#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Miracle Linux Security Advisory AXSA:2016-704:01.
##
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(289327);
script_version("1.2");
script_set_attribute(attribute:"plugin_modification_date", value:"2026/02/10");
script_cve_id(
"CVE-2014-7810",
"CVE-2015-5346",
"CVE-2016-5388",
"CVE-2016-5425",
"CVE-2016-6325"
);
script_xref(name:"IAVB", value:"2016-B-0160-S");
script_name(english:"MiracleLinux 7 : tomcat-7.0.54-8.el7 (AXSA:2016-704:01)");
script_set_attribute(attribute:"synopsis", value:
"The remote MiracleLinux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the
AXSA:2016-704:01 advisory.
Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.
Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.
Security issues fixed with this release:
CVE-2014-7810
The Expression Language (EL) implementation in Apache Tomcat 6.x
before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not
properly consider the possibility of an accessible interface
implemented by an inaccessible class, which allows attackers to bypass
a SecurityManager protection mechanism via a web application that
leverages use of incorrect privileges during EL evaluation.
CVE-2015-5346
Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x
before 8.0.30, and 9.x before 9.0.0.M2, when different session
settings are used for deployments of multiple versions of the same web
application, might allow remote attackers to hijack web sessions by
leveraging use of a requestedSessionSSL field for an unintended
request, related to CoyoteAdapter.java and Request.java.
CVE-2016-5388
Apache Tomcat through 8.5.4, when the CGI Servlet is enabled, follows
RFC 3875 section 4.1.18 and therefore does not protect applications
from the presence of untrusted client data in the HTTP_PROXY
environment variable, which might allow remote attackers to redirect
an application's outbound HTTP traffic to an arbitrary proxy server
via a crafted Proxy header in an HTTP request, aka an httpoxy issue.
NOTE: the vendor states A mitigation is planned for future releases
of Tomcat, tracked as CVE-2016-5388; in other words, this is not a
CVE ID for a vulnerability.
CVE-2016-5425
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
CVE-2016-6325
** RESERVED **
This candidate has been reserved by an organization or individual that
will use it when announcing a new security problem. When the
candidate has been publicized, the details for this candidate will be
provided.
Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://tsn.miraclelinux.com/en/node/7136");
script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C");
script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-6325");
script_set_attribute(attribute:"cvss3_score_source", value:"CVE-2016-5388");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"metasploit_name", value:'Apache Tomcat on RedHat Based Systems Insecure Temp Config Privilege Escalation');
script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
script_set_attribute(attribute:"vendor_severity", value:"High");
script_set_attribute(attribute:"vuln_publication_date", value:"2015/01/16");
script_set_attribute(attribute:"patch_publication_date", value:"2016/10/11");
script_set_attribute(attribute:"plugin_publication_date", value:"2026/01/16");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:tomcat");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:tomcat-admin-webapps");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:tomcat-el-2.2-api");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:tomcat-jsp-2.2-api");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:tomcat-lib");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:tomcat-servlet-3.0-api");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:miracle:linux:tomcat-webapps");
script_set_attribute(attribute:"cpe", value:"cpe:/o:miracle:linux:7");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_set_attribute(attribute:"stig_severity", value:"I");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Miracle Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2026 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/MiracleLinux/release", "Host/MiracleLinux/rpm-list", "Host/cpu");
exit(0);
}
include('rpm2.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_product = get_kb_item('installed_os/local/SSH/0/product');
if (isnull(os_product) || 'MIRACLE LINUX' >!< os_product) audit(AUDIT_OS_NOT, 'MIRACLE LINUX');
var os_version = get_kb_item('installed_os/local/SSH/0/version');
if (isnull(os_version)) audit(AUDIT_UNKNOWN_APP_VER, 'MIRACLE LINUX');
if (! preg(pattern:"^7([^0-9]|$)", string:os_version)) audit(AUDIT_OS_NOT, 'MiracleLinux 7.x', 'MIRACLE LINUX ' + os_version);
if (!get_kb_item('Host/MiracleLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('aarch64' >!< cpu && 'ppc' >!< cpu && 's390' >!< cpu && 'x86_64' >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'MIRACLE LINUX', cpu);
var constraints = [
{
'release': '7',
'pkgs': [
{'reference':'tomcat-7.0.54-8.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'tomcat-admin-webapps-7.0.54-8.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'tomcat-el-2.2-api-7.0.54-8.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'tomcat-jsp-2.2-api-7.0.54-8.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'tomcat-lib-7.0.54-8.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'tomcat-servlet-3.0-api-7.0.54-8.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'},
{'reference':'tomcat-webapps-7.0.54-8.el7', 'rpm_spec_vers_cmp':TRUE, 'epoch':'0'}
]
}
];
var os_release = get_one_kb_item('installed_os/local/SSH/0/release');
var os_sp = get_one_kb_item('Host/*/minor_release');
var flag = 0;
var reference;
var sp;
var _cpu;
var el_string;
var rpm_spec_vers_cmp;
var epoch;
var allowmaj;
var exists_check;
var cves;
foreach var constraint ( constraints ) {
# Check that the target release is equal to the affected release
if (!empty_or_null(constraint['release'])){
if (constraint['release'] != os_release) continue;
}
if (!empty_or_null(constraint['sp'])){
if (constraint['sp'] != os_sp) continue;
}
foreach var pkg ( constraint['pkgs'] ) {
reference = NULL;
sp = NULL;
_cpu = NULL;
el_string = NULL;
rpm_spec_vers_cmp = NULL;
epoch = NULL;
allowmaj = NULL;
exists_check = NULL;
cves = NULL;
if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
if (reference &&
## (no known rpm to check OR known rpm_exists)
(!exists_check || rpm_exists(rpm:exists_check)) &&
rpm_check(sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
}
}
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'tomcat / tomcat-admin-webapps / tomcat-el-2.2-api / etc');
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation