Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title Apache Tomcat UTF8 Directory Traversal Vulnerability
Informations
Name VU#343355 First vendor Publication 2008-08-19
Vendor VU-CERT Last vendor Modification 2008-08-19
Severity (Vendor) N/A Revision M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:P/I:N/A:N)
Cvss Base Score 4.3 Attack Range Network
Cvss Impact Score 2.9 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#343355

Apache Tomcat UTF8 Directory Traversal Vulnerability

Overview

Apache Tomcat contains a vulnerability that may allow directory traversal.

I. Description

Apache Tomcat is an implementation of the Java Servlet and JavaServer Page (JSP) technologies. Apache Tomcat contains a vulnerability in the way malformed requests are handled. According to the Apache Tomcat 6.x Vulnerabilities page:

    If a context is configured with allowLinking="true" and the connector is configured with URIEncoding="UTF-8" then a malformed request may be used to access arbitrary files on the server.


This vulnerability affects versions 4.1.0-4.1.37, 5.5.0-5.5.26, and 6.0.0-6.0.16.

Note that we are aware of publicly-available exploit code for this vulnerability.

II. Impact

A remote attacker could gain access to arbitrary files on the server.

III. Solution

Apply an update

This vulnerability is addressed in Apache Tomcat 4.1.38, 5.5.27, and 6.0.18. Please check the Apache Tomcat Security page for availability of fixes for this and other versions of Tomcat.

Systems Affected

VendorStatusDate Updated
Apache TomcatVulnerable19-Aug-2008

References


http://tomcat.apache.org/security.html

Credit

This issue was reported by William A. Rowe of Apache.

This document was written by Chris Taschner.

Other Information

Date Public08/11/2008
Date First Published08/19/2008 04:28:12 PM
Date Last Updated08/19/2008
CERT Advisory 
CVE-ID(s)CVE-2008-2938
NVD-ID(s)CVE-2008-2938
US-CERT Technical Alerts 
Metric7.14
Document Revision4

Original Source

Url : http://www.kb.cert.org/vuls/id/343355

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10587
 
Oval ID: oval:org.mitre.oval:def:10587
Title: Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
Description: Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
Family: unix Class: vulnerability
Reference(s): CVE-2008-2938
 Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
 Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21729
 
Oval ID: oval:org.mitre.oval:def:21729
Title: ELSA-2008:0648: tomcat security update (Important)
Description: Directory traversal vulnerability in Apache Tomcat 4.1.0 through 4.1.37, 5.5.0 through 5.5.26, and 6.0.0 through 6.0.16, when allowLinking and UTF-8 are enabled, allows remote attackers to read arbitrary files via encoded directory traversal sequences in the URI, a different vulnerability than CVE-2008-2370. NOTE: versions earlier than 6.0.18 were reported affected, but the vendor advisory lists 6.0.16 as the last affected version.
Family: unix Class: patch
Reference(s): ELSA-2008:0648-01
CVE-2008-1232
CVE-2008-1947
CVE-2008-2370
CVE-2008-2938
 Version: 21
Platform(s): Oracle Linux 5
 Product(s): tomcat5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:28407
 
Oval ID: oval:org.mitre.oval:def:28407
Title: RHSA-2008:0648 -- tomcat security update (Important)
Description: Updated tomcat packages that fix several security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. A cross-site scripting vulnerability was discovered in the HttpServletResponse.sendErrormethod. A remote attacker could inject arbitrary web script or HTML via forged HTTP headers. (CVE-2008-1232)
Family: unix Class: patch
Reference(s): RHSA-2008:0648
CESA-2008:0648-CentOS 5
CVE-2008-1232
CVE-2008-1947
CVE-2008-2370
CVE-2008-2938
 Version: 3
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
 Product(s): tomcat5
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 165

ExploitDB Exploits

id Description
2009-11-07 ToutVirtual VirtualIQ Pro 3.2 Multiple Vulnerabilities
2008-08-11 Apache Tomcat < 6.0.18 UTF8 Directory Traversal Vulnerability

OpenVAS Exploits

Date Description
2010-05-12 Name : Mac OS X Security Update 2008-007
File : nvt/macosx_secupd_2008-007.nasl
2009-10-13 Name : SLES10: Security update for Tomcat 5
File : nvt/sles10_tomcat51.nasl
2009-10-13 Name : SLES10: Security update for Websphere Community Edition
File : nvt/sles10_websphere-as_ce0.nasl
2009-10-10 Name : SLES9: Security update for Tomcat
File : nvt/sles9p5035120.nasl
2009-06-05 Name : Ubuntu USN-719-1 (libpam-krb5)
File : nvt/ubuntu_719_1.nasl
2009-06-05 Name : Ubuntu USN-720-1 (php5)
File : nvt/ubuntu_720_1.nasl
2009-05-05 Name : HP-UX Update for Apache Web Server Suite HPSBUX02401
File : nvt/gb_hp_ux_HPSBUX02401.nasl
2009-04-09 Name : Mandriva Update for tomcat5 MDVSA-2008:188 (tomcat5)
File : nvt/gb_mandriva_MDVSA_2008_188.nasl
2009-03-06 Name : RedHat Update for tomcat RHSA-2008:0648-01
File : nvt/gb_RHSA-2008_0648-01_tomcat.nasl
2009-02-18 Name : SuSE Security Summary SUSE-SR:2009:004
File : nvt/suse_sr_2009_004.nasl
2009-02-17 Name : Fedora Update for tomcat6 FEDORA-2008-7977
File : nvt/gb_fedora_2008_7977_tomcat6_fc9.nasl
2009-02-17 Name : Fedora Update for tomcat5 FEDORA-2008-8113
File : nvt/gb_fedora_2008_8113_tomcat5_fc9.nasl
2009-02-17 Name : Fedora Update for tomcat5 FEDORA-2008-8130
File : nvt/gb_fedora_2008_8130_tomcat5_fc8.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
47464 Apache Tomcat allowLinking / UTF-8 Traversal Arbitrary File Access

Snort® IPS/IDS

Date Description
2014-01-10 Apache Tomcat allowLinking URIencoding directory traversal attempt
RuleID : 17387 - Revision : 11 - Type : SERVER-APACHE

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2008-0648.nasl - Type : ACT_GATHER_INFO
2013-01-24 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2008-0877.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20080827_tomcat_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2010-01-10 Name : The remote Red Hat host is missing a security update.
File : redhat-RHSA-2008-1007.nasl - Type : ACT_GATHER_INFO
2010-01-06 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2008-0648.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_websphere-as_ce-5850.nasl - Type : ACT_GATHER_INFO
2009-09-24 Name : The remote SuSE 9 host is missing a security-related patch.
File : suse9_12232.nasl - Type : ACT_GATHER_INFO
2009-07-21 Name : The remote openSUSE host is missing a security update.
File : suse_11_0_tomcat6-080821.nasl - Type : ACT_GATHER_INFO
2009-04-23 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2008-188.nasl - Type : ACT_GATHER_INFO
2008-10-10 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2008-007.nasl - Type : ACT_GATHER_INFO
2008-09-17 Name : The remote Fedora host is missing a security update.
File : fedora_2008-8113.nasl - Type : ACT_GATHER_INFO
2008-09-17 Name : The remote Fedora host is missing a security update.
File : fedora_2008-8130.nasl - Type : ACT_GATHER_INFO
2008-09-12 Name : The remote Fedora host is missing a security update.
File : fedora_2008-7977.nasl - Type : ACT_GATHER_INFO
2008-09-11 Name : The remote openSUSE host is missing a security update.
File : suse_tomcat55-5547.nasl - Type : ACT_GATHER_INFO
2008-09-10 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_tomcat5-5539.nasl - Type : ACT_GATHER_INFO
2008-09-10 Name : The remote openSUSE host is missing a security update.
File : suse_tomcat5-5542.nasl - Type : ACT_GATHER_INFO
2008-08-28 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2008-0648.nasl - Type : ACT_GATHER_INFO
2008-08-12 Name : The remote web server is affected by a directory traversal vulnerability.
File : tomcat_utf8_dir_traversal.nasl - Type : ACT_ATTACK