SA100 : Apache Tomcat Vulnerabilities

IntelligenceCenter

1329

13 July 2021

23 July 2015

CLOSED

High

CVSS v2: 7.8

SUMMARY

Blue Coat products using affected versions of Tomcat 8.x, 7.x, and 6.x are susceptible to multiple vulnerabilities. A remote attacker may exploit these vulnerabilities to gain unauthorized read access or escalated privileges, or to conduct denial of service, HTTP request smuggling, or session fixation attacks.

AFFECTED PRODUCTS

The following products are vulnerable:

Content Analysis System
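| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2014-0227, CVE-2014-0119, CVE-2014-0099, CVE-2014-0096, CVE-2014-0075, CVE-2014-0050 | 1.3 and later | Not vulnerable, fixed in 1.3.1.1 |
| CVE-2014-0227, CVE-2014-0119, CVE-2014-0099, CVE-2014-0096, CVE-2014-0075, CVE-2014-0050 | 1.2 | Upgrade to 1.2.4.5. |
| CVE-2014-0227, CVE-2014-0119, CVE-2014-0099, CVE-2014-0096, CVE-2014-0075, CVE-2014-0050 | 1.1 | Upgrade to later release with fixes. |
| CVE-2014-0230 | 1.3 and later | Not vulnerable, fixed in 1.3.1.1 |
| CVE-2014-0230 | 1.2 (not vulnerable to known vectors of attack) | Upgrade to 1.2.4.5. |
| CVE-2014-0230 | 1.1 | Upgrade to later release with fixes. |
| CVE-2014-7810 | 2.1 and later | Not vulnerable, fixed in 2.1.1.1 |
| CVE-2014-7810 | 1.3 (not vulnerable to known vectors of attack) | Upgrade to 1.3.7.1. |
| CVE-2014-7810 | 1.1, 1.2 | Upgrade to later release with fixes. |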

 

Director
| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2014-7810, CVE-2014-0230, CVE-2014-0227 | 6.1 | Upgrade to 6.1.20.1. |

 

IntelligenceCenter
| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs except CVE-2014-0095, CVE-2014-0050 | 3.3 | Upgrade to 3.3.3.1. |
| All CVEs except CVE-2014-0095, CVE-2014-0050 | 3.2 | Upgrade to later release with fixes. |

 

Management Center
| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2014-0230, CVE-2014-0227 | 1.5 and later | Not vulnerable, fixed in 1.5.1.1. |
| CVE-2014-0230, CVE-2014-0227 | 1.4 | Upgrade to 1.4.2.1. |

 

X-Series XOS
| CVE | Affected Version(s) | Remediation |
|---|---|---|
| All CVEs except CVE-2014-0095, CVE-2014-0050 | 11.0 | Not available at this time |

 

The following products have a vulnerable version of Apache Tomcat, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2014-0227, CVE-2014-7810 | 6.7 and later | Not vulnerable, fixed in 6.7.2.1. |
| CVE-2014-0227 | 6.6 | Upgrade to 6.6.3.1. |
| CVE-2014-7810 | 6.6 | Upgrade to 6.6.5.1. |

 

Mail Threat Defense
| CVE | Affected Version(s) | Remediation |
|---|---|---|
| CVE-2014-7810 | 1.1 | Not available at this time |

 

ADDITIONAL PRODUCT INFORMATION

The Blue Coat HSM Agent for the SafeNet Luna SP is not vulnerable, but the agent does use the Apache Tomcat instance installed on the SafeNet Luna SP. Customers using the agent are advised to contact SafeNet for more information about these vulnerabilities.

These vulnerabilities can be exploited only through the management interfaces for CAS, Director, Management Center, and X-Series XOS. Limiting the machines and IP addresses that are able to connect to the management interface reduces the threat significantly, and thereby reduces the CVSS v2 base scores for each of the CVEs. The adjusted CVSS v2 base scores and severity are:

  • CVE-2014-7810 – 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:P/A:N)
  • CVE-2014-0230 – 6.1 (MEDIUM) (AV:A/AC:L/Au:N/C:N/I:N/A:C)
  • CVE-2014-0227 – 4.8 (MEDIUM) (AV:A/AC:L/Au:N/C:N/I:P/A:P)
  • CVE-2014-0119 – 2.9 (LOW) (AV:A/AC:M/Au:N/C:P/I:N/A:N)
  • CVE-2014-0099 – 2.9 (LOW) (AV:A/AC:M/Au:N/C:N/I:P/A:N)
  • CVE-2014-0096 – 2.9 (LOW) (AV:A/AC:M/Au:N/C:P/I:N/A:N)
  • CVE-2014-0095 – 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  • CVE-2014-0075 – 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  • CVE-2014-0050 – 3.3 (LOW) (AV:A/AC:L/Au:N/C:N/I:N/A:P)
  • CVE-2014-0033 – 2.9 (LOW) (AV:A/AC:M/Au:N/C:P/I:N/A:N)
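
The adjusted scores above follow from the CVSS v2 base equations when the Access Vector changes from Network (AV:N) to Adjacent Network (AV:A). The Python below is an added example, not vendor code: the function names and the `PAGE_VECTORS` sample are chosen here, with the vectors copied from this advisory's ISSUES section.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2 specification.
CIA = {"N": 0.0, "P": 0.275, "C": 0.660}
WEIGHTS = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": CIA, "I": CIA, "A": CIA,
}
ORDER = ("AV", "AC", "Au", "C", "I", "A")

def parse_vector(vector):
    """Split 'AV:N/AC:L/...' into a dict; reject missing or unknown metrics."""
    parts = dict(item.split(":", 1) for item in vector.strip("() ").split("/"))
    bad = [k for k, v in parts.items() if k not in WEIGHTS or v not in WEIGHTS[k]]
    if bad or set(parts) != set(ORDER):
        raise ValueError(f"invalid CVSS v2 base vector: {vector!r}")
    return parts

def base_score(vector):
    """CVSS v2 base score, rounded to one decimal as the specification requires."""
    m = {k: WEIGHTS[k][v] for k, v in parse_vector(vector).items()}
    impact = 10.41 * (1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"]))
    if impact == 0:  # f(Impact) = 0 when there is no impact at all
        return 0.0
    exploitability = 20 * m["AV"] * m["AC"] * m["Au"]
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * 1.176
    return float(Decimal(raw).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))

def severity(score):  # NVD's qualitative bands for CVSS v2
    return "LOW" if score < 4.0 else "MEDIUM" if score < 7.0 else "HIGH"

def restrict_to_adjacent(vector):  # interface reachable from adjacent networks only
    parts = parse_vector(vector)
    parts["AV"] = "A"
    return "/".join(f"{k}:{parts[k]}" for k in ORDER)

# Network-reachable vectors as listed in this advisory's ISSUES section.
PAGE_VECTORS = {
    "CVE-2014-7810": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
    "CVE-2014-0230": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
    "CVE-2014-0227": "AV:N/AC:L/Au:N/C:N/I:P/A:P",
}

def adjusted_scores(vectors=PAGE_VECTORS):
    """Score and severity per CVE once the interface is adjacent-only."""
    adj = {c: base_score(restrict_to_adjacent(v)) for c, v in vectors.items()}
    return {c: (s, severity(s)) for c, s in adj.items()}
```

Calling `adjusted_scores()` returns the adjusted score and severity for each of the three sample CVEs, matching the list above.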

Blue Coat products do not enable or use all functionality within Apache Tomcat. Products that do not utilize or enable the functionality described in a CVE are not vulnerable to that CVE. However, fixes for those CVEs will be included in the patches that are provided. The following products include vulnerable versions of Apache Tomcat, but do not use the functionality described in the CVEs and are not known to be vulnerable.

  • ASG: CVE-2014-0227, CVE-2014-7810
  • CAS: CVE-2014-7810 (1.1, 1.2, and 1.3), CVE-2014-0230 (1.1 and 1.2 only)
  • MTD: CVE-2014-7810
  • Management Center:  CVE-2014-7810, CVE-2014-0119 (user supplied web applications are not supported)

The following products are not vulnerable:
Android Mobile Agent
Auth Connector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
IntelligenceCenter Data Collector
K9
Malware Analysis Appliance
Malware Analyzer G2
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
OPIC
PacketShaper
PacketShaper S-Series
PolicyCenter

PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics Platform
SSL Visibility
Unified Agent
Web Isolation

The following products are under investigation:
X-Series XOS 10.0.5, 9.7.8, and 9.6.11

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

ISSUES

CVE-2014-7810
Severity / CVSSv2 Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)
References SecurityFocus: BID 74665 / NVD: CVE-2014-7810
Impact Security control bypass
Description A flaw allows an attacker to bypass the SecurityManager protection using a malicious web application. This vulnerability affects Blue Coat products that accept input from untrusted sources.

 

CVE-2014-0230
Severity / CVSSv2 High / 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
References SecurityFocus: BID 74475 / NVD: CVE-2014-0230
Impact Denial of service
Description A flaw in the handling of HTTP responses allows an attacker to send a series of aborted uploads resulting in memory exhaustion that could lead to a crash or degraded operation.

 

CVE-2014-0227
Severity / CVSSv2 Medium / 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
References SecurityFocus: BID 72717 / NVD: CVE-2014-0227
Impact Security control bypass, denial of service
Description There exists a flaw in the handling of attempts to read data after an error has already occurred. An attacker can exploit this flaw to conduct HTTP request smuggling attacks or to cause a denial of service by streaming crafted data to the vulnerable host.

 

CVE-2014-0119
Severity / CVSSv2 Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References SecurityFocus: BID 67669 / NVD: CVE-2014-0119
Impact Information disclosure
Description A flaw allows an attacker to gain read access to unauthorized files using a crafted web application.

 

CVE-2014-0099
Severity / CVSSv2 Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
References SecurityFocus: BID 67668 / NVD: CVE-2014-0099
Impact Security control bypass
Description A flaw allows an attacker to conduct HTTP request smuggling attacks using a crafted header when the Tomcat installation is behind a reverse proxy such as ProxySG.

 

CVE-2014-0096
Severity / CVSSv2 Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References SecurityFocus: BID 67667 / NVD: CVE-2014-0096
Impact Information disclosure
Description A flaw allows an attacker to bypass the SecurityManager protection using a crafted web application to read arbitrary files.

 

CVE-2014-0095
Severity / CVSSv2 Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References SecurityFocus: BID 67673 / NVD: CVE-2014-0095
Impact Denial of service
Description An input validation flaw allows an attacker to cause a denial of service.

 

CVE-2014-0075
Severity / CVSSv2 Medium / 7.5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References SecurityFocus: BID 67671 / NVD: CVE-2014-0075
Impact Denial of service
Description A flaw allows an attacker to cause a denial of service due to resource consumption.

 

CVE-2014-0050
Severity / CVSSv2 Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
References SecurityFocus: BID 65400 / NVD: CVE-2014-0050
Impact Denial of service
Description A flaw allows an attacker to cause a denial of service.

 

CVE-2014-0033
Severity / CVSSv2 Medium / 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
References SecurityFocus: BID 65769 / NVD: CVE-2014-0033
Impact Session hijacking
Description A flaw in handling of session IDs in a URL allows an attacker to conduct session fixation attacks.

 

MITIGATION

Limit access to management consoles to only the machines, IP addresses, or subnets that require access.

REFERENCES

Apache Tomcat 8.x vulnerabilities - https://tomcat.apache.org/security-8.html
Apache Tomcat 7.x vulnerabilities - https://tomcat.apache.org/security-7.html
Apache Tomcat 6.x vulnerabilities - https://tomcat.apache.org/security-6.html

REVISION

2020-04-18 Advisory status moved to Closed.
2019-10-02 Web Isolation is not vulnerable.
2017-11-06 ASG 6.7 is not vulnerable because a fix is available in 6.7.2.1.
2017-07-20 MC 1.10 is not vulnerable.
2017-05-29 A fix for ASG is available in 6.6.5.1.
2017-05-17 CAS 2.1 is not vulnerable.
2017-03-30 MC 1.9 is not vulnerable.
2017-02-15 MC 1.8 is not vulnerable.  Vulnerability inquiries for DLP should be addressed to Digital Guardian technical support.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.
2016-11-15 MC 1.6 and 1.7 are not vulnerable.
2016-09-15 ASG 6.6 has a vulnerable version of Apache Tomcat, but is not vulnerable to known vectors of attack.
2016-08-12 A fix for all CVEs in CAS 1.3 is available in 1.3.7.1.
2016-06-11 PolicyCenter S-Series is not vulnerable.
2016-05-24 MC 1.5 is not vulnerable.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-05-06 A fix for MC 1.4 is available in 1.4.2.1.
2016-05-02 A fix for IC 3.3 is available in 3.3.3.1.
2016-04-25 MTD 1.1 and CAS 1.3 have vulnerable code for CVE-2014-7810, but are not vulnerable to known vectors of attack.  Previously it was reported that a fix for CVE-2014-7810 in CAS is provided in 1.2.4.5.  New information indicates that all CAS 1.2.x versions contain the vulnerable code for this CVE, but are not vulnerable to known vectors of attack.  A patch will be provided in CAS 1.3.
2015-10-01 CAS is vulnerable and a fix is available; CAS is not vulnerable to CVE-2014-0230 and CAS fix addresses all vulnerabilities
2015-07-23 initial public release