Hi Oleg, it seems these issues are not related to BlazeDS ... the flex-messaging-opt-tomcat7-4.7.2.jar for example contains only one class. The CVEs reported by that tool seem to all be related to tomcat. We can't do much about that. Also, as far as I know there aren't any CVEs in any of the public lists which we haven't addressed.
I would suggest to update tomcat and not blazeds.

Chris

On 21.11.16, 16:50, "olegkon" <oleg...@gmail.com> wrote:

Hi,

We are in the process of upgrading BlazeDS in a Flex+Java web app, because when we ran OWASP Dependency Check 1.4.3, it showed High vulnerabilities in 1 file:

  Dependency:       cre.war: blazeds-core-4.0.0.14931.jar
  CPE:              cpe:/a:adobe:blazeds:4.0.0.14931
  Highest Severity: High
  CVE Count:        2
  CPE Confidence:   LOW
  Evidence Count:   7

However, when we tried to do the same with Apache BlazeDS 4.7.2, we got even more of those:

  Dependency:       cre.war: flex-messaging-core-4.7.2.jar
  CPE:              cpe:/a:apache:flex:4.7.2
  GAV:              org.apache.flex.blazeds:flex-messaging-core:4.7.2
  Highest Severity: Medium
  CVE Count:        1
  CPE Confidence:   LOW
  Evidence Count:   16

  Dependency:       cre.war: flex-messaging-opt-tomcat7-4.7.2.jar
  CPE:              cpe:/a:apache:flex:4.7.2, cpe:/a:apache:tomcat:7.0.0
  GAV:              org.apache.flex.blazeds:flex-messaging-opt-tomcat7:4.7.2
  Highest Severity: High
  CVE Count:        59
  CPE Confidence:   MEDIUM
  Evidence Count:   16

More details (on 4.7.2 - I only put High Severity, there are lots and lots of Mediums):

cre.war: flex-messaging-opt-tomcat7-4.7.2.jar
  File Path: C:\web\cre\dist\cre.war\WEB-INF\lib\flex-messaging-opt-tomcat7-4.7.2.jar
  MD5:  8e188c61285fa087116df2a350571c1c
  SHA1: e34b3ab4b6d72384a44e15b992801bc4849b5412

Evidence
  Identifiers
    • cpe: cpe:/a:apache:flex:4.7.2 (Confidence: LOW)
    • cpe: cpe:/a:apache:tomcat:7.0.0 (Confidence: MEDIUM)
    • maven: org.apache.flex.blazeds:flex-messaging-opt-tomcat7:4.7.2 (Confidence: HIGHEST)

Published Vulnerabilities

CVE-2016-6325
  Severity: High
  CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
  CWE: CWE-264 Permissions, Privileges, and Access Controls
  The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
    • CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
    • CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1367447
    • REDHAT - RHSA-2016:2045
    • REDHAT - RHSA-2016:2046
  Vulnerable Software & Versions:
    • cpe:/a:apache:tomcat:-

CVE-2016-5425
  Severity: High
  CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
  CWE: CWE-264 Permissions, Privileges, and Access Controls
  The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
    • BID - 93472
    • CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
    • MISC - http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
    • MISC - http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
    • MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora, OracleLinux, RedHat etc.)
    • REDHAT - RHSA-2016:2046
  Vulnerable Software & Versions:
    • cpe:/a:apache:tomcat

CVE-2016-3092
  Severity: High
  CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CWE: CWE-20 Improper Input Validation
  The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
    • BID - 91453
    • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743480
    • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743722
    • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743738
    • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743742
    • CONFIRM - http://tomcat.apache.org/security-7.html
    • CONFIRM - http://tomcat.apache.org/security-8.html
    • CONFIRM - http://tomcat.apache.org/security-9.html
    • CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
    • CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1349468
    • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
    • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
    • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
    • DEBIAN - DSA-3609
    • DEBIAN - DSA-3611
    • DEBIAN - DSA-3614
    • JVN - JVN#89379547
    • JVNDB - JVNDB-2016-000121
    • MLIST - [dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
    • UBUNTU - USN-3024-1
    • UBUNTU - USN-3027-1
  Vulnerable Software & Versions: (show all)
    • cpe:/a:apache:tomcat:7.0.0:beta
    • ...

CVE-2016-1240
  Severity: High
  CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
  CWE: CWE-20 Improper Input Validation
  The Tomcat init script in the tomcat7 package before 7.0.56-3+deb8u4 and tomcat8 package before 8.0.14-1+deb8u3 on Debian jessie and the tomcat6 and libtomcat6-java packages before 6.0.35-1ubuntu3.8 on Ubuntu 12.04 LTS, the tomcat7 and libtomcat7-java packages before 7.0.52-1ubuntu0.7 on Ubuntu 14.04 LTS, and tomcat8 and libtomcat8-java packages before 8.0.32-1ubuntu1.2 on Ubuntu 16.04 LTS allows local users with access to the tomcat account to gain root privileges via a symlink attack on the Catalina log file, as demonstrated by /var/log/tomcat7/catalina.out.
    • BUGTRAQ - 20161001 CVE-2016-1240 - Tomcat packaging on Debian-based distros - Local Root Privilege Escalation
    • DEBIAN - DSA-3669
    • DEBIAN - DSA-3670
    • MISC - http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.html
    • SECTRACK - 1036845
    • UBUNTU - USN-3081-1
  Vulnerable Software & Versions: (show all)
    • cpe:/a:apache:tomcat:7.0
    • ...

CVE-2016-0763
  Severity: Medium
  CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
  CWE: CWE-264 Permissions, Privileges, and Access Controls
  The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
    • BUGTRAQ - 20160222 [SECURITY] CVE-2016-0763 Apache Tomcat Security Manager Bypass
    • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725926
    • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725929
    • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1725931
    • CONFIRM - http://tomcat.apache.org/security-7.html
    • CONFIRM - http://tomcat.apache.org/security-8.html
    • CONFIRM - http://tomcat.apache.org/security-9.html
    • CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
    • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
    • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
    • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
    • DEBIAN - DSA-3530
    • DEBIAN - DSA-3552
    • DEBIAN - DSA-3609
    • UBUNTU - USN-3024-1
  Vulnerable Software & Versions: (show all)
    • cpe:/a:apache:tomcat:7.0.0:beta
    • ...

CVE-2014-0230
  Severity: High
  CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
  CWE: CWE-399 Resource Management Errors
  Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
    • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603770
    • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603775
    • CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1603779
    • CONFIRM - http://tomcat.apache.org/security-6.html
    • CONFIRM - http://tomcat.apache.org/security-7.html
    • CONFIRM - http://tomcat.apache.org/security-8.html
    • CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinoct2015-2511968.html
    • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html
    • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05054964
    • DEBIAN - DSA-3530
    • HP - HPSBOV03503
    • HP - HPSBUX03561
    • MLIST - [oss-security] 20150409 Apache Tomcat partial file upload DoS CVE-2014-0230
    • MLIST - [tomcat-announce] 20150505 [SECURITY] CVE-2014-0230: Apache Tomcat DoS
    • REDHAT - RHSA-2016:0595
    • REDHAT - RHSA-2016:0596
    • REDHAT - RHSA-2016:0597
    • REDHAT - RHSA-2016:0598
    • REDHAT - RHSA-2016:0599
  Vulnerable Software & Versions: (show all)
    • cpe:/a:apache:tomcat:7.0.0:beta
    • ...

CVE-2014-0050
  Severity: High
  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  CWE: CWE-264 Permissions, Privileges, and Access Controls
  MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
    • BID - 65400
    • BUGTRAQ - 20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library
    • BUGTRAQ - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
    • CONFIRM - http://advisories.mageia.org/MGASA-2014-0110.html
    • CONFIRM - http://svn.apache.org/r1565143
    • CONFIRM - http://tomcat.apache.org/security-7.html
    • CONFIRM - http://tomcat.apache.org/security-8.html
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21669554
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675432
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676091
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676092
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676401
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676403
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676405
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676410
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676656
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676853
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677691
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677724
    • CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21681214
    • CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html
    • CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html
    • CONFIRM - http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html
    • CONFIRM - http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm
    • CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
    • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
    • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
    • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
    • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
    • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
    • CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
    • CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0007.html
    • CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0012.html
    • CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1062337
    • CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
    • FULLDISC - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
    • HP - HPSBGN03329
    • JVN - JVN#14876762
    • JVNDB - JVNDB-2014-000017
    • MANDRIVA - MDVSA-2015:084
    • MISC - http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html
    • MISC - http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html
    • MLIST - [commons-dev] 20140206 [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS
    • REDHAT - RHSA-2014:0400
  Vulnerable Software & Versions: (show all)
    • cpe:/a:apache:tomcat:7.0.0:beta
    • ...

CVE-2013-2185
  Severity: High
  CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
  CWE: CWE-20 Improper Input Validation
  ** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
    • MLIST - [oss-security] 20130905 Re: CVE-2013-2185 / Tomcat
    • MLIST - [oss-security] 20141024 Re: Duplicate Request: CVE-2013-4444 as a duplicate of CVE-2013-2185
    • REDHAT - RHSA-2013:1193
    • REDHAT - RHSA-2013:1194
    • REDHAT - RHSA-2013:1265
  Vulnerable Software & Versions: (show all)
    • cpe:/a:apache:tomcat:7.0.39 and all previous versions

Can anyone look into that? What would you recommend?

Thank you,
Oleg.

--
View this message in context: http://apache-flex-users.2333346.n4.nabble.com/Security-vulnerabilities-in-BlazeDS-4-7-2-tp14175.html
Sent from the Apache Flex Users mailing list archive at Nabble.com.
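Chris's point in the reply, that the 59 Tomcat CVEs are attached to the adapter jar only because the scanner matched it to cpe:/a:apache:tomcat:7.0.0 at MEDIUM confidence, is the standard case for a dependency-check suppression rule: the mistaken CPE is suppressed for that one artifact, while the Tomcat CVEs remain reportable wherever Tomcat itself is found. The file below is an added example, not part of the thread or of the BlazeDS project. It takes the SHA1 and CPE values from Oleg's report; the suppression schema URL and the `--suppression` command-line option are assumptions about the dependency-check tool's own documentation, not something stated in the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (not from the thread): a dependency-check suppression file.
     It removes only the wrong Tomcat CPE from the BlazeDS Tomcat adapter jar.
     It does NOT hide Tomcat CVEs for the Tomcat installation the app runs on;
     that server is patched separately, which is the advice given in the reply. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
    <suppress>
        <notes><![CDATA[
        flex-messaging-opt-tomcat7-4.7.2.jar is a BlazeDS adapter for Tomcat, not
        Tomcat itself (it contains a single class). The identifier
        cpe:/a:apache:tomcat:7.0.0 was derived from the artifact name at MEDIUM
        confidence, so every Tomcat CVE in the NVD was reported against this jar.
        Suppress the CPE match rather than individual CVEs, and scope it to this
        exact file by the SHA1 shown in the scan report.
        ]]></notes>
        <!-- SHA1 of the jar as printed in Oleg's report -->
        <sha1>e34b3ab4b6d72384a44e15b992801bc4849b5412</sha1>
        <!-- CPE prefix to drop for this file; leaves cpe:/a:apache:flex:4.7.2 untouched -->
        <cpe>cpe:/a:apache:tomcat</cpe>
    </suppress>
</suppressions>
```

Pass the file with `--suppression <path>` on the command line (or the equivalent suppression-file setting of the Maven plugin; both names are assumed from the tool's documentation). Keying the rule on the SHA1 means it stops applying the moment the jar is upgraded, which is the behaviour you want: a new artifact is evaluated from scratch instead of inheriting an old exception. Two of the findings in the list, CVE-2016-3092 and CVE-2014-0050, concern Commons FileUpload as bundled in Tomcat, so a clean scan of the WAR does not by itself show that the server is fixed; the Tomcat version actually deployed still has to be checked against the Tomcat security pages linked in the report.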