Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.REDHAT-RHSA-2024-1318.NASL
HistoryMar 18, 2024 - 12:00 a.m.

RHEL 7 / 8 / 9 : Red Hat JBoss Web Server 5.7.8 (RHSA-2024:1318)

2024-03-1800:00:00
This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
13
red hat jboss
apache tomcat
input validation
dh key
denial of service
http/2
vulnerabilities
rhel 7
rhel 9
nessus

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.6 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.1%

JSON

The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2024:1318 advisory.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 5.7.8 serves as a replacement for Red Hat JBoss Web Server 5.7.7.
This release includes bug fixes, enhancements and component upgrades, which are documented in the Release     Notes linked to in the References section.

Security Fix(es):

* openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or     parameters may be very slow (CVE-2023-5678)
* tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)
* tomcat: : Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2024:1318. The text
# itself is copyright (C) Red Hat, Inc.
##

include('compat.inc');

if (description)
{
  script_id(192194);
  script_version("1.2");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/06/03");

  script_cve_id("CVE-2023-5678", "CVE-2023-46589", "CVE-2024-24549");
  script_xref(name:"RHSA", value:"2024:1318");

  script_name(english:"RHEL 7 / 8 / 9 : Red Hat JBoss Web Server 5.7.8 (RHSA-2024:1318)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Red Hat host is missing one or more security updates for Red Hat JBoss Web Server 5.7.8.");
  script_set_attribute(attribute:"description", value:
"The remote Redhat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities
as referenced in the RHSA-2024:1318 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web
    applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),
    the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 5.7.8 serves as a replacement for Red Hat JBoss Web Server 5.7.7.
    This release includes bug fixes, enhancements and component upgrades, which are documented in the Release
    Notes linked to in the References section.

    Security Fix(es):

    * openssl: Generating excessively long X9.42 DH keys or checking excessively long X9.42 DH keys or
    parameters may be very slow (CVE-2023-5678)
    * tomcat: HTTP request smuggling via malformed trailer headers (CVE-2023-46589)
    * tomcat: : Apache Tomcat: HTTP/2 header handling DoS (CVE-2024-24549)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and
    other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  # https://access.redhat.com/documentation/en-us/red_hat_jboss_web_server/5.7/html/red_hat_jboss_web_server_5.7_service_pack_8_release_notes
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a7ce8b71");
  # https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1318.json
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d3da2c2e");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/updates/classification/#important");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2248616");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2252050");
  script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=2269607");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2024:1318");
  script_set_attribute(attribute:"solution", value:
"Update the RHEL Red Hat JBoss Web Server 5.7.8 package based on the guidance in RHSA-2024:1318.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:C/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-46589");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(20, 325, 444);
  script_set_attribute(attribute:"vendor_severity", value:"Important");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/08/25");
  script_set_attribute(attribute:"patch_publication_date", value:"2024/03/18");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/03/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:7");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:8");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-admin-webapps");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-docs-webapp");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-el-3.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-java-jdk11");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-java-jdk8");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-javadoc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-jsp-2.3-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-lib");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-native");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-selinux");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-servlet-4.0-api");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-webapps");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Red Hat Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl", "redhat_repos.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");

  exit(0);
}


include('rpm.inc');
include('rhel.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RedHat/release');
if (isnull(os_release) || 'Red Hat' >!< os_release) audit(AUDIT_OS_NOT, 'Red Hat');
var os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Red Hat');
os_ver = os_ver[1];
if (!rhel_check_release_list(operator: 'ge', os_version: os_ver, rhel_versions: ['7','8','9'])) audit(AUDIT_OS_NOT, 'Red Hat 7.x / 8.x / 9.x', 'Red Hat ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu && 'ppc' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Red Hat', cpu);

var constraints = [
  {
    'repo_relative_urls': [
      'content/dist/layered/rhel8/x86_64/jws/5/debug',
      'content/dist/layered/rhel8/x86_64/jws/5/os',
      'content/dist/layered/rhel8/x86_64/jws/5/source/SRPMS',
      'content/dist/middleware/jws/1.0/x86_64/os'
    ],
    'pkgs': [
      {'reference':'jws5-tomcat-9.0.62-41.redhat_00020.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-admin-webapps-9.0.62-41.redhat_00020.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-docs-webapp-9.0.62-41.redhat_00020.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-el-3.0-api-9.0.62-41.redhat_00020.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-javadoc-9.0.62-41.redhat_00020.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-jsp-2.3-api-9.0.62-41.redhat_00020.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-lib-9.0.62-41.redhat_00020.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-native-1.2.31-17.redhat_17.el8jws', 'cpu':'x86_64', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-5678', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-selinux-9.0.62-41.redhat_00020.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-servlet-4.0-api-9.0.62-41.redhat_00020.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-webapps-9.0.62-41.redhat_00020.1.el8jws', 'release':'8', 'el_string':'el8jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']}
    ]
  },
  {
    'repo_relative_urls': [
      'content/dist/layered/rhel9/x86_64/jws/5/debug',
      'content/dist/layered/rhel9/x86_64/jws/5/os',
      'content/dist/layered/rhel9/x86_64/jws/5/source/SRPMS'
    ],
    'pkgs': [
      {'reference':'jws5-tomcat-9.0.62-41.redhat_00020.1.el9jws', 'release':'9', 'el_string':'el9jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-admin-webapps-9.0.62-41.redhat_00020.1.el9jws', 'release':'9', 'el_string':'el9jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-docs-webapp-9.0.62-41.redhat_00020.1.el9jws', 'release':'9', 'el_string':'el9jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-el-3.0-api-9.0.62-41.redhat_00020.1.el9jws', 'release':'9', 'el_string':'el9jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-javadoc-9.0.62-41.redhat_00020.1.el9jws', 'release':'9', 'el_string':'el9jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-jsp-2.3-api-9.0.62-41.redhat_00020.1.el9jws', 'release':'9', 'el_string':'el9jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-lib-9.0.62-41.redhat_00020.1.el9jws', 'release':'9', 'el_string':'el9jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-native-1.2.31-17.redhat_17.el9jws', 'cpu':'x86_64', 'release':'9', 'el_string':'el9jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-5678', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-selinux-9.0.62-41.redhat_00020.1.el9jws', 'release':'9', 'el_string':'el9jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-servlet-4.0-api-9.0.62-41.redhat_00020.1.el9jws', 'release':'9', 'el_string':'el9jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-webapps-9.0.62-41.redhat_00020.1.el9jws', 'release':'9', 'el_string':'el9jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']}
    ]
  },
  {
    'repo_relative_urls': [
      'content/dist/rhel/server/7/7Server/x86_64/jws/5/debug',
      'content/dist/rhel/server/7/7Server/x86_64/jws/5/os',
      'content/dist/rhel/server/7/7Server/x86_64/jws/5/source/SRPMS'
    ],
    'pkgs': [
      {'reference':'jws5-tomcat-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-admin-webapps-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-docs-webapp-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-el-3.0-api-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-java-jdk11-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-java-jdk8-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-javadoc-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-jsp-2.3-api-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-lib-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-native-1.2.31-17.redhat_17.el7jws', 'cpu':'x86_64', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-5678', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-selinux-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-servlet-4.0-api-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']},
      {'reference':'jws5-tomcat-webapps-9.0.62-41.redhat_00020.1.el7jws', 'release':'7', 'el_string':'el7jws', 'rpm_spec_vers_cmp':TRUE, 'exists_check':'jws5', 'cves':['CVE-2023-46589', 'CVE-2024-24549']}
    ]
  }
];

var applicable_repo_urls = rhel_determine_applicable_repository_urls(constraints:constraints);
if(applicable_repo_urls == RHEL_REPOS_NO_OVERLAP_MESSAGE) exit(0, RHEL_REPO_NOT_ENABLED);

var flag = 0;
foreach var constraint_array ( constraints ) {
  var repo_relative_urls = NULL;
  if (!empty_or_null(constraint_array['repo_relative_urls'])) repo_relative_urls = constraint_array['repo_relative_urls'];
  foreach var pkg ( constraint_array['pkgs'] ) {
    var reference = NULL;
    var _release = NULL;
    var sp = NULL;
    var _cpu = NULL;
    var el_string = NULL;
    var rpm_spec_vers_cmp = NULL;
    var epoch = NULL;
    var allowmaj = NULL;
    var exists_check = NULL;
    var cves = NULL;
    if (!empty_or_null(pkg['reference'])) reference = pkg['reference'];
    if (!empty_or_null(pkg['release'])) _release = 'RHEL' + pkg['release'];
    if (!empty_or_null(pkg['sp'])) sp = pkg['sp'];
    if (!empty_or_null(pkg['cpu'])) _cpu = pkg['cpu'];
    if (!empty_or_null(pkg['el_string'])) el_string = pkg['el_string'];
    if (!empty_or_null(pkg['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = pkg['rpm_spec_vers_cmp'];
    if (!empty_or_null(pkg['epoch'])) epoch = pkg['epoch'];
    if (!empty_or_null(pkg['allowmaj'])) allowmaj = pkg['allowmaj'];
    if (!empty_or_null(pkg['exists_check'])) exists_check = pkg['exists_check'];
    if (!empty_or_null(pkg['cves'])) cves = pkg['cves'];
    if (reference &&
        _release &&
        rhel_decide_repo_relative_url_check(required_repo_url_list:repo_relative_urls) &&
        (applicable_repo_urls || (!exists_check || rpm_exists(release:_release, rpm:exists_check))) &&
        rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj, cves:cves)) flag++;
  }
}

if (flag)
{
  var extra = NULL;
  if (isnull(applicable_repo_urls) || !applicable_repo_urls) extra = rpm_report_get() + redhat_report_repo_caveat();
  else extra = rpm_report_get();
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : extra
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'jws5-tomcat / jws5-tomcat-admin-webapps / jws5-tomcat-docs-webapp / etc');
}
VendorProductVersionCPE
redhatenterprise_linuxjws5-tomcatp-cpe:/a:redhat:enterprise_linux:jws5-tomcat
redhatenterprise_linuxjws5-tomcat-libp-cpe:/a:redhat:enterprise_linux:jws5-tomcat-lib
redhatenterprise_linuxjws5-tomcat-docs-webappp-cpe:/a:redhat:enterprise_linux:jws5-tomcat-docs-webapp
redhatenterprise_linuxjws5-tomcat-java-jdk11p-cpe:/a:redhat:enterprise_linux:jws5-tomcat-java-jdk11
redhatenterprise_linuxjws5-tomcat-webappsp-cpe:/a:redhat:enterprise_linux:jws5-tomcat-webapps
redhatenterprise_linuxjws5-tomcat-admin-webappsp-cpe:/a:redhat:enterprise_linux:jws5-tomcat-admin-webapps
redhatenterprise_linuxjws5-tomcat-jsp-2.3-apip-cpe:/a:redhat:enterprise_linux:jws5-tomcat-jsp-2.3-api
redhatenterprise_linux8cpe:/o:redhat:enterprise_linux:8
redhatenterprise_linuxjws5-tomcat-selinuxp-cpe:/a:redhat:enterprise_linux:jws5-tomcat-selinux
redhatenterprise_linuxjws5-tomcat-javadocp-cpe:/a:redhat:enterprise_linux:jws5-tomcat-javadoc
Rows per page:
1-10 of 161

Related

redhat 10
osv 16
debian 4
openvas 31
nessus 52
ibm 15
ubuntucve 2
cgr 3
veracode 3
cvelist 2
cve 2
github 2
almalinux 4
f5 1
kaspersky 4
tomcat 8
atlassian 8
debiancve 2
amazon 2
oraclelinux 4
redhatcve 3
nvd 2
prion 2
wolfi 2
vulnrichment 1
hackerone 1
rocky 2
openssl 1
cbl_mariner 5
freebsd 1
redos 1
fedora 2
mageia 1
redhat
redhat
(RHSA-2024:1319) Important: Red Hat JBoss Web Server 5.7.8 release and security update
2024-03-18 11:12:11
(RHSA-2024:1318) Important: Red Hat JBoss Web Server 5.7.8 release and security update
2024-03-18 11:11:50
(RHSA-2024:1325) Important: Red Hat JBoss Web Server 6.0.1 release and security update
2024-03-18 14:38:33
osv
osv
tomcat10 - security update
2024-04-17 00:00:00
tomcat9 - security update
2024-04-19 00:00:00
BIT-tomcat-2024-24549
2024-04-01 14:18:33
debian
debian
[SECURITY] [DSA 5665-1] tomcat10 security update
2024-04-17 22:03:15
[SECURITY] [DSA 5667-1] tomcat9 security update
2024-04-19 20:06:14
[SECURITY] [DLA 3707-1] tomcat9 security update
2024-01-05 09:40:41
openvas
openvas
Debian: Security Advisory (DSA-5667-1)
2024-04-22 00:00:00
Debian: Security Advisory (DSA-5665-1)
2024-04-18 00:00:00
SUSE: Security Advisory (SUSE-SU-2024:0209-1)
2024-01-25 00:00:00
nessus
nessus
RHEL 8 / 9 : Red Hat JBoss Web Server 6.0.1 (RHSA-2024:1324)
2024-03-18 00:00:00
Debian dsa-5665 : libtomcat10-embed-java - security update
2024-04-18 00:00:00
Debian dsa-5667 : libtomcat9-embed-java - security update
2024-04-20 00:00:00
ibm
ibm
Security Bulletin: IBM DevOps Release 7.0.0.1 addresses multiple vulnerabilities.
2024-03-27 17:25:57
Security Bulletin: IBM DevOps Build 7.0.0.1 addresses multiple vulnerabilities.
2024-03-27 17:19:49
Security Bulletin: Due to use of Apache Tomcat, App Connect Professional is vulnerable to HTTP request smuggling.
2024-02-16 13:15:11
ubuntucve
ubuntucve
CVE-2024-24549
2024-03-13 00:00:00
CVE-2023-46589
2023-11-28 00:00:00
cgr
cgr
CVE-2024-24549 vulnerabilities
2024-05-19 03:07:16
CVE-2023-46589 vulnerabilities
2024-05-19 03:07:16
CVE-2023-5678 vulnerabilities
2024-05-19 03:07:16
veracode
veracode
Denial Of Service (DoS)
2024-03-16 20:57:13
Request Smuggling
2023-11-29 06:11:28
Denial Of Service (DoS)
2023-11-09 17:00:15
cvelist
cvelist
CVE-2024-24549 Apache Tomcat: HTTP/2 header handling DoS
2024-03-13 15:46:53
CVE-2023-46589 Apache Tomcat: HTTP request smuggling via malformed trailer headers
2023-11-28 15:31:52
cve
cve
CVE-2024-24549
2024-03-13 16:15:29
CVE-2023-46589
2023-11-28 16:15:06
github
github
Apache Tomcat Denial of Service due to improper input validation vulnerability for HTTP/2 requests
2024-03-13 18:31:34
Apache Tomcat Improper Input Validation vulnerability
2023-11-28 18:30:23
almalinux
almalinux
Important: tomcat security update
2024-01-29 00:00:00
Important: tomcat security update
2024-03-05 00:00:00
Important: tomcat security and bug fix update
2024-05-23 00:00:00
f5
f5
K000137926 : Apache Tomcat vulnerability CVE-2023-46589
2023-12-18 00:00:00
kaspersky
kaspersky
KLA62192 ACE vulnerability in Apache Tomcat
2023-11-13 00:00:00
KLA62193 ACE vulnerability in Apache Tomcat
2023-11-14 00:00:00
KLA62191 ACE vulnerability in Apache Tomcat
2023-11-15 00:00:00
tomcat
tomcat
Fixed in Apache Tomcat 8.5.96
2023-11-13 00:00:00
Fixed in Apache Tomcat 9.0.83
2023-11-15 00:00:00
Fixed in Apache Tomcat 10.1.16
2023-11-14 00:00:00
atlassian
atlassian
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Confluence Data Center and Server
2024-01-17 06:46:32
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Bamboo Data Center and Server
2023-12-14 07:45:15
Request Smuggling org.apache.tomcat:tomcat-catalina Dependency in Jira Software Data Center and Server
2024-01-11 06:46:14
debiancve
debiancve
CVE-2023-46589
2023-11-28 16:15:06
CVE-2024-24549
2024-03-13 16:15:29
amazon
amazon
Medium: tomcat8
2024-01-19 01:19:00
Important: tomcat8
2024-06-19 18:46:00
oraclelinux
oraclelinux
tomcat security update
2024-01-29 00:00:00
tomcat security update
2024-03-07 00:00:00
tomcat security and bug fix update
2024-05-23 00:00:00
redhatcve
redhatcve
CVE-2023-46589
2023-11-29 09:26:39
CVE-2023-5678
2023-11-08 06:27:08
CVE-2024-24549
2024-03-14 21:40:09
nvd
nvd
CVE-2024-24549
2024-03-13 16:15:29
CVE-2023-46589
2023-11-28 16:15:06
prion
prion
Input validation
2024-03-13 16:15:00
Input validation
2023-11-28 16:15:00
wolfi
wolfi
CVE-2024-24549 vulnerabilities
2024-06-28 21:08:33
CVE-2023-5678 vulnerabilities
2024-06-28 21:08:33
vulnrichment
vulnrichment
CVE-2024-24549 Apache Tomcat: HTTP/2 header handling DoS
2024-03-13 15:46:53
hackerone
hackerone
Internet Bug Bounty: Denial of Service caused by HTTP/2 CONTINUATION Flood
2024-01-25 12:51:50
rocky
rocky
tomcat security update
2024-02-12 20:16:50
tomcat security and bug fix update
2024-06-14 14:00:40
openssl
openssl
Vulnerability in OpenSSL CVE-2023-5678
2023-11-06 00:00:00
cbl_mariner
cbl_mariner
CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28
2024-05-17 21:38:35
CVE-2023-5678 affecting package openssl for versions less than 1.1.1k-28
2024-06-28 21:08:33
CVE-2023-5678 affecting package kata-containers for versions less than 3.2.0.azl1-1
2024-05-17 21:38:35
freebsd
freebsd
OpenSSL -- DoS in DH generation
2023-11-08 00:00:00
redos
redos
ROS-20240401-02
2024-04-01 00:00:00
fedora
fedora
[SECURITY] Fedora 40 Update: tomcat-9.0.89-1.fc40
2024-06-23 06:52:19
[SECURITY] Fedora 39 Update: tomcat-9.0.89-1.fc39
2024-06-13 03:03:35
mageia
mageia
Updated tomcat packages fix security vulnerabilities
2024-03-27 01:02:49

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

7.6 High

AI Score

Confidence

High

0.005 Low

EPSS

Percentile

76.1%

JSON
Related for REDHAT-RHSA-2024-1318.NASL
redhat10osv16debian4openvas31nessus52ibm15ubuntucve2cgr3veracode3cvelist2cve2github2almalinux4f51kaspersky4tomcat8atlassian8debiancve2amazon2oraclelinux4redhatcve3nvd2prion2wolfi2vulnrichment1hackerone1rocky2openssl1cbl_mariner5freebsd1redos1fedora2mageia1