Test ID:	1.3.6.1.4.1.25623.1.0.58900
Category:	Red Hat Local Security Checks
Title:	RedHat Security Advisory RHSA-2007:0327
Summary:	NOSUMMARY
Description:	Description: The remote host is missing updates announced in advisory RHSA-2007:0327. Tomcat is a servlet container for Java Servlet and JavaServer Pages technologies. Tomcat was found to accept multiple content-length headers in a request. This could allow attackers to poison a web-cache, bypass web application firewall protection, or conduct cross-site scripting attacks. (CVE-2005-2090) Tomcat permitted various characters as path delimiters. If Tomcat was used behind certain proxies and configured to only proxy some contexts, an attacker could construct an HTTP request to work around the context restriction and potentially access non-proxied content. (CVE-2007-0450) The implict-objects.jsp file distributed in the examples webapp displayed a number of unfiltered header values. If the JSP examples were accessible, this flaw could allow a remote attacker to perform cross-site scripting attacks. (CVE-2006-7195) Users should upgrade to these erratum packages which contain an update to Tomcat that resolves these issues. Updated jakarta-commons-modeler packages are also included which correct a bug when used with Tomcat 5.5.23. Solution: Please note that this update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command: up2date http://rhn.redhat.com/errata/RHSA-2007-0327.html http://tomcat.apache.org/security-5.html http://www.redhat.com/security/updates/classification/#important Risk factor : Medium CVSS Score: 5.0
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2005-2090 http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html BugTraq ID: 13873 http://www.securityfocus.com/bid/13873 BugTraq ID: 25159 http://www.securityfocus.com/bid/25159 Bugtraq: 20050606 A new whitepaper by Watchfire - HTTP Request Smuggling (Google Search) http://seclists.org/lists/bugtraq/2005/Jun/0025.html Bugtraq: 20080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1 (Google Search) http://www.securityfocus.com/archive/1/485938/100/0/threaded Bugtraq: 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Google Search) http://www.securityfocus.com/archive/1/500396/100/0/threaded Bugtraq: 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) (Google Search) http://www.securityfocus.com/archive/1/500412/100/0/threaded HPdes Security Advisory: HPSBUX02262 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c01178795 HPdes Security Advisory: SSRT071447 http://www.securiteam.com/securityreviews/5GP0220G0U.html http://www.watchfire.com/resources/HTTP-Request-Smuggling.pdf http://lists.vmware.com/pipermail/security-announce/2008/000003.html https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3@%3Cdev.tomcat.apache.org%3E https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3E https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10499 http://www.redhat.com/support/errata/RHSA-2007-0327.html http://www.redhat.com/support/errata/RHSA-2007-0360.html http://www.redhat.com/support/errata/RHSA-2008-0261.html http://securitytracker.com/id?1014365 http://secunia.com/advisories/26235 http://secunia.com/advisories/26660 http://secunia.com/advisories/27037 http://secunia.com/advisories/28365 http://secunia.com/advisories/29242 http://secunia.com/advisories/30899 http://secunia.com/advisories/30908 http://secunia.com/advisories/33668 http://sunsolve.sun.com/search/document.do?assetkey=1-26-239312-1 SuSE Security Announcement: SUSE-SR:2008:005 (Google Search) http://lists.opensuse.org/opensuse-security-announce/2008-03/msg00001.html http://www.vupen.com/english/advisories/2007/2732 http://www.vupen.com/english/advisories/2007/3087 http://www.vupen.com/english/advisories/2007/3386 http://www.vupen.com/english/advisories/2008/0065 http://www.vupen.com/english/advisories/2008/1979/references http://www.vupen.com/english/advisories/2009/0233 Common Vulnerability Exposure (CVE) ID: CVE-2006-7195 20080108 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1 20090124 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities 20090127 CA20090123-01: Cohesion Tomcat Multiple Vulnerabilities (Updated - v1.1) 28365 28481 http://www.securityfocus.com/bid/28481 33668 ADV-2007-1729 http://www.vupen.com/english/advisories/2007/1729 ADV-2008-0065 ADV-2009-0233 RHSA-2007:0327 RHSA-2008:0261 [Security-announce] 20080107 VMSA-2008-0002 Low severity security update for VirtualCenter and ESX Server 3.0.2, and ESX 3.0.1 http://community.ca.com/blogs/casecurityresponseblog/archive/2009/01/23.aspx http://support.avaya.com/elmodocs2/security/ASA-2007-206.htm http://support.ca.com/irj/portal/anonymous/phpsupcontent?contentID=197540 http://tomcat.apache.org/security-5.html oval:org.mitre.oval:def:10514 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10514 Common Vulnerability Exposure (CVE) ID: CVE-2007-0450 20070314 SEC Consult SA-20070314-0 :: Apache HTTP Server / Tomcat directory traversal http://www.securityfocus.com/archive/1/462791/100/0/threaded 22960 http://www.securityfocus.com/bid/22960 239312 2446 http://securityreason.com/securityalert/2446 24732 http://secunia.com/advisories/24732 25106 http://secunia.com/advisories/25106 25159 25280 http://secunia.com/advisories/25280 26235 26660 27037 30899 30908 ADV-2007-0975 http://www.vupen.com/english/advisories/2007/0975 ADV-2007-2732 ADV-2007-3087 ADV-2007-3386 ADV-2008-1979 APPLE-SA-2007-07-31 GLSA-200705-03 http://security.gentoo.org/glsa/glsa-200705-03.xml HPSBUX02262 MDKSA-2007:241 http://www.mandriva.com/security/advisories?name=MDKSA-2007:241 RHSA-2007:0360 SSRT071447 SUSE-SR:2007:005 http://www.novell.com/linux/security/advisories/2007_5_sr.html SUSE-SR:2007:015 http://www.novell.com/linux/security/advisories/2007_15_sr.html [tomcat-dev] 20190319 svn commit: r1855831 [21/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ https://lists.apache.org/thread.html/29dc6c2b625789e70a9c4756b5a327e6547273ff8bde7e0327af48c5%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190319 svn commit: r1855831 [26/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ https://lists.apache.org/thread.html/ba661b0edd913b39ff129a32d855620dd861883ade05fd88a8ce517d%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190325 svn commit: r1856174 [19/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ https://lists.apache.org/thread.html/c62b0e3a7bf23342352a5810c640a94b6db69957c5c19db507004d74%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190325 svn commit: r1856174 [25/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ https://lists.apache.org/thread.html/8d2a579bbd977c225c70cb23b0ec54865fb0dab5da3eff1e060c9935%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190413 svn commit: r1857494 [18/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ https://lists.apache.org/thread.html/277d42b48b6e9aef50949c0dcc79ce21693091d73da246b3c1981925%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20190415 svn commit: r1857582 [20/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ https://lists.apache.org/thread.html/5b7a23e245c93235c503900da854a143596d901bf1a1f67e851a5de4%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20200203 svn commit: r1873527 [26/30] - /tomcat/site/trunk/docs/ https://lists.apache.org/thread.html/rf8e8c091182b45daa50d3557cad9b10bb4198e3f08cf8f1c66a1b08d%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20200213 svn commit: r1873980 [24/34] - /tomcat/site/trunk/docs/ https://lists.apache.org/thread.html/rb71997f506c6cc8b530dd845c084995a9878098846c7b4eacfae8db3%40%3Cdev.tomcat.apache.org%3E [tomcat-dev] 20200213 svn commit: r1873980 [30/34] - /tomcat/site/trunk/docs/ https://lists.apache.org/thread.html/r5c616dfc49156e4b06ffab842800c80f4425924d0f20c452c127a53c%40%3Cdev.tomcat.apache.org%3E http://docs.info.apple.com/article.html?artnum=306172 http://tomcat.apache.org/security-4.html http://tomcat.apache.org/security-6.html http://www.fujitsu.com/global/support/software/security/products-f/interstage-200702e.html http://www.sec-consult.com/287.html http://www.sec-consult.com/fileadmin/Advisories/20070314-0-apache_tomcat_directory_traversal.txt oval:org.mitre.oval:def:10643 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10643 tomcat-proxy-directory-traversal(32988) https://exchange.xforce.ibmcloud.com/vulnerabilities/32988
Copyright	Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com

This is only one of 145615 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.