7.5 CVE-2021-25122

Patch
 

When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
https://nvd.nist.gov/vuln/detail/CVE-2021-25122

Categories

CWE-200 : Exposure of Sensitive Information to an Unauthorized Actor
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Developers may insert sensitive information that they do not believe, or they might forget to remove the sensitive information after it has been processed Separate mistakes or weaknesses could inadvertently make the sensitive information available to an attacker, such as in a detailed error message that can be read by an unauthorized party This term is frequently used in vulnerability advisories to describe a consequence or technical impact, for any vulnerability that has a loss of confidentiality. Often, CWE-200 can be misused to represent the loss of confidentiality, even when the mistake - i.e., the weakness - is not directly related to the mishandling of the information itself, such as an out-of-bounds read that accesses sensitive memory contents; here, the out-of-bounds read is the primary weakness, not the disclosure of the memory. In addition, this phrase is also used frequently in policies and legal documents, but it does not refer to any disclosure of security-relevant information. This is a frequently used term, however the "leak" term has multiple uses within security. In some cases it deals with the accidental exposure of information from a different weakness, but in other cases (such as "memory leak"), this deals with improper tracking of resources, which can lead to exhaustion. As a result, CWE is actively avoiding usage of the "leak" term. Rust library leaks Oauth client details in application debug logs Digital Rights Management (DRM) capability for mobile platform leaks pointer information, simplifying ASLR bypass Enumeration of valid usernames based on inconsistent responses Account number enumeration via inconsistent responses. User enumeration via discrepancies in error messages. Telnet protocol allows servers to obtain sensitive environment information from clients. Script calls phpinfo(), revealing system configuration to web user Product sets a different TTL when a port is being filtered than when it is not being filtered, which allows remote attackers to identify filtered ports by comparing TTLs. Version control system allows remote attackers to determine the existence of arbitrary files and directories via the -X command for an alternate history file, which causes different error messages to be returned. Virtual machine allows malicious web site operators to determine the existence of files on the client by measuring delays in the execution of the getSystemResource method. Product immediately sends an error message when a user does not exist, which allows remote attackers to determine valid usernames via a timing attack. POP3 server reveals a password in an error message after multiple APOP commands are sent. Might be resultant from another weakness. Program reveals password in error message if attacker can trigger certain database errors. Composite: application running with high privileges (CWE-250) allows user to specify a restricted file to process, which generates a parsing error that leaks the contents of the file (CWE-209). Direct request to library file in web application triggers pathname leak in error message. Malformed regexp syntax leads to information exposure in error message. Password exposed in debug information. FTP client with debug option enabled shows password to the screen. Collaboration platform does not clear team emails in a response, allowing leak of email addresses

References


 

CPE

cpe start end
Configuration 1
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* >= 8.5.0 <= 8.5.61
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* >= 9.0.0 <= 9.0.41
cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:-:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:10.0.0:milestone9:*:*:*:*:*:*
Configuration 2
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*
Configuration 3
cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_cloud_native_core_security_edge_protection_proxy:1.6.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:database:12.2.0.1:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:database:19c:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:database:21c:*:*:*:enterprise:*:*:*
cpe:2.3:a:oracle:graph_server_and_client:*:*:*:*:*:*:*:* < 21.3.0
cpe:2.3:a:oracle:graph_server_and_client:21.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.3.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:managed_file_transfer:12.2.1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:* <= 8.0.23
cpe:2.3:a:oracle:siebel_ui_framework:*:*:*:*:*:*:*:* <= 21.9


REMEDIATION


Patch

Url
https://www.oracle.com//security-alerts/cpujul2021.html
https://www.oracle.com/security-alerts/cpujan2022.html
https://www.oracle.com/security-alerts/cpuoct2021.html


EXPLOITS


Exploit-db.com

id description date
No known exploits

POC Github

Url
No known exploits

Other Nist (github, ...)

Url
No known exploits


CAPEC


Common Attack Pattern Enumerations and Classifications

id description severity
116 Excavation
Medium
13 Subverting Environment Variable Values
Very High
169 Footprinting
Very Low
22 Exploiting Trust in Client
High
224 Fingerprinting
Very Low
285 ICMP Echo Request Ping
Low
287 TCP SYN Scan
Low
290 Enumerate Mail Exchange (MX) Records
Low
291 DNS Zone Transfers
Low
292 Host Discovery
Low
293 Traceroute Route Enumeration
Low
294 ICMP Address Mask Request
Low
295 Timestamp Request
Low
296 ICMP Information Request
Low
297 TCP ACK Ping
Low
298 UDP Ping
Low
299 TCP SYN Ping
Low
300 Port Scanning
Low
301 TCP Connect Scan
Low
302 TCP FIN Scan
Low
303 TCP Xmas Scan
Low
304 TCP Null Scan
Low
305 TCP ACK Scan
Low
306 TCP Window Scan
Low
307 TCP RPC Scan
Low
308 UDP Scan
Low
309 Network Topology Mapping
Low
310 Scanning for Vulnerable Software
Low
312 Active OS Fingerprinting
Low
313 Passive OS Fingerprinting
Low
317 IP ID Sequencing Probe
Low
318 IP 'ID' Echoed Byte-Order Probe
Low
319 IP (DF) 'Don't Fragment Bit' Echoing Probe
Low
320 TCP Timestamp Probe
Low
321 TCP Sequence Number Probe
Low
322 TCP (ISN) Greatest Common Divisor Probe
Low
323 TCP (ISN) Counter Rate Probe
Low
324 TCP (ISN) Sequence Predictability Probe
Low
325 TCP Congestion Control Flag (ECN) Probe
Low
326 TCP Initial Window Size Probe
Low
327 TCP Options Probe
Low
328 TCP 'RST' Flag Checksum Probe
Low
329 ICMP Error Message Quoting Probe
Low
330 ICMP Error Message Echoing Integrity Probe
Low
472 Browser Fingerprinting
Low
497 File Discovery
Very Low
508 Shoulder Surfing
High
573 Process Footprinting
Low
574 Services Footprinting
Low
575 Account Footprinting
Low
576 Group Permission Footprinting
Low
577 Owner Footprinting
Low
59 Session Credential Falsification through Prediction
High
60 Reusing Session IDs (aka Session Replay)
High
616 Establish Rogue Location
Medium
643 Identify Shared Files/Directories on System
Medium
646 Peripheral Footprinting
Medium
651 Eavesdropping
Medium
79 Using Slashes in Alternate Encoding
High


MITRE


Techniques

id description
T1007 System Service Discovery
T1016 System Network Configuration Discovery
T1018 Remote System Discovery
T1033 System Owner/User Discovery
T1036.005 Masquerading: Match Legitimate Name or Location
T1046 Network Service Scanning
T1049 System Network Connections Discovery
T1057 Process Discovery
T1069 Permission Groups Discovery
T1082 System Information Discovery
T1083 File and Directory Discovery
T1087 Account Discovery
T1111 Multi-Factor Authentication Interception
T1120 Peripheral Device Discovery
T1124 System Time Discovery
T1134.001 Access Token Manipulation:Token Impersonation/Theft
T1135 Network Share Discovery
T1217 Browser Bookmark Discovery
T1550.004 Use Alternate Authentication Material:Web Session Cookie
T1562.003 Impair Defenses:Impair Command History Logging
T1574.006 Hijack Execution Flow:Dynamic Linker Hijacking
T1574.007 Hijack Execution Flow:Path Interception by PATH Environment Variable
T1590 Gather Victim Network Information
T1592 Gather Victim Host Information
T1595 Active Scanning
T1615 Group Policy Discovery
© 2022 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation.

Mitigations

id description
T1036.005 Use file system access controls to protect folders such as C:WindowsSystem32.
T1046 Ensure proper network segmentation is followed to protect critical servers and devices.
T1087 Manage the creation, modification, use, and permissions associated to user accounts.
T1111 Remove smart cards when not in use.
T1134.001 An adversary must already have administrator level access on the local system to make full use of this technique; be sure to restrict users and accounts to the least privileges they require.
T1135 Enable Windows Group Policy “Do Not Allow Anonymous Enumeration of SAM Accounts and Shares” security setting to limit users who can enumerate network shares.
T1550.004 Configure browsers or tasks to regularly delete persistent cookies.
T1562.003 Make sure that the <code>HISTCONTROL</code> environment variable is set to “ignoredups” instead of “ignoreboth” or “ignorespace”.
T1574.006 When System Integrity Protection (SIP) is enabled in macOS, the aforementioned environment variables are ignored when executing protected binaries. Third-party applications can also leverage Apple’s Hardened Runtime, ensuring these environment variables are subject to imposed restrictions. Admins can add restrictions to applications by setting the setuid and/or setgid bits, use entitlements, or have a __RESTRICT segment in the Mach-O binary.
T1574.007 Ensure that proper permissions and directory access control are set to deny users the ability to write files to the top-level directory <code>C:</code> and system directories, such as <code>C:Windows</code>, to reduce places where malicious files could be placed for execution. Require that all executables be placed in write-protected directories.
T1590 This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
T1592 This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
T1595 This technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls. Efforts should focus on minimizing the amount and sensitivity of data available to external parties.
© 2022 The MITRE Corporation. Esta obra se reproduce y distribuye con el permiso de The MITRE Corporation.