Symantec Security Response, SMNTC-1419
Nov 07, 2017 - 8:00 a.m.

SA156: Apache Tomcat Vulnerabilities Apr-Oct 2017


CVSS3: 9.8 High

Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | PARTIAL
Availability Impact | PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

SUMMARY

Symantec Network Protection products using affected versions of Apache Tomcat are susceptible to multiple security vulnerabilities. A remote attacker, with access to the management interface, can obtain sensitive information from the server, modify information associated with a different web application, execute arbitrary code, modify server behavior, perform HTTP cache poisoning, or cause denial of service.

AFFECTED PRODUCTS

Advanced Secure Gateway (ASG)

CVE |Affected Version(s)|Remediation
CVE-2017-5647, CVE-2017-5664 | 7.2 | Upgrade to 7.2.1.1
CVE-2017-5647, CVE-2017-5664 | 7.1 | Upgrade to later release with fixes.
CVE-2017-5647, CVE-2017-5664 | 6.7 | Upgrade to 6.7.5.3
CVE-2017-5647, CVE-2017-5664 | 6.6 | Upgrade to later release with fixes.

Content Analysis (CA)

CVE |Affected Version(s)|Remediation
CVE-2017-5647, CVE-2017-5664 | 2.4 and later | Not vulnerable, fixed in 2.4.1.1
CVE-2017-5647, CVE-2017-5664 | 2.3 | Upgrade to 2.3.5.1.
CVE-2017-5647, CVE-2017-5664 | 1.3, 2.1, 2.2 | Upgrade to later version with fixes.

Director

CVE |Affected Version(s)|Remediation
CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, CVE-2017-12617 | 6.1 | Upgrade to 6.1.23.3.

IntelligenceCenter (IC)

CVE |Affected Version(s)|Remediation
All CVEs | 3.3 | Upgrade to a version of NetDialog NetX with fixes.

IntelligenceCenter Data Collector (DC)

CVE |Affected Version(s)|Remediation
All CVEs | 3.3 | Upgrade to a version of NetDialog NetX with fixes.

Mail Threat Defense (MTD)

CVE |Affected Version(s)|Remediation
CVE-2017-5647, CVE-2017-5664 | 1.1 | Not available at this time

Management Center (MC)

CVE |Affected Version(s)|Remediation
CVE-2017-5647, CVE-2017-5650, CVE-2017-5651, CVE-2017-5664 | 2.0 and later | Not vulnerable, fixed in 2.0.1.1.
CVE-2017-5647, CVE-2017-5650, CVE-2017-5651, CVE-2017-5664 | 1.11 | Upgrade to later version with fixes.
CVE-2017-5648, CVE-2017-7674, CVE-2017-7675 | 2.0 and later | Not vulnerable, fixed in 2.0.1.1.
CVE-2017-5648, CVE-2017-7674, CVE-2017-7675 | 1.11 (not vulnerable to known vectors of attack) | Upgrade to later version with fixes.
CVE-2017-12617 | 2.3 (not vulnerable to known vectors of attack) | Not vulnerable, fixed in 2.3.1.1.
CVE-2017-12617 | 2.2 (not vulnerable to known vectors of attack) | Upgrade to 2.2.2.1.
CVE-2017-12617 | 1.11 - 2.1 (not vulnerable to known vectors of attack) | Upgrade to later version with fixes.

X-Series XOS

CVE |Affected Version(s)|Remediation
CVE-2017-5664, CVE-2017-12615, CVE-2017-12617 | 11.0 | Not available at this time
CVE-2017-5664, CVE-2017-12615, CVE-2017-12617 | 10.0 | Not available at this time
CVE-2017-5664, CVE-2017-12615, CVE-2017-12617 | 9.7 | Upgrade to later version with fixes.
CVE-2017-5647, CVE-2017-12616 | 11.0 | Not available at this time

ADDITIONAL PRODUCT INFORMATION

Some Symantec Network Protection products do not enable or use all functionality within Apache Tomcat. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617
  • CA: CVE-2017-5648 (2.2 only), CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617
  • MTD: CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617
  • MC: CVE-2017-5648, CVE-2017-7674, CVE-2017-7675, and CVE-2017-12617

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
K9
Malware Analysis
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent
Web Isolation

ISSUES

CVE-2017-5647

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
References | NVD: CVE-2017-5647
Impact | Information disclosure, unauthorized modification
Description | A flaw in pipelined request handling allows a remote attacker to send crafted pipelined HTTP requests and obtain sensitive information or cause the target to return incorrect responses to other pipelined requests.

CVE-2017-5648

Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
References | SecurityFocus: BID 97530 / NVD: CVE-2017-5648
Impact | Information disclosure, unauthorized modification
Description | A flaw in servlet restrictions allows an untrusted web application under a SecurityManager to view and modify information associated with another web application. An attacker must be able to deploy a malicious web application to exploit this vulnerability.

CVE-2017-5650

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References | SecurityFocus: BID 97531 / NVD: CVE-2017-5650
Impact | Denial of service
Description | A flaw in resource deallocation allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through resource exhaustion.

CVE-2017-5651

Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 97544 / NVD: CVE-2017-5651
Impact | Information disclosure, unauthorized modification
Description | A flaw in request handling allows a remote attacker to send HTTP requests and obtain sensitive information or cause the target to return incorrect responses to other HTTP requests.

CVE-2017-5664

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 98888 / NVD: CVE-2017-5664
Impact | Unauthorized modification
Description | A flaw in HTTP error processing allows a remote attacker to send crafted HTTP requests and modify server behavior.

CVE-2017-7674

Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References | SecurityFocus: BID 100280 / NVD: CVE-2017-7674
Impact | HTTP cache poisoning
Description | A flaw in the CORS filter allows remote attackers to perform client and server side HTTP response cache poisoning.

CVE-2017-7675

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 100256 / NVD: CVE-2017-7675
Impact | Directory traversal
Description | A flaw in the HTTP/2 implementation allows remote attackers to bypass security constraints and perform directory traversal.

CVE-2017-12615

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 100901 / NVD: CVE-2017-12615
Impact | Code execution
Description | A flaw allows remote attackers to send crafted requests to upload and execute arbitrary JSP code on the server. This is a different vulnerability from CVE-2017-12617.

CVE-2017-12616

Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
References | SecurityFocus: BID 100897 / NVD: CVE-2017-12616
Impact | Information disclosure
Description | A flaw allows remote attackers to send crafted requests to bypass security constraints and view JSP source code.

CVE-2017-12617

Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
References | SecurityFocus: BID 100954 / NVD: CVE-2017-12617
Impact | Code execution
Description | A flaw allows remote attackers to send crafted requests to upload and execute arbitrary JSP code on the server. This is a different vulnerability from CVE-2017-12615.

MITIGATION

For all vulnerable products, these vulnerabilities can be exploited only through the management interface. Restricting access to the management interface to machines, IP addresses and subnets on a trusted network reduces the risk of exploitation.

REFERENCES

Apache Tomcat 7 vulnerabilities - <https://tomcat.apache.org/security-7.html>
Apache Tomcat 8 vulnerabilities - <https://tomcat.apache.org/security-8.html>
Apache Tomcat 9 vulnerabilities - <https://tomcat.apache.org/security-9.html>

REVISION

2020-06-01 A fix for Advanced Secure Gateway (ASG) 7.2 is available in 7.2.1.1. Advisory Status changed to Closed.
2020-04-17 Content Analysis (CA) 2.4 is not vulnerable because a fix is available in 2.4.1.1.
2020-04-16 A fix for Advanced Secure Gateway (ASG) 6.7 is available in 6.7.5.3. ASG 7.1 and 7.2 are vulnerable to CVE-2017-5647 and CVE-2017-5664. A fix for ASG 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-10-03 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-22 A fix for IntelligenceCenter (IC) 3.3 and IntelligenceCenter Data Collector (DC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2019-08-07 A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for CVE-2017-12617 in MC 2.2 is available in 2.2.2.1. MC 2.3 is not vulnerable because a fix is available in 2.3.1.1.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 and CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-14 MC 2.1 has vulnerable code for CVE-2017-12617, but is not vulnerable to known vectors of attack. A fix for MC 1.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.3 is available in 2.3.5.1. A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-07-26 MC 2.0 is not vulnerable to any of the CVEs except CVE-2017-12617, because a fix is available in 2.0.1.1.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3 is vulnerable to CVE-2017-5647 and CVE-2017-5664.
2017-12-06 A fix for Director 6.1 is available in 6.1.23.3.
2017-11-07 Initial public release.
