Java.Tomdep is a network worm copying itself between Apache Tomcat servers. When successful, it opens a backdoor connection to several Command and Control (C&C) servers.

The reasons for CIRCL to address this threat in a technical report are the following:
- High number of Apache Tomcat installations in Luxembourg.
- Simple and successful propagation process.
- Installation of a back door which allows full access to the compromised server.
- Imaginable follow-up scenarios (malware spreading to visitors, DDoS).

The malicious software, when installed on a Tomcat server, starts scanning the network for other Tomcat servers and tries to log in with a number of weak username-password combinations. If it is successful, it copies itself to the targeted server. It is possible that compromised servers are used for Distributed Denial of Service (DoS) attacks.

It is highly recommended to detect, block and prevent this and other attacks. In the appendix, we also include a reference of CVEs addressing vulnerabilities in Apache Tomcat. We recommend keeping Apache Tomcat updated to the latest version.

Detection

As far as we know, the malware tries to connect to the following IRC servers:

The worm also sends collected information to the following server in HTTP on port 80/TCP. The same server apparently is used for fetching the malware:

If you are running an Apache Tomcat server connected to the Internet, take your time to check:
- Review DNS logs, Tomcat logs and Firewall logs.
- Review user accounts and password strength.
- Review running processes on the Apache Tomcat server.

A list of domains/IP addresses follows hereafter. You might use it as a base for reviewing log files. It should be safe to block all access on your Firewalls/IPS/DNS to the following domains/IP addresses:

To avoid username-password brute forcing of the Tomcat manager interface, we recommend applying packet filtering. This can be done using the Valve element from Tomcat or directly in the Apache configuration. You can also use your network or security device to restrict the source IP to the required Apache Tomcat administrators.

TLP:WHITE information may be distributed without restriction, subject to copyright controls. If in doubt, don't hesitate to contact CIRCL.

Version 1.0 Novem Initial version (TLP:WHITE).

CVEs addressing vulnerabilities in Apache Tomcat:

CVE-2013-6357 (T10:55:04.190-05:00, score 6.8): ** DISPUTED ** Cross-site request forgery (CSRF) vulnerability in the Manager application in Apache Tomcat 5.5.25 and earlier allows remote attackers to hijack the authentication of administrators for requests that manipulate application deployment via the POST method, as demonstrated by a /manager/html/undeploy?path= URI. NOTE: the vendor disputes the significance of this report, stating that "the Apache Tomcat Security team has not accepted any reports of CSRF attacks against the Manager application ... as they require a reckless system administrator."

CVE-2013-2071 (T10:21:05.890-04:00, score 2.6): java/org/apache/catalina/core/AsyncContextImpl.java in Apache Tomcat 7.x before 7.0.40 does not properly handle the throwing of a RuntimeException in an AsyncListener in an application, which allows context-dependent attackers to obtain sensitive request information intended for other applications in opportunistic circumstances via an application that records the requests that it processes.
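The report's advice to review Tomcat logs for the worm's weak-credential login attempts against the manager interface can be turned into a small check. The following script is an added example written for this page, not code from CIRCL or the Apache Tomcat project. It assumes the Tomcat AccessLogValve "common" log pattern (%h %l %u %t "%r" %s %b) and uses constructed sample log lines; the threshold and time window are illustrative choices, not values from the report.

```python
import re
from collections import defaultdict
from datetime import datetime

# Regex for the Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log lines (not from any real server): one source makes six
# failed manager logins in 35 seconds and then succeeds, one admin mistypes a
# password once, one client never touches the manager application.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Nov/2013:10:21:05 +0100] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [20/Nov/2013:10:21:07 +0100] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [20/Nov/2013:10:21:12 +0100] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [20/Nov/2013:10:21:18 +0100] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [20/Nov/2013:10:21:25 +0100] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - - [20/Nov/2013:10:21:33 +0100] "GET /manager/html HTTP/1.1" 401 2473
203.0.113.7 - tomcat [20/Nov/2013:10:21:40 +0100] "GET /manager/html HTTP/1.1" 200 19118
198.51.100.2 - - [20/Nov/2013:10:30:00 +0100] "GET /manager/html HTTP/1.1" 401 2473
198.51.100.2 - admin [20/Nov/2013:10:30:09 +0100] "GET /manager/html HTTP/1.1" 200 19118
192.0.2.9 - - [20/Nov/2013:10:31:00 +0100] "GET /index.html HTTP/1.1" 200 1234
""".splitlines()


def parse_line(line):
    """Parse one access log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def find_manager_bruteforce(lines, threshold=5, window_seconds=600):
    """Return a dict keyed by source IP for every client that produced at least
    `threshold` HTTP 401 responses on /manager paths within any span of
    `window_seconds`. Each entry records the total failures, the densest window
    count, and whether a 200 followed the first failure (a possible successful
    guess that deserves a password reset and a look at deployed applications)."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith("/manager"):
            continue
        per_ip[rec["host"]].append(rec)

    findings = {}
    for ip, recs in per_ip.items():
        recs.sort(key=lambda r: r["time"])
        failures = [r["time"] for r in recs if r["status"] == 401]
        # Sliding window: largest number of 401s inside any window_seconds span.
        best, start = 0, 0
        for end in range(len(failures)):
            while (failures[end] - failures[start]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            first_fail = failures[0]
            success = any(r["status"] == 200 and r["time"] > first_fail for r in recs)
            findings[ip] = {
                "failures": len(failures),
                "max_in_window": best,
                "success_after_failures": success,
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_manager_bruteforce(SAMPLE_LOG).items():
        print(ip, info)
```

The sliding window matters because a slow guesser spreads attempts over hours; lowering `window_seconds` and raising `threshold` trades missed detections for fewer false positives from administrators who mistype a password. Sources flagged with `success_after_failures` set are the ones to act on first, alongside the firewall and Valve restrictions the report recommends.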