Vulnerability   
Search   
    Search 219043 CVE descriptions
and 99761 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.64283
Category:Mandrake Local Security Checks
Title:Mandrake Security Advisory MDVSA-2009:136 (tomcat5)
Summary:NOSUMMARY
Description:Description:
The remote host is missing an update to tomcat5
announced via advisory MDVSA-2009:136.

Multiple security vulnerabilities has been identified and fixed
in tomcat5:

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through
6.0.18, and possibly earlier versions normalizes the target pathname
before filtering the query string when using the RequestDispatcher
method, which allows remote attackers to bypass intended access
restrictions and conduct directory traversal attacks via .. (dot dot)
sequences and the WEB-INF directory in a Request (CVE-2008-5515).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
through 6.0.18, when the Java AJP connector and mod_jk load balancing
are used, allows remote attackers to cause a denial of service
(application outage) via a crafted request with invalid headers,
related to temporary blocking of connectors that have encountered
errors, as demonstrated by an error involving a malformed HTTP Host
header (CVE-2009-0033).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and
6.0.0 through 6.0.18, when FORM authentication is used, allows
remote attackers to enumerate valid usernames via requests to
/j_security_check with malformed URL encoding of passwords, related to
improper error checking in the (1) MemoryRealm, (2) DataSourceRealm,
and (3) JDBCRealm authentication realms, as demonstrated by a %
(percent) value for the j_password parameter (CVE-2009-0580).

The calendar application in the examples web application contains an
XSS flaw due to invalid HTML which renders the XSS filtering protection
ineffective (CVE-2009-0781).

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, and 6.0.0
through 6.0.18 permits web applications to replace an XML parser used
for other web applications, which allows local users to read or modify
the (1) web.xml, (2) context.xml, or (3) tld files of arbitrary web
applications via a crafted application that is loaded earlier than
the target application (CVE-2009-0783).

The updated packages have been patched to prevent this. Additionally
Apache Tomcat has been upgraded to the latest 5.5.27 version for
2009.0.

Affected: 2009.0, 2009.1

Solution:
To upgrade automatically use MandrakeUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.

https://secure1.securityspace.com/smysecure/catid.html?in=MDVSA-2009:136
http://tomcat.apache.org/security-5.html

CVSS Score:
5.0

CVSS Vector:
AV:N/AC:L/Au:N/C:P/I:N/A:N

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2008-5515
http://lists.apple.com/archives/security-announce/2010//Mar/msg00001.html
BugTraq ID: 35263
http://www.securityfocus.com/bid/35263
Bugtraq: 20090608 [SECURITY] CVE-2008-5515 RequestDispatcher directory traversal vulnerability (Google Search)
http://www.securityfocus.com/archive/1/504170/100/0/threaded
Bugtraq: 20090610 [SECURITY] UPDATED CVE-2008-5515 RequestDispatcher directory traversal vulnerability (Google Search)
http://www.securityfocus.com/archive/1/504202/100/0/threaded
Bugtraq: 20091120 VMSA-2009-0016 VMware vCenter and ESX update release and vMA patch release address multiple security issue in third party components (Google Search)
http://www.securityfocus.com/archive/1/507985/100/0/threaded
Debian Security Information: DSA-2207 (Google Search)
http://www.debian.org/security/2011/dsa-2207
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01216.html
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01246.html
https://www.redhat.com/archives/fedora-package-announce/2009-November/msg01156.html
HPdes Security Advisory: HPSBMA02535
http://marc.info/?l=bugtraq&m=127420533226623&w=2
HPdes Security Advisory: HPSBUX02579
http://marc.info/?l=bugtraq&m=129070310906557&w=2
HPdes Security Advisory: HPSBUX02860
http://marc.info/?l=bugtraq&m=136485229118404&w=2
HPdes Security Advisory: SSRT100029
HPdes Security Advisory: SSRT100203
HPdes Security Advisory: SSRT101146
http://jvn.jp/en/jp/JVN63832775/index.html
http://www.mandriva.com/security/advisories?name=MDVSA-2009:136
http://www.mandriva.com/security/advisories?name=MDVSA-2009:138
http://www.mandriva.com/security/advisories?name=MDVSA-2010:176
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/06cfb634bc7bf37af7d8f760f118018746ad8efbd519c4b789ac9c2e@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/8dcaf7c3894d66cb717646ea1504ea6e300021c85bb4e677dc16b1aa@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r584a714f141eff7b1c358d4679288177bd4ca4558e9999d15867d4b5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r3aacc40356defc3f248aa504b1e48e819dd0471a0a83349080c6bcbf@%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10422
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19452
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6445
http://secunia.com/advisories/35393
http://secunia.com/advisories/35685
http://secunia.com/advisories/35788
http://secunia.com/advisories/37460
http://secunia.com/advisories/39317
http://secunia.com/advisories/42368
http://secunia.com/advisories/44183
http://sunsolve.sun.com/search/document.do?assetkey=1-26-263529-1
SuSE Security Announcement: SUSE-SR:2009:012 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2009-07/msg00002.html
SuSE Security Announcement: SUSE-SR:2010:008 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00001.html
http://www.vupen.com/english/advisories/2009/1520
http://www.vupen.com/english/advisories/2009/1535
http://www.vupen.com/english/advisories/2009/1856
http://www.vupen.com/english/advisories/2009/3316
http://www.vupen.com/english/advisories/2010/3056
Common Vulnerability Exposure (CVE) ID: CVE-2009-0033
BugTraq ID: 35193
http://www.securityfocus.com/bid/35193
Bugtraq: 20090603 [SECURITY] CVE-2009-0033 Apache Tomcat DoS when using Java AJP connector (Google Search)
http://www.securityfocus.com/archive/1/504044/100/0/threaded
HPdes Security Advisory: HPSBOV02762
http://marc.info/?l=bugtraq&m=133469267822771&w=2
HPdes Security Advisory: SSRT100825
http://jvn.jp/en/jp/JVN87272440/index.html
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10231
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19110
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5739
http://securitytracker.com/id?1022331
http://secunia.com/advisories/35326
http://secunia.com/advisories/35344
http://www.vupen.com/english/advisories/2009/1496
XForce ISS Database: tomcat-ajp-dos(50928)
https://exchange.xforce.ibmcloud.com/vulnerabilities/50928
Common Vulnerability Exposure (CVE) ID: CVE-2009-0580
BugTraq ID: 35196
http://www.securityfocus.com/bid/35196
Bugtraq: 20090603 [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication (Google Search)
http://www.securityfocus.com/archive/1/504045/100/0/threaded
Bugtraq: 20090604 Re: [SECURITY] CVE-2009-0580 Apache Tomcat User enumeration vulnerability with FORM authentication (Google Search)
http://www.securityfocus.com/archive/1/504108/100/0/threaded
Bugtraq: 20090605 [SECURITY] CVE-2009-0580 UPDATED Apache Tomcat User enumeration vulnerability with FORM authentication (Google Search)
http://www.securityfocus.com/archive/1/504125/100/0/threaded
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18915
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6628
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9101
http://securitytracker.com/id?1022332
XForce ISS Database: tomcat-jsecuritycheck-info-disclosure(50930)
https://exchange.xforce.ibmcloud.com/vulnerabilities/50930
Common Vulnerability Exposure (CVE) ID: CVE-2009-0781
Bugtraq: 20090306 [SECURITY] CVE-2009-0781 XSS in Apache Tomcat examples web application (Google Search)
http://www.securityfocus.com/archive/1/501538/100/0/threaded
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11041
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19345
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6564
XForce ISS Database: tomcat-cal2-xss(49213)
https://exchange.xforce.ibmcloud.com/vulnerabilities/49213
Common Vulnerability Exposure (CVE) ID: CVE-2009-0783
BugTraq ID: 35416
http://www.securityfocus.com/bid/35416
Bugtraq: 20090604 [SECURITY] CVE-2009-0783 Apache Tomcat Information disclosure (Google Search)
http://www.securityfocus.com/archive/1/504090/100/0/threaded
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10716
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18913
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6450
http://www.securitytracker.com/id?1022336
XForce ISS Database: tomcat-xml-information-disclosure(51195)
https://exchange.xforce.ibmcloud.com/vulnerabilities/51195
CopyrightCopyright (c) 2009 E-Soft Inc. http://www.securityspace.com

This is only one of 99761 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2024 E-Soft Inc. All rights reserved.