Rapid 7 Vulnerabilities- Apache Tomcat

Aasth — Wed, 14 Aug 2019 17:56:16 GMT

Hi,

We are using SAS 9.4M6 on AIX servers. We found out several Tomcat Vulnerabilities on Rapid 7 report which referenced older tomcat versions in SAS Environment Manager and SAS Web App Server which are not currently being used by our servers ( I checked the start up logs to find the current versions of tomcat being used , which is 8.5 for the SAS Web App and 9.0 for Env Manager)

Below are the vulns listed with their respective locations referred in the report:

Apache Tomcat: Low: Directory disclosure (CVE-2015-5345)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Obsolete version	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Limited directory traversal (CVE-2015-5174)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Security Manager Bypass (CVE-2016-5018)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Important: Information Disclosure (CVE-2017-5647)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Important: Information Disclosure (CVE-2016-6816)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Security Manager Bypass (CVE-2016-6796)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Unrestricted Access to Global Resources (CVE-2016-6797)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: System Property Disclosure (CVE-2016-6794)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Timing Attack (CVE-2016-0762)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Security Manager bypass (CVE-2016-0706)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Moderate: Security Manager bypass (CVE-2016-0714)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Important: Remote Code Execution (CVE-2016-8735)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Important: Information Disclosure (CVE-2016-8745)	Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Important: Remote Code Execution on Windows (CVE-2019-0232)	Vulnerable software installed: Apache Tomcat 7.0.55.A (/sas/install/SASHome/SASWebApplicationServer/9.4-1/9.4/tomcat-7.0.55.A.RELEASE/lib/catalina.jar)

I deleted the sas/install/SASHome/SASWebApplicationServer/9.4-1 folder for the last vuln but I am not sure if the hotfix folder can be deleted? I checked our current installer report and found that the following bundled hot fix is installed:

The link for that hotfix is : http://ftp.sas.com/techsup/download/hotfix/HF2/V/V77/V77014/xx/r64/V77014r6.html

This hotfix is now replaced by Hotfix : V77017 : http://ftp.sas.com/techsup/download/hotfix/HF2/V77.html#V77014

But, it is still listed for SAS Web Server 9.4_M3. We are currently using SAS 9.4_M6.

Can I remove the old hotfix folder ? Or have to install the new one? Please suggest

Re: Rapid 7 Vulnerabilities- Apache Tomcat

AnandVyas — Thu, 15 Aug 2019 04:04:18 GMT

Hi @Aasth,

Have you checked the SAS Security Bulletin board for SAS 9.4 M6 Version? Here: https://support.sas.com/en/security-bulletins.html

Most of the CVEs listed by you are already taken care as part of SAS Security Update for 9.4 M6. You can find the list of vulnerabilities addressed in this link: https://support.sas.com/en/security-bulletins/sas-security-update-for-sas-94m6.html#df3f745d-c882-4b54-bb90-ed727d5af5aa

It has also a hyperlink to the solution for these vulnerabilities. Here: http://ftp.sas.com/techsup/download/hotfix/HF2/SAS_Security_Updates.html

Suggest you to apply those instead of deleting any binaries.

Thanks!

Re: Rapid 7 Vulnerabilities- Apache Tomcat

nhvdwalt — Thu, 15 Aug 2019 05:13:43 GMT

Some good advise by @AnandVyas , thanks.

@Aasth , for questions like these, I would advise you to rather log a call with SAS Technical Support and resolve through that channel.

topic Rapid 7 Vulnerabilities- Apache Tomcat in Administration and Deployment

Rapid 7 Vulnerabilities- Apache Tomcat

Re: Rapid 7 Vulnerabilities- Apache Tomcat

Re: Rapid 7 Vulnerabilities- Apache Tomcat