Posted to users@flex.apache.org by olegkon <ol...@gmail.com> on 2016/11/21 15:50:37 UTC
Security vulnerabilities in BlazeDS 4.7.2
Hi,
We are in the process of upgrading BlazeDS in a Flex+Java web app,
because when we ran OWASP Dependency Check 1.4.3, it showed High
vulnerabilities in 1 file:
Dependency: cre.war: blazeds-core-4.0.0.14931.jar
  CPE: cpe:/a:adobe:blazeds:4.0.0.14931
  Highest Severity: High, CVE Count: 2, CPE Confidence: LOW, Evidence Count: 7
However, when we tried to do the same with Apache BlazeDS 4.7.2, we got even
more of those:
Dependency: cre.war: flex-messaging-core-4.7.2.jar
  CPE: cpe:/a:apache:flex:4.7.2
  GAV: org.apache.flex.blazeds:flex-messaging-core:4.7.2
  Highest Severity: Medium, CVE Count: 1, CPE Confidence: LOW, Evidence Count: 16
Dependency: cre.war: flex-messaging-opt-tomcat7-4.7.2.jar
  CPE: cpe:/a:apache:flex:4.7.2, cpe:/a:apache:tomcat:7.0.0
  GAV: org.apache.flex.blazeds:flex-messaging-opt-tomcat7:4.7.2
  Highest Severity: High, CVE Count: 59, CPE Confidence: MEDIUM, Evidence Count: 16
More details (on 4.7.2 - I only put High Severity; there are lots and lots of
Mediums):
cre.war: flex-messaging-opt-tomcat7-4.7.2.jar
File Path:
C:\web\cre\dist\cre.war\WEB-INF\lib\flex-messaging-opt-tomcat7-4.7.2.jar
MD5: 8e188c61285fa087116df2a350571c1c
SHA1: e34b3ab4b6d72384a44e15b992801bc4849b5412
Evidence
Identifiers
•cpe: cpe:/a:apache:flex:4.7.2 Confidence:LOW
•cpe: cpe:/a:apache:tomcat:7.0.0 Confidence:MEDIUM
•maven: org.apache.flex.blazeds:flex-messaging-opt-tomcat7:4.7.2 Confidence:HIGHEST
Published Vulnerabilities
CVE-2016-6325
Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web
Server 3.0, and JBoss EWS 2 uses weak permissions for (1)
/etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local
users to gain privileges by leveraging membership in the tomcat group.
•CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
•CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1367447
•REDHAT - RHSA-2016:2045
•REDHAT - RHSA-2016:2046
Vulnerable Software & Versions:
•cpe:/a:apache:tomcat:-
CVE-2016-5425
Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS,
Oracle Linux, and possibly other Linux distributions uses weak permissions
for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root
privileges by leveraging membership in the tomcat group.
•BID - 93472
•CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
•MISC - http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
•MISC - http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
•MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on
RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora,
OracleLinux, RedHat etc.)
•REDHAT - RHSA-2016:2046
Vulnerable Software & Versions:
•cpe:/a:apache:tomcat
CVE-2016-3092
Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used
in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3,
and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause
a denial of service (CPU consumption) via a long boundary string.
•BID - 91453
•CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743480
•CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743722
•CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743738
•CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743742
•CONFIRM - http://tomcat.apache.org/security-7.html
•CONFIRM - http://tomcat.apache.org/security-8.html
•CONFIRM - http://tomcat.apache.org/security-9.html
•CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
•CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1349468
•CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
•CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
•CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
•DEBIAN - DSA-3609
•DEBIAN - DSA-3611
•DEBIAN - DSA-3614
•JVN - JVN#89379547
•JVNDB - JVNDB-2016-000121
•MLIST - [dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information
disclosure vulnerability
•UBUNTU - USN-3024-1
•UBUNTU - USN-3027-1
Vulnerable Software & Versions:
•cpe:/a:apache:tomcat:7.0.0:beta
•...
CVE-2016-1240
Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation
The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and
tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and
libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the
tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu
14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2
on Ubuntu 16.04 LTS allows local users with access to the tomcat account to
gain root privileges via a symlink attack on the Catalina log file, as
demonstrated by /var/log/tomcat7/catalina.out.
•BUGTRAQ - 20161001 CVE-2016-1240 - Tomcat packaging on Debian-based distros
- Local Root Privilege Escalation
•DEBIAN - DSA-3669
•DEBIAN - DSA-3670
•MISC - http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
•SECTRACK - 1036845
•UBUNTU - USN-3081-1
Vulnerable Software & Versions:
•cpe:/a:apache:tomcat:7.0
•...
CVE-2016-0763
Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x
before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider
whether ResourceLinkFactory.setGlobalContext callers are authorized, which
allows remote authenticated users to bypass intended SecurityManager
restrictions and read or write to arbitrary application data, or cause a
denial of service (application disruption), via a web application that sets
a crafted global context.
•BUGTRAQ - 20160222 [SECURITY] CVE-2016-0763 Apache Tomcat Security Manager
Bypass
•CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725926
•CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725929
•CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725931
•CONFIRM - http://tomcat.apache.org/security-7.html
•CONFIRM - http://tomcat.apache.org/security-8.html
•CONFIRM - http://tomcat.apache.org/security-9.html
•CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
•CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
•CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
•CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
•DEBIAN - DSA-3530
•DEBIAN - DSA-3552
•DEBIAN - DSA-3609
•UBUNTU - USN-3024-1
Vulnerable Software & Versions:
•cpe:/a:apache:tomcat:7.0.0:beta
•...
CVE-2014-0230
Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9
does not properly handle cases where an HTTP response occurs before
finishing the reading of an entire request body, which allows remote
attackers to cause a denial of service (thread consumption) via a series of
aborted upload attempts.
•CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603770
•CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603775
•CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603779
•CONFIRM - http://tomcat.apache.org/security-6.html
•CONFIRM - http://tomcat.apache.org/security-7.html
•CONFIRM - http://tomcat.apache.org/security-8.html
•CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
•CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
•CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
•DEBIAN - DSA-3530
•HP - HPSBOV03503
•HP - HPSBUX03561
•MLIST - [oss-security] 20150409 Apache Tomcat partial file upload DoS
CVE-2014-0230
•MLIST - [tomcat-announce] 20150505 [SECURITY] CVE-2014-0230: Apache Tomcat
DoS
•REDHAT - RHSA-2016:0595
•REDHAT - RHSA-2016:0596
•REDHAT - RHSA-2016:0597
•REDHAT - RHSA-2016:0598
•REDHAT - RHSA-2016:0599
Vulnerable Software & Versions:
•cpe:/a:apache:tomcat:7.0.0:beta
•...
CVE-2014-0050
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in
Apache Tomcat, JBoss Web, and other products, allows remote attackers to
cause a denial of service (infinite loop and CPU consumption) via a crafted
Content-Type header that bypasses a loop's intended exit conditions.
•BID - 65400
•BUGTRAQ - 20140625 NEW VMSA-2014-0007 - VMware product updates address
security vulnerabilities in Apache Struts library
•BUGTRAQ - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates
address security vulnerabilities
•CONFIRM - http://advisories.mageia.org/MGASA-2014-0110.html
•CONFIRM - http://svn.apache.org/r1565143
•CONFIRM - http://tomcat.apache.org/security-7.html
•CONFIRM - http://tomcat.apache.org/security-8.html
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21669554
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675432
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676091
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676092
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676401
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676403
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676405
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676410
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676656
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676853
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677691
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677724
•CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21681214
•CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html
•CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html
•CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html
•CONFIRM - http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
•CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
•CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
•CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
•CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
•CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
•CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
•CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
•CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0007.html
•CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0012.html
•CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1062337
•CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
•FULLDISC - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates
address security vulnerabilities
•HP - HPSBGN03329
•JVN - JVN#14876762
•JVNDB - JVNDB-2014-000017
•MANDRIVA - MDVSA-2015:084
•MISC - http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
•MISC - http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
•MLIST - [commons-dev] 20140206 [SECURITY] CVE-2014-0050 Apache Commons
FileUpload and Apache Tomcat DoS
•REDHAT - RHSA-2014:0400
Vulnerable Software & Versions:
•cpe:/a:apache:tomcat:7.0.0:beta
•...
CVE-2013-2185
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation
** DISPUTED ** The readObject method in the DiskFileItem class in Apache
Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application
Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to
write to arbitrary files via a NULL byte in a file name in a serialized
instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly
disputed by the Apache Tomcat team, although Red Hat considers it a
vulnerability. The dispute appears to regard whether it is the
responsibility of applications to avoid providing untrusted data to be
deserialized, or whether this class should inherently protect against this
issue.
•MLIST - [oss-security] 20130905 Re: CVE-2013-2185 / Tomcat
•MLIST - [oss-security] 20141024 Re: Duplicate Request: CVE-2013-4444 as a
duplicate of CVE-2013-2185
•REDHAT - RHSA-2013:1193
•REDHAT - RHSA-2013:1194
•REDHAT - RHSA-2013:1265
Vulnerable Software & Versions:
•cpe:/a:apache:tomcat:7.0.39 and all previous versions
Can anyone look into that?
What would you recommend?
Thank you,
Oleg.
--
View this message in context: http://apache-flex-users.2333346.n4.nabble.com/Security-vulnerabilities-in-BlazeDS-4-7-2-tp14175.html
Sent from the Apache Flex Users mailing list archive at Nabble.com.
Re: Security vulnerabilities in BlazeDS 4.7.2
Posted by olegkon <ol...@gmail.com>.
Actually, with BlazeDS 4.01 blazeds-core-4.0.0.14931.jar
there was only 1 vulnerable file and 1 High and 1 medium vulnerability.
CVE-2011-2092
Severity: High
CVSS Score: 10.0 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-20 Improper Input Validation
Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and
earlier, and BlazeDS 4.0.1 and earlier do not properly restrict creation of
classes during deserialization of (1) AMF and (2) AMFX data, which allows
attackers to have an unspecified impact via unknown vectors, related to a
"deserialization vulnerability."
•CONFIRM - http://www.adobe.com/support/security/bulletins/apsb11-15.html
•SECTRACK - 1025656
•SECTRACK - 1025657
Vulnerable Software & Versions:
•cpe:/a:adobe:blazeds:4.0.1 and all previous versions
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2011-2092
CVE-2011-2093
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation
Adobe LiveCycle Data Services 3.1 and earlier, LiveCycle 9.0.0.2 and
earlier, and BlazeDS 4.0.1 and earlier do not properly handle object graphs,
which allows attackers to cause a denial of service via unspecified vectors,
related to a "complex object graph vulnerability."
•BID - 48267
•CONFIRM - http://www.adobe.com/support/security/bulletins/apsb11-15.html
•SECTRACK - 1025656
•SECTRACK - 1025657
•XF - livecycle-graph-object-dos(68026)
Vulnerable Software & Versions:
•cpe:/a:adobe:blazeds:4.0.1 and all previous versions
•...
Could you please comment on it?
Looks like we might remain on that one if it is not that severe.
Please advise.
TIA,
Oleg.
--
View this message in context: http://apache-flex-users.2333346.n4.nabble.com/Security-vulnerabilities-in-BlazeDS-4-7-2-tp14175p14177.html
Sent from the Apache Flex Users mailing list archive at Nabble.com.
Re: Security vulnerabilities in BlazeDS 4.7.2
Posted by Christofer Dutz <ch...@c-ware.de>.
Hi Oleg,
it seems these issues are not related to BlazeDS ... the flex-messaging-opt-tomcat7-4.7.2.jar for example contains only one class.
The CVEs reported by that tool seem to all be related to tomcat. We can't do much about that. Also, as far as I know, there aren't any CVEs in any of the public lists which we haven't addressed.
I would suggest updating tomcat and not blazeds.
Chris
On 21.11.16, 16:50, "olegkon" <ol...@gmail.com> wrote:
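One way to act on Chris's diagnosis is to record the false-positive CPE match in an OWASP Dependency Check suppression file, so the Tomcat CVEs stop being attributed to the BlazeDS adapter jar while the real Tomcat runtime is tracked and patched on its own. This is an added example, not something from the thread or the BlazeDS project; the SHA1 and CPE values come from Oleg's report above, and the file name is my own choice.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- dependency-check-suppressions.xml (added example, not part of the thread)

     Dependency Check attached cpe:/a:apache:tomcat:7.0.0 (MEDIUM confidence)
     to flex-messaging-opt-tomcat7-4.7.2.jar because of the "tomcat7" token
     in the file name. The jar is a one-class BlazeDS adapter for Tomcat 7,
     not the Tomcat runtime, so the 59 Tomcat CVEs do not describe this
     artifact. The Tomcat installation itself still needs to be kept current;
     this file only stops the scanner blaming the wrong component. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">

  <suppress>
    <notes><![CDATA[
      False positive: flex-messaging-opt-tomcat7 is a BlazeDS adapter, not
      Apache Tomcat. Pinned to the exact artifact by SHA1 (taken from the
      report) so that a different build of the jar is re-evaluated instead
      of silently inheriting this suppression.
      Reviewed against the users@flex.apache.org thread of 2016-11-21.
    ]]></notes>
    <!-- SHA1 of flex-messaging-opt-tomcat7-4.7.2.jar as printed in the report -->
    <sha1>e34b3ab4b6d72384a44e15b992801bc4849b5412</sha1>
    <!-- The cpe element matches by prefix, so this covers every
         cpe:/a:apache:tomcat:* identifier the scanner may assign. -->
    <cpe>cpe:/a:apache:tomcat</cpe>
  </suppress>

  <!-- The cpe:/a:apache:flex:4.7.2 match on both 4.7.2 jars (LOW confidence)
       is deliberately left unsuppressed: any future BlazeDS/Flex advisory
       should still surface for these artifacts. -->

</suppressions>
```

Point the scanner at the file with the CLI's --suppression option or the Maven plugin's suppressionFile parameter, and keep the file under version control next to the build so every suppression carries its review note.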
Re: Security vulnerabilities in BlazeDS 4.7.2
Posted by Gary Yang <fl...@gmail.com>.
As a user I would expect something like:
<bean class="????.amf.io.RegexAMF3DeserializerSecurizer">
    <property name="pattern"
              value="#{'(^com\.usercom1\..+|^com\.usercom2\..+|^flex\.messaging\.io\..+)'}"/>
</bean>
and force users to understand and provide this pattern explicitly in
production deployment.
On Mon, Nov 21, 2016 at 10:50 AM, olegkon <ol...@gmail.com> wrote:
> Hi,
>
> We are in the process of upgrading BlazeDS in Flex+Java web app,
> because when we run OWASP Dependency Check 1.4.3, it showed a High
> Vulnerabilities in 1 file:
>
> Dependency CPE GAV Highest Severity CVE Count CPE Confidence Evidence
> Count
>
> cre.war: blazeds-core-4.0.0.14931.jar cpe:/a:adobe:blazeds:4.0.0.14931
> High 2 LOW 7
>
> However, when we tried to do the same with Apache BlazeDS 4.7.2, we got
> even
> more of those:
>
> cre.war: flex-messaging-core-4.7.2.jar cpe:/a:apache:flex:4.7.2
> org.apache.flex.blazeds:flex-messaging-core:4.7.2 Medium 1 LOW 16
> cre.war: flex-messaging-opt-tomcat7-4.7.2.jar cpe:/a:apache:flex:4.7.2
> cpe:/a:apache:tomcat:7.0.0
> org.apache.flex.blazeds:flex-messaging-opt-tomcat7:4.7.2 High 59 MEDIUM
> 16
>
> More details (on 4.7.2 - I only put High Severity, there is lots and lots
> of
> Mediums):
> cre.war: flex-messaging-opt-tomcat7-4.7.2.jar
>
>
> File Path:
> C:\web\cre\dist\cre.war\WEB-INF\lib\flex-messaging-opt-tomcat7-4.7.2.jar
> MD5: 8e188c61285fa087116df2a350571c1c
> SHA1: e34b3ab4b6d72384a44e15b992801bc4849b5412
>
> Evidence
>
> Identifiers
>
> •cpe: cpe:/a:apache:flex:4.7.2 Confidence:LOW suppress
> •cpe: cpe:/a:apache:tomcat:7.0.0 Confidence:MEDIUM suppress
> •maven: org.apache.flex.blazeds:flex-messaging-opt-tomcat7:4.7.2
> Confidence:HIGHEST
>
> Published Vulnerabilities
>
>
> CVE-2016-6325 suppress
>
> Severity: High
> CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
>
> The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss
> Web
> Server 3.0, and JBoss EWS 2 uses weak permissions for (1)
> /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local
> users to gain privileges by leveraging membership in the tomcat group.
> •CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
> •CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1367447
> •REDHAT - RHSA-2016:2045
> •REDHAT - RHSA-2016:2046
>
>
> Vulnerable Software & Versions:
> •cpe:/a:apache:tomcat:-
>
>
> CVE-2016-5425 suppress
>
> Severity: High
> CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
>
> The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS,
> Oracle Linux, and possibly other Linux distributions uses weak permissions
> for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root
> privileges by leveraging membership in the tomcat group.
> •BID - 93472
> •CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
> •MISC - http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
> •MISC - http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
> •MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on
> RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora,
> OracleLinux, RedHat etc.)
> •REDHAT - RHSA-2016:2046
>
>
> Vulnerable Software & Versions:
> •cpe:/a:apache:tomcat
>
> CVE-2016-3092 suppress
>
> Severity: High
> CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> CWE: CWE-20 Improper Input Validation
>
> The MultipartStream class in Apache Commons Fileupload before 1.3.2, as
> used
> in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3,
> and 9.x before 9.0.0.M7 and other products, allows remote attackers to
> cause
> a denial of service (CPU consumption) via a long boundary string.
> •BID - 91453
> •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743480
> •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743722
> •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743738
> •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743742
> •CONFIRM - http://tomcat.apache.org/security-7.html
> •CONFIRM - http://tomcat.apache.org/security-8.html
> •CONFIRM - http://tomcat.apache.org/security-9.html
> •CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
> •CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1349468
> •CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
> •CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
> •CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
> •DEBIAN - DSA-3609
> •DEBIAN - DSA-3611
> •DEBIAN - DSA-3614
> •JVN - JVN#89379547
> •JVNDB - JVNDB-2016-000121
> •MLIST - [dev] 20160621 CVE-2016-3092: Apache Commons Fileupload
> information
> disclosure vulnerability
> •UBUNTU - USN-3024-1
> •UBUNTU - USN-3027-1
>
>
> Vulnerable Software & Versions: (show all)
> •cpe:/a:apache:tomcat:7.0.0:beta
> •...
>
>
> CVE-2016-1240 suppress
>
> Severity: High
> CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
> CWE: CWE-20 Improper Input Validation
>
> The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and
> tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and
> libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the
> tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu
> 14.04 LTS, and tomcat8 and libtomcat8-java packages before
> 8.0.32-1ubuntu1.2
> on Ubuntu 16.04 LTS allows local users with access to the tomcat account to
> gain root privileges via a symlink attack on the Catalina log file, as
> demonstrated by /var/log/tomcat7/catalina.out.
> •BUGTRAQ - 20161001 CVE-2016-1240 - Tomcat packaging on Debian-based
> distros
> - Local Root Privilege Escalation
> •DEBIAN - DSA-3669
> •DEBIAN - DSA-3670
> •MISC - http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
> •SECTRACK - 1036845
> •UBUNTU - USN-3081-1
>
>
> Vulnerable Software & Versions: (show all)
> •cpe:/a:apache:tomcat:7.0
> •...
>
>
>
>
>
> CVE-2016-0763 suppress
>
> Severity: Medium
> CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
>
> The setGlobalContext method in
> org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x
> before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider
> whether ResourceLinkFactory.setGlobalContext callers are authorized, which
> allows remote authenticated users to bypass intended SecurityManager
> restrictions and read or write to arbitrary application data, or cause a
> denial of service (application disruption), via a web application that sets
> a crafted global context.
> •BUGTRAQ - 20160222 [SECURITY] CVE-2016-0763 Apache Tomcat Security Manager
> Bypass
> •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725926
> •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725929
> •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725931
> •CONFIRM - http://tomcat.apache.org/security-7.html
> •CONFIRM - http://tomcat.apache.org/security-8.html
> •CONFIRM - http://tomcat.apache.org/security-9.html
> •CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
> •CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
> •CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
> •CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
> •DEBIAN - DSA-3530
> •DEBIAN - DSA-3552
> •DEBIAN - DSA-3609
> •UBUNTU - USN-3024-1
>
>
> Vulnerable Software & Versions: (show all)
> •cpe:/a:apache:tomcat:7.0.0:beta
> •...
>
>
> CVE-2014-0230 suppress
>
> Severity: High
> CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
> CWE: CWE-399 Resource Management Errors
>
> Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9
> does not properly handle cases where an HTTP response occurs before
> finishing the reading of an entire request body, which allows remote
> attackers to cause a denial of service (thread consumption) via a series of
> aborted upload attempts.
> •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603770
> •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603775
> •CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603779
> •CONFIRM - http://tomcat.apache.org/security-6.html
> •CONFIRM - http://tomcat.apache.org/security-7.html
> •CONFIRM - http://tomcat.apache.org/security-8.html
> •CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
> •CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
> •CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
> •DEBIAN - DSA-3530
> •HP - HPSBOV03503
> •HP - HPSBUX03561
> •MLIST - [oss-security] 20150409 Apache Tomcat partial file upload DoS
> CVE-2014-0230
> •MLIST - [tomcat-announce] 20150505 [SECURITY] CVE-2014-0230: Apache Tomcat
> DoS
> •REDHAT - RHSA-2016:0595
> •REDHAT - RHSA-2016:0596
> •REDHAT - RHSA-2016:0597
> •REDHAT - RHSA-2016:0598
> •REDHAT - RHSA-2016:0599
>
>
> Vulnerable Software & Versions: (show all)
> •cpe:/a:apache:tomcat:7.0.0:beta
> •...
>
> CVE-2014-0050 suppress
>
> Severity: High
> CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-264 Permissions, Privileges, and Access Controls
>
> MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in
> Apache Tomcat, JBoss Web, and other products, allows remote attackers to
> cause a denial of service (infinite loop and CPU consumption) via a crafted
> Content-Type header that bypasses a loop's intended exit conditions.
> •BID - 65400
> •BUGTRAQ - 20140625 NEW VMSA-2014-0007 - VMware product updates address
> security vulnerabilities in Apache Struts library
> •BUGTRAQ - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates
> address security vulnerabilities
> •CONFIRM - http://advisories.mageia.org/MGASA-2014-0110.html
> •CONFIRM - http://svn.apache.org/r1565143
> •CONFIRM - http://tomcat.apache.org/security-7.html
> •CONFIRM - http://tomcat.apache.org/security-8.html
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21669554
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675432
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676091
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676092
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676401
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676403
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676405
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676410
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676656
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676853
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677691
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677724
> •CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21681214
> •CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html
> •CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html
> •CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html
> •CONFIRM - http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
> •CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
> •CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
> •CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
> •CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
> •CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
> •CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
> •CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
> •CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0007.html
> •CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0012.html
> •CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1062337
> •CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
> •FULLDISC - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates
> address security vulnerabilities
> •HP - HPSBGN03329
> •JVN - JVN#14876762
> •JVNDB - JVNDB-2014-000017
> •MANDRIVA - MDVSA-2015:084
> •MISC - http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
> •MISC - http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
> •MLIST - [commons-dev] 20140206 [SECURITY] CVE-2014-0050 Apache Commons
> FileUpload and Apache Tomcat DoS
> •REDHAT - RHSA-2014:0400
>
>
> Vulnerable Software & Versions: (show all)
> •cpe:/a:apache:tomcat:7.0.0:beta
> •...
>
> CVE-2013-2185 suppress
>
> Severity: High
> CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
> CWE: CWE-20 Improper Input Validation
>
> ** DISPUTED ** The readObject method in the DiskFileItem class in Apache
> Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application
> Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to
> write to arbitrary files via a NULL byte in a file name in a serialized
> instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly
> disputed by the Apache Tomcat team, although Red Hat considers it a
> vulnerability. The dispute appears to regard whether it is the
> responsibility of applications to avoid providing untrusted data to be
> deserialized, or whether this class should inherently protect against this
> issue.
> •MLIST - [oss-security] 20130905 Re: CVE-2013-2185 / Tomcat
> •MLIST - [oss-security] 20141024 Re: Duplicate Request: CVE-2013-4444 as a
> duplicate of CVE-2013-2185
> •REDHAT - RHSA-2013:1193
> •REDHAT - RHSA-2013:1194
> •REDHAT - RHSA-2013:1265
>
>
> Vulnerable Software & Versions: (show all)
> •cpe:/a:apache:tomcat:7.0.39 and all previous versions
>
>
> Can anyone look into that?
> What would you recommend?
>
> Thank you,
> Oleg.
>
>
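Gary Yang's reply above sketches a bean that takes a regex allow-list of class names and gates AMF3 deserialization on it. The point worth making concrete is the deny-by-default behaviour: an unconfigured securizer must reject every class, the match must cover the whole class name rather than any substring, and the check has to run before any Class.forName on a name read from the wire. The following is an added example, not BlazeDS, Spring or Gary's code: the class name, the setPattern/isAllowed/resolve methods and the use of the thread context class loader are assumptions chosen to fit the bean in the reply; the pattern itself is the one from the reply, with backslashes doubled for a Java string literal.

```java
import java.util.regex.Pattern;

/**
 * Added example (not BlazeDS or Spring code): a regex allow-list gate for class
 * names arriving in AMF3 payloads, shaped like the bean sketched in the reply.
 * Unconfigured, it denies everything; configured, it admits only names that
 * fully match the pattern.
 */
public final class RegexAmf3DeserializerSecurizer {

    // null until setPattern() runs: with no pattern, no class is allowed.
    private volatile Pattern allowed;

    public RegexAmf3DeserializerSecurizer() { }

    public RegexAmf3DeserializerSecurizer(String pattern) { setPattern(pattern); }

    /** Bean property matching <property name="pattern" .../> in the sketch. */
    public void setPattern(String pattern) {
        if (pattern == null || pattern.trim().isEmpty()) {
            throw new IllegalArgumentException("allow-list pattern must not be empty");
        }
        this.allowed = Pattern.compile(pattern);
    }

    /** Deny by default: only a non-empty name fully matching the pattern passes. */
    public boolean isAllowed(String className) {
        Pattern p = allowed;
        if (p == null || className == null || className.isEmpty()) {
            return false;
        }
        // matches() requires the whole name to match, so a pattern written without
        // anchors still cannot be satisfied by a substring such as "x.com.usercom1.Y".
        // Array descriptors ("[Lcom.foo.Bar;") are checked verbatim and so are denied
        // by a package-prefix pattern unless listed explicitly.
        return p.matcher(className).matches();
    }

    /**
     * The gate to call before resolving a type name taken from the payload.
     * Throws rather than returning null so a caller cannot fall through.
     */
    public Class<?> resolve(String className) throws ClassNotFoundException {
        if (!isAllowed(className)) {
            throw new SecurityException(
                "AMF3 deserialization of class not on the allow-list: " + className);
        }
        // initialize=false: checking a name must not run static initializers.
        return Class.forName(className, false,
            Thread.currentThread().getContextClassLoader());
    }

    public static void main(String[] args) {
        RegexAmf3DeserializerSecurizer unconfigured = new RegexAmf3DeserializerSecurizer();
        System.out.println("unconfigured, com.usercom1.model.Order -> "
            + (unconfigured.isAllowed("com.usercom1.model.Order") ? "allow" : "DENY"));

        // Pattern from the reply, as a Java string literal.
        RegexAmf3DeserializerSecurizer s = new RegexAmf3DeserializerSecurizer(
            "(^com\\.usercom1\\..+|^com\\.usercom2\\..+|^flex\\.messaging\\.io\\..+)");

        String[] probes = {                        // constructed sample class names
            "com.usercom1.model.Order",            // application class: allow
            "flex.messaging.io.ArrayCollection",   // BlazeDS collection type: allow
            "com.usercom1",                        // bare package, no class: DENY
            "com.usercom1x.Evil",                  // prefix without the dot: DENY
            "evil.com.usercom1.Order",             // allowed prefix not at start: DENY
            "java.lang.Runtime",                   // not listed: DENY
            "[Lcom.usercom1.model.Order;",         // array descriptor: DENY
            "",                                    // empty name: DENY
        };
        for (String name : probes) {
            System.out.printf("%-36s %s%n", name, s.isAllowed(name) ? "allow" : "DENY");
        }
    }
}
```

The pattern in the reply anchors each alternative with ^ but not with $; that is harmless here only because the check uses matches(), which implies both anchors. A gate implemented with find() and a pattern missing its anchors would accept any class whose name merely contains an allowed prefix, so whichever implementation is used, test it with a name like "evil.com.usercom1.Order" as above. Also note that "^flex\.messaging\.io\..+" admits every class under that package, which is wider than the handful of collection and message types a typical application actually exchanges.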