Oracle Solaris Third-Party Patch Update : tomcat (multiple_vulnerabilities_in_apache_tomcat4)

#%NASL_MIN_LEVEL 70300
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from the Oracle Third Party software advisories.
#
include('deprecated_nasl_level.inc');
include('compat.inc');

if (description)
{
  script_id(80793);
  script_version("1.6");
  script_set_attribute(attribute:"plugin_modification_date", value:"2021/01/14");

  script_cve_id("CVE-2012-3544", "CVE-2013-1571", "CVE-2013-4286", "CVE-2013-4322", "CVE-2013-4590", "CVE-2014-0033");

  script_name(english:"Oracle Solaris Third-Party Patch Update : tomcat (multiple_vulnerabilities_in_apache_tomcat4)");
  script_summary(english:"Check for the 'entire' version.");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Solaris system is missing a security patch for third-party
software."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"The remote Solaris system is missing necessary patches to address
security updates :

  - Apache Tomcat 6.x before 6.0.37 and 7.x before 7.0.30
    does not properly handle chunk extensions in chunked
    transfer coding, which allows remote attackers to cause
    a denial of service by streaming data. (CVE-2012-3544)

  - Unspecified vulnerability in the Javadoc component in
    Oracle Java SE 7 Update 21 and earlier, 6 Update 45 and
    earlier, and 5.0 Update 45 and earlier; JavaFX 2.2.21
    and earlier; and OpenJDK 7 allows remote attackers to
    affect integrity via unknown vectors related to Javadoc.
    NOTE: the previous information is from the June 2013
    CPU. Oracle has not commented on claims from another
    vendor that this issue is related to frame injection in
    HTML that is generated by Javadoc. (CVE-2013-1571)

  - Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x
    before 8.0.0-RC3, when an HTTP connector or AJP
    connector is used, does not properly handle certain
    inconsistent HTTP request headers, which allows remote
    attackers to trigger incorrect identification of a
    request's length and conduct request-smuggling attacks
    via (1) multiple Content-Length headers or (2) a
    Content-Length header and a 'Transfer-Encoding: chunked'
    header. NOTE: this vulnerability exists because of an
    incomplete fix for CVE-2005-2090. (CVE-2013-4286)

  - Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x
    before 8.0.0-RC10 processes chunked transfer coding
    without properly handling (1) a large total amount of
    chunked data or (2) whitespace characters in an HTTP
    header value within a trailer field, which allows remote
    attackers to cause a denial of service by streaming
    data. NOTE: this vulnerability exists because of an
    incomplete fix for CVE-2012-3544. (CVE-2013-4322)

  - Apache Tomcat before 6.0.39, 7.x before 7.0.50, and 8.x
    before 8.0.0-RC10 allows attackers to obtain 'Tomcat
    internals' information by leveraging the presence of an
    untrusted web application with a context.xml, web.xml,

    *.jspx, *.tagx, or *.tld XML document containing an
    external entity declaration in conjunction with an
    entity reference, related to an XML External Entity
    (XXE) issue. (CVE-2013-4590)

  - org/apache/catalina/connector/CoyoteAdapter.java in
    Apache Tomcat 6.0.33 through 6.0.37 does not consider
    the disableURLRewriting setting when handling a session
    ID in a URL, which allows remote attackers to conduct
    session fixation attacks via a crafted URL.
    (CVE-2014-0033)"
  );
  # https://www.oracle.com/technetwork/topics/security/thirdparty-patch-map-1482893.html
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?4a913f44"
  );
  # https://blogs.oracle.com/sunsecurity/multiple-vulnerabilities-in-apache-tomcat
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?ce09309a"
  );
  script_set_attribute(attribute:"solution", value:"Upgrade to Solaris 11.1.19.6.0.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:solaris:11.1");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:solaris:tomcat");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/05/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2015/01/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2015-2021 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Solaris Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Solaris11/release", "Host/Solaris11/pkg-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("misc_func.inc");
include("solaris.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/Solaris11/release");
if (isnull(release)) audit(AUDIT_OS_NOT, "Solaris11");
pkg_list = solaris_pkg_list_leaves();
if (isnull (pkg_list)) audit(AUDIT_PACKAGE_LIST_MISSING, "Solaris pkg-list packages");

if (empty_or_null(egrep(string:pkg_list, pattern:"^tomcat$"))) audit(AUDIT_PACKAGE_NOT_INSTALLED, "tomcat");

flag = 0;

if (solaris_check_release(release:"0.5.11-0.175.1.19.0.6.0", sru:"SRU 11.1.19.6.0") > 0) flag++;

if (flag)
{
  error_extra = 'Affected package : tomcat\n' + solaris_get_report2();
  error_extra = ereg_replace(pattern:"version", replace:"OS version", string:error_extra);
  if (report_verbosity > 0) security_warning(port:0, extra:error_extra);
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_PACKAGE_NOT_AFFECTED, "tomcat");