SA118: February 2016 Apache Tomcat Vulnerabilities

Security Advisories ID: 
SA118
Published Date: 
March 15, 2016
Advisory Status: 
Interim
Advisory Severity: 
Medium
CVSS v2 base score: 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE Number: 
CVE-2015-5174 - 4.0 (MEDIUM) (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVE-2015-5345 - 5.0 (MEDIUM) (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CVE-2015-5346 - 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2015-5351 - 6.8 (MEDIUM) (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVE-2016-0706 - 4.0 (MEDIUM) (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CVE-2016-0714 - 6.5 (MEDIUM) (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CVE-2016-0763 - 6.5 (MEDIUM) (AV:N/AC:L/Au:S/C:P/I:P/A:P)

Blue Coat products that include affected versions of Apache Tomcat are susceptible to multiple vulnerabilities.  A remote attacker, with access to the management interface, can exploit these vulnerabilities to determine the existence of a directory that they are not authorized to view, and perform session fixation and CSRF attacks.  An authenticated remote attacker, who can access the management interface and deploy a malicious web application, can also execute arbitrary code, impersonate authenticated clients, view the directory listing of the Apache Tomcat web applications directory, gain unauthorized read/write access to data owned by other deployed web applications, and disrupt other deployed web applications.

Affected Products: 

The following products are vulnerable:

Director
Director 6.1 prior to 6.1.22.1 is vulnerable to CVE-2015-5345.

IntelligenceCenter
IC 3.3 prior to 3.3.3.3 is vulnerable to CVE-2015-5174, CVE-2015-5345, CVE-2016-0706, and CVE-2016-0714.

IntelligenceCenter Data Collector
DC 3.3 is vulnerable to all CVEs.

Management Center
MC 1.5, 1.6, 1.7, 1.8, and 1.9 are vulnerable to CVE-2015-5345.  Exploiting the vulnerability does not have any security impact because MC does not have any non-public directories or web applications.

X-Series XOS
XOS 9.7, 10.0 and 11.0 are vulnerable to CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763.

The following products have a vulnerable version of Apache Tomcat, but are not vulnerable to known vectors of attack:

Advanced Secure Gateway
ASG 6.6 has a vulnerable version of Apache Tomcat.

Content Analysis System
CAS 1.2 and 1.3 have a vulnerable version of Apache Tomcat.

Mail Threat Defense
MTD 1.1 has a vulnerable version of Apache Tomcat.

The following products are not vulnerable:
Android Mobile Agent
AuthConnector
BCAAA
Blue Coat HSM Agent for the Luna SP
CacheFlow
Client Connector
Cloud Data Protection for Salesforce
Cloud Data Protection for Salesforce Analytics
Cloud Data Protection for ServiceNow
Cloud Data Protection for Oracle CRM On Demand
Cloud Data Protection for Oracle Field Service Cloud
Cloud Data Protection for Oracle Sales Cloud
Cloud Data Protection Integration Server
Cloud Data Protection Communication Server
Cloud Data Protection Policy Builder
General Auth Connector Login Application
K9
Malware Analysis Appliance
Norman Shark Industrial Control System Protection
Norman Shark Network Protection
Norman Shark SCADA Protection
PacketShaper
PacketShaper S-Series
PolicyCenter
PolicyCenter S-Series
ProxyAV
ProxyAV ConLog and ConLogXP
ProxyClient
ProxySG
Reporter
Security Analytics
SSL Visibility
Unified Agent

Blue Coat no longer provides vulnerability information for the following products:

DLP
Please contact Digital Guardian technical support regarding vulnerability information for DLP.

Advisory Details: 

This Security Advisory addresses multiple Apache Tomcat vulnerabilities announced in February 2016.  Blue Coat products that include a vulnerable version of Apache Tomcat and make use of the affected functionality are vulnerable.  Attackers must have access to the management interface to exploit these vulnerabilities.

  • CVE-2015-5174 is a flaw in the ServletContext class that allows a remote attacker to bypass security restrictions and obtain the directory listing of the Tomcat web applications directory.  The attacker must be able to deploy a malicious web application to exploit the vulnerability.
  • CVE-2015-5345 is a flaw in the request redirect logic that allows a remote attacker to determine the existence of a directory that the attacker is not authorized to view.
  • CVE-2015-5346 is a flaw in Request object recycling where the object's requestedSessionSSL is not correctly recycled.  A remote attacker, who can force a client to use a recycled Request object, can perform a session fixation attack if the web application is configured to use the SSL session ID as the HTTP session ID.  A successful session fixation attack allows the remote attacker to send malicious requests to the victim on behalf of an authenticated user.
  • CVE-2015-5351 is a flaw in the Manager and Host Manager applications that allows a remote attacker to obtain a valid CSRF token and use that token to perform a CSRF attack.
  • CVE-2016-0706 is a flaw in servlet restrictions that allows a remote attacker to bypass security restrictions and obtain the currently processed HTTP request lines for all deployed web applications.  The HTTP requests obtained include web application session IDs, which may allow the attacker to impersonate authenticated users of any deployed web application.  The attacker must be able to deploy a malicious web application to exploit the vulnerability.
  • CVE-2016-0714 is a flaw in session persistence that allows a remote attacker to bypass security restrictions and execute arbitrary code in a privileged context by placing a crafted object in a session.  The attacker must be able to deploy a malicious web application to exploit the vulnerability.
  • CVE-2016-0763 is a flaw in the ResourceLinkFactory class that allows a remote attacker to bypass security restrictions and gain unauthorized read and write access to data owned by deployed web applications. The attacker can also disrupt deployed web applications, causing denial of service.  The attacker must be able to deploy a malicious web application to exploit the vulnerability.
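The CVE-2015-5345 entry above describes a redirect oracle: an unpatched Tomcat answers a request for a protected directory written without a trailing slash with a 302 to the slash-terminated URL before it evaluates the security constraint, while a directory that does not exist gets a 404. The following detector is an added example, not code from this advisory or from Blue Coat; it scans access-log lines in Tomcat's AccessLogValve "common"/"combined" layout for exactly that pattern, where such a log is available for the management interface. The protected directory "admin", the sample log lines, and the source addresses are all constructed for the example.

```python
"""Flag CVE-2015-5345 style directory-existence probes in a Tomcat access log."""
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Leading fields of Tomcat's AccessLogValve "common"/"combined" pattern:
# ip ident authuser [timestamp] "METHOD target HTTP/x.y" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Directory names that must never be confirmed to an unauthenticated client:
# the container-reserved ones plus, as an assumption for this example, an
# application directory ("admin") that a security constraint protects.
PROTECTED_DIRS = frozenset({"WEB-INF", "META-INF", "admin"})


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return the named fields of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_redirect_probe(entry: Dict[str, str]) -> bool:
    """True for an unauthenticated request that names a protected directory
    without a trailing slash and was answered with a 302.  On an unpatched
    Tomcat the 302 is issued before the security constraint is checked, so the
    status code alone tells the client whether the directory exists.  A 302 for
    an authenticated user is the normal trailing-slash redirect and is ignored."""
    if entry["user"] != "-":
        return False
    path = entry["target"].split("?", 1)[0]
    if path.endswith("/"):
        return False
    return entry["status"] == "302" and path.rsplit("/", 1)[-1] in PROTECTED_DIRS


def find_probes(lines: List[str]) -> List[Tuple[str, str]]:
    """(source ip, requested target) for every matching line, in log order."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and is_redirect_probe(entry):
            hits.append((entry["ip"], entry["target"]))
    return hits


def probes_per_source(lines: List[str]) -> Counter:
    """How many probe hits each source address produced; a client walking a
    wordlist of directory names stands out by count."""
    return Counter(ip for ip, _ in find_probes(lines))


# Constructed sample log lines (not taken from any real appliance).
SAMPLE_LOG = [
    '203.0.113.7 - - [15/Mar/2016:10:01:12 +0000] "GET /app/WEB-INF HTTP/1.1" 302 - "-" "curl/7.47.0"',
    '203.0.113.7 - - [15/Mar/2016:10:01:13 +0000] "GET /app/WEB-INF/ HTTP/1.1" 404 1023 "-" "curl/7.47.0"',
    '203.0.113.7 - - [15/Mar/2016:10:01:14 +0000] "GET /app/admin?x=1 HTTP/1.1" 302 - "-" "curl/7.47.0"',
    '203.0.113.7 - - [15/Mar/2016:10:01:15 +0000] "GET /app/backup HTTP/1.1" 404 1023 "-" "curl/7.47.0"',
    '198.51.100.4 - - [15/Mar/2016:10:02:01 +0000] "GET /app/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Mar/2016:10:02:02 +0000] "GET /app/admin/ HTTP/1.1" 401 - "-" "Mozilla/5.0"',
    '198.51.100.4 - alice [15/Mar/2016:10:02:03 +0000] "GET /app/admin HTTP/1.1" 302 - "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target in find_probes(SAMPLE_LOG):
        print(f"possible CVE-2015-5345 probe from {ip}: {target}")
    print(dict(probes_per_source(SAMPLE_LOG)))
```

A single hit is weak evidence on its own; the signal is a source that collects several 302s for distinct protected names from outside the trusted management network, which is also the population the workaround below is meant to exclude. Extend PROTECTED_DIRS with the directories your own deployed applications place under a security constraint.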

Blue Coat products that use a native installation of Apache Tomcat but do not install or maintain it are not vulnerable to any of the CVEs in this Security Advisory.  However, the underlying platform or application that installs and maintains Apache Tomcat may be vulnerable.  Blue Coat urges customers using the Blue Coat HSM Agent for the SafeNet Luna SP to contact SafeNet for more information about these vulnerabilities.

Blue Coat products do not enable or use all functionality within Apache Tomcat.  The products listed below do not use the functionality described in the listed CVEs and are thus not known to be vulnerable to them.  However, fixes for these CVEs will be included in the patches that are provided.

  • ASG: CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763
  • CAS: CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763
  • Director: CVE-2015-5174, CVE-2016-0706, and CVE-2016-0714
  • MTD: CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763
  • MC: CVE-2015-5174, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763

Workarounds: 

For all vulnerable products, these vulnerabilities can be exploited only through the management interface.  Allowing only machines, IP addresses and subnets from a trusted network to access the management interface reduces the threat of exploitation.

Patches: 

Advanced Secure Gateway
ASG 6.6 - a fix is not available at this time.

Content Analysis System
CAS 1.3 - a fix is not available at this time.
CAS 1.2 - a fix will not be provided.  Please upgrade to the latest version with the vulnerability fixes.

Director
Director 6.1 - a fix is available in 6.1.22.1.

IntelligenceCenter
IC 3.3 - a fix is available in 3.3.3.3.

IntelligenceCenter Data Collector
DC 3.3 - a fix is not available at this time.

Mail Threat Defense
MTD 1.1 - a fix is not available at this time.

Management Center
MC 1.9 - a fix is not available at this time.
MC 1.8 - a fix will not be provided.  Please upgrade to the latest version with the vulnerability fixes.
MC 1.7 - a fix will not be provided.  Please upgrade to the latest version with the vulnerability fixes.
MC 1.6 - a fix will not be provided.  Please upgrade to the latest version with the vulnerability fixes.
MC 1.5 - a fix will not be provided.  Please upgrade to the latest version with the vulnerability fixes.

X-Series XOS
XOS 11.0 - a fix is not available at this time.
XOS 10.0 - a fix is not available at this time.
XOS 9.7 - a fix will not be provided.  Please upgrade to the latest version with the vulnerability fixes.

Advisory History: 

2017-03-30 MC 1.9 is vulnerable to CVE-2015-5345.  Exploiting the vulnerability does not have any security impact because MC does not have any non-public directories or web applications.
2017-03-06 MC 1.8 is vulnerable to CVE-2015-5345.  Exploiting the vulnerability does not have any security impact because MC does not have any non-public directories or web applications.
2017-02-07 A fix for IntelligenceCenter is available in 3.3.3.3.
2016-11-29 A fix for Director is available in 6.1.22.1.  Customers should contact Digital Guardian regarding vulnerability information for DLP.
2016-11-17 Cloud Data Protection for Oracle Field Service Cloud is not vulnerable.  MC 1.6 and 1.7 are vulnerable to CVE-2015-5345.  Exploiting the vulnerability does not have any security impact because MC does not have any non-public directories or web applications.
2016-05-11 No Cloud Data Protection products are vulnerable.
2016-04-25 MTD 1.1 has vulnerable code for multiple CVEs, but is not vulnerable to known vectors of attack.
2016-04-22 IntelligenceCenter 3.3 is vulnerable to CVE-2015-5174, CVE-2015-5345, CVE-2016-0706, and CVE-2016-0714.
2016-03-23 Previously it was reported that CAS 1.2 and 1.3 are vulnerable to CVE-2015-5345 and CVE-2015-5346.  Further investigation shows that CAS 1.2 and 1.3 only have vulnerable code for these CVEs, but are not vulnerable to known vectors of attack.  Fixes for these CVEs will still be included in the patches that are provided.
2016-03-23 X-Series XOS 9.7 is vulnerable to CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2016-0706, CVE-2016-0714, and CVE-2016-0763.
2016-03-17 IntelligenceCenter Data Collector is vulnerable to all CVEs.
2016-03-15 initial public release
