SMNTC-1765: Apache Tomcat Vulnerabilities Oct 2018 – Feb 2020
Symantec Security Response
Published: May 12, 2020, 19:02
CVSS v3.1: 9.8 High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network | Attack Complexity: Low | Privileges Required: None | User Interaction: None | Scope: Unchanged | Confidentiality: High | Integrity: High | Availability: High
(This is the aggregate score for the advisory as a whole; the vector matches CVE-2020-1938, the most severe issue described under Issue Details below. Per-CVE scores are given there.)

CVSS v2: 9.3 High
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
Access Vector: Network | Access Complexity: Medium | Authentication: None | Confidentiality: Complete | Integrity: Complete | Availability: Complete

EPSS: 0.974 High (percentile 99.9%)

Summary

Symantec SWG products using affected versions of Apache Tomcat may be susceptible to multiple vulnerabilities. A remote attacker can execute arbitrary code on the target host, hijack an authenticated Tomcat user’s session, redirect a Tomcat user to an arbitrary URL, execute arbitrary JavaScript code in a Tomcat user’s web browser, bypass a web proxy in front of the Tomcat server, or cause denial of service. A local user can escalate their privileges on the system.

Affected Product(s)

The following products and product versions are vulnerable to the CVEs listed for each product.

Advanced Secure Gateway (ASG)

CVE | Supported Version(s) | Remediation
CVE-2018-11784, CVE-2020-1935 | 6.7 | Upgrade to 6.7.5.3.
CVE-2018-11784, CVE-2020-1935 | 7.1 | Remediation will not be provided.
CVE-2018-11784, CVE-2020-1935 | 7.2 | Upgrade to 7.2.1.1.

Content Analysis (CA)

CVE | Supported Version(s) | Remediation
CVE-2018-11784 | 2.3 | Upgrade to 2.3.5.1.
CVE-2018-11784 | 2.4 and later | Not vulnerable, fixed in 2.4.1.1.
CVE-2020-1935 | 2.3 | Upgrade to a later version with fixes.
CVE-2020-1935 | 2.4, 3.0 | Remediation is not available at this time.
CVE-2020-1935 | 3.1 | Not vulnerable, fixed in 3.1.0.0.

Management Center (MC)

CVE | Supported Version(s) | Remediation
CVE-2019-17563, CVE-2020-1935 | 2.3, 2.4 | Upgrade to a later version with fixes.
CVE-2019-17563, CVE-2020-1935 | 3.0 | Not vulnerable, fixed in 3.0.1.1.

Symantec Messaging Gateway (SMG)

CVE | Supported Version(s) | Remediation
CVE-2020-1935 | 10.7 | Remediation is not available at this time.

Additional Product Information

CVE-2020-1935 is exploitable in ASG, CA, and MC only when the products are deployed behind a reverse proxy.

CVE-2020-1935 is exploitable in SMG only when the SMG Control Center is deployed behind a reverse proxy. SMG Scanners are not vulnerable to CVE-2020-1935 even when deployed behind a reverse proxy.

The following products are not vulnerable:
AuthConnector
BCAAA
CacheFlow (CF)
General Auth Connector Login Application
HSM Agent for the Luna SP
PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
ProxySG
Reporter
Security Analytics (SA)
SSL Visibility (SSLV)
Unified Agent
Web Isolation (WI)
WSS Agent
WSS Mobile Agent

Issue Details

Of the CVEs described below, only CVE-2018-11784, CVE-2019-17563 and CVE-2020-1935 are mapped to an affected product in the tables above.

CVE-2018-11784

Severity / CVSS v3.0: Medium / 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
References: NVD: CVE-2018-11784
Impact: Open redirection
Description: An open redirection flaw in the default servlet allows a remote attacker to cause a user to follow a crafted URL and be redirected to an arbitrary URL of the attacker's choice. The flaw is in the redirect the default servlet generates when a directory is requested without a trailing slash (for example, redirecting /foo to /foo/): a specially crafted request path can make that Location header point at an attacker-chosen URI.
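The defensive counterpart to the redirect flaw above, as an added example (not code from the advisory or from Apache Tomcat): a server-side check that refuses any Location value that could leave the site, including protocol-relative targets such as //evil.example and backslash variants that browsers treat as slashes. The host name tomcat.internal and the paths used are constructed for the demonstration; the check is the general one for this class of bug, not a description of the exact crafted URL the advisory refers to.

```python
from urllib.parse import urlsplit

# Added example for the open-redirect class behind CVE-2018-11784; not
# Symantec or Tomcat code. "tomcat.internal" and the paths are constructed.


def is_safe_redirect(location: str, own_host: str) -> bool:
    """True only if a Location of `location` keeps the browser on own_host."""
    if not location or any(ch in location for ch in "\r\n\t "):
        return False                     # CRLF injection / parser confusion
    # Browsers treat a leading backslash like a slash, so "/\evil.example"
    # and "\\evil.example" are protocol-relative, just like "//evil.example".
    if location.startswith(("//", "/\\", "\\")):
        return False
    parts = urlsplit(location)
    if parts.scheme or parts.netloc:     # absolute URL: must be our own origin
        return (parts.scheme in ("http", "https")
                and parts.netloc.lower() == own_host.lower())
    return location.startswith("/")      # root-relative path on this host


def directory_redirect(request_path: str, own_host: str):
    """Trailing-slash redirect for a directory, or None if the target is unsafe.

    This is the 'redirect /foo to /foo/' step the advisory describes, with the
    validation the vulnerable code lacked.
    """
    target = request_path + "/"
    return target if is_safe_redirect(target, own_host) else None


if __name__ == "__main__":
    for path in ("/docs", "//evil.example", "/\\evil.example"):
        print(repr(path), "->", directory_redirect(path, "tomcat.internal"))
```

Note that the check compares the full netloc, so a userinfo trick such as https://tomcat.internal@evil.example/ is rejected as well.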

CVE-2019-0199

Severity / CVSS v3.0: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2019-0199
Impact: Denial of service
Description: A flaw in the HTTP/2 implementation allows a remote attacker to send crafted streams to the web server and cause denial of service through thread exhaustion. Only connectors that have the HTTP/2 upgrade protocol configured are exposed; Tomcat does not enable HTTP/2 by default.

CVE-2019-0221

Severity / CVSS v3.0: Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
References: NVD: CVE-2019-0221
Impact: Cross-site scripting (XSS)
Description: A reflected XSS flaw in the SSI printenv command allows a remote attacker to cause a user to follow a crafted URL and execute injected JavaScript code in the user's browser. Exposure requires server-side includes to be enabled (the SSI servlet and filter are disabled by default), and printenv is a debugging command that should not be reachable in production.

CVE-2019-0232

Severity / CVSS v3.0: High / 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2019-0232
Impact: Remote code execution
Description: A flaw in the CGI servlet on Windows platforms allows a remote attacker to execute arbitrary code on the target host. The CGI servlet is disabled by default, and exploitation requires its enableCmdLineArguments init parameter to be in effect; the fix changes that parameter's default to false in all branches.

CVE-2019-10072

Severity / CVSS v3.0: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2019-10072
Impact: Denial of service
Description: A flaw in the HTTP/2 implementation allows a remote attacker to send crafted streams to the web server and cause denial of service through thread exhaustion. This is caused by an incomplete fix for CVE-2019-0199.

CVE-2019-12418

Severity / CVSS v3.0: High / 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2019-12418
Impact: Privilege escalation
Description: A flaw in the JMX Remote Lifecycle Listener allows a local attacker to manipulate the local RMI registry, capture credentials for the JMX interface, and gain control of the Tomcat server, escalating their privileges on the system. The listener is not configured by default; only servers that have added it to server.xml are exposed.

CVE-2019-17563

Severity / CVSS v3.0: High / 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
References: NVD: CVE-2019-17563
Impact: Session hijacking
Description: A flaw in FORM authentication allows a remote attacker to perform a session fixation attack and take over a user's authentication session. The window in which the attack can succeed is narrow, which is why the attack complexity is rated High.

CVE-2019-17569

Severity / CVSS v3.0: Medium / 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
References: NVD: CVE-2019-17569
Impact: Security control bypass
Description: A flaw in HTTP Transfer-Encoding header processing allows a remote attacker to perform an HTTP request smuggling attack and bypass a reverse proxy in front of the Tomcat server. The reverse proxy must handle the invalid Transfer-Encoding header incorrectly in a particular way.

CVE-2020-1935

Severity / CVSS v3.0: Medium / 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
References: NVD: CVE-2020-1935
Impact: Security control bypass
Description: A flaw in HTTP header end-of-line processing allows some invalid headers to be accepted as valid, which lets a remote attacker perform an HTTP request smuggling attack and bypass a reverse proxy in front of the Tomcat server. The reverse proxy must handle the invalid Transfer-Encoding header incorrectly in a particular way.
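The framing disagreement behind the two request-smuggling entries (CVE-2019-17569 and CVE-2020-1935), as an added example that is not code from the advisory or from Apache Tomcat. Two parsers read the same bytes: a reverse proxy that only honours a well-formed Transfer-Encoding header and otherwise falls back to Content-Length, and a lenient backend (the pre-fix behaviour the advisory describes) that accepts a malformed Transfer-Encoding header as "chunked". The malformed header used here, "Transfer-Encoding : chunked" with a space before the colon, is a constructed illustration of an invalid-but-tolerated header; it is not claimed to be the exact byte sequence either CVE involved. The smuggled request, host name and paths are likewise constructed.

```python
# Added example for CVE-2019-17569 / CVE-2020-1935; not Symantec or Tomcat
# code. The malformed header, host name and paths are constructed.


def parse_head(data: bytes):
    """Split one request head off the front of `data`.

    Returns (request_line, [(name, value), ...], body_offset). Header names
    are left exactly as they appear on the wire so each side can apply its
    own recognition rule.
    """
    head, sep, _ = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request head")
    lines = head.split(b"\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers.append((name, value.strip()))
    return lines[0], headers, len(head) + 4


def strict_te_chunked(headers) -> bool:
    """Proxy rule: only an exact, well-formed 'Transfer-Encoding: chunked'."""
    return any(n.lower() == b"transfer-encoding" and v.lower() == b"chunked"
               for n, v in headers)


def lenient_te_chunked(headers) -> bool:
    """Pre-fix backend rule: tolerates whitespace around the header name."""
    return any(n.strip().lower() == b"transfer-encoding" and v.lower() == b"chunked"
               for n, v in headers)


def content_length(headers) -> int:
    for n, v in headers:
        if n.strip().lower() == b"content-length":
            return int(v)
    return 0


def read_chunked(body: bytes):
    """Decode a chunked body. Returns (payload, bytes_consumed)."""
    pos, out = 0, b""
    while True:
        eol = body.index(b"\r\n", pos)
        size = int(body[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            return out, pos + 2          # skip the (empty) trailer's CRLF
        out += body[pos:pos + size]
        pos += size + 2                  # chunk data plus its CRLF


def frame_requests(stream: bytes, te_rule):
    """Split `stream` into requests the way an endpoint using `te_rule` would."""
    requests, pos = [], 0
    while pos < len(stream):
        req_line, headers, body_off = parse_head(stream[pos:])
        body = stream[pos + body_off:]
        if te_rule(headers):
            payload, used = read_chunked(body)
        else:
            n = content_length(headers)
            payload, used = body[:n], n
        requests.append((req_line, payload))
        pos += body_off + used
    return requests


def is_well_formed(headers) -> bool:
    """Hardened rule for both ends: reject what the lenient parser tolerated."""
    names = [n for n, _ in headers]
    if any(not n or n != n.strip() for n in names):
        return False                     # whitespace around a header name
    lowered = {n.lower() for n in names}
    if b"transfer-encoding" in lowered and b"content-length" in lowered:
        return False                     # RFC 7230 s3.3.3: ambiguous framing
    return True


# Constructed attacker traffic: one POST whose Content-Length covers a chunked
# terminator *and* a second, smuggled request.
SMUGGLED_TAIL = (
    b"0\r\n\r\n"
    b"GET /manager/html HTTP/1.1\r\n"
    b"Host: tomcat.internal\r\n\r\n"
)
SMUGGLED = (
    b"POST /app/ HTTP/1.1\r\n"
    + b"Host: tomcat.internal\r\n"
    + b"Content-Length: " + str(len(SMUGGLED_TAIL)).encode() + b"\r\n"
    + b"Transfer-Encoding : chunked\r\n\r\n"
    + SMUGGLED_TAIL
)

if __name__ == "__main__":
    proxy_view = frame_requests(SMUGGLED, strict_te_chunked)
    tomcat_view = frame_requests(SMUGGLED, lenient_te_chunked)
    print("proxy saw", len(proxy_view), "request(s)")
    print("tomcat saw", len(tomcat_view), "request(s):", [r[0] for r in tomcat_view])
    print("well-formed?", is_well_formed(parse_head(SMUGGLED)[1]))
```

The proxy forwards the whole payload as the body of one POST; the lenient backend ends that body at the chunked terminator and treats the remainder as a new request that the proxy never inspected. The fix is not to make the proxy lenient too but to have both ends reject the malformed header with a 400, which is what is_well_formed models.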

CVE-2020-1938

Severity / CVSS v3.0: Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2020-1938
Impact: Information disclosure, remote code execution
Description: A flaw in the AJP connector allows a remote attacker to read arbitrary files from the web application on the target server. If the application allows file uploads and JSP processing, the remote attacker can also execute arbitrary code on the target server. In affected versions the AJP connector is enabled by default on port 8009 and, unless bound to a loopback address or firewalled, accepts connections from the network; the fix disables the connector by default and requires a shared secret (secretRequired) when it is enabled.
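Both of the configuration-dependent issues above, the exposed AJP connector (CVE-2020-1938) and the CGI servlet with command-line arguments enabled (CVE-2019-0232), can be checked offline from a Tomcat installation's conf/server.xml and conf/web.xml. The audit below is an added example, not code from the advisory or from Apache Tomcat; the two server.xml and two web.xml documents embedded in it are constructed samples, one weak and one hardened for each file. It assumes the stock attribute and element names (Connector protocol/address/secret/secretRequired, servlet-class org.apache.catalina.servlets.CGIServlet, init-param enableCmdLineArguments) and, for the CGI check, that a missing enableCmdLineArguments parameter must be treated as enabled, since that was the default on the 7.0 and 8.5 branches before the fix.

```python
import xml.etree.ElementTree as ET

# Added example: offline audit of Tomcat's server.xml / web.xml for the
# settings behind CVE-2020-1938 (AJP) and CVE-2019-0232 (CGI servlet).
# Not Symantec or Tomcat code; the XML samples below are constructed.

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def _local(tag: str) -> str:
    """Strip an XML namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _text(elem) -> str:
    return (elem.text or "").strip()


def audit_server_xml(server_xml: str) -> list:
    """Flag AJP connectors that are network-reachable or unauthenticated."""
    findings = []
    for conn in ET.fromstring(server_xml).iter():
        if _local(conn.tag) != "Connector":
            continue
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        port = conn.get("port", "?")
        address = conn.get("address", "0.0.0.0")      # unset = all interfaces
        if address not in LOOPBACK:
            findings.append(f"AJP connector on port {port} listens on {address}, not loopback")
        # Pre-fix builds have no secret at all; fixed builds require one unless
        # secretRequired is explicitly turned off, which is just as bad.
        if conn.get("secretRequired", "true").lower() != "true" or not conn.get("secret"):
            findings.append(f"AJP connector on port {port} has no shared secret")
    return findings


def audit_web_xml(web_xml: str) -> list:
    """Flag a CGI servlet that passes query-string words as command-line args."""
    findings, risky = [], set()
    root = ET.fromstring(web_xml)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        children = {_local(c.tag): c for c in servlet}
        cls = children.get("servlet-class")
        if cls is None or _text(cls) != CGI_SERVLET_CLASS:
            continue
        name = _text(children["servlet-name"]) if "servlet-name" in children else "?"
        params = {}
        for ip in servlet:
            if _local(ip.tag) == "init-param":
                kv = {_local(c.tag): _text(c) for c in ip}
                params[kv.get("param-name")] = kv.get("param-value", "")
        value = params.get("enableCmdLineArguments")
        if value is None:
            findings.append(f"CGI servlet '{name}' does not set enableCmdLineArguments "
                            "(defaults to true on Tomcat 7.0/8.5 before the fix)")
            risky.add(name)
        elif value.lower() == "true":
            findings.append(f"CGI servlet '{name}' has enableCmdLineArguments=true")
            risky.add(name)
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        kv = {_local(c.tag): _text(c) for c in mapping}
        if kv.get("servlet-name") in risky:
            findings.append(f"CGI servlet '{kv['servlet-name']}' is exposed at {kv.get('url-pattern')}")
    return findings


# Constructed samples. Weak: stock pre-fix AJP connector, no address, no secret.
VULNERABLE_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>
"""
# Hardened: loopback-only and secret-protected (or simply leave it commented out).
HARDENED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443"/>
    <!-- <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/> -->
    <Connector port="8009" protocol="AJP/1.3" address="127.0.0.1"
               secretRequired="true" secret="replace-with-a-long-random-value" redirectPort="8443"/>
  </Service>
</Server>
"""


def _web_xml(enable_cmd_line_args: str) -> str:
    return f"""
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>{CGI_SERVLET_CLASS}</servlet-class>
    <init-param><param-name>cgiPathPrefix</param-name><param-value>WEB-INF/cgi</param-value></init-param>
    <init-param><param-name>enableCmdLineArguments</param-name><param-value>{enable_cmd_line_args}</param-value></init-param>
    <load-on-startup>5</load-on-startup>
  </servlet>
  <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
</web-app>
"""


VULNERABLE_WEB_XML = _web_xml("true")
HARDENED_WEB_XML = _web_xml("false")

if __name__ == "__main__":
    for label, doc, fn in (("server.xml", VULNERABLE_SERVER_XML, audit_server_xml),
                           ("web.xml", VULNERABLE_WEB_XML, audit_web_xml)):
        for finding in fn(doc):
            print(f"[{label}] {finding}")
```

Run the two audit functions over the real files under $CATALINA_BASE/conf; an empty list from both means neither configuration-dependent issue is reachable, regardless of the Tomcat version installed.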

Revisions

2021-04-26 PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable.
2021-02-18 A fix for CA 2.3 and MC 2.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is not vulnerable because a fix is available in 3.1.0.0.
2020-08-19 MC 3.0 is not vulnerable because a fix is available in 3.0.1.1. A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-06-01 A fix for Advanced Secure Gateway (ASG) 7.2 is available in 7.2.1.1.
2020-05-12 initial public release
