Scientific Linux Security Update : tomcat on SL7.x (noarch)

2017-04-13T00:00:00
ID SL_20170412_TOMCAT_ON_SL7_X.NASL
Type nessus
Reporter Tenable
Modified 2018-01-26T00:00:00

Description

Security Fix(es) :

  • It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)

Note: This fix causes Tomcat to respond with an HTTP 400 Bad Request error when request contains characters that are not permitted by the HTTP specification to appear not encoded, even though they were previously accepted. The newly introduced system property tomcat.util.http.parser.HttpParser.requestTargetAllow can be used to configure Tomcat to accept curly braces ({ and }) and the pipe symbol (|) in not encoded form, as these are often used in URLs without being properly encoded.

  • A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)

                                        
                                            #
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include("compat.inc");

if (description)
{
  script_id(99353);
  script_version("$Revision: 3.2 $");
  script_cvs_date("$Date: 2018/01/26 17:50:30 $");

  script_cve_id("CVE-2016-6816", "CVE-2016-8745");

  script_name(english:"Scientific Linux Security Update : tomcat on SL7.x (noarch)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"Security Fix(es) :

  - It was discovered that the code that parsed the HTTP
    request line permitted invalid characters. This could be
    exploited, in conjunction with a proxy that also
    permitted the invalid characters but with a different
    interpretation, to inject data into the HTTP response.
    By manipulating the HTTP response the attacker could
    poison a web-cache, perform an XSS attack, or obtain
    sensitive information from requests other then their
    own. (CVE-2016-6816)

Note: This fix causes Tomcat to respond with an HTTP 400 Bad Request
error when request contains characters that are not permitted by the
HTTP specification to appear not encoded, even though they were
previously accepted. The newly introduced system property
tomcat.util.http.parser.HttpParser.requestTargetAllow can be used to
configure Tomcat to accept curly braces ({ and }) and the pipe symbol
(|) in not encoded form, as these are often used in URLs without being
properly encoded.

  - A bug was discovered in the error handling of the send
    file code for the NIO HTTP connector. This led to the
    current Processor object being added to the Processor
    cache multiple times allowing information leakage
    between requests including, and not limited to, session
    ID and the response body. (CVE-2016-8745)"
  );
  # http://listserv.fnal.gov/scripts/wa.exe?A2=ind1704&L=scientific-linux-errata&F=&S=&P=8502
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?449de15c"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/04/12");
  script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/13");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2017-2018 Tenable Network Security, Inc.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);


flag = 0;
if (rpm_check(release:"SL7", reference:"tomcat-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-admin-webapps-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-docs-webapp-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-el-2.2-api-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-javadoc-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-jsp-2.2-api-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-jsvc-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-lib-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-servlet-3.0-api-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-webapps-7.0.69-11.el7_3")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");