Lucene search

HistoryMay 23, 2024 - 12:00 a.m.

Apache Tomcat 9.0.0.M1 < 9.0.0.M21

2024-05-2300:00:00

www.tenable.com

apache tomcat

vulnerability

error page

static file

default servlet

unexpected results

nessus scanner

cve-2017-5664

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.9 Medium

AI Score

Confidence

High

0.009 Low

EPSS

Percentile

82.7%

JSON

The version of Tomcat installed on the remote host is prior to 9.0.0.M21. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_9.0.0.m21_security-9 advisory.

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method.
If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page.
Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (CVE-2017-5664)

Note that Nessus has not tested for this issue but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
##

include('compat.inc');

if (description)
{
  script_id(197825);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2024/05/23");

  script_cve_id("CVE-2017-5664");

  script_name(english:"Apache Tomcat 9.0.0.M1 < 9.0.0.M21");

  script_set_attribute(attribute:"synopsis", value:
"The remote Apache Tomcat server is affected by a vulnerability");
  script_set_attribute(attribute:"description", value:
"The version of Tomcat installed on the remote host is prior to 9.0.0.M21. It is, therefore, affected by a vulnerability
as referenced in the fixed_in_apache_tomcat_9.0.0.m21_security-9 advisory.

  - The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an
    error page is configured for the error that occurred, the original request and response are forwarded to
    the error page. This means that the request is presented to the error page with the original HTTP method.
    If the error page is a static file, expected behaviour is to serve content of the file as if processing a
    GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to
    9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the
    original request this could lead to unexpected and undesirable results for static error pages including,
    if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page.
    Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP
    method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request,
    regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the
    HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET
    request, regardless of the actual method. (CVE-2017-5664)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1793468");
  script_set_attribute(attribute:"see_also", value:"https://svn.apache.org/viewvc?view=rev&rev=1793487");
  # https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M21
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?a774a43b");
  script_set_attribute(attribute:"solution", value:
"Upgrade to Apache Tomcat version 9.0.0.M21 or later.");
  script_set_attribute(attribute:"agent", value:"all");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2017-5664");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2017/05/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2017/05/10");
  script_set_attribute(attribute:"plugin_publication_date", value:"2024/05/23");

  script_set_attribute(attribute:"plugin_type", value:"combined");
  script_set_attribute(attribute:"cpe", value:"cpe:/a:apache:tomcat:9");
  script_set_attribute(attribute:"generated_plugin", value:"former");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Web Servers");

  script_copyright(english:"This script is Copyright (C) 2024 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("os_fingerprint.nasl", "tomcat_error_version.nasl", "tomcat_win_installed.nbin", "apache_tomcat_nix_installed.nbin");
  script_require_keys("installed_sw/Apache Tomcat");

  exit(0);
}

include('vcf_extras.inc');

vcf::tomcat::initialize();
var app_info = vcf::combined_get_app_info(app:'Apache Tomcat');

var constraints = [
  { 'min_version' : '9.0.0.M1', 'max_version' : '9.0.0.M20', 'fixed_version' : '9.0.0.M21' }
];

vcf::check_all_backporting(app_info:app_info);
vcf::check_granularity(app_info:app_info, sig_segments:3);
vcf::check_version_and_report(
    app_info:app_info,
    constraints:constraints,
    severity:SECURITY_WARNING
);

VendorProductVersionCPE
apachetomcat9cpe:/a:apache:tomcat:9

Vendor	Product	Version	CPE
apache	tomcat	9	cpe:/a:apache:tomcat:9

References

cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664

www.nessus.org/u?a774a43b

svn.apache.org/viewvc?view=rev&rev=1793468

svn.apache.org/viewvc?view=rev&rev=1793487

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

6.9 Medium

AI Score

Confidence

High

0.009 Low

EPSS

Percentile

82.7%

JSON

Related for TOMCAT_9_0_0_M21.NASL