Multiple security vulnerabilities have been discovered in the Tomcat servlet and JSP engine, which may result in information disclosure, the bypass of CSRF protections, bypass of the SecurityManager or denial of service.

Tomcat 6, an implementation of the Java Servlet and the JavaServer Pages (JSP) specifications and a pure Java web server environment, was affected by multiple security issues prior version 6.0.45.

CVE-2015-5174 Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /..
(slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.

CVE-2015-5345 The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.

CVE-2015-5351 The Manager and Host Manager applications in Apache Tomcat establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.

CVE-2016-0706 Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache /catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

CVE-2016-0714 The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

CVE-2016-0763 The setGlobalContext method in org/apache/naming/factory /ResourceLinkFactory.java in Apache Tomcat does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

For Debian 6 'Squeeze', these problems have been fixed in version 6.0.45-1~deb6u1.

We recommend that you upgrade your tomcat6 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:2045 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    Security Fix(es):

    * It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat     initialization script as writeable to the tomcat group. A member of the group or a malicious web     application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)

    * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user     to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a     web application that placed a crafted object in a session. (CVE-2016-0714)

    * It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the     HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client     implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use     this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a     malicious HTTP request. (CVE-2016-5388)

    * A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could     use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a     pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as     demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)

    * It was found that Tomcat could reveal the presence of a directory even when that directory was protected     by a security constraint. A user could make a request to a directory via a URL not ending with a slash     and, depending on whether Tomcat redirected that request, could confirm whether that directory existed.
    (CVE-2015-5345)

    * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a     security manager was configured. This allowed a web application to list all deployed web applications and     expose sensitive information such as session IDs. (CVE-2016-0706)

    Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was     discovered by Red Hat Product Security.

    Bug Fix(es):

    * Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were     compared to the file's attributes at installation time. Because these attributes change after the service     is started, the rpm -V command previously failed. With this update, the attributes mentioned above are     ignored in the RPM verification and the catalina.out file now passes the verification check. (BZ#1357123)

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Updated Red Hat JBoss Web Server 3.0.2 packages are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and prevent further, legitimate connections to the Tomcat server.
(CVE-2014-0230)

A flaw was found in the way httpd handled HTTP Trailer headers when processing requests using chunked encoding. A malicious client could use Trailer headers to set additional HTTP headers after header processing was performed by other modules. This could, for example, lead to a bypass of header restrictions defined with mod_headers.
(CVE-2013-5704)

Multiple flaws were found in the way httpd parsed HTTP requests and responses using chunked transfer encoding. A remote attacker could use these flaws to create a specially crafted request, which httpd would decode differently from an HTTP proxy software in front of it, possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)

* This enhancement update adds the Red Hat JBoss Web Server 3.0.2 packages to Red Hat Enterprise Linux 6. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-228)

Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.

The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2016:2599 advisory.

    Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

    The following packages have been upgraded to a newer upstream version: tomcat (7.0.69). (BZ#1287928)

    Security Fix(es):

    * A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These     applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request     to the root of the web application. This token could then be used by an attacker to perform a CSRF attack.
    (CVE-2015-5351)

    * It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user     to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a     web application that placed a crafted object in a session. (CVE-2016-0714)

    * A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to     access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763)

    * A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of     the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file     if the boundary was the typical tens of bytes long. (CVE-2016-3092)

    * A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could     use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a     pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call.
    (CVE-2015-5174)

    * It was found that Tomcat could reveal the presence of a directory even when that directory was protected     by a security constraint. A user could make a request to a directory via a URL not ending with a slash     and, depending on whether Tomcat redirected that request, could confirm whether that directory existed.
    (CVE-2015-5345)

    * It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a     security manager was configured. This allowed a web application to list all deployed web applications and     expose sensitive information such as session IDs. (CVE-2016-0706)

    Additional Changes:

    For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes     linked from the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

The following packages have been upgraded to a newer upstream version:
tomcat (7.0.69). (BZ#1287928)

Security Fix(es) :

* A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351)

* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)

* A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763)

* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.
(CVE-2016-3092)

* A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. (CVE-2015-5174)

* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured.
This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)

Additional Changes :

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

Tomcat 6 是一种纯 Java Web 服务器环境，作为 Java Servlet 与 JavaServer Pages (JSP) 规范的实现，受到 6.0.45 版之前的多种安全问题影响。

CVE-2015-5174 在 Apache Tomcat 6.0.45 之前的 6.x 版、7.0.65 之前的 7.x 版以及 8.0.27 之前的 8.x 版中，RequestUtil.java 有一个目录遍历漏洞，可允许经认证的远程用户绕过预定 SecurityManager 限制并通过 /..
Web 应用程序在 getResource、getResourceAsStream 或 getResourcePaths 调用中使用的路径名称中的 /..（斜线点点），这一点已由 $CATALINA_BASE/webapps 目录证实。

CVE-2015-5345 在 Apache Tomcat 6.0.45 之前的 6.x 版、7.0.67 之前的 7.x 版、8.0.30 之前的 8.x 版以及 9.0.0.M2 之前的 9.x 版中，Mapper 组件会在考虑安全限制与筛选器之前处理重定向，这可允许远程攻击者通过缺少结尾 / (斜线) 字符的 URL 来确定目录是否存在。

CVE-2015-5351 Apache Tomcat 中的 Manager 和 Host Manager 应用程序可建立会话，并为任意新请求发送 CSRF 标记，这可允许远程攻击者使用标记绕过 CSRF 保护机制。

CVE-2016-0706 Apache Tomcat 6.0.45 之前的 6.x 版、7.0.68 之前的 7.x 版、8.0.31 之前的 8.x 版以及 9.0.0.M2 之前的 9.x 版未将 org.apache.catalina.manager.StatusManagerServlet 放在 org/apache /catalina/core/RestrictedServlets.properties 列表上，可允许经认证的远程用户通过特别构建的 Web 应用程序，绕过预定的 SecurityManager 限制并读取任意 HTTP 请求，进而查找会话 ID 值。

CVE-2016-0714 在 Apache Tomcat 6.0.45 之前的 6.x 版、7.0.68 之前的 7.x 版、8.0.31 之前的 8.x 版以及 9.0.0.M2 之前的 9.x 版中，会话持久性功能的实现未正确处理会话属性，这可允许经认证的远程用户通过 Web 应用程序，在会话中放置特别构建的对象，进而绕过预定的 SecurityManager 限制，并在特权上下文中执行任意代码。

- CVE-2016-0763：在 Apache Tomcat 的 org/apache/naming/factory /ResourceLinkFactory.java 中，setGlobalContext 方法未考虑 ResourceLinkFactory.setGlobalContext 调用器是否获得授权，这可允许经认证的远程用户通过 Web 应用程序设置特别构建的全局环境，绕过预期 SecurityManager 限制，并读取或写入任意应用程序数据，或造成拒绝服务（应用程序中断）。

对于 Debian 6 'Squeeze'，已在 6.0.45-1~deb6u1 版本中修复这些问题。

我们建议您升级 tomcat6 程序包。

注意：Tenable Network Security 已直接从 DLA 安全公告中提取上述描述块。Tenable 已尝试在不引入其他问题的情况下尽可能进行了自动整理和排版。

在 Apache Tomcat 6.0.45 之前的 6.x 版、7.0.65 之前的 7.x 版以及 8.0.27 之前的 8.x 版中，RequestUtil.java 有一个目录遍历漏洞，可允许经过身份验证的远程用户绕过预期 SecurityManager 限制并通过 web 应用程序在 getResource、getResourceAsStream 或 getResourcePaths 调用中使用的路径名的 /..（斜杠、点、点）来列出父目录，$CATALINA_BASE/webapps 目录即为一例。(CVE-2015-5174) 影响 经过身份验证的远程用户可以绕过安全管理器获取部署 web 应用程序的目录的目录列表。BIG-IP/Enterprise Manager 拥有了创建和部署恶意 web 应用程序所需的访问级别意味着用户已经具有重要的信任级别（例如：root 级别）。BIG-IP 和 Enterprise Manager 系统不支持 Tomcat 配置中的自定义 web 应用程序。Traffix SDC 如果攻击者有系统本地网络的访问权限，就有可能会利用此漏洞；Tomcat 服务只能从内部网络访问。

远程 Redhat Enterprise Linux 6 主机上安装的程序包受到 RHSA-2016:2045 公告中提及的多个漏洞影响。

    Apache Tomcat 是适用于 Java Servlet 和 JavaServer Pages (JSP) 技术的 servlet 容器。

    安全修复：

    * 已发现 Tomcat 程序包安装的由 Tomcat 初始化脚本读取的某些配置文件，可写入 tomcat 群组。群组中的成员或部署在 Tomcat 上的恶意 Web 应用程序可使用此缺陷，升级其权限。(CVE-2016-6325)

    * 已发现多个 Tomcat 会话持久性机制可允许经身份验证的远程用户通过 Web 应用程序，在会话中放置构建的对象，绕过预期的 SecurityManager 限制，并在特权环境中执行任意代码。(CVE-2016-0714)

    * 已发现 tomcat 使用 HTTP 请求中 Proxy 标头的值来初始化 CGI 脚本的 HTTP_PROXY 环境变量，而某些 HTTP 客户端实现会不当使用这些变量来配置传出 HTTP 请求的代理。远程攻击者可能利用此缺陷，通过恶意 HTTP 请求，将 CGI 脚本执行的 HTTP 请求重定向到受攻击者控制的代理。(CVE-2016-5388)

    * 在 Tomcat 的 RequestUtil.java 中发现一个目录遍历缺陷。经身份验证的远程用户可利用此缺陷，绕过预期 SecurityManager 限制，并通过 Web 应用程序在 getResource、getResourceAsStream 或 getResourcePaths 调用中使用的路径名的“/..”来列出父目录，$CATALINA_BASE/webapps 目录即为一例。(CVE-2015-5174)

    * 已发现即使目录受到安全限制保护，Tomcat 仍可泄露该目录的存在。用户可通过不以斜线结尾的 URL 来请求某目录，且可确认该目录是否存在（根据 Tomcat 是否重定向该请求）。
    (CVE-2015-5345)

    * 已发现当配置了安全管理员时，Tomcat 允许 Web 应用程序加载 StatusManagerServlet。这允许 Web 应用程序列出所有已部署的 Web 应用程序，并泄露会话 ID 等敏感信息。(CVE-2016-0706)

    Red Hat 在此感谢 Scott Geary (VendHQ) 报告 CVE-2016-5388。CVE-2016-6325 问题由 Red Hat 产品安全团队发现。

    错误修复：

    * 由于 tomcat6 规范文件中的缺陷，所以在安装时会将 catalina.out 文件的 md5sum、大小、mtime 属性与该文件属性进行比较。由于这些属性在服务开始后发生更改，所以之前的 rpm -V 命令失败。通过此更新，在 RPM 验证中会忽略上述属性，且 catalina.out 文件现已通过验证检查。(BZ#1357123)

Tenable 已直接从 Red Hat Enterprise Linux 安全公告中提取上述描述块。

请注意，Nessus 尚未测试这些问题，而是只依据应用程序自我报告的版本号进行判断。

在 Tomcat servlet 和 JSP 引擎中发现多个安全漏洞，其可能导致信息泄露、绕过 CSRF 保护和 SecurityManager 或造成拒绝服务。

更新后的 Red Hat JBoss Web Server 3.0.2 程序包现在可用于 Red Hat Enterprise Linux 6。

Red Hat 产品安全团队将此更新评级为具有中等安全影响。可从“参考”部分中的 CVE 链接获取针对每个漏洞的通用漏洞评分系统 (CVSS) 基本分数，其给出了详细的严重性等级。

Red Hat JBoss Web Server 是一组用于托管 Java Web 应用程序的完全集成且经过认证的组件。它由 Apache HTTP Server、Apache Tomcat Servlet 容器、Apache Tomcat Connector (mod_jk)、JBoss HTTP Connector (mod_cluster)、Hibernate 和 Tomcat Native 库组成。

发现 Tomcat 在处理具有足够大请求正文的请求之后将保持连接处于打开状态。远程攻击者可能会利用此缺陷耗尽可用连接池并进一步阻止建立到 Tomcat 服务器的合法连接。
(CVE-2014-0230)

当处理使用分块编码的请求时，在 httpd 处理 HTTP 尾部标头的方式中发现一个缺陷。恶意客户端可使用尾部标头在其他模块执行了标头处理之后设置附加 HTTP 标头。例如，这可导致绕过 mod_headers 定义的标头限制。
(CVE-2013-5704)

在 httpd 使用分块传输编码解析 HTTP 请求和响应的方式中发现多种缺陷。远程攻击者可使用这些缺陷创建特别构建的请求，在该请求前 httpd 将以不同于解码 HTTP 代理软件的方式对其进行解码，从而可能导致 HTTP request smuggling 攻击。(CVE-2015-3183)

* 此增强更新为 Red Hat Enterprise Linux 6 添加了 Red Hat JBoss Web Server 3.0.2 程序包。这些程序包提供了对之前 Red Hat JBoss Web Server 版本的多个增强。(JIRA#JWS-228)

建议 Red Hat JBoss Web Server 用户升级这些更新后的程序包，其中添加了此项增强。

远程 Redhat Enterprise Linux 7 主机上安装的程序包受到 RHSA-2016:2599 公告中提及的多个漏洞的影响。

    Apache Tomcat 是适用于 Java Servlet 和 JavaServer Pages (JSP) 技术的 servlet 容器。

    下列程序包已升级到更新的上游版本：tomcat (7.0.69)。(BZ#1287928)

    安全修复：

    * 在 Manager 和 Host Manager 应用程序的 Tomcat 索引页面中发现一个 CSRF 缺陷。收到未经身份验证的 Web 应用程序根请求而发出重定向时，这些应用程序包含有效的 CSRF 标记。然后攻击者可利用此标记发动 CSRF 攻击。
    (CVE-2015-5351)

    * 已发现多个 Tomcat 会话持久性机制可允许经身份验证的远程用户通过 Web 应用程序，在会话中放置构建的对象，绕过预期的 SecurityManager 限制，并在特权环境中执行任意代码。(CVE-2016-0714)

    * 在 Tomcat 中发现一个安全管理员绕过缺陷，其允许经认证的远程用户访问任意应用程序数据，从而可能导致拒绝服务。(CVE-2016-0763)

    * 在 Commons FileUpload 中发现一个拒绝服务漏洞，如果边界是典型的数十字节长，而 multipart 边界的长度刚好小于用来读取已上传文件的缓冲区大小（4096 字节）时，便可能触发此漏洞。(CVE-2016-3092)

    * 在 Tomcat 的 RequestUtil.java 中发现一个目录遍历缺陷。经身份验证的远程用户可利用此缺陷，绕过预期 SecurityManager 限制，并通过 Web 应用程序在 getResource、getResourceAsStream 或 getResourcePaths 调用中使用的路径名的“/..”来列出父目录。
    (CVE-2015-5174)

    * 已发现即使目录受到安全限制保护，Tomcat 仍可泄露该目录的存在。用户可通过不以斜线结尾的 URL 来请求某目录，且可确认该目录是否存在（根据 Tomcat 是否重定向该请求）。
    (CVE-2015-5345)

    * 已发现当配置了安全管理员时，Tomcat 允许 Web 应用程序加载 StatusManagerServlet。这允许 Web 应用程序列出所有已部署的 Web 应用程序，并泄露会话 ID 等敏感信息。(CVE-2016-0706)

    其他变更：

    如需有关此发行版本的详细变更信息，请参阅可从“参考”部分链接的 Red Hat Enterprise Linux 7.3 版本说明。

Tenable 已直接从 Red Hat Enterprise Linux 安全公告中提取上述描述块。

请注意，Nessus 尚未测试这些问题，而是只依据应用程序自我报告的版本号进行判断。

Tomcat 更新现可用于 Red Hat Enterprise Linux 7。Red Hat 产品安全团队将此更新评级为具有中等安全影响。可从“参考”部分中的 CVE 链接获取通用漏洞评分系统 (CVSS) 基本分数，其针对每个漏洞给出了详细的严重性等级。Apache Tomcat 是适用于 Java Servlet 和 JavaServer Pages (JSP) 技术的 servlet 容器。下列程序包已升级到更新的上游版本：tomcat (7.0.69)。(BZ#1287928) 安全修复：* 在 Manager 和 Host Manager 应用程序的 Tomcat 索引页面中发现 CSRF 缺陷。收到未经身份验证的 Web 应用程序根请求而发出重定向时，这些应用程序包含有效的 CSRF 标记。然后攻击者可利用此标记发动 CSRF 攻击。(CVE-2015-5351) * 已发现多个 Tomcat 会话持久性机制可允许经身份验证的远程用户通过 Web 应用程序，在会话中放置构建的对象，绕过预期的 SecurityManager 限制，并在特权环境中执行任意代码。(CVE-2016-0714) * 在 Tomcat 中发现安全管理员绕过缺陷，其允许经身份验证的远程用户访问任意应用程序数据，从而可能导致拒绝服务。(CVE-2016-0763) * 在 Commons FileUpload 中发现拒绝服务漏洞，如果边界是典型的数十字节长，而 multipart 边界的长度刚好小于用来读取已上传文件的缓冲区大小（4096 字节）时，便可能触发此漏洞。(CVE-2016-3092) * 在 Tomcat 的 RequestUtil.java 中发现目录遍历缺陷。经身份验证的远程用户可利用此缺陷，绕过预期 SecurityManager 限制，并通过 Web 应用程序在 getResource、getResourceAsStream 或 getResourcePaths 调用中使用的路径名的“/..”来列出父目录。(CVE-2015-5174) * 已发现即使目录受到安全限制保护，Tomcat 仍可泄露该目录的存在。用户可通过不以斜线结尾的 URL 来请求某目录，且可确认该目录是否存在（根据 Tomcat 是否重定向该请求）。(CVE-2015-5345) * 已发现当配置了安全管理员时，Tomcat 允许 Web 应用程序加载 StatusManagerServlet。这允许 Web 应用程序列出所有已部署的 Web 应用程序，并泄露会话 ID 等敏感信息。(CVE-2016-0706) 其他更改：如需有关此发行版本的详细变更信息，请参阅可从“参考”部分链接的 Red Hat Enterprise Linux 7.3 发行说明。

The version of Apache Tomcat installed on the remote host is < 7.0.65. It is, therefore, affected by a vulnerability as referenced in the fixed_in_apache_tomcat_7.0.65_security-7 advisory. Note that Nessus Network Monitor has not tested for this issue but has instead relied only on the application's self-reported version number.

According to its self-reported version number, the Apache Tomcat instance listening on the remote host is 6.0.x prior to 6.0.45, or 7.0.x prior to 7.0.65, or 8.0.x prior to 8.0.27. It is, therefore, affected by the following vulnerability:

 - A directory traversal vulnerability exists in Tomcat when accessing resources via ServletContext methods using paths beginning with '/..'. An unauthenticated, remote attacker can exploit this, by sending a specially crafted request, to obtain a directory listing for the directory in which the application was deployed.

Note that Nessus Network Monitor has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	名称	产品	系列	发布时间	最近更新时间	严重程度
91906	Debian DSA-3609-1 : tomcat8 - security update	Nessus	Debian Local Security Checks	2016/7/1	2021/1/11	high
88996	Debian DLA-435-1 : tomcat6 security update	Nessus	Debian Local Security Checks	2016/2/29	2021/1/11	high
93950	RHEL 6 : tomcat6 (RHSA-2016:2045)	Nessus	Red Hat Local Security Checks	2016/10/11	2025/3/20	high
87457	RHEL 6 : JBoss Web Server (RHSA-2015:2659)	Nessus	Red Hat Local Security Checks	2015/12/17	2021/2/5	medium
94562	RHEL 7 : tomcat (RHSA-2016:2599)	Nessus	Red Hat Local Security Checks	2016/11/4	2025/3/20	high
95345	CentOS 7 : tomcat (CESA-2016:2599)	Nessus	CentOS Local Security Checks	2016/11/28	2021/1/4	high
88996	Debian DLA-435-1：tomcat6 安全更新	Nessus	Debian Local Security Checks	2016/2/29	2021/1/11	high
97421	F5 网络 BIG-IP：Apache Tomcat 6.x 漏洞 (K30971148)	Nessus	F5 Networks Local Security Checks	2017/2/28	2020/3/18	medium
93950	RHEL 6：tomcat6 (RHSA-2016:2045)	Nessus	Red Hat Local Security Checks	2016/10/11	2025/3/20	high
91906	Debian DSA-3609-1：tomcat8 - 安全更新	Nessus	Debian Local Security Checks	2016/7/1	2021/1/11	high
87457	RHEL 6：JBoss Web Server (RHSA-2015:2659)	Nessus	Red Hat Local Security Checks	2015/12/17	2021/2/5	medium
94562	RHEL 7：tomcat (RHSA-2016:2599)	Nessus	Red Hat Local Security Checks	2016/11/4	2025/3/20	high
95345	CentOS 7 : tomcat (CESA-2016:2599)	Nessus	CentOS Local Security Checks	2016/11/28	2021/1/4	high
701335	Apache Tomcat < 7.0.65 Vulnerability	Nessus Network Monitor	Web Servers	2021/4/14	2021/4/14	medium
9317	Apache Tomcat 6.0.x < 6.0.45 / 7.0.x < 7.0.65 / 8.0.x < 8.0.27 Directory Traversal	Nessus Network Monitor	Web Servers	2016/5/24	2019/3/6	medium

检测

插件搜索

high

high

high

medium

high

high

high

medium

high

high

medium

high

high

medium

medium