Symantec Security Response SMNTC-1463
Oct 11, 2018 - 8:01 a.m.

Apache Tomcat Vulnerabilities Jan-Aug 2018


CVSS3: 9.8 High

Metric | Value
Attack Vector | NETWORK
Attack Complexity | LOW
Privileges Required | NONE
User Interaction | NONE
Scope | UNCHANGED
Confidentiality Impact | HIGH
Integrity Impact | HIGH
Availability Impact | HIGH

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High

Metric | Value
Access Vector | NETWORK
Access Complexity | LOW
Authentication | NONE
Confidentiality Impact | PARTIAL
Integrity Impact | PARTIAL
Availability Impact | PARTIAL

AV:N/AC:L/Au:N/C:P/I:P/A:P

SUMMARY

Symantec Network Protection products using affected versions of Apache Tomcat are susceptible to multiple security vulnerabilities. A remote attacker, with access to the management interface, can gain unauthorized access to a web application resource or cause denial of service in the Tomcat server. A remote SSL/TLS client can authenticate with a revoked client certificate. A malicious TLS WebSocket server can impersonate a trusted server. A Tomcat user can obtain sensitive information associated with other Tomcat users.

AFFECTED PRODUCTS

Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
CVE-2018-1336 | 6.7 starting with 6.7.3.1 | Upgrade to 6.7.5.3.
CVE-2018-1336 | 7.1 | Upgrade to later version with fixes.
CVE-2018-1336 | 7.2 | Upgrade to 7.2.1.1.

Content Analysis (CA)

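CVE | Affected Version(s) | Remediation
CVE-2018-1336, CVE-2018-8019, CVE-2018-8020, CVE-2018-8034 | 2.2 | Upgrade to later version with fixes.
CVE-2018-1336, CVE-2018-8019, CVE-2018-8020, CVE-2018-8034 | 2.3 | Upgrade to 2.3.5.1.
CVE-2018-1336, CVE-2018-8019, CVE-2018-8020, CVE-2018-8034 | 2.4 and later | Not vulnerable, fixed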

Director

CVE | Affected Version(s) | Remediation
CVE-2017-15706, CVE-2018-1304, CVE-2018-1305, CVE-2018-1336, CVE-2018-8014, CVE-2018-8034 | 6.1 | Not available at this time

Management Center (MC)

CVE | Affected Version(s) | Remediation
CVE-2018-1336 | 1.11, 2.1 | Upgrade to later version with fixes.
CVE-2018-1336 | 2.2 | Upgrade to 2.2.2.1.
CVE-2018-1336 | 2.3 and later | Not vulnerable, fixed in 2.3.1.1

ADDITIONAL PRODUCT INFORMATION

The following products are not vulnerable:
AuthConnector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
HSM Agent for the Luna SP
Mail Threat Defense
Malware Analysis
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent
Web Isolation
WSS Mobile Agent
X-Series XOS 11.0

Information about the following products is not available. NetDialog NetX is a replacement product for IntelligenceCenter.
IntelligenceCenter
IntelligenceCenter Data Collector

The following products are under investigation:
X-Series XOS 10.0

ISSUES

CVE-2017-15698

Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
References | SecurityFocus: BID 105851 / NVD: CVE-2017-15698
Impact | Security control bypass
Description | A certificate validation flaw in the Native Connector allows a remote SSL/TLS client to authenticate with a revoked certificate.

CVE-2017-15706

Severity / CVSSv3 | Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
References | SecurityFocus: BID 103069 / NVD: CVE-2017-15706
Impact | Unspecified
Description | A flaw in the CGI servlet documentation might cause the incorrect CGI script to be executed when an HTTP client invokes a CGI servlet, resulting in unspecified impact.

CVE-2018-1304

Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:)
References | SecurityFocus: BID 103170 / NVD: CVE-2018-1304
Impact | Security control bypass
Description | A flaw in the handling of URL patterns in security constraints allows a remote attacker to gain unauthorized access to a web application resource.

CVE-2018-1305

Severity / CVSSv3 | Medium / 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N)
References | SecurityFocus: BID 103144 / NVD: CVE-2018-1305
Impact | Security control bypass
Description | A flaw in security constraint enforcement allows a remote attacker to gain unauthorized access to a web application resource.

CVE-2018-1336

Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References | SecurityFocus: BID 104898 / NVD: CVE-2018-1336
Impact | Denial of service
Description | A flaw in the UTF-8 decoder allows a remote attacker to trigger an infinite loop in the decoder, resulting in denial of service.

CVE-2018-8014

Severity / CVSSv3 | Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
References | SecurityFocus: BID 104203 / NVD: CVE-2018-8014
Impact | Security control bypass
Description | A flaw in the CORS filter default configuration allows a remote attacker to trick an authenticated web application user into opening a malicious website, which can then make cross-origin requests to the Tomcat server.
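
Because CVE-2018-8014 stems from relying on the CORS filter's defaults, one defensive check on a Tomcat deployment you administer is to flag any CorsFilter declaration in web.xml that leaves the origin list or credential support unset. The following is an added example, not code from Symantec or Apache; the sample descriptors and the hostname console.example.test are constructed, and the parameter names are those of Tomcat's org.apache.catalina.filters.CorsFilter.

```python
import xml.etree.ElementTree as ET

CORS_FILTER = "org.apache.catalina.filters.CorsFilter"
HEAD = ('<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><filter>'
        "<filter-name>Cors</filter-name>"
        f"<filter-class>{CORS_FILTER}</filter-class>")
TAIL = "</filter></web-app>"

def init_param(name, value):
    return (f"<init-param><param-name>{name}</param-name>"
            f"<param-value>{value}</param-value></init-param>")

# Constructed sample descriptors, not taken from any Symantec product.
WEB_XML_DEFAULTS = HEAD + TAIL   # filter declared, nothing pinned
WEB_XML_PINNED = (HEAD
                  + init_param("cors.allowed.origins", "https://console.example.test")
                  + init_param("cors.support.credentials", "false")
                  + TAIL)

def local(tag):
    """Strip the XML namespace so any web.xml schema version matches."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of the first direct child called `name`, or None."""
    for child in elem:
        if local(child.tag) == name:
            return (child.text or "").strip()
    return None

def audit_cors(web_xml):
    """Return findings for CorsFilter declarations that rely on defaults."""
    findings = []
    for flt in ET.fromstring(web_xml).iter():
        if local(flt.tag) != "filter" or child_text(flt, "filter-class") != CORS_FILTER:
            continue
        params = {child_text(p, "param-name"): child_text(p, "param-value")
                  for p in flt if local(p.tag) == "init-param"}
        origins = params.get("cors.allowed.origins")
        creds = params.get("cors.support.credentials")
        if origins is None:
            findings.append("cors.allowed.origins unset: version default applies")
        elif "*" in [o.strip() for o in origins.split(",")]:
            findings.append("cors.allowed.origins permits any origin")
        if creds is None:
            findings.append("cors.support.credentials unset: version default applies")
        elif creds.lower() == "true":
            findings.append("credentialed cross-origin requests enabled: review origin list")
    return findings
```

Calling `audit_cors(WEB_XML_DEFAULTS)` returns two findings, while `audit_cors(WEB_XML_PINNED)` returns an empty list because both settings are stated explicitly.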

CVE-2018-8019

Severity / CVSSv3 | High / 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
References | SecurityFocus: BID 104936 / NVD: CVE-2018-8019
Impact | Security control bypass
Description | An OCSP response handling flaw in the Native Connector allows a remote SSL/TLS client to authenticate with a revoked certificate.

CVE-2018-8020

Severity / CVSSv3 | High / 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N)
References | SecurityFocus: BID 104934 / NVD: CVE-2018-8020
Impact | Security control bypass
Description | An OCSP response handling flaw in the Native Connector allows a remote SSL/TLS client to authenticate with a revoked certificate.

CVE-2018-8034

Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
References | SecurityFocus: BID 104895 / NVD: CVE-2018-8034
Impact | Impersonation of a trusted entity
Description | A hostname verification flaw in the WebSocket TLS client allows a remote malicious TLS server to impersonate a trusted TLS server.

CVE-2018-8037

Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
References | SecurityFocus: BID 104894 / NVD: CVE-2018-8037
Impact | Information disclosure
Description | A flaw in asynchronous request handling allows a Tomcat user to see responses for HTTP requests associated with other Tomcat users.

REFERENCES

Apache Tomcat 7 vulnerabilities - <https://tomcat.apache.org/security-7.html>
Apache Tomcat 8 vulnerabilities - <https://tomcat.apache.org/security-8.html>
Apache Tomcat 9 vulnerabilities - <https://tomcat.apache.org/security-9.html>

REVISION

2020-06-01 A fix for Advanced Secure Gateway (ASG) 7.2 is available in 7.2.1.1. Advisory Status changed to Closed.
2020-04-16 A fix for Advanced Secure Gateway (ASG) 6.7 is available in 6.7.5.3. ASG 7.1 and 7.2 are vulnerable to CVE-2018-1336. A fix will not be provided for ASG 7.1. Please upgrade to a later version with the vulnerability fixes.
2020-04-05 CA 2.4 is not vulnerable because a fix is available in 2.4.1.1. Information about IntelligenceCenter is not available. NetDialog NetX is a replacement product for IntelligenceCenter.
2019-10-03 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-07 A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for CVE-2018-1336 in MC 2.2 is available in 2.2.2.1. MC 2.3 is not vulnerable because a fix is available in 2.3.1.1.
2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-14 A fix for CA 2.3 is available in 2.3.5.1. Added remaining Security Focus BID numbers and NVD CVSS base scores. MC 2.1 is vulnerable to CVE-2018-1336. A fix for MC 1.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-10-11 initial public release
