ID de Prueba:	1.3.6.1.4.1.25623.1.0.871196
Categoría:	Red Hat Local Security Checks
Título:	RedHat Update for tomcat RHSA-2014:0827-01
Resumen:	The remote host is missing an update for the 'tomcat'; package(s) announced via the referenced advisory.
Descripción:	Summary: The remote host is missing an update for the 'tomcat' package(s) announced via the referenced advisory. Vulnerability Insight: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was discovered that Apache Tomcat did not limit the length of chunk sizes when using chunked transfer encoding. A remote attacker could use this flaw to perform a denial of service attack against Tomcat by streaming an unlimited quantity of data, leading to excessive consumption of server resources. (CVE-2014-0075) It was found that Apache Tomcat did not check for overflowing values when parsing request content length headers. A remote attacker could use this flaw to perform an HTTP request smuggling attack on a Tomcat server located behind a reverse proxy that processed the content length header correctly. (CVE-2014-0099) It was found that the org.apache.catalina.servlets.DefaultServlet implementation in Apache Tomcat allowed the definition of XML External Entities (XXEs) in provided XSLTs. A malicious application could use this to circumvent intended security restrictions to disclose sensitive information. (CVE-2014-0096) The CVE-2014-0075 issue was discovered by David Jorm of Red Hat Product Security. All Tomcat 7 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect. Affected Software/OS: tomcat on Red Hat Enterprise Linux Server (v. 7) Solution: Please Install the Updated Packages. CVSS Score: 5.0 CVSS Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Referencia Cruzada:	Common Vulnerability Exposure (CVE) ID: CVE-2014-0075 BugTraq ID: 67671 http://www.securityfocus.com/bid/67671 Bugtraq: 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities (Google Search) http://www.securityfocus.com/archive/1/534161/100/0/threaded Debian Security Information: DSA-3447 (Google Search) http://www.debian.org/security/2016/dsa-3447 Debian Security Information: DSA-3530 (Google Search) http://www.debian.org/security/2016/dsa-3530 http://lists.fedoraproject.org/pipermail/package-announce/2015-February/150282.html http://seclists.org/fulldisclosure/2014/Dec/23 HPdes Security Advisory: HPSBOV03503 http://marc.info/?l=bugtraq&m=144498216801440&w=2 HPdes Security Advisory: HPSBUX03102 http://marc.info/?l=bugtraq&m=141017844705317&w=2 HPdes Security Advisory: HPSBUX03150 http://marc.info/?l=bugtraq&m=141390017113542&w=2 HPdes Security Advisory: SSRT101681 http://www.mandriva.com/security/advisories?name=MDVSA-2015:052 http://www.mandriva.com/security/advisories?name=MDVSA-2015:053 http://www.mandriva.com/security/advisories?name=MDVSA-2015:084 https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E RedHat Security Advisories: RHSA-2015:0675 http://rhn.redhat.com/errata/RHSA-2015-0675.html RedHat Security Advisories: RHSA-2015:0720 http://rhn.redhat.com/errata/RHSA-2015-0720.html RedHat Security Advisories: RHSA-2015:0765 http://rhn.redhat.com/errata/RHSA-2015-0765.html http://secunia.com/advisories/59121 http://secunia.com/advisories/59616 http://secunia.com/advisories/59678 http://secunia.com/advisories/59732 http://secunia.com/advisories/59835 http://secunia.com/advisories/59849 http://secunia.com/advisories/59873 http://secunia.com/advisories/60729 http://secunia.com/advisories/60793 Common Vulnerability Exposure (CVE) ID: CVE-2014-0096 BugTraq ID: 67667 http://www.securityfocus.com/bid/67667 Debian Security Information: DSA-3552 (Google Search) http://www.debian.org/security/2016/dsa-3552 http://seclists.org/fulldisclosure/2014/May/135 http://www.securitytracker.com/id/1030301 Common Vulnerability Exposure (CVE) ID: CVE-2014-0099 BugTraq ID: 67668 http://www.securityfocus.com/bid/67668 Bugtraq: 20140527 Re: [SECURITY] CVE-2014-0099 Apache Tomcat information disclosure (Google Search) http://www.securityfocus.com/archive/1/532221/100/0/threaded Bugtraq: 20140527 [SECURITY] CVE-2014-0097 Apache Tomcat information disclosure (Google Search) http://www.securityfocus.com/archive/1/532218/100/0/threaded http://seclists.org/fulldisclosure/2014/May/140 http://seclists.org/fulldisclosure/2014/May/138 http://www.securitytracker.com/id/1030302
Copyright	Copyright (C) 2014 Greenbone Networks GmbH

Esta es sólo una de 145615 pruebas de vulnerabilidad en nuestra serie de pruebas. Encuentre más sobre cómo ejecutar una auditoría de seguridad completa. Para ejecutar una prueba gratuita de esta vulnerabilidad contra su sistema, regístrese ahora.