SA156: Apache Tomcat Vulnerabilities Apr-Oct 2017
SUMMARY
Symantec Network Protection products using affected versions of Apache Tomcat are susceptible to multiple security vulnerabilities. A remote attacker, with access to the management interface, can obtain sensitive information from the server, modify information associated with a different web application, execute arbitrary code, modify server behavior, perform HTTP cache poisoning, or cause denial of service.
AFFECTED PRODUCTS
| Advanced Secure Gateway (ASG) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-5647 CVE-2017-5664 |
7.2 | Upgrade to 7.2.1.1 |
| 7.1 | Upgrade to later release with fixes. | |
| 6.7 | Upgrade to 6.7.5.3 | |
| 6.6 | Upgrade to later release with fixes. | |
| Content Analysis (CA) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-5647 CVE-2017-5664 |
2.4 and later | Not vulnerable, fixed in 2.4.1.1 |
| 2.3 | Upgrade to 2.3.5.1. | |
| 1.3, 2.1, 2.2 | Upgrade to later version with fixes. | |
| Director | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-7674 CVE-2017-12615 CVE-2017-12616 CVE-2017-12617 |
6.1 | Upgrade to 6.1.23.3. |
| IntelligenceCenter (IC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs | 3.3 | Upgrade to a version of NetDialog NetX with fixes. |
| IntelligenceCenter Data Collector (DC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs | 3.3 | Upgrade to a version of NetDialog NetX with fixes. |
| Mail Threat Defense (MTD) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-5647 CVE-2017-5664 |
1.1 | Not available at this time |
| Management Center (MC) | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-5647, CVE-2017-5650 CVE-2017-5651, CVE-2017-5664 |
2.0 and later | Not vulnerable, fixed in 2.0.1.1. |
| 1.11 | Upgrade to later version with fixes. | |
| CVE-2017-5648, CVE-2017-7674, CVE-2017-7675 |
2.0 and later | Not vulnerable, fixed in 2.0.1.1. |
| 1.11 (not vulnerable to known vectors of attack) | Upgrade to later version with fixes. | |
| CVE-2017-12617 | 2.3 (not vulnerable to known vectors of attack) | Not vulnerable, fixed in 2.3.1.1. |
| 2.2 (not vulnerable to known vectors of attack) | Upgrade to 2.2.2.1. | |
| 1.11 - 2.1 (not vulnerable to known vectors of attack) | Upgrade to later version with fixes. | |
| X-Series XOS | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2017-5664 CVE-2017-12615 CVE-2017-12617 |
11.0 | Not available at this time |
| 10.0 | Not available at this time | |
| 9.7 | Upgrade to later version with fixes. | |
| CVE-2017-5647 CVE-2017-12616 |
11.0 | Not available at this time |
ADDITIONAL PRODUCT INFORMATION
Some Symantec Network Protection products do not enable or use all functionality within Apache Tomcat. The products listed below do not utilize the functionality described in the CVEs below and are thus not known to be vulnerable to them. However, fixes for these CVEs will be included in the patches that are provided.
- ASG: CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617
- CA: CVE-2017-5648 (2.2 only), CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617
- MTD: CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617
- MC: CVE-2017-5648, CVE-2017-7674, CVE-2017-7675, and CVE-2017-12617
The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
K9
Malware Analysis
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent
Web Isolation
ISSUES
| CVE-2017-5647 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) |
| References | NVD: CVE-2017-5647 |
| Impact | Information disclosure, unauthorized modification |
| Description | A flaw in pipelined request handling allows a remote attacker to send crafted pipelined HTTP requests and obtain sensitive information or cause the target to return incorrect responses to other pipelined requests. |
| CVE-2017-5648 | |
|---|---|
| Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N) |
| References | SecurityFocus: BID 97530 / NVD: CVE-2017-5648 |
| Impact | Information disclosure, unauthorized modification |
| Description | A flaw in servlet restrictions allows an untrusted web application under a SecurityManager to view and modify information associated with another web application. An attacker must be able to deploy a malicious web application to exploit this vulnerability. |
| CVE-2017-5650 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 97531 / NVD: CVE-2017-5650 |
| Impact | Denial of service |
| Description | A flaw in resource deallocation allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through resource exhaustion. |
| CVE-2017-5651 | |
|---|---|
| Severity / CVSSv2 | High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 97544 / NVD: CVE-2017-5651 |
| Impact | Information disclosure, unauthorized modification |
| Description | A flaw in request handling allows a remote attacker to send HTTP requests and obtain sensitive information or cause the target to return incorrect resonses to other HTTP requests. |
| CVE-2017-5664 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) |
| References | SecurityFocus: BID 98888 / NVD: CVE-2017-5664 |
| Impact | Unauthorized modification |
| Description | A flaw in HTTP error processing allows a remote attacker to send crafted HTTP requests and modify server behavior. |
| CVE-2017-7674 | |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) |
| References | SecurityFocus: BID 100280 / NVD: CVE-2017-7674 |
| Impact | HTTP cache poisoning |
| Description | A flaw in the CORS filter allows remote attackers to perform client and server side HTTP response cache poisoning. |
| CVE-2017-7675 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) |
| References | SecurityFocus: BID 100256 / NVD: CVE-2017-7675 |
| Impact | Directory traversal |
| Description | A flaw in the HTTP/2 implementation allows remote attackers to bypass security constraints and perform directory traversal. |
| CVE-2017-12615 | |
|---|---|
| Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 100901 / NVD: CVE-2017-12615 |
| Impact | Code execution |
| Description | A flaw allows remote attackers to send crafted requests to upload and execute arbitrary JSP code on the server. This is a different vulnerability from CVE-2017-12617. |
| CVE-2017-12616 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N) |
| References | SecurityFocus: BID 100897 / NVD: CVE-2017-12616 |
| Impact | Information disclosure |
| Description | A flaw allows remote attackers to send crafted requests to bypass security constraints and view JSP source code. |
| CVE-2017-12617 | |
|---|---|
| Severity / CVSSv2 | Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P) |
| References | SecurityFocus: BID 100954 / NVD: CVE-2017-12617 |
| Impact | Code execution |
| Description | A flaw allows remote attackers to send crafted requests to upload and execute arbitrary JSP code on the server. This is a different vulnerability from CVE-2017-12615. |
MITIGATION
These vulnerabilities can be exploited only through the management interfaces for all vulnerable products. Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploiting the vulnerabilities.
REFERENCES
Apache Tomcat 7 vulnerabilities - https://tomcat.apache.org/security-7.html
Apache Tomcat 8 vulnerabilities - https://tomcat.apache.org/security-8.html
Apache Tomcat 9 vulnerabilities - https://tomcat.apache.org/security-9.html
REVISION
2020-06-01 A fix for Advanced Secure Gateway (ASG) 7.2 is available in 7.2.1.1. Advisory Status changed to Closed.
2020-04-17 Content Analysis (CA) 2.4 is not vulnerable because a fix is available in 2.4.1.1.
2020-04-16 A fix for Advanced Secure Gateway (ASG) 6.7 is available in 6.7.5.3. ASG 7.1 and 7.2 are vulnerable to CVE-2017-5647 and CVE-2017-5664. A fix for ASG 7.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-10-03 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-22 A fix for IntelligenceCenter (IC) 3.3 and IntelligenceCenter Data Collector (DC) 3.3 will not be provided. NetDialog NetX is a replacement product for IntelligenceCenter. Please switch to a version of NetX with the vulnerability fixes.
2019-08-07 A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for CVE-2017-12617 in MC 2.2 is available in 2.2.2.1. MC 2.3 is not vulnerable because a fix is available in 2.3.1.1.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 and CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-14 MC 2.1 has vulnerable code for CVE-2017-12617, but is not vulnerable to known vectors of attack. A fix for MC 1.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.3 is available in 2.3.5.1. A fix for CA 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-07-26 MC 2.0 is not vulnerable to all CVEs except CVE-2017-12617 because a fix is available in 2.0.1.1.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-04-22 CA 2.3 is vulnerable to CVE-2017-5647 and CVE-2017-5664.
2017-12-06 A fix for Director 6.1 is available in 6.1.23.3.
2017-11-07 initial public release