4.3 - RHSA-2014:1038

Executive Summary

Summary
Title	tomcat6 security update

Informations
Name	RHSA-2014:1038	First vendor Publication	2014-08-11
Vendor	RedHat	Last vendor Modification	2014-08-11
Severity (Vendor)	Low	Revision	01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score	4.3	Attack Range	Network
Cvss Impact Score	2.9	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated tomcat6 packages that fix two security issues are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Low security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch Red Hat Enterprise Linux Server (v. 6) - noarch Red Hat Enterprise Linux Server Optional (v. 6) - noarch Red Hat Enterprise Linux Workstation (v. 6) - noarch Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch

3. Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

It was found that several application-provided XML files, such as web.xml, content.xml, *.tld, *.tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment. (CVE-2013-4590)

It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same Apache Tomcat instance. (CVE-2014-0119)

All Tomcat users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1069911 - CVE-2013-4590 tomcat: information disclosure via XXE when running untrusted web applications 1102038 - CVE-2014-0119 Tomcat/JBossWeb: XML parser hijack by malicious web application

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2014-1038.html

CWE : Common Weakness Enumeration

%	Id	Name
50 %	CWE-264	Permissions, Privileges, and Access Controls
50 %	CWE-200	Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:26183

Oval ID:	oval:org.mitre.oval:def:26183
Title:	RHSA-2014:1034: tomcat security update (Low)
Description:	Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same Apache Tomcat instance. (CVE-2014-0119) All Tomcat users are advised to upgrade to these updated packages, which contain a backported patch to correct this issue. Tomcat must be restarted for this update to take effect.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:1034-00 CESA-2014:1034 CVE-2014-0119	Version:	3
Platform(s):	Red Hat Enterprise Linux 7 CentOS Linux 7	Product(s):	tomcat
Definition Synopsis:
Redhat 7 or Centos 7 release The operating system installed on the system is Red Hat Enterprise Linux 7 AND The operating system installed on the system is CentOS Linux 7.x Packages section tomcat is earlier than 0:7.0.42-8.el7_0 AND tomcat-admin-webapps is earlier than 0:7.0.42-8.el7_0 AND tomcat-docs-webapp is earlier than 0:7.0.42-8.el7_0 AND tomcat-el-2.2-api is earlier than 0:7.0.42-8.el7_0 AND tomcat-javadoc is earlier than 0:7.0.42-8.el7_0 AND tomcat-jsp-2.2-api is earlier than 0:7.0.42-8.el7_0 AND tomcat-jsvc is earlier than 0:7.0.42-8.el7_0 AND tomcat-lib is earlier than 0:7.0.42-8.el7_0 AND tomcat-servlet-3.0-api is earlier than 0:7.0.42-8.el7_0 AND tomcat-webapps is earlier than 0:7.0.42-8.el7_0

Definition Id: oval:org.mitre.oval:def:26374

Oval ID:	oval:org.mitre.oval:def:26374
Title:	RHSA-2014:1038: tomcat6 security update (Low)
Description:	Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was found that several application-provided XML files, such as web.xml, content.xml, .tld, .tagx, and *.jspx, resolved external entities, permitting XML External Entity (XXE) attacks. An attacker able to deploy malicious applications to Tomcat could use this flaw to circumvent security restrictions set by the JSM, and gain access to sensitive information on the system. Note that this flaw only affected deployments in which Tomcat is running applications from untrusted sources, such as in a shared hosting environment. (CVE-2013-4590) It was found that, in certain circumstances, it was possible for a malicious web application to replace the XML parsers used by Apache Tomcat to process XSLTs for the default servlet, JSP documents, tag library descriptors (TLDs), and tag plug-in configuration files. The injected XML parser(s) could then bypass the limits imposed on XML external entities and/or gain access to the XML files processed for other web applications deployed on the same Apache Tomcat instance. (CVE-2014-0119) All Tomcat users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. Tomcat must be restarted for this update to take effect.
Family:	unix	Class:	patch
Reference(s):	RHSA-2014:1038-00 CESA-2014:1038 CVE-2013-4590 CVE-2014-0119	Version:	3
Platform(s):	Red Hat Enterprise Linux 6 CentOS Linux 6	Product(s):	tomcat6
Definition Synopsis:
Redhat 6 or Centos 6 release The operating system installed on the system is Red Hat Enterprise Linux 6 AND The operating system installed on the system is CentOS Linux 6.x Packages section tomcat6 is earlier than 0:6.0.24-78.el6_5 AND tomcat6-admin-webapps is earlier than 0:6.0.24-78.el6_5 AND tomcat6-docs-webapp is earlier than 0:6.0.24-78.el6_5 AND tomcat6-el-2.1-api is earlier than 0:6.0.24-78.el6_5 AND tomcat6-javadoc is earlier than 0:6.0.24-78.el6_5 AND tomcat6-jsp-2.1-api is earlier than 0:6.0.24-78.el6_5 AND tomcat6-lib is earlier than 0:6.0.24-78.el6_5 AND tomcat6-servlet-2.5-api is earlier than 0:6.0.24-78.el6_5 AND tomcat6-webapps is earlier than 0:6.0.24-78.el6_5

Definition Id: oval:org.mitre.oval:def:27179

Oval ID:	oval:org.mitre.oval:def:27179
Title:	ELSA-2014-1034 -- tomcat security update (low)
Description:	[0:7.0.42-8] - Resolves: CVE-2013-4590 - Resolves: CVE-2014-0119
Family:	unix	Class:	patch
Reference(s):	ELSA-2014-1034 CVE-2014-0119	Version:	3
Platform(s):	Oracle Linux 7	Product(s):	tomcat
Definition Synopsis:
Oracle Linux 7.x Packages match section tomcat is earlier than 0:7.0.42-8.el7_0 AND tomcat-admin-webapps is earlier than 0:7.0.42-8.el7_0 AND tomcat-docs-webapp is earlier than 0:7.0.42-8.el7_0 AND tomcat-el-2.2-api is earlier than 0:7.0.42-8.el7_0 AND tomcat-javadoc is earlier than 0:7.0.42-8.el7_0 AND tomcat-jsp-2.2-api is earlier than 0:7.0.42-8.el7_0 AND tomcat-jsvc is earlier than 0:7.0.42-8.el7_0 AND tomcat-lib is earlier than 0:7.0.42-8.el7_0 AND tomcat-servlet-3.0-api is earlier than 0:7.0.42-8.el7_0 AND tomcat-webapps is earlier than 0:7.0.42-8.el7_0

Definition Id: oval:org.mitre.oval:def:27228

Oval ID:	oval:org.mitre.oval:def:27228
Title:	ELSA-2014-1038 -- tomcat6 security update (low)
Description:	[0:6.0.24-78] - Related: CVE-2013-4590 - remove xml schema names javaee_5, - javaee_web_services_1_2, and javaee_web_services_1_2_client - from descriptor.DigesterFactory initialization. These - schema definitions are not relevant to 6.0.24 as the version - of their spec did not exist at the time.
Family:	unix	Class:	patch
Reference(s):	ELSA-2014-1038 CVE-2014-0119 CVE-2013-4590	Version:	3
Platform(s):	Oracle Linux 6	Product(s):	tomcat6
Definition Synopsis:
Oracle Linux 6.x Packages match section tomcat6 is earlier than 0:6.0.24-78.el6_5 AND tomcat6-admin-webapps is earlier than 0:6.0.24-78.el6_5 AND tomcat6-docs-webapp is earlier than 0:6.0.24-78.el6_5 AND tomcat6-el-2.1-api is earlier than 0:6.0.24-78.el6_5 AND tomcat6-javadoc is earlier than 0:6.0.24-78.el6_5 AND tomcat6-jsp-2.1-api is earlier than 0:6.0.24-78.el6_5 AND tomcat6-lib is earlier than 0:6.0.24-78.el6_5 AND tomcat6-servlet-2.5-api is earlier than 0:6.0.24-78.el6_5 AND tomcat6-webapps is earlier than 0:6.0.24-78.el6_5

CPE : Common Platform Enumeration

Type	Description	Count
Application	Apache Tomcat cpe:2.3:a:apache:tomcat:8.0.5:::::::* cpe:2.3:a:apache:tomcat:8.0.3:::::::* cpe:2.3:a:apache:tomcat:8.0.1:::::::* cpe:2.3:a:apache:tomcat:8.0.0:rc1:::::: cpe:2.3:a:apache:tomcat:8.0.0:rc2:::::: cpe:2.3:a:apache:tomcat:8.0.0:rc5:::::: cpe:2.3:a:apache:tomcat:8.0.0:rc10:::::: cpe:2.3:a:apache:tomcat:8.0.0:rc9:::::: cpe:2.3:a:apache:tomcat:8.0.0:rc7:::::: cpe:2.3:a:apache:tomcat:8.0.0:rc8:::::: cpe:2.3:a:apache:tomcat:8.0.0:rc6:::::: cpe:2.3:a:apache:tomcat:8.0.0:rc3:::::: cpe:2.3:a:apache:tomcat:8.0.0:rc4:::::: cpe:2.3:a:apache:tomcat:7.0.9:::::::* cpe:2.3:a:apache:tomcat:7.0.8:::::::* cpe:2.3:a:apache:tomcat:7.0.7:::::::* cpe:2.3:a:apache:tomcat:7.0.6:::::::* cpe:2.3:a:apache:tomcat:7.0.53:::::::* cpe:2.3:a:apache:tomcat:7.0.52:::::::* cpe:2.3:a:apache:tomcat:7.0.50:::::::* cpe:2.3:a:apache:tomcat:7.0.5:::::::* cpe:2.3:a:apache:tomcat:7.0.49:::::::* cpe:2.3:a:apache:tomcat:7.0.48:::::::* cpe:2.3:a:apache:tomcat:7.0.47:::::::* cpe:2.3:a:apache:tomcat:7.0.46:::::::* cpe:2.3:a:apache:tomcat:7.0.45:::::::* cpe:2.3:a:apache:tomcat:7.0.44:::::::* cpe:2.3:a:apache:tomcat:7.0.43:::::::* cpe:2.3:a:apache:tomcat:7.0.42:::::::* cpe:2.3:a:apache:tomcat:7.0.41:::::::* cpe:2.3:a:apache:tomcat:7.0.40:::::::* cpe:2.3:a:apache:tomcat:7.0.4:::::::* cpe:2.3:a:apache:tomcat:7.0.4:beta:::::: cpe:2.3:a:apache:tomcat:7.0.39:::::::* cpe:2.3:a:apache:tomcat:7.0.38:::::::* cpe:2.3:a:apache:tomcat:7.0.37:::::::* cpe:2.3:a:apache:tomcat:7.0.36:::::::* cpe:2.3:a:apache:tomcat:7.0.35:::::::* cpe:2.3:a:apache:tomcat:7.0.34:::::::* cpe:2.3:a:apache:tomcat:7.0.33:::::::* cpe:2.3:a:apache:tomcat:7.0.32:::::::* cpe:2.3:a:apache:tomcat:7.0.31:::::::* cpe:2.3:a:apache:tomcat:7.0.30:::::::* cpe:2.3:a:apache:tomcat:7.0.3:::::::* cpe:2.3:a:apache:tomcat:7.0.29:::::::* cpe:2.3:a:apache:tomcat:7.0.28:::::::* cpe:2.3:a:apache:tomcat:7.0.27:::::::* cpe:2.3:a:apache:tomcat:7.0.26:::::::* cpe:2.3:a:apache:tomcat:7.0.25:::::::* cpe:2.3:a:apache:tomcat:7.0.24:::::::* cpe:2.3:a:apache:tomcat:7.0.23:::::::* cpe:2.3:a:apache:tomcat:7.0.22:::::::* cpe:2.3:a:apache:tomcat:7.0.21:::::::* cpe:2.3:a:apache:tomcat:7.0.20:::::::* cpe:2.3:a:apache:tomcat:7.0.2:::::::* cpe:2.3:a:apache:tomcat:7.0.2:beta:::::: cpe:2.3:a:apache:tomcat:7.0.19:::::::* cpe:2.3:a:apache:tomcat:7.0.18:::::::* cpe:2.3:a:apache:tomcat:7.0.17:::::::* cpe:2.3:a:apache:tomcat:7.0.16:::::::* cpe:2.3:a:apache:tomcat:7.0.15:::::::* cpe:2.3:a:apache:tomcat:7.0.14:::::::* cpe:2.3:a:apache:tomcat:7.0.13:::::::* cpe:2.3:a:apache:tomcat:7.0.12:::::::* cpe:2.3:a:apache:tomcat:7.0.11:::::::* cpe:2.3:a:apache:tomcat:7.0.10:::::::* cpe:2.3:a:apache:tomcat:7.0.1:::::::* cpe:2.3:a:apache:tomcat:7.0.0:::::::* cpe:2.3:a:apache:tomcat:7.0.0:beta:::::: cpe:2.3:a:apache:tomcat:6.0.9:::::::* cpe:2.3:a:apache:tomcat:6.0.9:beta:::::: cpe:2.3:a:apache:tomcat:6.0.8:::::::* cpe:2.3:a:apache:tomcat:6.0.8:alpha:::::: cpe:2.3:a:apache:tomcat:6.0.7:::::::* cpe:2.3:a:apache:tomcat:6.0.7:alpha:::::: cpe:2.3:a:apache:tomcat:6.0.7:beta:::::: cpe:2.3:a:apache:tomcat:6.0.6:::::::* cpe:2.3:a:apache:tomcat:6.0.6:alpha:::::: cpe:2.3:a:apache:tomcat:6.0.5:::::::* cpe:2.3:a:apache:tomcat:6.0.4:::::::* cpe:2.3:a:apache:tomcat:6.0.4:alpha:::::: cpe:2.3:a:apache:tomcat:6.0.39:::::::* cpe:2.3:a:apache:tomcat:6.0.38:::::::* cpe:2.3:a:apache:tomcat:6.0.37:::::::* cpe:2.3:a:apache:tomcat:6.0.36:::::::* cpe:2.3:a:apache:tomcat:6.0.35:::::::* cpe:2.3:a:apache:tomcat:6.0.34:::::::* cpe:2.3:a:apache:tomcat:6.0.33:::::::* cpe:2.3:a:apache:tomcat:6.0.32:::::::* cpe:2.3:a:apache:tomcat:6.0.31:::::::* cpe:2.3:a:apache:tomcat:6.0.30:::::::* cpe:2.3:a:apache:tomcat:6.0.3:::::::* cpe:2.3:a:apache:tomcat:6.0.29:::::::* cpe:2.3:a:apache:tomcat:6.0.28:::::::* cpe:2.3:a:apache:tomcat:6.0.27:::::::* cpe:2.3:a:apache:tomcat:6.0.26:::::::* cpe:2.3:a:apache:tomcat:6.0.25:::::::* cpe:2.3:a:apache:tomcat:6.0.24:::::::* cpe:2.3:a:apache:tomcat:6.0.23:::::::* cpe:2.3:a:apache:tomcat:6.0.22:::::::* cpe:2.3:a:apache:tomcat:6.0.21:::::::* cpe:2.3:a:apache:tomcat:6.0.20:::::::* cpe:2.3:a:apache:tomcat:6.0.2:::::::* cpe:2.3:a:apache:tomcat:6.0.2:alpha:::::: cpe:2.3:a:apache:tomcat:6.0.2:beta:::::: cpe:2.3:a:apache:tomcat:6.0.19:::::::* cpe:2.3:a:apache:tomcat:6.0.18:::::::* cpe:2.3:a:apache:tomcat:6.0.17:::::::* cpe:2.3:a:apache:tomcat:6.0.16:::::::* cpe:2.3:a:apache:tomcat:6.0.15:::::::* cpe:2.3:a:apache:tomcat:6.0.14:::::::* cpe:2.3:a:apache:tomcat:6.0.13:::::::* cpe:2.3:a:apache:tomcat:6.0.12:::::::* cpe:2.3:a:apache:tomcat:6.0.11:::::::* cpe:2.3:a:apache:tomcat:6.0.10:::::::* cpe:2.3:a:apache:tomcat:6.0.1:::::::* cpe:2.3:a:apache:tomcat:6.0.1:alpha:::::: cpe:2.3:a:apache:tomcat:6.0.0:::::::* cpe:2.3:a:apache:tomcat:6.0.0:alpha:::::: cpe:2.3:a:apache:tomcat:6.0:::::::* cpe:2.3:a:apache:tomcat:6:::::::* cpe:2.3:a:apache:tomcat:5.5.9:::::::* cpe:2.3:a:apache:tomcat:5.5.8:::::::* cpe:2.3:a:apache:tomcat:5.5.7:::::::* cpe:2.3:a:apache:tomcat:5.5.6:::::::* cpe:2.3:a:apache:tomcat:5.5.5:::::::* cpe:2.3:a:apache:tomcat:5.5.4:::::::* cpe:2.3:a:apache:tomcat:5.5.35:::::::* cpe:2.3:a:apache:tomcat:5.5.34:::::::* cpe:2.3:a:apache:tomcat:5.5.33:::::::* cpe:2.3:a:apache:tomcat:5.5.32:::::::* cpe:2.3:a:apache:tomcat:5.5.31:::::::* cpe:2.3:a:apache:tomcat:5.5.30:::::::* cpe:2.3:a:apache:tomcat:5.5.3:::::::* cpe:2.3:a:apache:tomcat:5.5.29:::::::* cpe:2.3:a:apache:tomcat:5.5.28:::::::* cpe:2.3:a:apache:tomcat:5.5.27:::::::* cpe:2.3:a:apache:tomcat:5.5.26:::::::* cpe:2.3:a:apache:tomcat:5.5.25:::::::* cpe:2.3:a:apache:tomcat:5.5.24:::::::* cpe:2.3:a:apache:tomcat:5.5.23:::::::* cpe:2.3:a:apache:tomcat:5.5.22:::::::* cpe:2.3:a:apache:tomcat:5.5.21:::::::* cpe:2.3:a:apache:tomcat:5.5.20:::::::* cpe:2.3:a:apache:tomcat:5.5.2:::::::* cpe:2.3:a:apache:tomcat:5.5.19:::::::* cpe:2.3:a:apache:tomcat:5.5.18:::::::* cpe:2.3:a:apache:tomcat:5.5.17:::::::* cpe:2.3:a:apache:tomcat:5.5.16:::::::* cpe:2.3:a:apache:tomcat:5.5.15:::::::* cpe:2.3:a:apache:tomcat:5.5.14:::::::* cpe:2.3:a:apache:tomcat:5.5.13:::::::* cpe:2.3:a:apache:tomcat:5.5.12:::::::* cpe:2.3:a:apache:tomcat:5.5.11:::::::* cpe:2.3:a:apache:tomcat:5.5.10:::::::* cpe:2.3:a:apache:tomcat:5.5.1:::::::* cpe:2.3:a:apache:tomcat:5.5.0:::::::* cpe:2.3:a:apache:tomcat:5.0.9:::::::* cpe:2.3:a:apache:tomcat:5.0.8:::::::* cpe:2.3:a:apache:tomcat:5.0.7:::::::* cpe:2.3:a:apache:tomcat:5.0.6:::::::* cpe:2.3:a:apache:tomcat:5.0.5:::::::* cpe:2.3:a:apache:tomcat:5.0.4:::::::* cpe:2.3:a:apache:tomcat:5.0.30:::::::* cpe:2.3:a:apache:tomcat:5.0.3:::::::* cpe:2.3:a:apache:tomcat:5.0.29:::::::* cpe:2.3:a:apache:tomcat:5.0.28:::::::* cpe:2.3:a:apache:tomcat:5.0.27:::::::* cpe:2.3:a:apache:tomcat:5.0.26:::::::* cpe:2.3:a:apache:tomcat:5.0.25:::::::* cpe:2.3:a:apache:tomcat:5.0.24:::::::* cpe:2.3:a:apache:tomcat:5.0.23:::::::* cpe:2.3:a:apache:tomcat:5.0.22:::::::* cpe:2.3:a:apache:tomcat:5.0.21:::::::* cpe:2.3:a:apache:tomcat:5.0.2:::::::* cpe:2.3:a:apache:tomcat:5.0.19:::::::* cpe:2.3:a:apache:tomcat:5.0.18:::::::* cpe:2.3:a:apache:tomcat:5.0.17:::::::* cpe:2.3:a:apache:tomcat:5.0.16:::::::* cpe:2.3:a:apache:tomcat:5.0.15:::::::* cpe:2.3:a:apache:tomcat:5.0.14:::::::* cpe:2.3:a:apache:tomcat:5.0.13:::::::* cpe:2.3:a:apache:tomcat:5.0.12:::::::* cpe:2.3:a:apache:tomcat:5.0.11:::::::* cpe:2.3:a:apache:tomcat:5.0.10:::::::* cpe:2.3:a:apache:tomcat:5.0.1:::::::* cpe:2.3:a:apache:tomcat:5.0.0:::::::* cpe:2.3:a:apache:tomcat:5:::::::* cpe:2.3:a:apache:tomcat:4.1.9:beta:::::: cpe:2.3:a:apache:tomcat:4.1.9:::::::* cpe:2.3:a:apache:tomcat:4.1.8:::::::* cpe:2.3:a:apache:tomcat:4.1.7:::::::* cpe:2.3:a:apache:tomcat:4.1.6:::::::* cpe:2.3:a:apache:tomcat:4.1.5:::::::* cpe:2.3:a:apache:tomcat:4.1.40:::::::* cpe:2.3:a:apache:tomcat:4.1.4:::::::* cpe:2.3:a:apache:tomcat:4.1.39:::::::* cpe:2.3:a:apache:tomcat:4.1.38:::::::* cpe:2.3:a:apache:tomcat:4.1.37:::::::* cpe:2.3:a:apache:tomcat:4.1.36:::::::* cpe:2.3:a:apache:tomcat:4.1.35:::::::* cpe:2.3:a:apache:tomcat:4.1.34:::::::* cpe:2.3:a:apache:tomcat:4.1.33:::::::* cpe:2.3:a:apache:tomcat:4.1.32:::::::* cpe:2.3:a:apache:tomcat:4.1.31:::::::* cpe:2.3:a:apache:tomcat:4.1.30:::::::* cpe:2.3:a:apache:tomcat:4.1.3:::::::* cpe:2.3:a:apache:tomcat:4.1.3:beta:::::: cpe:2.3:a:apache:tomcat:4.1.29:::::::* cpe:2.3:a:apache:tomcat:4.1.29:alpha:::::: cpe:2.3:a:apache:tomcat:4.1.28:::::::* cpe:2.3:a:apache:tomcat:4.1.28:alpha:::::: cpe:2.3:a:apache:tomcat:4.1.27:::::::* cpe:2.3:a:apache:tomcat:4.1.26:::::::* cpe:2.3:a:apache:tomcat:4.1.25:::::::* cpe:2.3:a:apache:tomcat:4.1.24:::::::* cpe:2.3:a:apache:tomcat:4.1.23:::::::* cpe:2.3:a:apache:tomcat:4.1.22:::::::* cpe:2.3:a:apache:tomcat:4.1.21:::::::* cpe:2.3:a:apache:tomcat:4.1.20:::::::* cpe:2.3:a:apache:tomcat:4.1.2:::::::* cpe:2.3:a:apache:tomcat:4.1.19:::::::* cpe:2.3:a:apache:tomcat:4.1.18:::::::* cpe:2.3:a:apache:tomcat:4.1.17:::::::* cpe:2.3:a:apache:tomcat:4.1.16:::::::* cpe:2.3:a:apache:tomcat:4.1.15:::::::* cpe:2.3:a:apache:tomcat:4.1.14:::::::* cpe:2.3:a:apache:tomcat:4.1.13:::::::* cpe:2.3:a:apache:tomcat:4.1.12:::::::* cpe:2.3:a:apache:tomcat:4.1.11:::::::* cpe:2.3:a:apache:tomcat:4.1.10:::::::* cpe:2.3:a:apache:tomcat:4.1.1:::::::* cpe:2.3:a:apache:tomcat:4.1.0:::::::* cpe:2.3:a:apache:tomcat:4.0.6:::::::* cpe:2.3:a:apache:tomcat:4.0.5:::::::* cpe:2.3:a:apache:tomcat:4.0.4:::::::* cpe:2.3:a:apache:tomcat:4.0.3:::::::* cpe:2.3:a:apache:tomcat:4.0.2:::::::* cpe:2.3:a:apache:tomcat:4.0.1:::::::* cpe:2.3:a:apache:tomcat:4.0.0:::::::* cpe:2.3:a:apache:tomcat:4:::::::* cpe:2.3:a:apache:tomcat:3.3.2:::::::* cpe:2.3:a:apache:tomcat:3.3.1a:::::::* cpe:2.3:a:apache:tomcat:3.3.1:::::::* cpe:2.3:a:apache:tomcat:3.3:::::::* cpe:2.3:a:apache:tomcat:3.2.4:::::::* cpe:2.3:a:apache:tomcat:3.2.3:::::::* cpe:2.3:a:apache:tomcat:3.2.2:::::::* cpe:2.3:a:apache:tomcat:3.2.2:beta2:::::: cpe:2.3:a:apache:tomcat:3.2.1:::::::* cpe:2.3:a:apache:tomcat:3.2:::::::* cpe:2.3:a:apache:tomcat:3.1.1:::::::* cpe:2.3:a:apache:tomcat:3.1:::::::* cpe:2.3:a:apache:tomcat:3.0:::::::* cpe:2.3:a:apache:tomcat:1.1.3:::::::* cpe:2.3:a:apache:tomcat:::::::: cpe:2.3:a:apache:tomcat:-:::::::*	257
Os	Debian Debian Linux cpe:2.3:o:debian:debian_linux:7.0:::::::*	1
Os	Oracle Solaris cpe:2.3:o:oracle:solaris:11.2:::::::*	1

Information Assurance Vulnerability Management (IAVM)

Date	Description
2015-06-25	IAVM : 2015-B-0083 - Multiple Vulnerabilities in IBM Storwize V7000 Unified Severity : Category I - VMSKEY : V0060983
2014-05-29	IAVM : 2014-B-0063 - Multiple Vulnerabilities in Apache Tomcat Severity : Category I - VMSKEY : V0051613
2014-02-27	IAVM : 2014-B-0019 - Multiple Vulnerabilities in Apache Tomcat Severity : Category I - VMSKEY : V0044527

Nessus® Vulnerability Scanner

Date	Description
2016-04-18	Name : The remote Debian host is missing a security-related update. File : debian_DSA-3552.nasl - Type : ACT_GATHER_INFO
2016-03-28	Name : The remote Debian host is missing a security-related update. File : debian_DSA-3530.nasl - Type : ACT_GATHER_INFO
2015-06-26	Name : The remote Ubuntu host is missing a security-related patch. File : ubuntu_USN-2654-1.nasl - Type : ACT_GATHER_INFO
2015-06-26	Name : The remote IBM Storwize device is affected by multiple vulnerabilities. File : ibm_storwize_1_5_0_2.nasl - Type : ACT_GATHER_INFO
2015-03-30	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-084.nasl - Type : ACT_GATHER_INFO
2015-03-19	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-053.nasl - Type : ACT_GATHER_INFO
2015-03-19	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-052.nasl - Type : ACT_GATHER_INFO
2015-01-19	Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_tomcat_20140715.nasl - Type : ACT_GATHER_INFO
2015-01-19	Name : The remote Solaris system is missing a security patch for third-party software. File : solaris11_tomcat_20140522.nasl - Type : ACT_GATHER_INFO
2014-12-15	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-201412-29.nasl - Type : ACT_GATHER_INFO
2014-10-30	Name : The remote host is affected by multiple vulnerabilities. File : oracle_edq_oct_2014_cpu.nasl - Type : ACT_GATHER_INFO
2014-10-10	Name : The remote device is missing a vendor-supplied security patch. File : f5_bigip_SOL15429.nasl - Type : ACT_GATHER_INFO
2014-09-29	Name : The remote Fedora host is missing a security update. File : fedora_2014-11048.nasl - Type : ACT_GATHER_INFO
2014-09-17	Name : The remote host has a virtualization management application installed that is... File : vmware_vcenter_vmsa-2014-0008.nasl - Type : ACT_GATHER_INFO
2014-09-11	Name : The remote VMware ESXi host is missing a security-related patch. File : vmware_VMSA-2014-0008.nasl - Type : ACT_GATHER_INFO
2014-08-23	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1088.nasl - Type : ACT_GATHER_INFO
2014-08-23	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1087.nasl - Type : ACT_GATHER_INFO
2014-08-14	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_tomcat6-201407-140706.nasl - Type : ACT_GATHER_INFO
2014-08-12	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20140811_tomcat6_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-08-12	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1038.nasl - Type : ACT_GATHER_INFO
2014-08-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1038.nasl - Type : ACT_GATHER_INFO
2014-08-12	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1038.nasl - Type : ACT_GATHER_INFO
2014-08-08	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2014-1034.nasl - Type : ACT_GATHER_INFO
2014-08-08	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2014-1034.nasl - Type : ACT_GATHER_INFO
2014-08-08	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2014-1034.nasl - Type : ACT_GATHER_INFO
2014-07-08	Name : The remote Red Hat host is missing a security update. File : redhat-RHSA-2014-0843.nasl - Type : ACT_GATHER_INFO
2014-05-30	Name : The remote Apache Tomcat server is affected by an information disclosure vuln... File : tomcat_8_0_8.nasl - Type : ACT_GATHER_INFO
2014-05-30	Name : The remote Apache Tomcat server is affected by an information disclosure vuln... File : tomcat_7_0_54.nasl - Type : ACT_GATHER_INFO
2014-05-30	Name : The remote Apache Tomcat server is affected by multiple vulnerabilities. File : tomcat_6_0_41.nasl - Type : ACT_GATHER_INFO
2014-02-25	Name : The remote Apache Tomcat server is affected by multiple vulnerabilities. File : tomcat_6_0_39.nasl - Type : ACT_GATHER_INFO
2014-02-25	Name : The remote Apache Tomcat server is affected by multiple vulnerabilities. File : tomcat_7_0_50.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2014-08-13 13:25:01	Multiple Updates
2014-08-11 21:21:11	First insertion

Global Informations

Type	Count
CWE ID(s)	2
Oval ID(s)	4
CPE ID(s)	259
IAVM(s)	3
Nessus® Exploit(s)	31

	Related
4.3	CVE-2014-0119
4.3	CVE-2013-4590
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 2 more Alert(s)

4.3 - RHSA-2014:1038

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

Information Assurance Vulnerability Management (IAVM)

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU