Apache Tomcat Vulnerabilities May 2020 - Mar 2021
Summary
Symantec Network and Information Security (NIS) products using affected versions of Apache Tomcat may be susceptible to multiple vulnerabilities. A remote attacker may be able to execute arbitrary code on the target server, observe HTTP responses for other users' requests, obtain JSP source code, or cause denial of service.
Affected Product(s)
The following products and product versions are vulnerable to the CVEs listed. If a CVE is not listed, the product or version is not known to be vulnerable to it.
Management Center (MC)
CVE | Supported Version(s) | Remediation
CVE-2020-13935 | 3.0, 3.1 | Upgrade to later release with fixes.
CVE-2020-13935 | 3.2 | Remediation is not available at this time.
CVE-2020-13935 | 3.3 | Not vulnerable, fixed in 3.3.1.1.
Additional Product Information
The following products are not vulnerable:
Advanced Secure Gateway (ASG)
AuthConnector
BCAAA
Content Analysis (CA)
General Auth Connector Login Application
Integrated Secure Gateway (ISG)
PacketShaper S-Series
PolicyCenter S-Series
ProxySG
Reporter
Security Analytics
SSL Visibility (SSLV)
Symantec Messaging Gateway (SMG)
Unified Agent
Web Isolation
WSS Agent
WSS Mobile Agent
The following products are under investigation:
HSM Agent
Issue Details
CVE-2020-9484
Severity / CVSS v3.1: High / 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2020-9484
Impact: Remote code execution
Description: A deserialization flaw allows a remote attacker to send crafted requests and execute arbitrary code on the target system. The attacker must have control over a file stored on the target system.
CVE-2020-11996
Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2020-11996
Impact: Denial of service
Description: A flaw in HTTP/2 request handling allows a remote attacker to send crafted requests on concurrent HTTP/2 connections and cause denial of service through excessive CPU utilization.
CVE-2020-13934
Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2020-13934
Impact: Denial of service
Description: A flaw in HTTP/1.1 to HTTP/2 protocol upgrade handling in direct h2c connections allows a remote attacker to cause denial of service through excessive memory utilization.
CVE-2020-13935
Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2020-13935
Impact: Denial of service
Description: A flaw in WebSocket frame handling allows a remote attacker to cause denial of service through infinite CPU loops.
CVE-2020-13943
Severity / CVSS v3.1: Medium / 4.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
References: NVD: CVE-2020-13943
Impact: Information disclosure
Description: A flaw in HTTP/2 concurrent stream handling allows a remote attacker to cause users to see responses for other users' requests. This is a different vulnerability from CVE-2020-17527.
CVE-2020-17527
Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
References: NVD: CVE-2020-17527
Impact: Information disclosure
Description: A flaw in HTTP/2 concurrent stream handling allows a remote attacker to cause users to see responses for other users' requests. This is a different vulnerability from CVE-2020-13943.
CVE-2021-24122
Severity / CVSS v3.1: Medium / 5.9 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
References: NVD: CVE-2021-24122
Impact: Information disclosure
Description: A flaw in server-side source code handling allows a remote attacker to obtain JSP source code from a Windows-based server.
CVE-2021-25122
Severity / CVSS v3.1: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
References: NVD: CVE-2021-25122
Impact: Information disclosure
Description: A flaw in new HTTP/2 h2c request handling allows a remote attacker to cause users to see responses for other users' requests.
CVE-2021-25329
Severity / CVSS v3.1: High / 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2021-25329
Impact: Remote code execution
Description: A deserialization flaw allows a remote attacker to send crafted requests and execute arbitrary code on the target system. The attacker must have control over a file stored on the target system. This is caused by an incomplete fix for CVE-2020-9484.
Mitigation
CVE-2020-13935 is exploitable in MC only when authenticated MC users send invalid WebSocket frames to the web management console.
References
Apache Tomcat 7 vulnerabilities - http://tomcat.apache.org/security-7.html
Apache Tomcat 8 vulnerabilities - http://tomcat.apache.org/security-8.html
Apache Tomcat 9 vulnerabilities - http://tomcat.apache.org/security-9.html
Apache Tomcat 10 vulnerabilities - http://tomcat.apache.org/security-10.html
Revisions
2022-06-09 A fix for MC 3.1 will not be provided. Please upgrade to a later version with the vulnerability fixes. Integrated Secure Gateway (ISG) is not vulnerable.
2022-02-16 MC 3.3 is not vulnerable because a fix is available in 3.3.1.1.
2021-08-12 MC 3.2 is vulnerable to CVE-2020-13935.
2021-06-01 A fix for MC 3.0 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2021-03-16 Initial public release.