Apache Tomcat Vulnerabilities Oct 2018 – Feb 2020

ASG-S200

9 more products

1765

Last updated: 09 June 2022

Initial public release: 12 May 2020

Status: OPEN

Severity: CRITICAL

CVSS base score: 9.8

Summary

Symantec SWG products using affected versions of Apache Tomcat may be susceptible to multiple vulnerabilities. A remote attacker can execute arbitrary code on the target host, hijack an authenticated Tomcat user's session, redirect a Tomcat user to an arbitrary URL, execute arbitrary JavaScript code in a Tomcat user's web browser, bypass a web proxy in front of the Tomcat server, or cause denial of service. A local user can escalate their privileges on the system.

Affected Product(s)

The following products and product versions are vulnerable to the CVEs listed for each product.

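Advanced Secure Gateway (ASG)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2018-11784, CVE-2020-1935 | 6.7 | Upgrade to 6.7.5.3. |
| CVE-2018-11784, CVE-2020-1935 | 7.1 | Remediation will not be provided. |
| CVE-2018-11784, CVE-2020-1935 | 7.2 | Upgrade to 7.2.1.1. |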

Content Analysis (CA)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2018-11784 | 2.3 | Upgrade to 2.3.5.1. |
| CVE-2018-11784 | 2.4 and later | Not vulnerable, fixed in 2.4.1.1 |
| CVE-2020-1935 | 2.3 | Upgrade to a later version with fixes. |
| CVE-2020-1935 | 2.4, 3.0 | Remediation is not available at this time. |
| CVE-2020-1935 | 3.1 | Not vulnerable, fixed in 3.1.0.0 |

Management Center (MC)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2019-17563, CVE-2020-1935 | 2.3, 2.4 | Upgrade to a later version with fixes. |
| CVE-2019-17563, CVE-2020-1935 | 3.0 | Not vulnerable, fixed in 3.0.1.1 |

Symantec Messaging Gateway (SMG)

| CVE | Supported Version(s) | Remediation |
|---|---|---|
| CVE-2020-1935 | 10.7 | Remediation is not available at this time. |

Additional Product Information

CVE-2020-1935 is exploitable in ASG, CA, and MC only when the products are deployed behind a reverse proxy.

CVE-2020-1935 is exploitable in SMG only when the SMG Control Center is deployed behind a reverse proxy. SMG Scanners are not vulnerable to CVE-2020-1935 even when deployed behind a reverse proxy.

The following products are not vulnerable:
AuthConnector
BCAAA
CacheFlow (CF)
General Auth Connector Login Application
HSM Agent for the Luna SP
Integrated Secure Gateway (ISG)
PacketShaper (PS) S-Series
PolicyCenter (PC) S-Series
ProxySG
Reporter
Security Analytics (SA)
SSL Visibility (SSLV)
Unified Agent
Web Isolation (WI)
WSS Agent
WSS Mobile Agent

Issue Details

CVE-2018-11784
Severity / CVSS v3.0: Medium / 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
References: NVD: CVE-2018-11784
Impact: Open redirection
Description: An open redirection flaw in the default servlet allows a remote attacker to cause a user to follow a crafted URL and redirect the user to an arbitrary URL of the attacker's choice.

 

CVE-2019-0199
Severity / CVSS v3.0: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2019-0199
Impact: Denial of service
Description: A flaw in the HTTP/2 implementation allows a remote attacker to generate crafted streams to the web server and cause denial of service through thread exhaustion.

 

CVE-2019-0221
Severity / CVSS v3.0: Medium / 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
References: NVD: CVE-2019-0221
Impact: Cross-site scripting (XSS)
Description: A reflected XSS flaw in the SSI printenv command allows a remote attacker to cause a user to follow a crafted URL and execute injected JavaScript code in the user's browser.

 

CVE-2019-0232
Severity / CVSS v3.0: High / 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2019-0232
Impact: Remote code execution
Description: A flaw in the CGI servlet on Windows platforms allows a remote attacker to execute arbitrary code on the target host.

 

CVE-2019-10072
Severity / CVSS v3.0: High / 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
References: NVD: CVE-2019-10072
Impact: Denial of service
Description: A flaw in the HTTP/2 implementation allows a remote attacker to generate crafted streams to the web server and cause denial of service through thread exhaustion. This is caused by an incomplete fix for CVE-2019-0199.

 

CVE-2019-12418
Severity / CVSS v3.0: High / 7.0 (AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2019-12418
Impact: Privilege escalation
Description: A flaw in the JMX Remote Lifecycle Listener allows a local attacker to manipulate the local RMI registry and escalate their privileges on the system by capturing credentials for the JMX interface and gaining control of the Tomcat server.

 

CVE-2019-17563
Severity / CVSS v3.0: High / 7.5 (AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H)
References: NVD: CVE-2019-17563
Impact: Session hijacking
Description: A flaw in FORM authentication allows a remote attacker to perform a session fixation attack and take over a user's authentication session.

 

CVE-2019-17569
Severity / CVSS v3.0: Medium / 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
References: NVD: CVE-2019-17569
Impact: Security control bypass
Description: A flaw in HTTP Transfer-Encoding header processing allows a remote attacker to perform an HTTP request smuggling attack and bypass a reverse proxy in front of the Tomcat server. The reverse proxy must handle the Transfer-Encoding header incorrectly in a particular way.

 

CVE-2020-1935
Severity / CVSS v3.0: Medium / 4.8 (AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N)
References: NVD: CVE-2020-1935
Impact: Security control bypass
Description: A flaw in HTTP header processing allows a remote attacker to perform an HTTP request smuggling attack and bypass a reverse proxy in front of the Tomcat server. The reverse proxy must handle the Transfer-Encoding header incorrectly in a particular way.

 

CVE-2020-1938
Severity / CVSS v3.0: Critical / 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
References: NVD: CVE-2020-1938
Impact: Information disclosure, remote code execution
Description: A flaw in the AJP connector allows a remote attacker to read arbitrary files from the target server. If the server allows file uploads and JSP processing, the remote attacker can also execute arbitrary code on the target server.


Revisions

2022-06-09 Integrated Secure Gateway (ISG) is not vulnerable.
2021-04-26 PacketShaper (PS) S-Series and PolicyCenter (PC) S-Series are not vulnerable.
2021-02-18 A fix for CA 2.3 and MC 2.4 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-11-12 Content Analysis 3.1 is not vulnerable because a fix is available in 3.1.0.0.
2020-08-19 MC 3.0 is not vulnerable because a fix is available in 3.0.1.1. A fix for MC 2.3 will not be provided. Please upgrade to a later version with the vulnerability fixes.
2020-06-01 A fix for Advanced Secure Gateway (ASG) 7.2 is available in 7.2.1.1.
2020-05-12 Initial public release