SA118 : February 2016 Apache Tomcat Vulnerabilities

Symantec Security Response (SMNTC-1353)
2016-03-15 08:00:00

CVSS3: 8.8 High
Attack Vector: NETWORK | Attack Complexity: LOW | Privileges Required: NONE | User Interaction: REQUIRED | Scope: UNCHANGED | Confidentiality Impact: HIGH | Integrity Impact: HIGH | Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS2: 6.8 Medium
Access Vector: NETWORK | Access Complexity: MEDIUM | Authentication: NONE | Confidentiality Impact: PARTIAL | Integrity Impact: PARTIAL | Availability Impact: PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P

SUMMARY

Blue Coat products that include affected versions of Apache Tomcat are susceptible to multiple vulnerabilities. A remote attacker, with access to the management interface, can exploit these vulnerabilities to determine the existence of a directory that they are not authorized to view, and perform session fixation and CSRF attacks. An authenticated remote attacker, who can access the management interface and deploy a malicious web application, can also execute arbitrary code, impersonate authenticated clients, view the directory listing of the Apache Tomcat web applications directory, gain unauthorized read/write access to data owned by other deployed web applications, and disrupt other deployed web applications.

AFFECTED PRODUCTS

The following products are vulnerable:

Director

CVE | Affected Version(s) | Remediation
CVE-2015-5345 | 6.1 | Upgrade to 6.1.22.1.

IntelligenceCenter (IC)

CVE | Affected Version(s) | Remediation
CVE-2015-5174, CVE-2015-5345, CVE-2016-0706, CVE-2016-0714 | 3.3 | Upgrade to 3.3.3.3.

IntelligenceCenter Data Collector (DC)

CVE | Affected Version(s) | Remediation
All CVEs | 3.3 | Upgrade to a version of NetDialog NetX with fixes.

Management Center (MC)

CVE | Affected Version(s) | Remediation
CVE-2015-5345 | 1.11 and later | Not vulnerable, fixed in 1.11.1.1
CVE-2015-5345 | 1.5, 1.6, 1.7, 1.8, 1.9, 1.10 | Upgrade to later release with fixes.

X-Series XOS

CVE | Affected Version(s) | Remediation
CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 | 11.0 | Not available at this time
CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 | 10.0 | Not available at this time
CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 | 9.7 | Upgrade to later release with fixes.

The following products have a vulnerable version of Apache Tomcat, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1
CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 | 6.6 | Upgrade to 6.6.5.8.

Content Analysis System (CAS)

CVE | Affected Version(s) | Remediation
CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1
CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 | 1.3 | Upgrade to 1.3.7.5.
CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 | 1.2 | Upgrade to later release with fixes.

Mail Threat Defense (MTD)

CVE | Affected Version(s) | Remediation
CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763 | 1.1 | Not available at this time

ADDITIONAL PRODUCT INFORMATION

Blue Coat products that use a native installation of Apache Tomcat but do not install or maintain it are not vulnerable to any of the CVEs in this Security Advisory. However, the underlying platform or application that installs and maintains Apache Tomcat may be vulnerable. Blue Coat urges customers using the Blue Coat HSM Agent for the SafeNet Luna SP to contact SafeNet for more information about these vulnerabilities.

Blue Coat products do not enable or use all functionality within Apache Tomcat. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763
  • CAS: CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763
  • Director: CVE-2015-5174, CVE-2016-0706, and CVE-2016-0714
  • MTD: CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763
  • MC: CVE-2015-5174, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent
Web Isolation

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2015-5174

Severity / CVSSv2 | Medium / 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
References | SecurityFocus: BID 83329 / NVD: CVE-2015-5174
Impact | Information disclosure
Description | A flaw in the ServletContext class allows a remote attacker to bypass security restrictions and obtain the directory listing of the Tomcat web applications directory. The attacker must be able to deploy a malicious web application to exploit the vulnerability.

CVE-2015-5345

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 83328 / NVD: CVE-2015-5345
Impact | Information disclosure
Description | A flaw in the request redirect logic allows a remote attacker to determine the existence of a directory that the attacker is not authorized to view.

CVE-2015-5346

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 83323 / NVD: CVE-2015-5346
Impact | Session hijacking
Description | A flaw in Request object recycling allows a remote attacker, who can force a client to use a recycled Request object, to perform a session fixation attack if the web application is configured to use the SSL session ID as the HTTP session ID. A successful session fixation attack allows the remote attacker to send malicious requests to the victim on behalf of an authenticated user.

CVE-2015-5351

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 83330 / NVD: CVE-2015-5351
Impact | Cross-site request forgery (CSRF)
Description | A flaw in the Manager and Host Manager applications allows a remote attacker to obtain a valid CSRF token and use the token to perform a CSRF attack.

CVE-2016-0706

Severity / CVSSv2 | Medium / 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
References | SecurityFocus: BID 83324 / NVD: CVE-2016-0706
Impact | Information disclosure
Description | A flaw in servlet restrictions allows a remote attacker to bypass security restrictions and obtain the currently processed HTTP request lines for all deployed web applications. The HTTP requests obtained include web application session IDs, which may allow the attacker to impersonate authenticated users of any deployed web application. The attacker must be able to deploy a malicious web application to exploit the vulnerability.

CVE-2016-0714

Severity / CVSSv2 | Medium / 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
References | SecurityFocus: BID 83327 / NVD: CVE-2016-0714
Impact | Code execution
Description | A flaw in session persistence allows a remote attacker to bypass security restrictions and execute arbitrary code in a privileged context by passing a crafted object in a session. The attacker must be able to deploy a malicious web application to exploit the vulnerability.

CVE-2016-0763

Severity / CVSSv2 | Medium / 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
References | SecurityFocus: BID 83326 / NVD: CVE-2016-0763
Impact | Information disclosure, unauthorized modification of data, denial of service
Description | A flaw in the ResourceLinkFactory class allows a remote attacker to bypass security restrictions and gain unauthorized read and write access to data owned by deployed web applications. The attacker can also disrupt deployed web applications, causing denial of service. The attacker must be able to deploy a malicious web application to exploit the vulnerability.

MITIGATION

These vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.
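As an added illustration of the network restriction described above (this is not configuration from the advisory or from any Blue Coat product, whose appliance management interfaces are restricted through the product's own settings): on an Apache Tomcat instance the reader administers directly, the Manager application's context can be limited to trusted source addresses with Tomcat's RemoteAddrValve. The loopback addresses and the 10.0.0.0/24 subnet are assumed trusted-network values.

```xml
<!-- Weak: the Manager context accepts requests from any source address.
     (Added example; the context attributes are the ones Tomcat ships for the Manager app.) -->
<Context antiResourceLocking="false" privileged="true" />

<!-- Restricted: only loopback and the assumed trusted subnet 10.0.0.0/24 may reach the Manager.
     "allow" is a java.util.regex pattern that must match the client's whole IP address;
     each dot is escaped so "10.0.0." cannot match an address such as "10x0y0z".
     Requests from any other address are rejected with HTTP 403. -->
<Context antiResourceLocking="false" privileged="true">
  <Valve className="org.apache.catalina.valves.RemoteAddrValve"
         allow="127\.0\.0\.1|::1|10\.0\.0\.\d+" />
</Context>
```

The valve only sees the immediate peer address, so behind a reverse proxy it must be combined with a trusted-proxy configuration or applied at the proxy or firewall instead.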

REFERENCES

Apache Tomcat 6 vulnerabilities - https://tomcat.apache.org/security-6.html
Apache Tomcat 7 vulnerabilities - https://tomcat.apache.org/security-7.html
Apache Tomcat 8 vulnerabilities - https://tomcat.apache.org/security-8.html
Apache Tomcat 9 vulnerabilities - https://tomcat.apache.org/security-9.html

REVISION

2020-04-21 Advisory status moved to Closed.
2019-10-03 Web Isolation is not vulnerable.
2019-08-20 A fix for IntelligenceCenter Data Collector (DC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2019-01-14 MC 2.0 and 2.1 are not vulnerable.
2018-04-22 CAS 2.2 and 2.3 are not vulnerable.
2017-11-07 MC 1.11 is not vulnerable because a fix is available in 1.11.1.1. A fix for MC 1.10 will not be provided. Please upgrade to a later version with the vulnerability fix.
2017-11-06 ASG 6.7 is not vulnerable.
2017-07-20 MC 1.10 is vulnerable to CVE-2015-5345. Exploiting the vulnerability does not have any security impact because MC does not have any non-public directories or web applications. A fix for CVE-2015-5345 in MC 1.9 will not be provided. Please upgrade to a later version with the vulnerability fix.
2017-05-26 A fix for CAS 1.3 is available in 1.3.7.5.
2017-05-19 A fix for ASG 6.6 is available in 6.6.5.8.
2017-05-18 CAS 2.1 is not vulnerable because a fix is available in 2.1.1.1.
2017-03-30 MC 1.9 is vulnerable to CVE-2015-5345. Exploiting the vulnerability does not have any security impact because MC does not have any non-public directories or web applications.
2017-03-06 MC 1.8 is vulnerable to CVE-2015-5345. Exploiting the vulnerability does not have any security impact because MC does not have any non-public directories or web applications.
2017-02-07 A fix for IntelligenceCenter is available in 3.3.3.3.
2016-11-29 A fix for Director is available in 6.1.22.1. Customers should contact Digital Guardian regarding vulnerability information for DLP.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable. MC 1.6 and 1.7 are vulnerable to CVE-2015-5345. Exploiting the vulnerability does not have any security impact because MC does not have any non-public directories or web applications.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-25 MTD 1.1 has vulnerable code for multiple CVEs, but is not vulnerable to known vectors of attack.
2016-04-22 IntelligenceCenter 3.3 is vulnerable to CVE-2015-5174, CVE-2015-5345, CVE-2016-0706, and CVE-2016-0714.
2016-03-23 Previously it was reported that CAS 1.2 and 1.3 are vulnerable to CVE-2015-5345 and CVE-2015-5346. Further investigation shows that CAS 1.2 and 1.3 only have vulnerable code for these CVEs, but are not vulnerable to known vectors of attack. Fixes for these CVEs will still be included in the patches that are provided.
2016-03-23 X-Series XOS 9.7 is vulnerable to CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763.
2016-03-17 IntelligenceCenter Data Collector is vulnerable to all CVEs.
2016-03-15 Initial public release.
