SA156: Apache Tomcat Vulnerabilities Apr-Oct 2017

Security Advisory ID: SA156
Published Date: Nov 07, 2017
Advisory Status: Interim
Advisory Severity: High
CVSS v2 base score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE Number: 
CVE-2017-5647 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2017-5648 - 6.4 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CVE-2017-5650 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CVE-2017-5651 - 7.5 (HIGH) (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CVE-2017-5664 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:N/I:P/A:N)
CVE-2017-7674 - 4.3 (MEDIUM) (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVE-2017-7675 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2017-12615 - 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2017-12616 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2017-12617 - 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P)

Symantec Network Protection products using affected versions of Apache Tomcat are susceptible to multiple security vulnerabilities.  A remote attacker, with access to the management interface, can obtain sensitive information from the server, modify information associated with a different web application, execute arbitrary code, modify server behavior, perform HTTP cache poisoning, or cause denial of service.

Affected Products:

The following products are vulnerable:

Advanced Secure Gateway
ASG 6.6 and 6.7 are vulnerable to CVE-2017-5647 and CVE-2017-5664.

Content Analysis
CA 1.3, 2.1, and 2.2 are vulnerable to CVE-2017-5647 and CVE-2017-5664.

Director
Director 6.1 is vulnerable to CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617.

IntelligenceCenter
IC 3.3 is vulnerable to all CVEs.

IntelligenceCenter Data Collector
DC 3.3 is vulnerable to all CVEs.

Mail Threat Defense
MTD 1.1 is vulnerable to CVE-2017-5647 and CVE-2017-5664.

Management Center
MC 1.11 is vulnerable to CVE-2017-5647, CVE-2017-5650, CVE-2017-5651, and CVE-2017-5664.

X-Series XOS
XOS 9.7, 10.0, and 11.0 are vulnerable to CVE-2017-5664, CVE-2017-12615, and CVE-2017-12617.  XOS 11.0 is also vulnerable to CVE-2017-5647 and CVE-2017-12616.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
K9
Malware Analysis
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent

Advisory Details: 

This Security Advisory addresses multiple Apache Tomcat security vulnerabilities announced between April and October 2017.  Symantec Network Protection products that include a vulnerable version of Apache Tomcat and make use of the affected functionality are vulnerable.

  • CVE-2017-5647 is a flaw in pipelined request handling that allows a remote attacker to send crafted pipelined HTTP requests and obtain sensitive information or cause the target to return incorrect responses to other pipelined requests.
  • CVE-2017-5648 is a flaw in servlet restrictions that allows an untrusted web application under a SecurityManager to view and modify information associated with another web application. An attacker must be able to deploy a malicious web application to exploit this vulnerability.
  • CVE-2017-5650 is a flaw in resource deallocation that allows a remote attacker to send crafted HTTP/2 requests and cause denial of service through resource exhaustion.
  • CVE-2017-5651 is a flaw in request handling that allows a remote attacker to send HTTP requests and obtain sensitive information or cause the target to return incorrect responses to other HTTP requests.
  • CVE-2017-5664 is a flaw in HTTP error processing that allows a remote attacker to send crafted HTTP requests and modify server behavior.
  • CVE-2017-7674 is a flaw in the CORS filter that allows remote attackers to perform client and server side HTTP response cache poisoning.
  • CVE-2017-7675 is a flaw in the HTTP/2 implementation that allows remote attackers to bypass security constraints and perform directory traversal.
  • CVE-2017-12615 is a flaw that allows remote attackers to send crafted requests to upload and execute arbitrary JSP code on the server. This is a different vulnerability from CVE-2017-12617.
  • CVE-2017-12616 is a flaw that allows remote attackers to send crafted requests to bypass security constraints and view JSP source code.
  • CVE-2017-12617 is a flaw that allows remote attackers to send crafted requests to upload and execute arbitrary JSP code on the server. This is a different vulnerability from CVE-2017-12615.

Some Symantec Network Protection products do not enable or use all functionality within Apache Tomcat.  The products listed below do not use the functionality exercised by the CVEs listed beside them and are thus not known to be vulnerable to those CVEs.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617
  • CA: CVE-2017-5648 (2.2 only), CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617
  • MTD: CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617
  • MC: CVE-2017-5648, CVE-2017-7674, CVE-2017-7675, and CVE-2017-12617

Workarounds: 

For all vulnerable products, these vulnerabilities can be exploited only through the management interfaces.  Allowing only machines, IP addresses, and subnets from a trusted network to access the management interface reduces the risk of these vulnerabilities being exploited.
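As an added illustration of the workaround above (example code written for this page, not part of the advisory or of any Symantec product), the following Python models a trusted-source allowlist for the management interface and flags requests to it that arrive from outside the trusted addresses and subnets.  The management path prefix, the allowlist entries, and the log lines are all constructed assumptions.

```python
import ipaddress
import re

# Assumed allowlist in the spirit of the workaround: individual trusted
# addresses and trusted subnets.  Constructed values, not from any device.
TRUSTED_MGMT_SOURCES = ["10.10.5.0/24", "192.0.2.17"]

# Assumed path prefix of the management interface (hypothetical).
MGMT_PREFIX = "/mgmt/"

# Common-log-format line: source, ident, user, [timestamp], "METHOD PATH PROTO", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample access log; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
10.10.5.23 - admin [07/Nov/2017:10:01:02 +0000] "GET /mgmt/console HTTP/1.1" 200 4120
203.0.113.9 - - [07/Nov/2017:10:01:09 +0000] "GET /mgmt/console HTTP/1.1" 401 0
192.0.2.17 - admin [07/Nov/2017:10:02:30 +0000] "POST /mgmt/config HTTP/1.1" 200 110
198.51.100.4 - - [07/Nov/2017:10:03:00 +0000] "GET /mgmt/status HTTP/1.1" 401 0
198.51.100.4 - - [07/Nov/2017:10:03:05 +0000] "GET /public/index.html HTTP/1.1" 200 512
"""


def parse_sources(entries):
    """Turn allowlist entries (single address or CIDR) into network objects."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_trusted(src_ip, trusted):
    """True if src_ip lies inside any trusted address or subnet."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in net for net in trusted)


def untrusted_mgmt_requests(log_text, trusted, mgmt_prefix=MGMT_PREFIX):
    """Return (source, method, path, status) for management-interface
    requests whose source is not in the trusted set; other paths are ignored."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        src, method, path, status = m.groups()
        if path.startswith(mgmt_prefix) and not is_trusted(src, trusted):
            hits.append((src, method, path, int(status)))
    return hits
```

Run as a detection pass over management-interface access logs, the output is the set of sources that the recommended network restriction would have blocked.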

Patches: 

Advanced Secure Gateway
ASG 6.7 - a fix is not available at this time.
ASG 6.6 - a fix is not available at this time.

Content Analysis
CA 2.2 - a fix is not available at this time.
CA 2.1 - a fix is not available at this time.
CA 1.3 - a fix is not available at this time.

Director
Director 6.1 - a fix is not available at this time.

IntelligenceCenter
IC 3.3 - a fix is not available at this time.

IntelligenceCenter Data Collector
DC 3.3 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.11 - a fix is not available at this time.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix is not available at this time.

Advisory History: 

2017-11-07 initial public release