Vulnerability CVE-2013-4286 - CERT Civis.Net

Vulnerability Name:

CVE-2013-4286 (CCN-91426)

Assigned:

2013-06-12

Published:

2014-02-25

Updated:

2019-04-15

Summary:

Apache Tomcat before 6.0.39, 7.x before 7.0.47, and 8.x before 8.0.0-RC3, when an HTTP connector or AJP connector is used, does not properly handle certain inconsistent HTTP request headers, which allows remote attackers to trigger incorrect identification of a request's length and conduct request-smuggling attacks via (1) multiple Content-Length headers or (2) a Content-Length header and a "Transfer-Encoding: chunked" header.
Note: this vulnerability exists because of an incomplete fix for CVE-2005-2090.

CVSS v3 Severity:

5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)

Exploitability Metrics:	Attack Vector (AV): Network Attack Complexity (AC): Low Privileges Required (PR): None User Interaction (UI): None
Scope:	Scope (S): Unchanged
Impact Metrics:	Confidentiality (C): None Integrity (I): Low Availibility (A): None

CVSS v2 Severity:

5.8 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
4.3 Medium (Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

4.3 Medium (CCN CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N)
3.2 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Athentication (Au): None
Impact Metrics:	Confidentiality (C): None Integrity (I): Partial Availibility (A): None

5.8 Medium (REDHAT CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N)
4.3 Medium (REDHAT Temporal CVSS v2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:U/RL:OF/RC:C)

Exploitability Metrics:	Access Vector (AV): Network Access Complexity (AC): Medium Authentication (Au): None
Impact Metrics:	Confidentiality (C): Partial Integrity (I): Partial Availibility (A): None

Vulnerability Type:

Vulnerability Consequences:

Gain Access

References:

Source: CONFIRM
Type: UNKNOWN
http://advisories.mageia.org/MGASA-2014-0148.html

Source: MITRE
Type: CNA
CVE-2013-4286

Source: CCN
Type: www-announce mailing list archives
CVE-2013-4286 Incomplete fix for CVE-2005-2090 (Information disclosure)

Source: HP
Type: UNKNOWN
HPSBUX03150

Source: HP
Type: UNKNOWN
HPSBOV03503

Source: CCN
Type: RHSA-2014-0343
Moderate: Red Hat JBoss Enterprise Application Platform 6.2.2 update

Source: REDHAT
Type: UNKNOWN
RHSA-2014:0343

Source: CCN
Type: RHSA-2014-0344
Moderate: Red Hat JBoss Enterprise Application Platform 6.2.2 update

Source: REDHAT
Type: UNKNOWN
RHSA-2014:0344

Source: REDHAT
Type: UNKNOWN
RHSA-2014:0345

Source: CCN
Type: RHSA-2014-0429
Moderate: tomcat6 security update

Source: CCN
Type: RHSA-2014-0525
Moderate: Red Hat JBoss Web Server 2.0.1 tomcat6 security update

Source: CCN
Type: RHSA-2014-0526
Moderate: Red Hat JBoss Web Server 2.0.1 tomcat7 security update

Source: CCN
Type: RHSA-2014-0686
Important: tomcat security update

Source: FULLDISC
Type: UNKNOWN
20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities

Source: SECUNIA
Type: UNKNOWN
57675

Source: SECUNIA
Type: UNKNOWN
59036

Source: SECUNIA
Type: UNKNOWN
59675

Source: SECUNIA
Type: UNKNOWN
59722

Source: SECUNIA
Type: UNKNOWN
59724

Source: SECUNIA
Type: UNKNOWN
59733

Source: SECUNIA
Type: UNKNOWN
59873

Source: CONFIRM
Type: UNKNOWN
http://svn.apache.org/viewvc?view=revision&revision=1521829

Source: CONFIRM
Type: UNKNOWN
http://svn.apache.org/viewvc?view=revision&revision=1521854

Source: CONFIRM
Type: UNKNOWN
http://svn.apache.org/viewvc?view=revision&revision=1552565

Source: CCN
Type: Apache Web site
Tomcat

Source: CONFIRM
Type: Vendor Advisory
http://tomcat.apache.org/security-6.html

Source: CONFIRM
Type: Vendor Advisory
http://tomcat.apache.org/security-7.html

Source: CONFIRM
Type: Vendor Advisory
http://tomcat.apache.org/security-8.html

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21667883

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21675886

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21677147

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21678113

Source: CONFIRM
Type: UNKNOWN
http://www-01.ibm.com/support/docview.wss?uid=swg21678231

Source: DEBIAN
Type: UNKNOWN
DSA-3530

Source: CCN
Type: IBM Security Bulletin 1667883
Rational Test Control Panel in Rational Test Workbench and Rational Test Virtualization Server affected by Apache Tomcat vulnerablity (CVE-2013-4286, CVE-2013-4322, CVE-2013-4590)

Source: CCN
Type: IBM Security Bulletin 1668856
Rational Build Forge Security Advisory (CVE-2013-4286)

Source: CCN
Type: IBM Security Bulletin 1669383
Apache Tomcat and FileUpload Vulnerabilities in IBM UrbanCode Deploy (CVE-2014-0050, CVE-2013-4286, CVE-2014-0033, CVE-2013-4322, CVE-2013-4590)

Source: CCN
Type: IBM Security Bulletin 1671330
Multiple Vulnerabilities in Apache Tomcat (CVE-2013-4286, CVE-2013-4322, CVE-2014-0050)

Source: CCN
Type: IBM Security Bulletin 1671862
IBM Initiate Master Data Service is affected by vulnerabilities in Apache Tomcat (CVE-2013-4286, CVE-2014-0033, CVE-2013-4322)

Source: CCN
Type: IBM Security Bulletin 1671934
Multiple security exposures in IBM Cognos Business Viewpoint (CVE-2014- 0411, CVE-2013-4286, CVE-2013-4322)

Source: CCN
Type: IBM Security Bulletin 1672321
Apache Tomcat and FileUpload Vulnerabilities in IBM UrbanCode Release (CVE-2014-0050, CVE-2013-4286, CVE-2014-0033, CVE-2013-4322, CVE-2013-4590)

Source: CCN
Type: IBM Security Bulletin 1673072
Rational Directory Server could be affected by vulnerabilities in Apache Tomcat server (CVE-2013-4286, CVE-2014-0033, CVE-2013-4322, and CVE-2013-4590)

Source: CCN
Type: IBM Security Bulletin 1675006
Multiple Apache Tomcat vulnerabilities in IBM Algo Audit and Compliance (CVE-2013-4286, CVE-2013-4322, CVE-2013-4590, CVE-2014-0033)

Source: CCN
Type: IBM Security Bulletin 1675886
IBM Rational Connector for SAP Solution Manager (CVE-2013-4286 CVE-2014-0033 CVE-2013-4322 CVE-2013-4590)

Source: CCN
Type: IBM Security Bulletin 1676186
Security vulnerabilities in Apache Tomcat affects multiple IBM Rational products based on IBM's Jazz technology (CVE-2013-4286, CVE-2014-0033, CVE-2013-4322, CVE-2013-4590)

Source: CCN
Type: IBM Security Bulletin 1677147
Multiple vulnerabilities in Apache Tomcat used by IBM QRadar Security Information and Event Manager 7.1 MR2, and 7.2 MR2. (CVE-2013-4286, CVE-2014-0033, CVE-2013-4322, CVE-2013-4590)

Source: CCN
Type: IBM Security Bulletin 1677448
IBM OpenPages GRC Platform, multiple vulnerabilities in bundled version of Apache Tomcat

Source: CCN
Type: IBM Security Bulletin 1678113
Multiple vulnerabilities exist in IMS Enterprise Suite SOAP Gateway (CVE-2014-0453, CVE-2013-4286, CVE-2013-4322)

Source: CCN
Type: IBM Security Bulletin 1678132
Open Source Apache Tomcat - 4 issues (CVE-2013-4286) for RAF

Source: CCN
Type: IBM Security Bulletin 1678231
Rational Lifecycle Adapter for HP ALM Apache Tomcat fix (CVE-2013-4286, CVE-2014-0033, CVE-2013-4322, CVE-2013-4590, CVE-2014-0075, CVE-2014-0095, CVE-2014-0096, CVE-2014-0099, CVE-2014-0119)

Source: CCN
Type: IBM Security Bulletin 1678892
Tivoli Application Dependency Discovery Manager - Open Source Tomcat issues reported between March - May 2014.

Source: CCN
Type: IBM Security Bulletin 1680754
Security vulnerabilities in Apache Tomcat for WebSphere Application Server Community Edition 2.1.1.6 and 3.0.0.4(CVE-2013-4286,CVE-2012-3544,CVE-2013-4322,CVE-2013-4590,CVE-2014-0033)

Source: CCN
Type: IBM Security Bulletin 1687761
IBM Algo One is affected by multiple Open Source Tomcat security vulnerabilities (CVE-2013-4444, CVE-2013-4286, CVE-2014-0033, CVE-2013-4322, CVE-2013-4590)

Source: MANDRIVA
Type: UNKNOWN
MDVSA-2015:052

Source: CCN
Type: Oracle CPUOct2016
Oracle Critical Patch Update Advisory - October 2016

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

Source: CCN
Type: Oracle Critical Patch Update - April 2015
Oracle Critical Patch Update - April 2015

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html

Source: CCN
Type: Oracle Critical Patch Update Advisory - January 2015
Oracle Critical Patch Update Advisory - January 2015

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

Source: CCN
Type: Oracle Critical Patch Update Advisory - July 2014
Oracle Critical Patch Update Advisory - July 2014

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

Source: BUGTRAQ
Type: UNKNOWN
20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities

Source: BID
Type: UNKNOWN
65773

Source: CCN
Type: BID-65773
Apache Tomcat CVE-2013-4286 Security Bypass Vulnerability

Source: UBUNTU
Type: UNKNOWN
USN-2130-1

Source: CONFIRM
Type: UNKNOWN
http://www.vmware.com/security/advisories/VMSA-2014-0012.html

Source: CONFIRM
Type: UNKNOWN
https://bugzilla.redhat.com/show_bug.cgi?id=1069921

Source: XF
Type: UNKNOWN
tomcat-cve20134286-request-smuggling(91426)

Source: CONFIRM
Type: UNKNOWN
https://h20564.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c04851013

Source: MLIST
Type: UNKNOWN
[tomcat-dev] 20190413 svn commit: r1857494 [15/20] - in /tomcat/site/trunk: ./ docs/ xdocs/

Source: MLIST
Type: UNKNOWN
[tomcat-dev] 20190325 svn commit: r1856174 [21/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/

Source: MLIST
Type: UNKNOWN
[tomcat-dev] 20190415 svn commit: r1857582 [16/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/

Source: MLIST
Type: UNKNOWN
[tomcat-dev] 20190319 svn commit: r1855831 [23/30] - in /tomcat/site/trunk: ./ docs/ xdocs/

Source: MLIST
Type: UNKNOWN
[tomcat-dev] 20200203 svn commit: r1873527 [23/30] - /tomcat/site/trunk/docs/

Source: MLIST
Type: UNKNOWN
[tomcat-dev] 20200213 svn commit: r1873980 [26/34] - /tomcat/site/trunk/docs/

Source: REDHAT
Type: UNKNOWN
RHSA-2014:0686

Source: CCN
Type: IBM Security Bulletin 6496741 (Sterling B2B Integrator)
Apache Log4j Vulnerabilities Affect IBM Sterling B2B Integrator

Source: CCN
Type: IBM Security Bulletin 6595755 (Disconnected Log Collector)
IBM Disconnected Log Collector is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6858013 (Tivoli Application Dependency Discovery Manager)
TADDM affected by multiple vulnerabilities due to Apache Tomcat libraries

Source: CCN
Type: WhiteSource Vulnerability Database
CVE-2013-4286

Vulnerable Configuration:

Configuration 1:

cpe:/a:apache:tomcat:7.0.0:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.2:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.4:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.10:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.11:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.12:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.13:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.14:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.15:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.16:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.17:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.18:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.19:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.20:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.21:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.22:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.23:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.24:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.25:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.26:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.27:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.28:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.29:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.30:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.31:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.32:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.33:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.34:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.35:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.36:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.37:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.38:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.39:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.40:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.41:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.42:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.43:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.44:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.45:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:7.0.46:*:*:*:*:*:*:*

Configuration 2:

cpe:/a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*

Configuration 3:

cpe:/a:apache:tomcat:1.1.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.0:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.1.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2.2:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2.2:beta2:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.2.4:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.3.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.3.1a:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:3.3.2:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.0.0:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.0.5:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.0.6:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.0:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.2:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.3:beta:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.9:beta:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.10:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.12:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.15:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.24:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.28:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.29:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.31:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:4.1.36:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.0:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.2:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.4:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.5:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.6:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.7:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.8:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.9:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.10:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.11:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.12:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.13:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.14:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.15:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.16:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.17:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.18:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.19:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.21:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.22:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.23:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.24:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.25:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.26:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.27:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.28:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.29:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.0.30:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.0:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.2:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.4:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.5:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.6:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.7:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.8:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.9:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.10:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.11:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.12:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.13:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.14:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.15:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.16:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.17:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.18:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.19:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.20:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.21:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.22:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.23:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.24:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.25:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.26:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.27:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.28:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.29:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.30:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.31:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.32:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.33:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.34:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:5.5.35:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.0:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.0:alpha:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.1:alpha:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.2:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.2:alpha:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.2:beta:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.3:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.10:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.11:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.12:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.13:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.14:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.15:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.16:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.17:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.18:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.19:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.20:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.24:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.26:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.27:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.28:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.29:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.30:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.31:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.32:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.33:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.35:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.36:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:*:*:*:*:*:*:*:* (Version <= 6.0.37)

Configuration RedHat 1:

cpe:/o:redhat:enterprise_linux:6:*:*:*:*:*:*:*

Configuration RedHat 2:

cpe:/o:redhat:enterprise_linux:6::client:*:*:*:*:*

Configuration RedHat 3:

cpe:/o:redhat:enterprise_linux:6::computenode:*:*:*:*:*

Configuration RedHat 4:

cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

Configuration RedHat 5:

cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

Configuration RedHat 6:

cpe:/o:redhat:enterprise_linux:7:*:*:*:*:*:*:*

Configuration RedHat 7:

cpe:/o:redhat:enterprise_linux:7::client:*:*:*:*:*

Configuration RedHat 8:

cpe:/o:redhat:enterprise_linux:7::computenode:*:*:*:*:*

Configuration RedHat 9:

cpe:/o:redhat:enterprise_linux:7::server:*:*:*:*:*

Configuration RedHat 10:

cpe:/o:redhat:enterprise_linux:7::workstation:*:*:*:*:*

Configuration CCN 1:

cpe:/a:apache:tomcat:7:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.33:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:6.0.35:*:*:*:*:*:*:*

OR cpe:/a:apache:tomcat:8.0:*:*:*:*:*:*:*

AND

cpe:/o:redhat:enterprise_linux:5::client:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:6::server:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux:6::workstation:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_desktop:6:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_hpc_node:6:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_directory_server:5.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_message_broker:7.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_message_broker:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_directory_server:5.2.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_directory_server:5.2.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_directory_server:5.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_directory_server:5.1.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_build_forge:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_automation_framework:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_automation_framework:3.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:qradar_security_information_and_event_manager:7.2:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_hpc_node:7:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:ims_enterprise_suite:2.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:algo_audit_and_compliance:2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_business_viewpoint:10.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:cognos_business_viewpoint:10.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:initiate_master_data_service:10.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:initiate_master_data_service:10.1.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_build_forge:8.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode:6.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode:6.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode:6.0.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode:6.0.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:ims_enterprise_suite:2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_build_forge:7.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_build_forge:7.1.3.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_build_forge:7.1.3.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_build_forge:7.1.3.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_build_forge:7.1.3.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_build_forge:7.1.3.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.2.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.2.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:websphere_application_server:3.0.0.4:-:community:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:3.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:3.0.1.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_collaborative_lifecycle_management:4.0.6:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_automation_framework:3.0.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.0.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:urbancode_deploy:6.0.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_connector:4:*:*:*:sap_solution_manager:*:*:*

OR cpe:/a:ibm:openpages_grc_platform:6.0.1.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:openpages_grc_platform:6.1.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.0.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.0.0.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.0.0.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.0.1.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.0.1.2:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.0.1.3:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.0.1.4:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.5:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.5.0.1:*:*:*:*:*:*:*

OR cpe:/a:ibm:rational_test_workbench:8.5.0.2:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_desktop:7:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_server:7:*:*:*:*:*:*:*

OR cpe:/o:redhat:enterprise_linux_workstation:7:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:sterling_b2b_integrator:5.2.0.0:*:*:*:*:*:*:*

OR cpe:/a:ibm:tivoli_application_dependency_discovery_manager:7.3.0.0:*:*:*:*:*:*:*

Denotes that component is vulnerable

Oval Definitions

Definition ID	Class	Title	Last Modified
oval:org.cisecurity:def:585	P	DSA-3530-1 -- tomcat6 -- security update	2016-07-01
oval:org.mitre.oval:def:27148	P	ELSA-2014-0686 -- tomcat security update (important)	2014-12-15
oval:org.mitre.oval:def:26848	V	HP-UX Apache Server Suite running Apache Tomcat or PHP, Remote Denial of Service (DoS) and Other Vulnerabilities	2014-12-15
oval:org.mitre.oval:def:25020	P	RHSA-2014:0686: tomcat security update (Important)	2014-09-08
oval:org.mitre.oval:def:24843	P	ELSA-2014:0429: tomcat6 security update (Moderate)	2014-07-21
oval:org.mitre.oval:def:24488	P	RHSA-2014:0429: tomcat6 security update (Moderate)	2014-06-30
oval:org.mitre.oval:def:24367	P	USN-2130-1 -- tomcat6, tomcat7 vulnerabilities	2014-06-30
oval:com.redhat.rhsa:def:20140686	P	RHSA-2014:0686: tomcat security update (Important)	2014-06-10
oval:com.redhat.rhsa:def:20140429	P	RHSA-2014:0429: tomcat6 security update (Moderate)	2014-04-23
oval:com.ubuntu.xenial:def:20134286000	V	CVE-2013-4286 on Ubuntu 16.04 LTS (xenial) - medium.	2014-02-26
oval:com.ubuntu.xenial:def:201342860000000	V	CVE-2013-4286 on Ubuntu 16.04 LTS (xenial) - medium.	2014-02-26
oval:com.ubuntu.precise:def:20134286000	V	CVE-2013-4286 on Ubuntu 12.04 LTS (precise) - medium.	2014-02-26
oval:com.ubuntu.trusty:def:20134286000	V	CVE-2013-4286 on Ubuntu 14.04 LTS (trusty) - medium.	2014-02-26