English | Deutsch | Español
 
Home ▼
Home About Us Contact Us Privacy Partner Programs Testimonials In Press Mailing Lists Abuse Developer APIs
Bookkeeping
Online ▼
Home Free Trial FAQ
Open/Create Company File Accept an Invite Order/Renew
Security
Audits ▼
Home Dedicated audits Advanced audits Standard audits Recurring audits No Risk audits Desktop audits Basic audit Security Seal FAQ Price/Feature Summary Order New Tests All Tests Confidentiality Vulnerability search Run Audit Scheduler IP Permissions Audit Configuration Editor Scan Queue Reminder Notification Schedule Seal Reports Reports Style Editor
Managed
DNS ▼
About Order FAQ Acceptable Use Policy Dynamic DNS Clients
Configure Domains Dyanmic DNS Update Password
Network
Monitor ▼
Enterprise Package Advanced Package Standard Package Free Trial FAQ Price/Feature Summary Order/Renew Examples
Configure/Status Alert Profiles
Research
Reports ▼
Home FAQ Glossary Archive
 Login/Register 
 
 Vulnerability   
Search   		     Search 324607 CVE descriptions
and 145615 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.58266
Category:Red Hat Local Security Checks
Title:RedHat Security Advisory RHSA-2007:0326
Summary:NOSUMMARY
Description:Description:

The remote host is missing updates announced in
advisory RHSA-2007:0326.

Tomcat is a servlet container for Java Servlet and JavaServer Pages
technologies.

Tomcat was found to accept multiple content-length headers in a
request. This could allow attackers to poison a web-cache, bypass web
application firewall protection, or conduct cross-site scripting attacks.
(CVE-2005-2090)

Tomcat permitted various characters as path delimiters. If Tomcat was used
behind certain proxies and configured to only proxy some contexts, an
attacker could construct an HTTP request to work around the context
restriction and potentially access non-proxied content. (CVE-2007-0450)

Several applications distributed in the JSP examples displayed unfiltered
values. If the JSP examples are accessible, these flaws could allow a
remote attacker to perform cross-site scripting attacks. (CVE-2006-7195,
CVE-2006-7196)

The default Tomcat configuration permitted the use of insecure
SSL cipher suites including the anonymous cipher suite. (CVE-2007-1858)

Directory listings were enabled by default in Tomcat. Information stored
unprotected under the document root was visible to anyone if the
administrator did not disable directory listings. (CVE-2006-3835)

Users should upgrade to these erratum packages which contain Tomcat version
5.5.23 that resolves these issues. Updated jakarta-commons-modeler
packages are also included which correct a bug when used with Tomcat 5.5.23.

Solution:
Please note that this update is available via
Red Hat Network. To use Red Hat Network, launch the Red
Hat Update Agent with the following command: up2date

http://rhn.redhat.com/errata/RHSA-2007-0326.html
http://tomcat.apache.org/security-5.html
http://www.redhat.com/security/updates/classification/#important

Risk factor : Medium

CVSS Score:
5.0

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2005-2090
http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html
BugTraq ID: 13873
http://www.securityfocus.com/bid/13873
BugTraq ID: 25159
http://www.securityfocus.com/bid/25159
Bugtraq: 20050606 A new whitepaper by Watchfire - HTTP Request Smuggling (Google Search)
http://seclists.org/lists/bugtraq/2005/Jun/0025.html
Bugtraq: 20080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1 (Google Search)
http://www.securityfocus.com/archive/1/485938/100/0/threaded
Bugtraq: 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Google Search)
http://www.securityfocus.com/archive/1/500396/100/0/threaded
Bugtraq: 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) (Google Search)
http://www.securityfocus.com/archive/1/500412/100/0/threaded
HPdes Security Advisory: HPSBUX02262
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795
HPdes Security Advisory: SSRT071447
http://www.securiteam.com/securityreviews/5GP0220G0U.html
http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf
http://lists.vmware.com/pipermail/security-announce/2008/000003.html
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10499
http://www.redhat.com/support/errata/RHSA-2007-0327.html
http://www.redhat.com/support/errata/RHSA-2007-0360.html
http://www.redhat.com/support/errata/RHSA-2008-0261.html
http://securitytracker.com/id?1014365
http://secunia.com/advisories/26235
http://secunia.com/advisories/26660
http://secunia.com/advisories/27037
http://secunia.com/advisories/28365
http://secunia.com/advisories/29242
http://secunia.com/advisories/30899
http://secunia.com/advisories/30908
http://secunia.com/advisories/33668
http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1
SuSE Security Announcement: SUSE-SR:2008:005 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html
http://www.vupen.com/english/advisories/2007/2732
http://www.vupen.com/english/advisories/2007/3087
http://www.vupen.com/english/advisories/2007/3386
http://www.vupen.com/english/advisories/2008/0065
http://www.vupen.com/english/advisories/2008/1979/references
http://www.vupen.com/english/advisories/2009/0233
Common Vulnerability Exposure (CVE) ID: CVE-2006-3835
BugTraq ID: 19106
http://www.securityfocus.com/bid/19106
Bugtraq: 20070509 SEC Consult SA-20070509-0 :: Multiple vulnerabilites in Nokia Intellisync Mobile Suite & Wireless Email Express (Google Search)
http://www.securityfocus.com/archive/1/468048/100/0/threaded
Bugtraq: 20091107 ToutVirtual VirtualIQ Multiple Vulnerabilities (Google Search)
http://www.securityfocus.com/archive/1/507729/100/0/threaded
http://archives.neohapsis.com/archives/fulldisclosure/2006-07/0467.html
http://www.sec-consult.com/289.html
http://www.securenetwork.it/ricerca/advisory/download/SN-2009-02.txt
http://securitytracker.com/id?1016576
http://secunia.com/advisories/25212
http://secunia.com/advisories/37297
SuSE Security Announcement: SUSE-SR:2009:004 (Google Search)
http://lists.opensuse.org/opensuse-security-announce/2009-02/msg00002.html
http://www.vupen.com/english/advisories/2007/1727
XForce ISS Database: apache-tomcat-url-information-disclosure(27902)
https://exchange.xforce.ibmcloud.com/vulnerabilities/27902
XForce ISS Database: nokia-tomcat-source-code-disclosure(34183)
https://exchange.xforce.ibmcloud.com/vulnerabilities/34183
Common Vulnerability Exposure (CVE) ID: CVE-2006-7195
20080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1
20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities
20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1)
28365
28481
http://www.securityfocus.com/bid/28481
33668
ADV-2007-1729
http://www.vupen.com/english/advisories/2007/1729
ADV-2008-0065
ADV-2009-0233
RHSA-2007:0327
RHSA-2008:0261
[Security-announce] 20080107 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1
http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx
http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm
http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540
http://tomcat.apache.org/security-5.html
oval:org.mitre.oval:def:10514
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10514
Common Vulnerability Exposure (CVE) ID: CVE-2006-7196
20070904 Apache tomcat calendar example cross site scripting and cross site request forgery vulnerability
http://www.securityfocus.com/archive/1/478491/100/0/threaded
20070905 Re: Apache tomcat calendar example cross site scripting and cross site request forgery vulnerability
http://www.securityfocus.com/archive/1/478609/100/0/threaded
25531
http://www.securityfocus.com/bid/25531
29242
34888
http://osvdb.org/34888
SUSE-SR:2008:005
[tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E
[tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E
[tomcat-dev] 20200213 svn commit: r1873980 [24/34] - /tomcat/site/trunk/docs/
https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E
http://tomcat.apache.org/security-4.html
Common Vulnerability Exposure (CVE) ID: CVE-2007-0450
20070314 SEC Consult SA-20070314-0 :: Apache HTTP Server / Tomcat directory traversal
http://www.securityfocus.com/archive/1/462791/100/0/threaded
22960
http://www.securityfocus.com/bid/22960
239312
2446
http://securityreason.com/securityalert/2446
24732
http://secunia.com/advisories/24732
25106
http://secunia.com/advisories/25106
25159
25280
http://secunia.com/advisories/25280
26235
26660
27037
30899
30908
ADV-2007-0975
http://www.vupen.com/english/advisories/2007/0975
ADV-2007-2732
ADV-2007-3087
ADV-2007-3386
ADV-2008-1979
APPLE-SA-2007-07-31
GLSA-200705-03
http://security.gentoo.org/glsa/glsa-200705-03.xml
HPSBUX02262
MDKSA-2007:241
http://www.mandriva.com/security/advisories?name=MDKSA-2007:241
RHSA-2007:0360
SSRT071447
SUSE-SR:2007:005
http://www.novell.com/linux/security/advisories/2007_5_sr.html
SUSE-SR:2007:015
http://www.novell.com/linux/security/advisories/2007_15_sr.html
[tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/
https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E
[tomcat-dev] 20190325 svn commit: r1856174 [25/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/
https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E
[tomcat-dev] 20190413 svn commit: r1857494 [18/20] - in /tomcat/site/trunk: ./ docs/ xdocs/
https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E
[tomcat-dev] 20190415 svn commit: r1857582 [20/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/
https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E
[tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/
https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E
[tomcat-dev] 20200213 svn commit: r1873980 [30/34] - /tomcat/site/trunk/docs/
https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E
http://docs.info.apple.com/article.html?artnum=306172
http://tomcat.apache.org/security-6.html
http://www.fujitsu.com/global/support/software/security/products-f/interstage-200702e.html
http://www.sec-consult.com/287.html
http://www.sec-consult.com/fileadmin/Advisories/20070314-0-apache_tomcat_directory_traversal.txt
oval:org.mitre.oval:def:10643
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10643
tomcat-proxy-directory-traversal(32988)
https://exchange.xforce.ibmcloud.com/vulnerabilities/32988
Common Vulnerability Exposure (CVE) ID: CVE-2007-1858
28482
http://www.securityfocus.com/bid/28482
29392
http://secunia.com/advisories/29392
34882
http://osvdb.org/34882
44183
http://secunia.com/advisories/44183
64758
http://www.securityfocus.com/bid/64758
HPSBMU02744
http://marc.info/?l=bugtraq&m=133114899904925&w=2
SSRT100776
SUSE-SR:2008:007
http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00008.html
http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html
tomcat-ssl-security-bypass(34212)
https://exchange.xforce.ibmcloud.com/vulnerabilities/34212
CopyrightCopyright (c) 2007 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.



© 1998-2025 E-Soft Inc. All rights reserved.