Critical System Protection

  • 1.  Nessus scan SCSP Tomcat version high risk

    Posted Feb 07, 2012 08:58 PM

    Hi,

    A Nessus scan of the SCSP admin port 8081 found that the Tomcat version should be 5.5.34 or later, but even in SCSP 5.2.8 MP2 the Tomcat version is still 5.5.33.

    May I ask whether there is any SCSP patch for that?

    Synopsis: The remote web server is affected by multiple vulnerabilities.

    Description: According to its self-reported version number, the instance of Apache Tomcat 5.5.x listening on the remote host is earlier than 5.5.34 and is affected by multiple vulnerabilities:

      - Several weaknesses were found in the HTTP Digest authentication implementation. The issues are as follows: replay attacks are possible, server nonces are not checked, client nonce counts are not checked, 'quality of protection' (qop) values are not checked, realm values are not checked and the server secret is a hard-coded, known string. The effect of these issues is that Digest authentication is no stronger than Basic authentication. (CVE-2011-1184, CVE-2011-5062, CVE-2011-5063, CVE-2011-5064)

      - An error handling issue exists related to the MemoryUserDatabase that allows user passwords to be disclosed through log files. (CVE-2011-2204)

      - An input validation error exists that allows a local attacker to either bypass security or carry out denial of service attacks when the APR or NIO connectors are enabled. (CVE-2011-2526)

      - A component that Apache Tomcat relies on called 'jsvc' contains an error in that it does not drop capabilities after starting and can allow access to sensitive files owned by the super user. Note this vulnerability only affects Linux operating systems and only when 'jsvc' is compiled with libpcap and the '-user' parameter is used. (CVE-2011-2729)

      - Specially crafted requests are incorrectly processed by Tomcat and can cause the server to allow injection of arbitrary AJP messages. This can lead to authentication bypass and disclosure of sensitive information. Note this vulnerability only occurs when the org.apache.jk.server.JkCoyoteHandler AJP connector is not used, POST requests are accepted, and the request body is not processed. (CVE-2011-3190)

    Note that Nessus did not actually test for the flaws but instead has relied on the version in Tomcat's banner or error page.

    Risk Level: Medium

    CVSS Base Score: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

    Solution: Upgrade to Apache Tomcat version 5.5.34 or later.

    Plugin output:

      Source : <title>Apache Tomcat/5.5.33
      Installed version : 5.5.33
      Fixed version : 5.5.34

    Plugin ID: 56301



  • 2.  RE: Nessus scan SCSP Tomcat version high risk

    Broadcom Employee
    Posted Feb 07, 2012 10:49 PM

    I would suggest that you open a support case. As far as I know, a few of the above CVEs do not hold good for SCSP, as it does not use those functionalities.



  • 3.  RE: Nessus scan SCSP Tomcat version high risk

    Posted Feb 08, 2012 10:47 AM

    Hi,

    I have no right to open a support case with Symantec. Do you have any other suggestion?

    Thanks/KEN



  • 4.  RE: Nessus scan SCSP Tomcat version high risk

    Posted Feb 16, 2012 10:34 AM

    I suggest talking to the person in your company that has the information to open a case. The Connect forums are here to help you, but in some cases, opening a support ticket is your best option.



  • 5.  RE: Nessus scan SCSP Tomcat version high risk

    Posted Feb 25, 2012 05:37 AM

    SCSP relies on third-party technologies, such as Tomcat. Any new release of SCSP may integrate newer versions of these third-party components.

    Like any Symantec product, SCSP follows strict QA processes to ensure the product is working as expected. Indeed, SCSP is tested with the version of Tomcat it contains, and Symantec would not design a new SCSP build for every single third-party component update.

    Symantec would not support a Tomcat upgrade or provide any article explaining how to do so (reminder: SCSP uses an embedded Tomcat version, so installing a standalone Tomcat 5.5.34/5.5.35 would not help).

    You can open a case as previously mentioned to receive official feedback from Symantec support on that topic and see with them if the next release of SCSP would integrate Tomcat 5.5.34/5.5.35.

    REMARK: I recommend that you always use the latest version of Nessus and its plugins. I already saw a case where an older version of Nessus was detecting Tomcat 3.x vulnerabilities on SCSP 5.2.8 MP2.