:00
Security update for tomcat (moderate)
2021-11-19 00:00:00
Security update for tomcat (moderate)
2021-11-16 00:00:00
prion
prion
Design/Logic Flaw
2021-03-01 12:15:00
Design/Logic Flaw
2021-07-12 15:15:00
Memory corruption
2021-10-14 20:15:00
amazon
amazon
Low: tomcat7
2021-04-07 00:18:00
Important: tomcat8
2021-03-23 23:07:00
ubuntucve
ubuntucve
CVE-2021-25329
2021-03-01 00:00:00
CVE-2021-30639
2021-07-12 00:00:00
CVE-2022-34305
2022-06-23 00:00:00
cve
cve
CVE-2021-25329
2021-03-01 12:15:00
CVE-2021-30639
2021-07-12 15:15:00
CVE-2021-33037
2021-07-12 15:15:00
debian
debian
[SECURITY] [DLA 2596-1] tomcat8 security update
2021-03-16 05:29:03
[SECURITY] [DLA 2733-1] tomcat8 security update
2021-08-05 21:40:35
[SECURITY] [DSA 4952-1] tomcat9 security update
2021-08-09 21:06:14
f5
f5
K73648110 : Apache Tomcat vulnerability CVE-2021-25329
2021-03-16 00:00:00
K87895241 : Apache Tomcat vulnerability CVE-2021-30639
2021-07-29 00:00:00
K00303143 : Apache Tomcat vulnerability CVE-2022-34305
2022-07-11 00:00:00
redhatcve
redhatcve
CVE-2021-25329
2021-03-02 12:32:45
CVE-2021-30639
2021-07-12 19:46:17
CVE-2022-34305
2022-06-30 18:05:42
ubuntu
ubuntu
Tomcat vulnerabilities
2022-03-31 00:00:00
redhat
redhat
(RHSA-2021:2562) Moderate: Red Hat JBoss Web Server 5.5.0 security release
2021-06-29 08:35:57
(RHSA-2021:2561) Moderate: Red Hat JBoss Web Server 5.5.0 Security release
2021-06-29 08:34:12
(RHSA-2021:4863) Important: Red Hat JBoss Web Server 5.6.0 Security release
2021-11-30 14:21:16
photon
photon
Important Photon OS Security Update - PHSA-2021-0208
2021-03-17 00:00:00
Home Download Photon OS User Documentation FAQ Security Advisories Related Information Lightwave - PHSA-2021-1.0-0372
2021-03-18 00:00:00
Important Photon OS Security Update - PHSA-2021-0066
2021-07-21 00:00:00
kaspersky
kaspersky
KLA12104 Multiple vulnerabilities in Apache Tomcat
2021-02-02 00:00:00
KLA12216 DoS vulnerability in Apache Tomcat
2021-04-06 00:00:00
KLA19260 XSS vulnerability in Apache Tomcat
2022-08-28 00:00:00
ibm
ibm
Security Bulletin: IBM UrbanCode Build is affected by CVE-2021-25122 and CVE-2021-25329
2022-02-09 16:30:32
Security Bulletin: IBM UrbanCode Release is affected by CVE-2021-25122 and CVE-2021-25329
2022-01-25 07:54:02
Security Bulletin: Open Source Apache Tomcat vulnerabilities affect IBM Tivoli Application Dependency Discovery Manager (CVE-2021-25122, CVE-2021-25329)
2021-04-13 10:45:28
veracode
veracode
Remote Code Execution (RCE)
2021-03-02 07:51:38
Remote Code Execution
2021-03-03 06:05:38
Cross-site Scripting (XSS)
2022-06-24 04:07:07
attackerkb
attackerkb
CVE-2020-9484 — PersistentManager Java deserialization vulnerability
2020-05-20 00:00:00
rosalinux
rosalinux
Advisory ROSA-SA-2023-2258
2023-10-21 16:49:43
Advisory ROSA-SA-2021-1988
2021-07-02 18:17:52
redos
redos
ROS-2-622
2021-09-08 00:00:00
ROS-2-588
2021-09-08 00:00:00
ROS-2-454
2021-09-08 00:00:00
freebsd
freebsd
tomcat -- Remote Denial of Service in multiple versions
2021-03-24 00:00:00
tomcat -- HTTP request smuggling in multiple versions
2021-05-07 00:00:00
cisa
cisa
Apache Releases Security Advisory for Tomcat  
2021-10-15 00:00:00
cnvd
cnvd
Apache Tomcat Resource Management Error Vulnerability (CNVD-2021-83785)
2021-10-18 00:00:00
JSON
Related for GENTOO_GLSA-202208-34.NASL
gentoo1atlassian12openvas31nessus43mageia2tomcat12debiancve4osv12github4suse3prion3amazon2ubuntucve3cve4debian5f53redhatcve4ubuntu1redhat6photon8kaspersky6ibm15veracode4attackerkb1rosalinux2redos4freebsd2cisa1cnvd1