Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
chethan_m
Collaborator
Jump to solution

Checkpoint SMS - Apache Tomcat Information Disclosure Vulnerability (CVE-2023-28708)

Hi Everyone,

 

GAIA OS R81.10 JHF Take 95

 

We have deployed Checkpoint Security Management Sever in one of our customers environments. The security team have run VA (Vulnerability Assessment) tests and found a set of vulnerabilities and one of which is: Apache Tomcat Information Disclosure Vulnerability (CVE-2023-28708). 

CVE - CVE-2023-28708 (mitre.org)

Apache Tomcat® - Apache Tomcat 9 vulnerabilities - Affects: 9.0.0-M1 to 9.0.71, Fixed in Apache Tomcat 9.0.72.

 

Assessment Result:

Title: Apache Tomcat information disclosure Vulnerability (CVE-2023-28708)

Severity: Medium

Port: 80

Protocol: TCPzCVE-ID: CVE-2023-28708

CVSS Base: 5.4 (AV:A/AC:M/Au:M/C:N/I:C/A:P)

CVSS3.1 Base: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Threat: 

"Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Affected versions:
Apache Tomcat 9.0.0-M1 to 9.0.71

QID Detection Logic (Unauthenticated):
This QID sends a HTTP GET request to an invalid URL and based on the response confirms the vulnerable instance of Apache Tomcat running on the host."

Impact:

Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

Solution:

"Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory (https://tomcat.apache.org/security-9.htmlFixed_in_Apache_Tomcat_9.0.72).
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Apache Tomcat (https://tomcat.apache.org/security-9.htmlFixed_in_Apache_Tomcat_9.0.72)"

Result:

"Vulnerable version of Apache Tomcat detected on port 80.
<title>HTTP Status 404 Not Found</title><style type=""text/css"">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:525D76;border:none;}</style></head><body> HTTP Status 404 Not Found <hr class=""line"" /> Type Status Report</p> Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class=""line"" /> Apache Tomcat/9.0.71 </body>"

 

The VA Test team have suggested us to upgrade Apache Tomcat on Gaia.  

Is this vulnerability patched in latest GAIA version or JHF? or is it possible to upgrade only the Apache package individually?

 

Thank you.

 
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

The software included in our OS images cannot be updated independently of a (jumbo) hotfix or version upgrade.
In any case, from the couple of TAC cases that have been raised on this CVE, the answer is: not vulnerable to this CVE.
If you'd like a more formal statement, I recommend a TAC case.

View solution in original post

9 Replies
PhoneBoy
Admin
Admin

This does not appear to be a severe vulnerability.
Your best bet is to open a TAC case: https://help.checkpoint.com

0 Kudos
chethan_m
Collaborator

Thank you. I will update the same to our end customer and open a TAC case if necessary.

0 Kudos
the_rock
Legend
Legend

Based on below, its medium score:

https://nvd.nist.gov/vuln/detail/CVE-2023-28708

As far as below, cant even find it anywhere.

https://advisories.checkpoint.com/advisories/

Andy

0 Kudos
chethan_m
Collaborator

Thank you for sharing. We had checked it already.

I personally wanted to know if we can view and upgrade Apache Tomcat separately or will it be like regular process i.e., using CPUSE engine for HF, JHF, applicable software package installation.

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Regular process if deemed necessary, jumbos have had updates for Apache in the past.

CCSM R77/R80/ELITE
0 Kudos
chethan_m
Collaborator

Got it. Thank you.

0 Kudos
the_rock
Legend
Legend

As Phoneboy said, if you need an official statement, TAC case would be best.

Andy

0 Kudos
chethan_m
Collaborator

Thank you. Opened aTAC case.

0 Kudos
PhoneBoy
Admin
Admin

The software included in our OS images cannot be updated independently of a (jumbo) hotfix or version upgrade.
In any case, from the couple of TAC cases that have been raised on this CVE, the answer is: not vulnerable to this CVE.
If you'd like a more formal statement, I recommend a TAC case.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events