SA100 : Apache Tomcat Vulnerabilities
SUMMARY
Blue Coat products using affected versions of Tomcat 8.x, 7.x, and 6.x are susceptible to multiple vulnerabilities. A remote attacker may exploit these vulnerabilities to gain unauthorized read access or escalated privileges, or to conduct denial of service, HTTP request smuggling, or session fixation attacks.
AFFECTED PRODUCTS
The following products are vulnerable:
| Content Analysis System | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2014-0227, CVE-2014-0119, CVE-2014-0099, CVE-2014-0096, CVE-2014-0075, CVE-2014-0050 |
1.3 and later | Not vulnerable, fixed in 1.3.1.1 |
| 1.2 | Upgrade to 1.2.4.5. | |
| 1.1 | Upgrade to later release with fixes. | |
| CVE-2014-0230 | 1.3 and later | Not vulnerable, fixed in 1.3.1.1 |
| 1.2 (not vulnerable to known vectors of attack) | Upgrade to 1.2.4.5. | |
| 1.1 | Upgrade to later release with fixes. | |
| CVE-2014-7810 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1 |
| 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.7.1. | |
| 1.1, 1.2 | Upgrade to later release with fixes. | |
| Director | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2014-7810, CVE-2014-0230, CVE-2014-0227 |
6.1 | Upgrade to 6.1.20.1. |
| IntelligenceCenter | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs except CVE-2014-0095, CVE-2014-0050 |
3.3 | Upgrade to 3.3.3.1. |
| 3.2 | Upgrade to later release with fixes. | |
| Management Center | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2014-0230, CVE-2014-0227 | 1.5 and later | Not vulnerable, fixed in 1.5.1.1. |
| 1.4 | Upgrade to 1.4.2.1. | |
| X-Series XOS | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| All CVEs except CVE-2014-0095, CVE-2014-0050 |
11.0 | Not available at this time |
The following products have a vulnerable version of Apache Tomcat, but are not vulnerable to known vectors of attack:
| Advanced Secure Gateway | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2014-0227, CVE-2014-7810 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1. |
| CVE-2014-0227 | 6.6 | Upgrade to 6.6.3.1. |
| CVE-2014-7810 | 6.6 | Upgrade to 6.6.5.1. |
| Mail Threat Defense | ||
|---|---|---|
| CVE | Affected Version(s) | Remediation |
| CVE-2014-7810 | 1.1 | Not available at this time |
ADDITIONAL PRODUCT INFORMATION
The Blue Coat HSM Agent for the SafeNet Luna SP is not vulnerable, but the agent does use the Apache Tomcat instance installed on the SafeNet Luna SP. Customers using the agent are advised to contact SafeNet for more information about these vulnerabilities.
These vulnerabilities can be exploited only through the management interfaces for CAS, Director, Management Center, and X-Series XOS. Limiting the machines and IP address that able to connect to the management interface reduces the threat significantly, and thereby reduces the CVSS v2 base scores for each of the CVEs. The adjusted CVSS v2 base scores and severity are:
- CVE-2014-7810 – 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:P/A:N)
- CVE-2014-0230 – 6.1 (MEDIUM)) (AV:A/AC:L/Au:N/C:N/I:N/A:C)
- CVE-2014-0227 – 4.8 (MEDIUM) (AV:A/AC:L/Au:N/C:N/I:P/A:P)
- CVE-2014-0119 – 2.9 (LOW) (AV:A/AC:M/Au:N/C:P/I:N/A:N)
- CVE-2014-0099 – 2.9 (LOW) (AV:A/AC:M/Au:N/C:N/I:P/A:N)
- CVE-2014-0096 – 2.9 (LOW) (AV:A/AC:M/Au:N/C:P/I:N/A:N)
- CVE-2014-0095 – 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P)
- CVE-2014-0075 – 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P)
- CVE-2014-0050 – 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P)
- CVE-2014-0033 – 2.9 (LOW) (AV:A/AC:M/Au:N/C:P/I:N/A:N)
Blue Coat products do not enable or use all functionality within Apache Tomcat. Products that do not utilize or enable the functionality described in a CVE are not vulnerable to that CVE. However, fixes for those CVEs will be included in the patches that are provided. The following products include vulnerable versions of Apache Tomcat, but do not use the functionality described in the CVEs and are not known to be vulnerable.
- ASG: CVE-2014-0227, CVE-2014-7810
- CAS: CVE-2014-7810 (1.1, 1.2, and 1.3), CVE-2014-0230 (1.1 and 1.2 only)
- MTD: CVE-2014-7810
- Management Center: CVE-2014-7810, CVE-2014-0119 (user supplied web applications are not supported)
The following products are not vulnerable:
Android Mobile Agent
Auth Connector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Malware Analyzer G2
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
OPIC
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics Platform
SSL Visibility
Unified Agent
Web Isolation
The following products are under investigation:
X-Series XOS 10.0.5, 9.7.8, and 9.6.11
Blue Coat no longer provides vulnerability information for the following products:
DLP
Please, contact Digital Guardian technical support regarding vulnerability information for DLP.
ISSUES
| CVE-2014-7810 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N) |
| References | SecurityFocus: BID 74665 / NVD: CVE-2014-7810 |
| Impact | Security control bypass |
| Description | A flaw allows an attacker to bypass the SecurityManager protection using a malicious web application. This vulnerability affects Blue Coat products that accept input from untrusted sources. |
| CVE-2014-0230 | |
|---|---|
| Severity / CVSSv2 | High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C) |
| References | SecurityFocus: BID 74475 / NVD: CVE-2014-0230 |
| Impact | Denial of service |
| Description | A flaw in the handling of HTTP responses allows an attacker to send a series of aborted uploads resulting in memory exhaustion that could lead to a crash or degraded operation |
| CVE-2014-0227 | |
|---|---|
| Severity / CVSSv2 | Medium / 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P) |
| References | SecurityFocus: BID 72717 / NVD: CVE-2014-0227 |
| Impact | Security control bypass, denial of service |
| Description | There exists a flaw in the handling of attempts to read data after an error has already occurred. An attacker can exploit this flaw to conduct HTTP request smuggling attacks or to cause a denial of service by streaming crafted data to the vulnerable host. |
| CVE-2014-0119 | |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) |
| References | SecurityFocus: BID 67669 / NVD: CVE-2014-0119 |
| Impact | Information disclosure |
| Description | A flaw allows an attacker to gain read access to unauthorized files using a crafted web application. |
| CVE-2014-0099 | |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N) |
| References | SecurityFocus: BID 67668 / NVD: CVE-2014-0099 |
| Impact | Security control bypass |
| Description | A flaw allows an attacker to conduct HTTP request smuggling attacks using a crafted header when the Tomcat installation is behind a reverse proxy such as ProxySG. |
| CVE-2014-0096 | |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) |
| References | SecurityFocus: BID 67667 / NVD: CVE-2014-0096 |
| Impact | Information disclosure |
| Description | A flaw allows an attacker to bypass the SecurityManager protection using a crafted web application to read arbitrary files. |
| CVE-2014-0095 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 67673 / NVD: CVE-2014-0095 |
| Impact | Denial of service |
| Description | An input validation flaw allows an attacker to cause a denial of service. |
| CVE-2014-0075 | |
|---|---|
| Severity / CVSSv2 | Medium / 7.5 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 67671 / NVD: CVE-2014-0075 |
| Impact | Denial of service |
| Description | A flaw allows an attacker to cause a denial of service due to resource consumption. |
| CVE-2014-0050 | |
|---|---|
| Severity / CVSSv2 | Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P) |
| References | SecurityFocus: BID 65400 / NVD: CVE-2014-0050 |
| Impact | Denial of service |
| Description | A flaw allows an attacker to cause a denial of service. |
| CVE-2014-0033 | |
|---|---|
| Severity / CVSSv2 | Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N) |
| References | SecurityFocus: BID 65769 / NVD: CVE-2014-0033 |
| Impact | Session hijacking |
| Description | A flaw in handling of session IDs in a URL allows an attacker to conduct session fixation attacks. |
MITIGATION
Limit access to management consoles to only the machines, IP addresses, or subnets that require access.
REFERENCES
Apache Tomcat 8.x vulnerabilities - https://tomcat.apache.org/security-8.html
Apache Tomcat 7.x vulnerabilities - https://tomcat.apache.org/security-7.html
Apache Tomcat 6.x vulnerabilities - https://tomcat.apache.org/security-6.html
REVISION
2020-04-18 Advisory status moved to Closed.
2019-10-02 Web Isolation is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-07-20 MC 1.10 is not vulnerable.
2017-05-29 A fix for ASG is available in 6.6.5.1.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-02-15 MC 1.8 is not vulnerable. Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-15 MC 1.6 and 1.7 are not vulnerable.
2016-09-15 ASG 6.6 has a vulnerable version of Apache Tomcat, but is not vulnerable to known vectors of attack.
2016-08-12 A fix for all CVEs in CAS 1.3 is available in 1.3.7.1.
2016-06-11 PolicyCenter S-Series is not vulnerable.
2016-05-24 MC 1.5 is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-06 A fix for MC 1.4 is available in 1.4.2.1.
2016-05-02 A fix for IC 3.3 is available in 3.3.3.1.
2016-04-25 MTD 1.1 and CAS 1.3 have vulnerable code for CVE-2014-7810, but are not vulnerable to known vectors of attack. Previously it was reported that a fix for CVE-2014-7810 in CAS is provided in 1.2.4.5. New information indicates that all CAS 1.2.x versions contain the vulnerable code for this CVE, but are not vulnerable to known vectors of attack. A patch will be provided in CAS 1.3.
2015-10-01 CAS is vulnerable and a fix is available; CAS is not vulnerable to CVE-2014-0230 and CAS fix addresses all vulnerabilities
2015-07-23 initial public release