Hi,
We are using SAS 9.4M6 on AIX servers. We found several Tomcat vulnerabilities in a Rapid7 report which referenced older Tomcat versions in SAS Environment Manager and SAS Web App Server that are not currently being used by our servers (I checked the startup logs to find the current versions of Tomcat being used, which are 8.5 for the SAS Web App and 9.0 for Env Manager).
Below are the vulnerabilities listed in the report with their respective locations:
Apache Tomcat: Low: Directory disclosure (CVE-2015-5345) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Obsolete version | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Limited directory traversal (CVE-2015-5174) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Security Manager Bypass (CVE-2016-5018) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Important: Information Disclosure (CVE-2017-5647) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Important: Information Disclosure (CVE-2016-6816) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Security Manager Bypass (CVE-2016-6796) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Unrestricted Access to Global Resources (CVE-2016-6797) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: System Property Disclosure (CVE-2016-6794) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Timing Attack (CVE-2016-0762) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Low: Security Manager bypass (CVE-2016-0706) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Moderate: Security Manager bypass (CVE-2016-0714) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Important: Remote Code Execution (CVE-2016-8735) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Important: Information Disclosure (CVE-2016-8745) | Vulnerable software installed: Apache Tomcat 6.0.44.B (/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/tomcat-6.0.44.B.RELEASE/lib/catalina.jar)
Apache Tomcat: Important: Remote Code Execution on Windows (CVE-2019-0232) | Vulnerable software installed: Apache Tomcat 7.0.55.A (/sas/install/SASHome/SASWebApplicationServer/9.4-1/9.4/tomcat-7.0.55.A.RELEASE/lib/catalina.jar)
I deleted the sas/install/SASHome/SASWebApplicationServer/9.4-1 folder for the last vuln, but I am not sure if the hotfix folder can be deleted. I checked our current installer report and found that the following bundled hot fix is installed:
The link for that hotfix is: http://ftp.sas.com/techsup/download/hotfix/HF2/V/V77/V77014/xx/r64/V77014r6.html
This hotfix is now replaced by hotfix V77017: http://ftp.sas.com/techsup/download/hotfix/HF2/V77.html#V77014
But it is still listed for SAS Web Server 9.4_M3. We are currently using SAS 9.4_M6.
Can I remove the old hotfix folder? Or do I have to install the new one? Please suggest.
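A small triage helper, added here as an illustration and not part of the original post or of SAS's tooling: it reconciles the jar paths the scanner fingerprinted with the Tomcat JVMs actually running (from `ps -ef` output), so each finding can be labelled as belonging to a live instance or to a leftover copy on disk, and it parses the real version out of a jar's ServerInfo.properties. The `ps` sample and the `/opt/...` catalina.home directories are constructed assumptions; only the two jar paths come from the report above.

```python
"""Reconcile scanner Tomcat findings with the Tomcat instances that are actually running."""
import re
from pathlib import PurePosixPath

# Two findings copied from the scanner report above: (CVE, path the scanner fingerprinted).
FINDINGS = [
    ("CVE-2016-8735", "/sas/install/SASHome/SASEnvironmentManager/2.5/hotfix/"
                      "tomcat-6.0.44.B.RELEASE/lib/catalina.jar"),
    ("CVE-2019-0232", "/sas/install/SASHome/SASWebApplicationServer/9.4-1/9.4/"
                      "tomcat-7.0.55.A.RELEASE/lib/catalina.jar"),
]

# Constructed `ps -ef` sample (assumption, not SAS's real layout): two live Tomcat JVMs,
# neither of which runs from the directories the scanner flagged.
PS_OUTPUT = """\
sas 4242 1 0 10:00 - 0:12 /usr/java8/bin/java -Dcatalina.home=/opt/tomcat-8.5.x -Dcatalina.base=/sas/config/Lev1/Web/WebAppServer/SASServer1_1 org.apache.catalina.startup.Bootstrap start
sas 4343 1 0 10:00 - 0:05 /usr/java8/bin/java -Dcatalina.home=/opt/tomcat-9.0.x org.apache.catalina.startup.Bootstrap start
"""

CATALINA_HOME_RE = re.compile(r"-Dcatalina\.home=(\S+)")
SERVER_INFO_RE = re.compile(r"^server\.info=Apache Tomcat/(\S+)", re.M)


def running_catalina_homes(ps_text):
    """Return the set of catalina.home directories advertised by live Tomcat JVMs."""
    return {m.group(1) for m in CATALINA_HOME_RE.finditer(ps_text)}


def tomcat_version(server_info_text):
    """Parse the version from org/apache/catalina/util/ServerInfo.properties, which can be
    pulled from a jar with: unzip -p catalina.jar org/apache/catalina/util/ServerInfo.properties"""
    m = SERVER_INFO_RE.search(server_info_text)
    return m.group(1) if m else None


def classify(findings, ps_text):
    """Label each CVE finding 'running' if any live JVM command line references the jar's
    Tomcat directory (catalina.home or an explicit classpath), else 'stale-on-disk'."""
    live_cmdlines = [line for line in ps_text.splitlines() if "org.apache.catalina" in line]
    result = {}
    for cve, jar in findings:
        tomcat_dir = str(PurePosixPath(jar).parent.parent)  # strip the lib/catalina.jar suffix
        in_use = any(tomcat_dir in cmd for cmd in live_cmdlines)
        result[cve] = "running" if in_use else "stale-on-disk"
    return result


if __name__ == "__main__":
    print("live catalina.home:", sorted(running_catalina_homes(PS_OUTPUT)))
    for cve, label in classify(FINDINGS, PS_OUTPUT).items():
        print(cve, "->", label)
```

A 'stale-on-disk' jar still trips the scanner and still needs removal or a vendor hotfix, but the label tells you it is not the code serving requests; re-run against real `ps -ef` output on each host rather than the sample.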