Symantec Security ResponseSMNTC-17650Apache Tomcat Vulnerabilities May 2020 - Mar 2021
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
Summary
Symantec Network and Information Security (NIS) products using affected versions of Apache Tomcat may be susceptible to multiple vulnerabilities. A remote attacker may be able to execute arbitrary code on the target server, observe HTTP responses for other users’ requests, obtain JSP source code, or cause denial of service.
Affected Product(s)
The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.
Management Center (MC)
CVE |Supported Version(s)|Remediation
CVE-2020-13935 | 3.0 | Upgrade to later release with fixes.
3.1, 3.2 | Remediation is not available at this time.
**
Additional Product Information**
The following products are not vulnerable:
**Advanced Secure Gateway (ASG)
AuthConnector
BCAAA
Content Analysis (CA)
General Auth Connector Login Application
PacketShaper S-Series
PolicyCenter S-Series
ProxySG
Reporter
Security Analytics
SSL Visibility (SSLV)
**Symantec Messaging Gateway (SMG)
Unified Agent
Web Isolation
WSS Agent WSS Mobile Agent
The following products are under investigation:**
HSM Agent**
Issue Details
CVE-2020-9484
Severity / CVSS v3.1: | High / 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) References:| NVD: CVE-2020-9484 Impact:| Remote code execution Description: | A deserialization flaw allows a remote attacker to send crafted requests and execute arbitrary code on the target system. The attacker must have control over a file stored on the target system.
CVE-2020-11996
Severity / CVSS v3.1: | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References:| NVD: CVE-2020-11996 Impact:| Denial of service Description: | A flaw in HTTP/2 request handling allows a remote attacker to send crafted requests on concurrent HTTP/2 connections and cause denial of service through excessive CPU utilization.
CVE-2020-13934
Severity / CVSS v3.1: | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References:| NVD: CVE-2020-13934 Impact:| Denial of service Description: | A flaw in HTTP/1.1 to HTTP/2 protocol upgrade handling in direct h2c connections allows a remote attacker to cause denial of service through excessive memory utilization.
CVE-2020-13935
Severity / CVSS v3.1: | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) References:| NVD: CVE-2020-13935 Impact:| Denial of service Description: | A flaw in WebSocket frame handling allows a remote attacker to cause denial of service through infinite CPU loops.
CVE-2020-13943
Severity / CVSS v3.1: | Medium / 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) References:| NVD: CVE-2020-13943 Impact:| Information disclosure Description: | A flaw in HTTP/2 concurrent stream handling can cause a remote attacker to cause users to see responses for other users’ requests. This is a different vulnerability from CVE-2020-17527.
CVE-2020-17527
Severity / CVSS v3.1: | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) References:| NVD: CVE-2020-17527 Impact:| Information disclosure Description: | A flaw in HTTP/2 concurrent stream handling can cause a remote attacker to cause users to see responses for other users’ requests. This is a different vulnerability from CVE-2020-13943.
CVE-2021-24122
Severity / CVSS v3.1: | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) References:| NVD: CVE-2021-24122 Impact:| Information disclosure Description: | A flaw in server-side source code handling allows a remote attacker to obtain JSP source code from a Windows-based server.
CVE-2021-25122
Severity / CVSS v3.1: | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) References:| NVD: CVE-2021-25122 Impact:| Information disclosure Description: | A flaw in new HTTP/2 h2c request handling can cause a remote attacker to cause users to see responses for other users’ requests.
CVE-2021-25329
Severity / CVSS v3.1: | High / 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) References:| NVD: CVE-2021-25329 Impact:| Remote code execution Description: | A deserialization flaw allows a remote attacker to send crafted requests and execute arbitrary code on the target system. The attacker must have control over a file stored on the target system. This is caused by an incomplete fix to CVE-2020-9484.
Mitigation
CVE-2020-13935 is exploitable in MC only when authenticated MC users send invalid WebSocket frames to the web management console.
References
Apache Tomcat 7 vulnerabilities - <http://tomcat.apache.org/security-7.html>
Apache Tomcat 8 vulnerabilities - <http://tomcat.apache.org/security-8.html>
Apache Tomcat 9 vulnerabilities - <http://tomcat.apache.org/security-9.html>
Apache Tomcat 7 vulnerabilities - <http://tomcat.apache.org/security-10.html>
Revisions
2021-08-12 MC 3.2 is vulnerable to CVE-2020-13935.
2021-06-01 A fix for MC 3.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-03-16 initial public release
| CPE | Name | Operator | Version |
|---|---|---|---|
| management center (mc) | eq | 3 | |
| management center (mc) | eq | 3 | |
| management center (mc) | eq | 3 |
Related
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P