Vulnerability   
Search   
    Search 211766 CVE descriptions
and 97459 test descriptions,
access 10,000+ cross references.
Tests   CVE   All  

Test ID:1.3.6.1.4.1.25623.1.0.871000
Category:Red Hat Local Security Checks
Title:RedHat Update for tomcat6 RHSA-2013:0869-01
Summary:The remote host is missing an update for the 'tomcat6'; package(s) announced via the referenced advisory.
Description:Summary:
The remote host is missing an update for the 'tomcat6'
package(s) announced via the referenced advisory.

Vulnerability Insight:
Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

A flaw was found in the way the tomcat6 init script handled the
tomcat6-initd.log log file. A malicious web application deployed on Tomcat
could use this flaw to perform a symbolic link attack to change the
ownership of an arbitrary system file to that of the tomcat user, allowing
them to escalate their privileges to root. (CVE-2013-1976)

Note: With this update, tomcat6-initd.log has been moved from
/var/log/tomcat6/ to the /var/log/ directory.

It was found that the RHSA-2013:0623 update did not correctly fix
CVE-2012-5887, a weakness in the Tomcat DIGEST authentication
implementation. A remote attacker could use this flaw to perform replay
attacks in some circumstances. Additionally, this problem also prevented
users from being able to authenticate using DIGEST authentication.
(CVE-2013-2051)

Red Hat would like to thank Simon Fayer of Imperial College London for
reporting the CVE-2013-1976 issue.

Users of Tomcat are advised to upgrade to these updated packages, which
correct these issues. Tomcat must be restarted for this update to take
effect.

Affected Software/OS:
tomcat6 on Red Hat Enterprise Linux Server (v. 6),
Red Hat Enterprise Linux Workstation (v. 6)

Solution:
Please Install the Updated Packages.

CVSS Score:
6.9

CVSS Vector:
AV:L/AC:M/Au:N/C:C/I:C/A:C

Cross-Ref: Common Vulnerability Exposure (CVE) ID: CVE-2013-1976
RedHat Security Advisories: RHSA-2013:0869
http://rhn.redhat.com/errata/RHSA-2013-0869.html
RedHat Security Advisories: RHSA-2013:0870
http://rhn.redhat.com/errata/RHSA-2013-0870.html
RedHat Security Advisories: RHSA-2013:0871
http://rhn.redhat.com/errata/RHSA-2013-0871.html
RedHat Security Advisories: RHSA-2013:0872
http://rhn.redhat.com/errata/RHSA-2013-0872.html
SuSE Security Announcement: openSUSE-SU-2013:1306 (Google Search)
http://lists.opensuse.org/opensuse-updates/2013-08/msg00013.html
Common Vulnerability Exposure (CVE) ID: CVE-2013-2051
BugTraq ID: 60187
http://www.securityfocus.com/bid/60187
Common Vulnerability Exposure (CVE) ID: CVE-2012-5887
BugTraq ID: 56403
http://www.securityfocus.com/bid/56403
RedHat Security Advisories: RHSA-2013:0623
http://rhn.redhat.com/errata/RHSA-2013-0623.html
RedHat Security Advisories: RHSA-2013:0629
http://rhn.redhat.com/errata/RHSA-2013-0629.html
RedHat Security Advisories: RHSA-2013:0631
http://rhn.redhat.com/errata/RHSA-2013-0631.html
RedHat Security Advisories: RHSA-2013:0632
http://rhn.redhat.com/errata/RHSA-2013-0632.html
RedHat Security Advisories: RHSA-2013:0633
http://rhn.redhat.com/errata/RHSA-2013-0633.html
RedHat Security Advisories: RHSA-2013:0640
http://rhn.redhat.com/errata/RHSA-2013-0640.html
RedHat Security Advisories: RHSA-2013:0647
http://rhn.redhat.com/errata/RHSA-2013-0647.html
RedHat Security Advisories: RHSA-2013:0648
http://rhn.redhat.com/errata/RHSA-2013-0648.html
RedHat Security Advisories: RHSA-2013:0726
http://rhn.redhat.com/errata/RHSA-2013-0726.html
http://secunia.com/advisories/51371
SuSE Security Announcement: openSUSE-SU-2012:1700 (Google Search)
http://lists.opensuse.org/opensuse-updates/2012-12/msg00089.html
SuSE Security Announcement: openSUSE-SU-2012:1701 (Google Search)
http://lists.opensuse.org/opensuse-updates/2012-12/msg00090.html
SuSE Security Announcement: openSUSE-SU-2013:0147 (Google Search)
http://lists.opensuse.org/opensuse-updates/2013-01/msg00037.html
http://www.ubuntu.com/usn/USN-1637-1
XForce ISS Database: tomcat-digest-security-bypass(79809)
https://exchange.xforce.ibmcloud.com/vulnerabilities/79809
CopyrightCopyright (C) 2013 Greenbone Networks GmbH

This is only one of 97459 vulnerability tests in our test suite. Find out more about running a complete security audit.

To run a free test of this vulnerability against your system, register below.




© 1998-2021 E-Soft Inc. All rights reserved.