Apache Tomcat Vulnerabilities Jan-Aug 2018
SUMMARY
Symantec Network Protection products using affected versions of Apache Tomcat are susceptible to multiple security vulnerabilities. A remote attacker, with access to the management interface, can gain unauthorized access to a web application resource or cause denial of service in the Tomcat server. A remote SSL/TLS client can authenticate with a revoked client certificate. A malicious TLS WebSocket server can impersonate a trusted server. A Tomcat user can obtain sensitive information associated with other Tomcat users.
AFFECTED PRODUCTS
Advanced Secure Gateway (ASG)

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2018-1336 | 6.7 starting with 6.7.3.1 | Upgrade to 6.7.5.3.
CVE-2018-1336 | 7.1 | Upgrade to a later version with fixes.
CVE-2018-1336 | 7.2 | Upgrade to 7.2.1.1.

Content Analysis (CA)

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2018-1336, CVE-2018-8019, CVE-2018-8020, CVE-2018-8034 | 2.2 | Upgrade to a later version with fixes.
CVE-2018-1336, CVE-2018-8019, CVE-2018-8020, CVE-2018-8034 | 2.3 | Upgrade to 2.3.5.1.
CVE-2018-1336, CVE-2018-8019, CVE-2018-8020, CVE-2018-8034 | 2.4 and later | Not vulnerable, fixed

Director

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2017-15706, CVE-2018-1304, CVE-2018-1305, CVE-2018-1336, CVE-2018-8014, CVE-2018-8034 | 6.1 | Not available at this time

Management Center (MC)

CVE | Affected Version(s) | Remediation
---|---|---
CVE-2018-1336 | 1.11, 2.1 | Upgrade to a later version with fixes.
CVE-2018-1336 | 2.2 | Upgrade to 2.2.2.1.
CVE-2018-1336 | 2.3 and later | Not vulnerable, fixed in 2.3.1.1
ADDITIONAL PRODUCT INFORMATION
The following products are not vulnerable:
AuthConnector
BCAAA
CacheFlow
Client Connector
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
HSM Agent for the Luna SP
Mail Threat Defense
Malware Analysis
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent
Web Isolation
WSS Mobile Agent
X-Series XOS 11.0
Information about the following products is not available. NetDialog NetX is a replacement product for IntelligenceCenter.
IntelligenceCenter
IntelligenceCenter Data Collector
The following products are under investigation:
X-Series XOS 10.0
ISSUES
CVE-2017-15698 | |
---|---|
Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N) |
References | SecurityFocus: BID 105851 / NVD: CVE-2017-15698 |
Impact | Security control bypass |
Description | A certificate validation flaw in the Native Connector allows a remote SSL/TLS client to authenticate with a revoked certificate. |
CVE-2017-15706 | |
---|---|
Severity / CVSSv3 | Medium / 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) |
References | SecurityFocus: BID 103069 / NVD: CVE-2017-15706 |
Impact | Unspecified |
Description | A flaw in the CGI servlet documentation might cause the incorrect CGI script to be executed when an HTTP client invokes a CGI servlet, resulting in unspecified impact. |
CVE-2018-1304 | |
---|---|
Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) |
References | SecurityFocus: BID 103170 / NVD: CVE-2018-1304 |
Impact | Security control bypass |
Description | A flaw in the handling of URL patterns in security constraints allows a remote attacker to gain unauthorized access to a web application resource. |
CVE-2018-1305 | |
---|---|
Severity / CVSSv3 | Medium / 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) |
References | SecurityFocus: BID 103144 / NVD: CVE-2018-1305 |
Impact | Security control bypass |
Description | A flaw in security constraint enforcement allows a remote attacker to gain unauthorized access to a web application resource. |
CVE-2018-1336 | |
---|---|
Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) |
References | SecurityFocus: BID 104898 / NVD: CVE-2018-1336 |
Impact | Denial of service |
Description | A flaw in the UTF-8 decoder allows a remote attacker to trigger an infinite loop in the decoder, resulting in denial of service. |
CVE-2018-8014 | |
---|---|
Severity / CVSSv3 | Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) |
References | SecurityFocus: BID 104203 / NVD: CVE-2018-8014 |
Impact | Security control bypass |
Description | A flaw in the CORS filter default configuration allows a remote attacker to trick an authenticated web application user into opening a malicious website, which can then make cross-origin requests to the Tomcat server. |
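
As an added illustration for the CORS filter default issue above (example web.xml fragments written for this page, not taken from the advisory or from Tomcat itself): in the affected Tomcat releases the CorsFilter defaults were cors.allowed.origins=* together with cors.support.credentials=true (a fact from the Tomcat CorsFilter documentation, not stated in this advisory), so a filter declared without init-params accepted credentialed requests from any origin. The origin https://app.example.com is a placeholder.

```xml
<!-- Weak (pre-fix): no init-params, so the filter runs on its defaults.
     In the affected Tomcat releases those defaults were
     cors.allowed.origins=* and cors.support.credentials=true, so any
     site a logged-in user visits can make credentialed cross-origin
     requests to this application. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- Hardened: pin the origins that may send credentialed requests and set
     cors.support.credentials explicitly rather than relying on a default.
     Use false unless cookies or Authorization headers are genuinely needed
     cross-origin. https://app.example.com is a placeholder for the real
     front-end origin. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>https://app.example.com</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
  <init-param>
    <param-name>cors.allowed.methods</param-name>
    <param-value>GET,POST</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

The fixed Tomcat releases changed the default of cors.support.credentials to false; setting both parameters explicitly keeps the intended policy in place across upgrades and makes it visible in a configuration review.
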
CVE-2018-8019 | |
---|---|
Severity / CVSSv3 | High / 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) |
References | SecurityFocus: BID 104936 / NVD: CVE-2018-8019 |
Impact | Security control bypass |
Description | An OCSP response handling flaw in the Native Connector allows a remote SSL/TLS client to authenticate with a revoked certificate. |
CVE-2018-8020 | |
---|---|
Severity / CVSSv3 | High / 7.4 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N) |
References | SecurityFocus: BID 104934 / NVD: CVE-2018-8020 |
Impact | Security control bypass |
Description | An OCSP response handling flaw in the Native Connector allows a remote SSL/TLS client to authenticate with a revoked certificate. |
CVE-2018-8034 | |
---|---|
Severity / CVSSv3 | High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) |
References | SecurityFocus: BID 104895 / NVD: CVE-2018-8034 |
Impact | Impersonation of a trusted entity |
Description | A hostname verification flaw in the WebSocket TLS client allows a remote malicious TLS server to impersonate a trusted TLS server. |
CVE-2018-8037 | |
---|---|
Severity / CVSSv3 | Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N) |
References | SecurityFocus: BID 104894 / NVD: CVE-2018-8037 |
Impact | Information disclosure |
Description | A flaw in asynchronous request handling allows a Tomcat user to see responses for HTTP requests associated with other Tomcat users. |
REFERENCES
Apache Tomcat 7 vulnerabilities - https://tomcat.apache.org/security-7.html
Apache Tomcat 8 vulnerabilities - https://tomcat.apache.org/security-8.html
Apache Tomcat 9 vulnerabilities - https://tomcat.apache.org/security-9.html
REVISION
2020-06-01 A fix for Advanced Secure Gateway (ASG) 7.2 is available in 7.2.1.1. Advisory Status changed to Closed.
2020-04-16 A fix for Advanced Secure Gateway (ASG) 6.7 is available in 6.7.5.3. ASG 7.1 and 7.2 are vulnerable to CVE-2018-1336. A fix will not be provided for ASG 7.1. Please upgrade to a later version with the vulnerability fixes.
2020-04-05 CA 2.4 is not vulnerable because a fix is available in 2.4.1.1. Information about IntelligenceCenter is not available. NetDialog NetX is a replacement product for IntelligenceCenter.
2019-10-03 Web Isolation is not vulnerable.
2019-09-05 A fix for MC 2.1 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-08-07 A fix for MC 2.0 will not be provided. Please upgrade to a later version with the vulnerability fixes. A fix for CVE-2018-1336 in MC 2.2 is available in 2.2.2.1. MC 2.3 is not vulnerable because a fix is available in 2.3.1.1.
2019-02-04 A fix for CA 2.2 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2019-01-14 A fix for CA 2.3 is available in 2.3.5.1. Added remaining Security Focus BID numbers and NVD CVSS base scores. MC 2.1 is vulnerable to CVE-2018-1336. A fix for MC 1.11 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2018-10-11 Initial public release.