Security Fix(es) :
Note: This fix causes Tomcat to respond with an HTTP 400 Bad Request error when request contains characters that are not permitted by the HTTP specification to appear not encoded, even though they were previously accepted. The newly introduced system property tomcat.util.http.parser.HttpParser.requestTargetAllow can be used to configure Tomcat to accept curly braces ({ and }) and the pipe symbol (|) in not encoded form, as these are often used in URLs without being properly encoded.
#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#
include('deprecated_nasl_level.inc');
include('compat.inc');
if (description)
{
script_id(99353);
script_version("3.6");
script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");
script_cve_id("CVE-2016-6816", "CVE-2016-8745");
script_name(english:"Scientific Linux Security Update : tomcat on SL7.x (noarch) (20170412)");
script_summary(english:"Checks rpm output for the updated packages");
script_set_attribute(
attribute:"synopsis",
value:
"The remote Scientific Linux host is missing one or more security
updates."
);
script_set_attribute(
attribute:"description",
value:
"Security Fix(es) :
- It was discovered that the code that parsed the HTTP
request line permitted invalid characters. This could be
exploited, in conjunction with a proxy that also
permitted the invalid characters but with a different
interpretation, to inject data into the HTTP response.
By manipulating the HTTP response the attacker could
poison a web-cache, perform an XSS attack, or obtain
sensitive information from requests other then their
own. (CVE-2016-6816)
Note: This fix causes Tomcat to respond with an HTTP 400 Bad Request
error when request contains characters that are not permitted by the
HTTP specification to appear not encoded, even though they were
previously accepted. The newly introduced system property
tomcat.util.http.parser.HttpParser.requestTargetAllow can be used to
configure Tomcat to accept curly braces ({ and }) and the pipe symbol
(|) in not encoded form, as these are often used in URLs without being
properly encoded.
- A bug was discovered in the error handling of the send
file code for the NIO HTTP connector. This led to the
current Processor object being added to the Processor
cache multiple times allowing information leakage
between requests including, and not limited to, session
ID and the response body. (CVE-2016-8745)"
);
# https://listserv.fnal.gov/scripts/wa.exe?A2=ind1704&L=scientific-linux-errata&F=&S=&P=8502
script_set_attribute(
attribute:"see_also",
value:"http://www.nessus.org/u?b0863e9c"
);
script_set_attribute(attribute:"solution", value:"Update the affected packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P");
script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N");
script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
script_set_attribute(attribute:"exploit_available", value:"true");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-admin-webapps");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-docs-webapp");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-el-2.2-api");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-javadoc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-jsp-2.2-api");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-jsvc");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-lib");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-servlet-3.0-api");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:tomcat-webapps");
script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");
script_set_attribute(attribute:"vuln_publication_date", value:"2017/03/20");
script_set_attribute(attribute:"patch_publication_date", value:"2017/04/12");
script_set_attribute(attribute:"plugin_publication_date", value:"2017/04/13");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_copyright(english:"This script is Copyright (C) 2017-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_family(english:"Scientific Linux Local Security Checks");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");
exit(0);
}
include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("rpm.inc");
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux");
os_ver = os_ver[1];
if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 7.x", "Scientific Linux " + os_ver);
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);
flag = 0;
if (rpm_check(release:"SL7", reference:"tomcat-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-admin-webapps-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-docs-webapp-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-el-2.2-api-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-javadoc-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-jsp-2.2-api-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-jsvc-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-lib-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-servlet-3.0-api-7.0.69-11.el7_3")) flag++;
if (rpm_check(release:"SL7", reference:"tomcat-webapps-7.0.69-11.el7_3")) flag++;
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_WARNING,
extra : rpm_report_get()
);
exit(0);
}
else
{
tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat / tomcat-admin-webapps / tomcat-docs-webapp / etc");
}
Vendor | Product | Version | CPE |
---|---|---|---|
fermilab | scientific_linux | tomcat | p-cpe:/a:fermilab:scientific_linux:tomcat |
fermilab | scientific_linux | tomcat-admin-webapps | p-cpe:/a:fermilab:scientific_linux:tomcat-admin-webapps |
fermilab | scientific_linux | tomcat-docs-webapp | p-cpe:/a:fermilab:scientific_linux:tomcat-docs-webapp |
fermilab | scientific_linux | tomcat-el-2.2-api | p-cpe:/a:fermilab:scientific_linux:tomcat-el-2.2-api |
fermilab | scientific_linux | tomcat-javadoc | p-cpe:/a:fermilab:scientific_linux:tomcat-javadoc |
fermilab | scientific_linux | tomcat-jsp-2.2-api | p-cpe:/a:fermilab:scientific_linux:tomcat-jsp-2.2-api |
fermilab | scientific_linux | tomcat-jsvc | p-cpe:/a:fermilab:scientific_linux:tomcat-jsvc |
fermilab | scientific_linux | tomcat-lib | p-cpe:/a:fermilab:scientific_linux:tomcat-lib |
fermilab | scientific_linux | tomcat-servlet-3.0-api | p-cpe:/a:fermilab:scientific_linux:tomcat-servlet-3.0-api |
fermilab | scientific_linux | tomcat-webapps | p-cpe:/a:fermilab:scientific_linux:tomcat-webapps |