Test ID:	1.3.6.1.4.1.25623.1.0.841274
Category:	Ubuntu Local Security Checks
Title:	Ubuntu: Security Advisory (USN-1685-1)
Summary:	The remote host is missing an update for the 'tomcat6, tomcat7' package(s) announced via the USN-1685-1 advisory.
Description:	Summary: The remote host is missing an update for the 'tomcat6, tomcat7' package(s) announced via the USN-1685-1 advisory. Vulnerability Insight: It was discovered that Tomcat incorrectly performed certain security constraint checks in the FORM authenticator. A remote attacker could possibly use this flaw with a specially-crafted URI to bypass security constraint checks. This issue only affected Ubuntu 10.04 LTS, Ubuntu 11.10 and Ubuntu 12.04 LTS. (CVE-2012-3546) It was discovered that Tomcat incorrectly handled requests that lack a session identifier. A remote attacker could possibly use this flaw to bypass the cross-site request forgery protection. (CVE-2012-4431) It was discovered that Tomcat incorrectly handled sendfile and HTTPS when the NIO connector is used. A remote attacker could use this flaw to cause Tomcat to stop responding, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS, Ubuntu 11.10 and Ubuntu 12.04 LTS. (CVE-2012-4534) Affected Software/OS: 'tomcat6, tomcat7' package(s) on Ubuntu 10.04, Ubuntu 11.10, Ubuntu 12.04, Ubuntu 12.10. Solution: Please install the updated package(s). CVSS Score: 4.3 CVSS Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Cross-Ref:	Common Vulnerability Exposure (CVE) ID: CVE-2012-3546 1027833 http://www.securitytracker.com/id?1027833 20121204 CVE-2012-3546 Apache Tomcat Bypass of security constraints http://archives.neohapsis.com/archives/bugtraq/2012-12/0044.html 51984 http://secunia.com/advisories/51984 52054 http://secunia.com/advisories/52054 56812 http://www.securityfocus.com/bid/56812 57126 http://secunia.com/advisories/57126 HPSBMU02873 https://h20566.www2.hp.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c03748878 HPSBST02955 http://marc.info/?l=bugtraq&m=139344343412337&w=2 HPSBUX02866 http://marc.info/?l=bugtraq&m=136612293908376&w=2 RHSA-2013:0004 http://rhn.redhat.com/errata/RHSA-2013-0004.html RHSA-2013:0005 http://rhn.redhat.com/errata/RHSA-2013-0005.html RHSA-2013:0146 http://rhn.redhat.com/errata/RHSA-2013-0146.html RHSA-2013:0147 http://rhn.redhat.com/errata/RHSA-2013-0147.html RHSA-2013:0151 http://rhn.redhat.com/errata/RHSA-2013-0151.html RHSA-2013:0157 http://rhn.redhat.com/errata/RHSA-2013-0157.html RHSA-2013:0158 http://rhn.redhat.com/errata/RHSA-2013-0158.html RHSA-2013:0162 http://rhn.redhat.com/errata/RHSA-2013-0162.html RHSA-2013:0163 http://rhn.redhat.com/errata/RHSA-2013-0163.html RHSA-2013:0164 http://rhn.redhat.com/errata/RHSA-2013-0164.html RHSA-2013:0191 http://rhn.redhat.com/errata/RHSA-2013-0191.html RHSA-2013:0192 http://rhn.redhat.com/errata/RHSA-2013-0192.html RHSA-2013:0193 http://rhn.redhat.com/errata/RHSA-2013-0193.html RHSA-2013:0194 http://rhn.redhat.com/errata/RHSA-2013-0194.html RHSA-2013:0195 http://rhn.redhat.com/errata/RHSA-2013-0195.html RHSA-2013:0196 http://rhn.redhat.com/errata/RHSA-2013-0196.html RHSA-2013:0197 http://rhn.redhat.com/errata/RHSA-2013-0197.html RHSA-2013:0198 http://rhn.redhat.com/errata/RHSA-2013-0198.html RHSA-2013:0221 http://rhn.redhat.com/errata/RHSA-2013-0221.html RHSA-2013:0235 http://rhn.redhat.com/errata/RHSA-2013-0235.html RHSA-2013:0623 http://rhn.redhat.com/errata/RHSA-2013-0623.html RHSA-2013:0640 http://rhn.redhat.com/errata/RHSA-2013-0640.html RHSA-2013:0641 http://rhn.redhat.com/errata/RHSA-2013-0641.html RHSA-2013:0642 http://rhn.redhat.com/errata/RHSA-2013-0642.html SSRT101139 SSRT101182 USN-1685-1 http://www.ubuntu.com/usn/USN-1685-1 http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/catalina/realm/RealmBase.java?r1=1377892&r2=1377891&pathrev=1377892 http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?r1=1377892&r2=1377891&pathrev=1377892 http://svn.apache.org/viewvc?view=revision&revision=1377892 http://tomcat.apache.org/security-6.html http://tomcat.apache.org/security-7.html openSUSE-SU-2012:1700 http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html openSUSE-SU-2012:1701 http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html openSUSE-SU-2013:0147 http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html oval:org.mitre.oval:def:19305 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19305 Common Vulnerability Exposure (CVE) ID: CVE-2012-4431 BugTraq ID: 56814 http://www.securityfocus.com/bid/56814 Bugtraq: 20121204 CVE-2012-4431 Apache Tomcat Bypass of CSRF prevention filter (Google Search) http://archives.neohapsis.com/archives/bugtraq/2012-12/0045.html HPdes Security Advisory: HPSBMU02873 HPdes Security Advisory: HPSBST02955 HPdes Security Advisory: HPSBUX02866 HPdes Security Advisory: SSRT101139 HPdes Security Advisory: SSRT101182 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18541 RedHat Security Advisories: RHSA-2013:0267 http://rhn.redhat.com/errata/RHSA-2013-0267.html RedHat Security Advisories: RHSA-2013:0268 http://rhn.redhat.com/errata/RHSA-2013-0268.html RedHat Security Advisories: RHSA-2013:0647 http://rhn.redhat.com/errata/RHSA-2013-0647.html RedHat Security Advisories: RHSA-2013:0648 http://rhn.redhat.com/errata/RHSA-2013-0648.html RedHat Security Advisories: RHSA-2013:1437 http://rhn.redhat.com/errata/RHSA-2013-1437.html RedHat Security Advisories: RHSA-2013:1853 http://rhn.redhat.com/errata/RHSA-2013-1853.html http://www.securitytracker.com/id?1027834 SuSE Security Announcement: openSUSE-SU-2012:1700 (Google Search) SuSE Security Announcement: openSUSE-SU-2012:1701 (Google Search) SuSE Security Announcement: openSUSE-SU-2013:0147 (Google Search) SuSE Security Announcement: openSUSE-SU-2013:0161 (Google Search) http://lists.opensuse.org/opensuse-updates/2013-01/msg00051.html SuSE Security Announcement: openSUSE-SU-2013:0192 (Google Search) http://lists.opensuse.org/opensuse-updates/2013-01/msg00080.html Common Vulnerability Exposure (CVE) ID: CVE-2012-4534 1027836 http://www.securitytracker.com/id?1027836 20121204 CVE-2012-4534 Apache Tomcat denial of service http://archives.neohapsis.com/archives/bugtraq/2012-12/0043.html 56813 http://www.securityfocus.com/bid/56813 http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/tomcat/util/net/NioEndpoint.java?r1=1340218&r2=1340217&pathrev=1340218 http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?r1=1340218&r2=1340217&pathrev=1340218 http://svn.apache.org/viewvc?view=revision&revision=1340218 https://issues.apache.org/bugzilla/show_bug.cgi?id=52858 openSUSE-SU-2013:0161 openSUSE-SU-2013:0170 http://lists.opensuse.org/opensuse-updates/2013-01/msg00061.html openSUSE-SU-2013:0192 oval:org.mitre.oval:def:19398 https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A19398
Copyright	Copyright (C) 2013 Greenbone AG

This is only one of 146377 vulnerability tests in our test suite. Find out more about running a complete security audit. To run a free test of this vulnerability against your system, register below.