Symantec Security ResponseSMNTC-1765Apache Tomcat Vulnerabilities Oct 2018 – Feb 2020
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Summary
Symantec SWG products using affected versions of Apache Tomcat may be susceptible to multiple vulnerabilities. A remote attacker can execute arbitrary code on the target host, hijack an authenticated Tomcat user’s session, redirect a Tomcat user to an arbitrary URL, execute arbitrary JavaScript code in a Tomcat user’s web browser, bypass a web proxy in front of the Tomcat server, or cause denial of service. A local user can escalate their privileges on the system.
Affected Product(s)
The following products and product versions are vulnerable to the CVEs listed for each product.
Advanced Secure Gateway (ASG)
CVE |Supported Version(s)|Remediation
CVE-2018-11784, CVE-2020-1935 | 6.7 | Upgrade to 6.7.5.3.
7.1 | Remediation will not be provided.
7.2 | Upgrade to 7.2.1.1.
Content Analysis (CA)
CVE |Supported Version(s)|Remediation
CVE-2018-11784 | 2.3 | Upgrade to 2.3.5.1.
2.4 and later | Not vulnerable, fixed in 2.4.1.1
CVE-2020-1935 | 2.3 | Upgrade to a later version with fixes.
2.4, 3.0 | Remediation is not available at this time.
3.1 | Not vulnerable, fixed in 3.1.0.0
Management Center (MC)
CVE |Supported Version(s)|Remediation
CVE-2019-17563, CVE-2020-1935 | 2.3, 2.4 | Upgrade to a later version with fixes.
3.0 | Not vulnerable, fixed in 3.0.1.1
Symantec Messaging Gateway (SMG)
CVE |Supported Version(s)|Remediation
CVE-2020-1935 | 10.7 | Remediation is not available at this time.
Additional Product Information
CVE-2020-1935 is exploitable in ASG, CA, and MC only when the products are deployed behind a reverse proxy.
CVE-2020-1935 is exploitable in SMG only when the SMG Control Center is deployed behind a reverse proxy. SMG Scanners are not vulnerable to CVE-2020-1935 even when deployed behind a reverse proxy.
The following products are not vulnerable:
**AuthConnector
BCAAA
CacheFlow (CF)
General Auth Connector Login Application
HSM Agent for the Luna SP
****PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
ProxySG
Reporter
Security Analytics (SA)
SSL Visibility (SSLV)
Unified Agent
Web Isolation (WI)
WSS Agent
WSS Mobile Agent
**
Issue Details
CVE-2018-11784
Severity / CVSS v3.0: | Medium / 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N) References:| NVD: CVE-2018-11784 Impact:| Open redirection Description: | An open redirection flaw in the default servlet allows a remote attacker to cause a user to follow a crafted URL and redirect the user to an arbitrary URL of the attacker’s choice.
CVE-2019-0199
Severity / CVSS v3.0: | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References:| NVD: CVE-2019-0199 Impact:| Denial of service Description: | A flaw in the HTTP/2 implementation allows a remote attacker to generate crafted streams to the web server and cause denial of service through thread exhaustion.
CVE-2019-0221
Severity / CVSS v3.0: | Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N) References:| NVD: CVE-2019-0221 Impact:| Cross-site scripting (XSS) Description: | A reflected XSS flaw in the SSI printenv command allows a remote attacker to cause a user to follow a crafted URL and execute injected JavaScript code in the user’s browser.
CVE-2019-0232
Severity / CVSS v3.0: | High / 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) References:| NVD: CVE-2019-0232 Impact:| Remote code execution Description: | A flaw in the CGI servlet on Windows platforms allows a remote attacker to execute arbitrary code on the target host.
CVE-2019-10072
Severity / CVSS v3.0: | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References:| NVD: CVE-2019-10072 Impact:| Denial of service Description: | A flaw in the HTTP/2 implementation allows a remote attacker to generate crafted streams to the web server and cause denial of service through thread exhaustion. This is caused by an incomplete fix for CVE-2019-0199.
CVE-2019-12418
Severity / CVSS v3.0: | High / 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) References:| NVD: CVE-2019-12418 Impact:| Privilege escalation Description: | A flaw in the JMX Remote Lifecycle Listener allows a local attacker to manipulate the local RMI registry and escalate their privileges on the system by capturing credentials for the JMX interface and gaining control of the Tomcat server.
CVE-2019-17563
Severity / CVSS v3.0: | High / 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H) References:| NVD: CVE-2019-17563 Impact:| Session hijacking Description: | A flaw in FORM authentication allows a remote attacker to perform a session fixation attack and take over a user’s authentication session.
CVE-2019-17569
Severity / CVSS v3.0: | Medium / 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) References:| NVD: CVE-2019-17569 Impact:| Security control bypass Description: | A flaw in HTTP Transfer-Encoding header processing allows a remote attacker to perform an HTTP request smuggling attack and bypass a reverse proxy in front of the Tomcat server. The reverse proxy must handle the Transfer-Encoding header incorrectly in a particular way.
CVE-2020-1935
Severity / CVSS v3.0: | Medium / 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N) References:| NVD: CVE-2020-1935 Impact:| Security control bypass Description: | A flaw in HTTP header processing allows a remote attacker to perform an HTTP request smuggling attack and bypass a reverse proxy in front of the Tomcat server. The reverse proxy must handle the Transfer-Encoding header incorrectly in a particular way.
CVE-2020-1938
Severity / CVSS v3.0: | Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) References:| NVD: CVE-2020-1938 Impact:| Information disclosure, remote code execution Description: | A flaw in the AJP connector allows a remote attacker to read arbitrary files from the target server. If the server allows file uploads and JSP processing, the remote attacker can also execute arbitrary code on the target server.
**
Revisions**
2021-04-26 PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable.
2021-02-18 A fix for CA 2.3 and MC 2.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is not vulnerable because a fix is available in 3.1.0.0.
2020-08-19 MC 3.0 is not vulnerable because a fix is available in 3.0.1.1. A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-06-01 A fix for Advanced Secure Gateway (ASG) 7.2 is available in 7.2.1.1.
2020-05-12 initial public release
Related
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C