-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                              ESB-2019.3216.2
             SA156: Apache Tomcat Vulnerabilities Apr-Oct 2017
                              23 August 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Symantec Network Protection products
Publisher:         Symantec
Operating System:  Network Appliance
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                   Modify Arbitrary Files          -- Remote/Unauthenticated      
                   Denial of Service               -- Remote/Unauthenticated      
                   Provide Misleading Information  -- Remote with User Interaction
                   Access Confidential Data        -- Remote/Unauthenticated      
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-12617 CVE-2017-12616 CVE-2017-12615
                   CVE-2017-7675 CVE-2017-7674 CVE-2017-5664
                   CVE-2017-5651 CVE-2017-5650 CVE-2017-5648
                   CVE-2017-5647  

Reference:         ESB-2019.1276
                   ESB-2018.3866
                   ESB-2018.3165
                   ESB-2018.1791
                   ESB-2018.1630
                   ESB-2018.1403

Original Bulletin: 
   http://support.symantec.com/us/en/article.SYMSA1419.html

Revision History:  August 23 2019: Included publisher
                   August 23 2019: Initial Release

- --------------------------BEGIN INCLUDED TEXT--------------------

SA156: Apache Tomcat Vulnerabilities Apr-Oct 2017

SYMSA1419
Last Updated August 13, 2019
Initial Publication Date November 07, 2017
 
Summary

Affected Products


+----------------------------------------------------------------------+
|                    Advanced Secure Gateway (ASG)                     |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|CVE-2017-5647|6.7                |Not available at this time          |
|CVE-2017-5664+-------------------+------------------------------------+
|             |6.6                |Upgrade to later release with fixes.|
+-------------+-------------------+------------------------------------+

+----------------------------------------------------------------------+
|                        Content Analysis (CA)                         |
+-------------+-------------------+------------------------------------+
|     CVE     |Affected Version(s)|Remediation                         |
+-------------+-------------------+------------------------------------+
|CVE-2017-5647|2.3                |Upgrade to 2.3.5.1.                 |
|CVE-2017-5664+-------------------+------------------------------------+
|             |1.3, 2.1, 2.2      |Upgrade to later version with fixes.|
+-------------+-------------------+------------------------------------+

+-------------------------------------------------------+
|                       Director                        |
+--------------+-------------------+--------------------+
|     CVE      |Affected Version(s)|Remediation         |
+--------------+-------------------+--------------------+
|CVE-2017-7674 |                   |                    |
|CVE-2017-12615|6.1                |Upgrade to 6.1.23.3.|
|CVE-2017-12616|                   |                    |
|CVE-2017-12617|                   |                    |
+--------------+-------------------+--------------------+

+-------------------------------------------------------+
|                IntelligenceCenter (IC)                |
+--------+-------------------+--------------------------+
|  CVE   |Affected Version(s)|Remediation               |
+--------+-------------------+--------------------------+
|All CVEs|3.3                |Not available at this time|
+--------+-------------------+--------------------------+

+-------------------------------------------------------+
|        IntelligenceCenter Data Collector (DC)         |
+--------+-------------------+--------------------------+
|  CVE   |Affected Version(s)|Remediation               |
+--------+-------------------+--------------------------+
|All CVEs|3.3                |Not available at this time|
+--------+-------------------+--------------------------+

+------------------------------------------------------------+
|                 Mail Threat Defense (MTD)                  |
+-------------+-------------------+--------------------------+
|     CVE     |Affected Version(s)|Remediation               |
+-------------+-------------------+--------------------------+
|CVE-2017-5647|1.1                |Not available at this time|
|CVE-2017-5664|                   |                          |
+-------------+-------------------+--------------------------+

+-----------------------------------------------------------------------------+
|                           Management Center (MC)                            |
+------------------+----------------------------------+-----------------------+
|       CVE        |Affected Version(s)               |Remediation            |
+------------------+----------------------------------+-----------------------+
|  CVE-2017-5647,  |2.0 and later                     |Not vulnerable, fixed  |
|  CVE-2017-5650   |                                  |in 2.0.1.1.            |
|  CVE-2017-5651,  +----------------------------------+-----------------------+
|  CVE-2017-5664   |1.11                              |Upgrade to later       |
|                  |                                  |version with fixes.    |
+------------------+----------------------------------+-----------------------+
|                  |2.0 and later                     |Not vulnerable, fixed  |
|  CVE-2017-5648,  |                                  |in 2.0.1.1.            |
|  CVE-2017-7674,  +----------------------------------+-----------------------+
|  CVE-2017-7675   |1.11 (not vulnerable to known     |Upgrade to later       |
|                  |vectors of attack)                |version with fixes.    |
+------------------+----------------------------------+-----------------------+
|                  |2.3 (not vulnerable to known      |Not vulnerable, fixed  |
|                  |vectors of attack)                |in 2.3.1.1.            |
|                  +----------------------------------+-----------------------+
|                  |2.2 (not vulnerable to known      |Upgrade to 2.2.2.1.    |
|                  |vectors of attack)                |                       |
|  CVE-2017-12617  +----------------------------------+-----------------------+
|                  |2.1 (not vulnerable to known      |Not available at this  |
|                  |vectors of attack)                |time                   |
|                  +----------------------------------+-----------------------+
|                  |1.11 - 2.0 (not vulnerable to     |Upgrade to later       |
|                  |known vectors of attack)          |version with fixes.    |
+------------------+----------------------------------+-----------------------+

+-----------------------------------------------------------------------+
|                             X-Series XOS                              |
+--------------+-------------------+------------------------------------+
|     CVE      |Affected Version(s)|Remediation                         |
+--------------+-------------------+------------------------------------+
|              |11.0               |Not available at this time          |
|CVE-2017-5664 +-------------------+------------------------------------+
|CVE-2017-12615|10.0               |Not available at this time          |
|CVE-2017-12617+-------------------+------------------------------------+
|              |9.7                |Upgrade to later version with fixes.|
+--------------+-------------------+------------------------------------+
|CVE-2017-5647 |11.0               |Not available at this time          |
|CVE-2017-12616|                   |                                    |
+--------------+-------------------+------------------------------------+

Additional Product Information



Some Symantec Network Protection products do not enable or use all
functionality within Apache Tomcat. The products listed below do not utilize
the functionality described in the CVEs below and are thus not known to be
vulnerable to them. However, fixes for these CVEs will be included in the
patches that are provided.

  o ASG: CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617
  o CA: CVE-2017-5648 (2.2 only), CVE-2017-7674, CVE-2017-12615,
    CVE-2017-12616, and CVE-2017-12617
  o MTD: CVE-2017-7674, CVE-2017-12615, CVE-2017-12616, and CVE-2017-12617
  o MC: CVE-2017-5648, CVE-2017-7674, CVE-2017-7675, and CVE-2017-12617

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
General Auth Connector Login Application
K9
Malware Analysis
Norman Shark Industrial Control System Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent

Issues


+-----------------------------------------------------------------------------+
|                                CVE-2017-5647                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |NVD: CVE-2017-5647                                               |
+-----------+-----------------------------------------------------------------+
|  Impact   |Information disclosure, unauthorized modification                |
+-----------+-----------------------------------------------------------------+
|           |A flaw in pipelined request handling allows a remote attacker to |
|Description|send crafted pipelined HTTP requests and obtain sensitive        |
|           |information or cause the target to return incorrect responses to |
|           |other pipelined requests.                                        |
+-----------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                                CVE-2017-5648                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 97530 / NVD: CVE-2017-5648                    |
+-----------+-----------------------------------------------------------------+
|  Impact   |Information disclosure, unauthorized modification                |
+-----------+-----------------------------------------------------------------+
|           |A flaw in servlet restrictions allows an untrusted web           |
|           |application under a SecurityManager to view and modify           |
|Description|information associated with another web application. An attacker |
|           |must be able to deploy a malicious web application to exploit    |
|           |this vulnerability.                                              |
+-----------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                                CVE-2017-5650                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 97531 / NVD: CVE-2017-5650                    |
+-----------+-----------------------------------------------------------------+
|  Impact   |Denial of service                                                |
+-----------+-----------------------------------------------------------------+
|           |A flaw in resource deallocation allows a remote attacker to send |
|Description|crafted HTTP/2 requests and cause denial of service through      |
|           |resource exhaustion.                                             |
+-----------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                                CVE-2017-5651                                |
+-----------+-----------------------------------------------------------------+
|Severity / |High / 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)                          |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 97544 / NVD: CVE-2017-5651                    |
+-----------+-----------------------------------------------------------------+
|  Impact   |Information disclosure, unauthorized modification                |
+-----------+-----------------------------------------------------------------+
|           |A flaw in request handling allows a remote attacker to send HTTP |
|Description|requests and obtain sensitive information or cause the target to |
|           |return incorrect responses to other HTTP requests.               |
+-----------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                                CVE-2017-5664                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 98888 / NVD: CVE-2017-5664                    |
+-----------+-----------------------------------------------------------------+
|  Impact   |Unauthorized modification                                        |
+-----------+-----------------------------------------------------------------+
|Description|A flaw in HTTP error processing allows a remote attacker to send |
|           |crafted HTTP requests and modify server behavior.                |
+-----------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                                CVE-2017-7674                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 100280 / NVD: CVE-2017-7674                   |
+-----------+-----------------------------------------------------------------+
|  Impact   |HTTP cache poisoning                                             |
+-----------+-----------------------------------------------------------------+
|Description|A flaw in the CORS filter allows remote attackers to perform     |
|           |client and server side HTTP response cache poisoning.            |
+-----------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                                CVE-2017-7675                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 100256 / NVD: CVE-2017-7675                   |
+-----------+-----------------------------------------------------------------+
|  Impact   |Directory traversal                                              |
+-----------+-----------------------------------------------------------------+
|Description|A flaw in the HTTP/2 implementation allows remote attackers to   |
|           |bypass security constraints and perform directory traversal.     |
+-----------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                               CVE-2017-12615                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 100901 / NVD: CVE-2017-12615                  |
+-----------+-----------------------------------------------------------------+
|  Impact   |Code execution                                                   |
+-----------+-----------------------------------------------------------------+
|           |A flaw allows remote attackers to send crafted requests to upload|
|Description|and execute arbitrary JSP code on the server. This is a different|
|           |vulnerability from CVE-2017-12617.                               |
+-----------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                               CVE-2017-12616                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 100897 / NVD: CVE-2017-12616                  |
+-----------+-----------------------------------------------------------------+
|  Impact   |Information disclosure                                           |
+-----------+-----------------------------------------------------------------+
|Description|A flaw allows remote attackers to send crafted requests to bypass|
|           |security constraints and view JSP source code.                   |
+-----------+-----------------------------------------------------------------+

+-----------------------------------------------------------------------------+
|                               CVE-2017-12617                                |
+-----------+-----------------------------------------------------------------+
|Severity / |Medium / 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)                        |
|  CVSSv2   |                                                                 |
+-----------+-----------------------------------------------------------------+
|References |SecurityFocus: BID 100954 / NVD: CVE-2017-12617                  |
+-----------+-----------------------------------------------------------------+
|  Impact   |Code execution                                                   |
+-----------+-----------------------------------------------------------------+
|           |A flaw allows remote attackers to send crafted requests to upload|
|Description|and execute arbitrary JSP code on the server. This is a different|
|           |vulnerability from CVE-2017-12615.                               |
+-----------+-----------------------------------------------------------------+

Mitigation



These vulnerabilities can be exploited only through the management interfaces
for all vulnerable products. Allowing only machines, IP addresses and subnets
from a trusted network to access the management interface reduces the threat of
exploiting the vulnerabilities.
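
One way to check that the restriction above is actually in effect is to audit the management interface's access log for requests from outside the trusted networks. This is an added example, not code from Symantec or AusCERT. It assumes the log is available in Common Log Format, and the trusted networks and log lines shown are constructed samples.

```python
import ipaddress
import re
from collections import Counter

# Constructed trusted ranges (assumption): replace with your management networks.
TRUSTED_NETWORKS = ["10.20.0.0/24", "192.0.2.10/32", "2001:db8:10::/64"]

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines, including one malformed entry.
SAMPLE_LOG = """\
10.20.0.15 - admin [13/Aug/2019:09:12:01 +1000] "GET /login HTTP/1.1" 200 5120
203.0.113.77 - - [13/Aug/2019:09:14:37 +1000] "GET /login HTTP/1.1" 200 5120
203.0.113.77 - - [13/Aug/2019:09:14:39 +1000] "POST /login HTTP/1.1" 401 312
192.0.2.10 - admin [13/Aug/2019:09:20:00 +1000] "GET /status HTTP/1.1" 200 880
2001:db8:99::5 - - [13/Aug/2019:09:21:10 +1000] "GET / HTTP/1.1" 302 -
this line is truncated
"""


def audit_sources(log_text, trusted=TRUSTED_NETWORKS):
    """Return ({untrusted_source: request_count}, unparsed_line_count)."""
    nets = [ipaddress.ip_network(n) for n in trusted]
    untrusted = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        match = CLF.match(line)
        if not match:
            unparsed += 1  # keep a count so gaps in coverage are visible
            continue
        try:
            addr = ipaddress.ip_address(match.group("host"))
        except ValueError:
            unparsed += 1  # host field is a name, not an address
            continue
        # Compare only against networks of the same IP version.
        allowed = any(addr.version == n.version and addr in n for n in nets)
        if not allowed:
            untrusted[str(addr)] += 1
    return dict(untrusted), unparsed


if __name__ == "__main__":
    sources, skipped = audit_sources(SAMPLE_LOG)
    for src, count in sorted(sources.items()):
        print(f"untrusted source {src}: {count} request(s)")
    print(f"unparsed lines: {skipped}")
```

Any source reported here reached the management interface despite the intended restriction, so the filtering rule in front of it needs review.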

References



Apache Tomcat 7 vulnerabilities - https://tomcat.apache.org/security-7.html
Apache Tomcat 8 vulnerabilities - https://tomcat.apache.org/security-8.html
Apache Tomcat 9 vulnerabilities - https://tomcat.apache.org/security-9.html

Revisions



2019-08-07 A fix for MC 2.0 will not be provided. Please upgrade to a later
version with the vulnerability fixes. A fix for CVE-2017-12617 in MC 2.2 is
available in 2.2.2.1. MC 2.3 is not vulnerable because a fix is available in
2.3.1.1.
2019-08-07 A fix for ASG 6.6 will not be provided. Please upgrade to a later
version with the vulnerability fixes.
2019-02-04 A fix for CA 1.3 and CA 2.2 will not be provided. Please upgrade to
a later version with the vulnerability fixes.
2019-01-14 MC 2.1 has vulnerable code for CVE-2017-12617, but is not vulnerable
to known vectors of attack. A fix for MC 1.11 will not be provided. Please
upgrade to a later version with the vulnerability fixes.
2019-01-11 A fix for CA 2.3 is available in 2.3.5.1. A fix for CA 2.1 will not
be provided. Please upgrade to a later version with the vulnerability fixes.
2018-07-26 MC 2.0 is not vulnerable to all CVEs except CVE-2017-12617 because a
fix is available in 2.0.1.1.
2018-04-25 A fix for XOS 9.7 will not be provided. Please upgrade to a later
version with the vulnerability fixes.
2018-04-22 CA 2.3 is vulnerable to CVE-2017-5647 and CVE-2017-5664.
2017-12-06 A fix for Director 6.1 is available in 6.1.23.3.
2017-11-07 initial public release

Legacy ID: SA156

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----