Symantec Security Response | SMNTC-1329
Jul 23, 2015 - 8:00 a.m.

SA100 : Apache Tomcat Vulnerabilities

CVSS2: 7.8 High (AV:N/AC:L/Au:N/C:N/I:N/A:C)

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE

SUMMARY

Blue Coat products using affected versions of Tomcat 8.x, 7.x, and 6.x are susceptible to multiple vulnerabilities. A remote attacker may exploit these vulnerabilities to gain unauthorized read access or escalated privileges, or to conduct denial of service, HTTP request smuggling, or session fixation attacks.

AFFECTED PRODUCTS

The following products are vulnerable:

Content Analysis System

CVE | Affected Version(s) | Remediation
CVE-2014-0227, CVE-2014-0119, CVE-2014-0099, CVE-2014-0096, CVE-2014-0075, CVE-2014-0050 | 1.3 and later | Not vulnerable, fixed in 1.3.1.1
CVE-2014-0227, CVE-2014-0119, CVE-2014-0099, CVE-2014-0096, CVE-2014-0075, CVE-2014-0050 | 1.2 | Upgrade to 1.2.4.5.
CVE-2014-0227, CVE-2014-0119, CVE-2014-0099, CVE-2014-0096, CVE-2014-0075, CVE-2014-0050 | 1.1 | Upgrade to later release with fixes.
CVE-2014-0230 | 1.3 and later | Not vulnerable, fixed in 1.3.1.1
CVE-2014-0230 | 1.2 (not vulnerable to known vectors of attack) | Upgrade to 1.2.4.5.
CVE-2014-0230 | 1.1 | Upgrade to later release with fixes.
CVE-2014-7810 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
CVE-2014-7810 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.7.1.
CVE-2014-7810 | 1.1, 1.2 | Upgrade to later release with fixes.

Director

CVE | Affected Version(s) | Remediation
CVE-2014-7810, CVE-2014-0230, CVE-2014-0227 | 6.1 | Upgrade to 6.1.20.1.

IntelligenceCenter

CVE | Affected Version(s) | Remediation
All CVEs except CVE-2014-0095, CVE-2014-0050 | 3.3 | Upgrade to 3.3.3.1.
All CVEs except CVE-2014-0095, CVE-2014-0050 | 3.2 | Upgrade to later release with fixes.

Management Center

CVE | Affected Version(s) | Remediation
CVE-2014-0230, CVE-2014-0227 | 1.5 and later | Not vulnerable, fixed in 1.5.1.1.
CVE-2014-0230, CVE-2014-0227 | 1.4 | Upgrade to 1.4.2.1.

X-Series XOS

CVE | Affected Version(s) | Remediation
All CVEs except CVE-2014-0095, CVE-2014-0050 | 11.0 | Not available at this time

The following products have a vulnerable version of Apache Tomcat, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway

CVE | Affected Version(s) | Remediation
CVE-2014-0227, CVE-2014-7810 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1.
CVE-2014-0227 | 6.6 | Upgrade to 6.6.3.1.
CVE-2014-7810 | 6.6 | Upgrade to 6.6.5.1.

Mail Threat Defense

CVE | Affected Version(s) | Remediation
CVE-2014-7810 | 1.1 | Not available at this time

ADDITIONAL PRODUCT INFORMATION

The Blue Coat HSM Agent for the SafeNet Luna SP is not vulnerable, but the agent does use the Apache Tomcat instance installed on the SafeNet Luna SP. Customers using the agent are advised to contact SafeNet for more information about these vulnerabilities.

These vulnerabilities can be exploited only through the management interfaces for CAS, Director, Management Center, and X-Series XOS. Limiting the machines and IP addresses that are able to connect to the management interface reduces the threat significantly, and thereby reduces the CVSS v2 base scores for each of the CVEs. The adjusted CVSS v2 base scores and severity are:

  • CVE-2014-7810 - 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:P/A:N)
  • CVE-2014-0230 - 6.1 (MEDIUM) (AV:A/AC:L/Au:N/C:N/I:N/A:C)
  • CVE-2014-0227 - 4.8 (MEDIUM) (AV:A/AC:L/Au:N/C:N/I:P/A:P)
  • CVE-2014-0119 - 2.9 (LOW) (AV:A/AC:M/Au:N/C:P/I:N/A:N)
  • CVE-2014-0099 - 2.9 (LOW) (AV:A/AC:M/Au:N/C:N/I:P/A:N)
  • CVE-2014-0096 - 2.9 (LOW) (AV:A/AC:M/Au:N/C:P/I:N/A:N)
  • CVE-2014-0095 - 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  • CVE-2014-0075 - 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  • CVE-2014-0050 - 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  • CVE-2014-0033 - 2.9 (LOW) (AV:A/AC:M/Au:N/C:P/I:N/A:N)

Blue Coat products do not enable or use all functionality within Apache Tomcat. Products that do not utilize or enable the functionality described in a CVE are not vulnerable to that CVE. However, fixes for those CVEs will be included in the patches that are provided. The following products include vulnerable versions of Apache Tomcat, but do not use the functionality described in the CVEs and are not known to be vulnerable.

  • ASG: CVE-2014-0227, CVE-2014-7810
  • CAS: CVE-2014-7810 (1.1, 1.2, and 1.3), CVE-2014-0230 (1.1 and 1.2 only)
  • MTD: CVE-2014-7810
  • Management Center: CVE-2014-7810, CVE-2014-0119 (user supplied web applications are not supported)

The following products are not vulnerable:
Android Mobile Agent
Auth Connector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Malware Analyzer G2
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
OPIC
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics Platform
SSL Visibility
Unified Agent
Web Isolation

The following products are under investigation:
X-Series XOS 10.0.5, 9.7.8, and 9.6.11

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2014-7810

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 74665 / NVD: CVE-2014-7810
Impact | Security control bypass
Description | A flaw allows an attacker to bypass the SecurityManager protection using a malicious web application. This vulnerability affects Blue Coat products that accept input from untrusted sources.

CVE-2014-0230

Severity / CVSSv2 | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
References | SecurityFocus: BID 74475 / NVD: CVE-2014-0230
Impact | Denial of service
Description | A flaw in the handling of HTTP responses allows an attacker to send a series of aborted uploads resulting in memory exhaustion that could lead to a crash or degraded operation.

CVE-2014-0227

Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
References | SecurityFocus: BID 72717 / NVD: CVE-2014-0227
Impact | Security control bypass, denial of service
Description | There exists a flaw in the handling of attempts to read data after an error has already occurred. An attacker can exploit this flaw to conduct HTTP request smuggling attacks or to cause a denial of service by streaming crafted data to the vulnerable host.

CVE-2014-0119

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 67669 / NVD: CVE-2014-0119
Impact | Information disclosure
Description | A flaw allows an attacker to gain read access to unauthorized files using a crafted web application.

CVE-2014-0099

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 67668 / NVD: CVE-2014-0099
Impact | Security control bypass
Description | A flaw allows an attacker to conduct HTTP request smuggling attacks using a crafted header when the Tomcat installation is behind a reverse proxy such as ProxySG.

CVE-2014-0096

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 67667 / NVD: CVE-2014-0096
Impact | Information disclosure
Description | A flaw allows an attacker to bypass the SecurityManager protection using a crafted web application to read arbitrary files.

CVE-2014-0095

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 67673 / NVD: CVE-2014-0095
Impact | Denial of service
Description | An input validation flaw allows an attacker to cause a denial of service.

CVE-2014-0075

Severity / CVSSv2 | Medium / 7.5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 67671 / NVD: CVE-2014-0075
Impact | Denial of service
Description | A flaw allows an attacker to cause a denial of service due to resource consumption.

CVE-2014-0050

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 65400 / NVD: CVE-2014-0050
Impact | Denial of service
Description | A flaw allows an attacker to cause a denial of service.

CVE-2014-0033

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 65769 / NVD: CVE-2014-0033
Impact | Session hijacking
Description | A flaw in handling of session IDs in a URL allows an attacker to conduct session fixation attacks.

MITIGATION

Limit access to management consoles to only the machines, IP addresses, or subnets that require access.

REFERENCES

Apache Tomcat 8.x vulnerabilities - <https://tomcat.apache.org/security-8.html>
Apache Tomcat 7.x vulnerabilities - <https://tomcat.apache.org/security-7.html>
Apache Tomcat 6.x vulnerabilities - <https://tomcat.apache.org/security-6.html>

REVISION

2020-04-18 Advisory status moved to Closed.
2019-10-02 Web Isolation is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-07-20 MC 1.10 is not vulnerable.
2017-05-29 A fix for ASG is available in 6.6.5.1.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-02-15 MC 1.8 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-15 MC 1.6 and 1.7 are not vulnerable.
2016-09-15 ASG 6.6 has a vulnerable version of Apache Tomcat, but is not vulnerable to known vectors of attack.
2016-08-12 A fix for all CVEs in CAS 1.3 is available in 1.3.7.1.
2016-06-11 PolicyCenter S-Series is not vulnerable.
2016-05-24 MC 1.5 is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-06 A fix for MC 1.4 is available in 1.4.2.1.
2016-05-02 A fix for IC 3.3 is available in 3.3.3.1.
2016-04-25 MTD 1.1 and CAS 1.3 have vulnerable code for CVE-2014-7810, but are not vulnerable to known vectors of attack. Previously it was reported that a fix for CVE-2014-7810 in CAS is provided in 1.2.4.5. New information indicates that all CAS 1.2.x versions contain the vulnerable code for this CVE, but are not vulnerable to known vectors of attack. A patch will be provided in CAS 1.3.
2015-10-01 CAS is vulnerable and a fix is available; CAS is not vulnerable to CVE-2014-0230 and CAS fix addresses all vulnerabilities
2015-07-23 initial public release
