Symantec Security Response - SMNTC-17650

Apache Tomcat Vulnerabilities May 2020 - Mar 2021

2021-03-16 19:59:07
Symantec Security Response

EPSS: 0.922 (percentile 99.0%)

Summary

Symantec Network and Information Security (NIS) products using affected versions of Apache Tomcat may be susceptible to multiple vulnerabilities. A remote attacker may be able to execute arbitrary code on the target server, observe HTTP responses for other users’ requests, obtain JSP source code, or cause denial of service.

Affected Product(s)

The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.

Management Center (MC)

CVE | Supported Version(s) | Remediation
CVE-2020-13935 | 3.0 | Upgrade to a later release with fixes.
CVE-2020-13935 | 3.1, 3.2 | Remediation is not available at this time.

Additional Product Information

The following products are not vulnerable:
Advanced Secure Gateway (ASG)
AuthConnector
BCAAA
Content Analysis (CA)
General Auth Connector Login Application
PacketShaper S-Series
PolicyCenter S-Series
ProxySG
Reporter
Security Analytics
SSL Visibility (SSLV)
Symantec Messaging Gateway (SMG)
Unified Agent
Web Isolation
WSS Agent
WSS Mobile Agent

The following products are under investigation:
HSM Agent

Issue Details

CVE-2020-9484

Severity / CVSS v3.1: High / 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2020-9484
Impact: Remote code execution
Description: A deserialization flaw allows a remote attacker to send crafted requests and execute arbitrary code on the target system. The attacker must have control over a file stored on the target system.

CVE-2020-11996

Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2020-11996
Impact: Denial of service
Description: A flaw in HTTP/2 request handling allows a remote attacker to send crafted requests on concurrent HTTP/2 connections and cause denial of service through excessive CPU utilization.

CVE-2020-13934

Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2020-13934
Impact: Denial of service
Description: A flaw in the handling of HTTP/1.1 to HTTP/2 protocol upgrades on direct h2c connections allows a remote attacker to cause denial of service through excessive memory utilization.

CVE-2020-13935

Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2020-13935
Impact: Denial of service
Description: A flaw in WebSocket frame handling allows a remote attacker to cause denial of service through an infinite CPU loop.

CVE-2020-13943

Severity / CVSS v3.1: Medium / 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2020-13943
Impact: Information disclosure
Description: A flaw in HTTP/2 concurrent stream handling allows a remote attacker to cause users to see responses for other users' requests. This is a different vulnerability from CVE-2020-17527.

CVE-2020-17527

Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
References: NVD: CVE-2020-17527
Impact: Information disclosure
Description: A flaw in HTTP/2 concurrent stream handling allows a remote attacker to cause users to see responses for other users' requests. This is a different vulnerability from CVE-2020-13943.

CVE-2021-24122

Severity / CVSS v3.1: Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
References: NVD: CVE-2021-24122
Impact: Information disclosure
Description: A flaw in server-side source code handling allows a remote attacker to obtain JSP source code from a Windows-based server.

CVE-2021-25122

Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
References: NVD: CVE-2021-25122
Impact: Information disclosure
Description: A flaw in the handling of new HTTP/2 h2c requests allows a remote attacker to cause users to see responses for other users' requests.

CVE-2021-25329

Severity / CVSS v3.1: High / 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2021-25329
Impact: Remote code execution
Description: A deserialization flaw allows a remote attacker to send crafted requests and execute arbitrary code on the target system. The attacker must have control over a file stored on the target system. This is caused by an incomplete fix for CVE-2020-9484.

Mitigation

CVE-2020-13935 is exploitable in MC only when authenticated MC users send invalid WebSocket frames to the web management console.

References

Apache Tomcat 7 vulnerabilities - <http://tomcat.apache.org/security-7.html>
Apache Tomcat 8 vulnerabilities - <http://tomcat.apache.org/security-8.html>
Apache Tomcat 9 vulnerabilities - <http://tomcat.apache.org/security-9.html>
Apache Tomcat 10 vulnerabilities - <http://tomcat.apache.org/security-10.html>

Revisions

2021-08-12 MC 3.2 is vulnerable to CVE-2020-13935.
2021-06-01 A fix for MC 3.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-03-16 Initial public release.