This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
chethan_m
Collaborator
‎2023-06-02 01:19 AM
Jump to solution

Checkpoint SMS - Apache Tomcat Information Disclosure Vulnerability (CVE-2023-28708)

Hi Everyone,

 

GAIA OS R81.10 JHF Take 95

 

We have deployed Checkpoint Security Management Sever in one of our customers environments. The security team have run VA (Vulnerability Assessment) tests and found a set of vulnerabilities and one of which is: Apache Tomcat Information Disclosure Vulnerability (CVE-2023-28708). 

CVE - CVE-2023-28708 (mitre.org)

Apache Tomcat® - Apache Tomcat 9 vulnerabilities - Affects: 9.0.0-M1 to 9.0.71, Fixed in Apache Tomcat 9.0.72.

 

Assessment Result:

Title: Apache Tomcat information disclosure Vulnerability (CVE-2023-28708)

Severity: Medium

Port: 80

Protocol: TCPzCVE-ID: CVE-2023-28708

CVSS Base: 5.4 (AV:A/AC:M/Au:M/C:N/I:C/A:P)

CVSS3.1 Base: 4.3 (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N)

Threat: 

"Apache Tomcat is an open source web server and servlet container developed by the Apache Software Foundation.

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Affected versions:
Apache Tomcat 9.0.0-M1 to 9.0.71

QID Detection Logic (Unauthenticated):
This QID sends a HTTP GET request to an invalid URL and based on the response confirms the vulnerable instance of Apache Tomcat running on the host."

Impact:

Successful exploitation of this vulnerability could reveal sensitive information to an unauthorized attacker.

Solution:

"Customers are advised to upgrade Apache Tomcat to the new version to remediate this vulnerability. For more information please refer to Apache Tomcat Security Advisory (https://tomcat.apache.org/security-9.htmlFixed_in_Apache_Tomcat_9.0.72).
Patch:
Following are links for downloading patches to fix the vulnerabilities:
Apache Tomcat (https://tomcat.apache.org/security-9.htmlFixed_in_Apache_Tomcat_9.0.72)"

Result:

"Vulnerable version of Apache Tomcat detected on port 80.
<title>HTTP Status 404 Not Found</title><style type=""text/css"">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:525D76;border:none;}</style></head><body> HTTP Status 404 Not Found <hr class=""line"" /> Type Status Report</p> Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class=""line"" /> Apache Tomcat/9.0.71 </body>"

 

The VA Test team have suggested us to upgrade Apache Tomcat on Gaia.  

Is this vulnerability patched in latest GAIA version or JHF? or is it possible to upgrade only the Apache package individually?

 

Thank you.

 
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-06-05 09:05 AM
In response to chethan_m
Jump to solution

The software included in our OS images cannot be updated independently of a (jumbo) hotfix or version upgrade.
In any case, from the couple of TAC cases that have been raised on this CVE, the answer is: not vulnerable to this CVE.
If you'd like a more formal statement, I recommend a TAC case.

View solution in original post

9 Replies
PhoneBoy
Admin
Admin
‎2023-06-02 10:10 AM
Jump to solution

This does not appear to be a severe vulnerability.
Your best bet is to open a TAC case: https://help.checkpoint.com

0 Kudos
chethan_m
Collaborator
‎2023-06-03 05:32 AM
In response to PhoneBoy
Jump to solution

Thank you. I will update the same to our end customer and open a TAC case if necessary.

0 Kudos
the_rock
Legend
Legend
‎2023-06-02 11:35 AM
Jump to solution

Based on below, its medium score:

https://nvd.nist.gov/vuln/detail/CVE-2023-28708

As far as below, cant even find it anywhere.

https://advisories.checkpoint.com/advisories/

Andy

0 Kudos
chethan_m
Collaborator
‎2023-06-03 05:43 AM
In response to the_rock
Jump to solution

Thank you for sharing. We had checked it already.

I personally wanted to know if we can view and upgrade Apache Tomcat separately or will it be like regular process i.e., using CPUSE engine for HF, JHF, applicable software package installation.

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2023-06-03 06:31 AM
In response to chethan_m
Jump to solution

Regular process if deemed necessary, jumbos have had updates for Apache in the past.

CCSM R77/R80/ELITE
0 Kudos
chethan_m
Collaborator
‎2023-06-04 11:05 PM
In response to Chris_Atkinson
Jump to solution

Got it. Thank you.

0 Kudos
the_rock
Legend
Legend
‎2023-06-05 09:22 AM
In response to chethan_m
Jump to solution

As Phoneboy said, if you need an official statement, TAC case would be best.

Andy

0 Kudos
chethan_m
Collaborator
‎2023-06-19 08:36 PM
In response to the_rock
Jump to solution

Thank you. Opened aTAC case.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-06-05 09:05 AM
In response to chethan_m
Jump to solution

The software included in our OS images cannot be updated independently of a (jumbo) hotfix or version upgrade.
In any case, from the couple of TAC cases that have been raised on this CVE, the answer is: not vulnerable to this CVE.
If you'd like a more formal statement, I recommend a TAC case.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events