2013-11 Security Bulletin: Network and Security Manager: Apache Tomcat security update

[JSA10600]


Product Affected:
NSM3000 and NSMExpress with NSM releases 2010.3, 2011.4, 2012.1, 2012.2 and NSM software releases 2010.3, 2011.4, 2012.1, 2012.2
Problem:
Apache Tomcat server software included with Network and Security Manager is affected by multiple security vulnerabilities. The following may pose a security risk to NSM:

CVE             CVSSv2 Base Score and Vector             Summary
CVE-2012-0022   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)         High CPU consumption denial of service vulnerability
CVE-2012-5568   5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)         Denial of service vulnerability with partial requests
CVE-2012-5885   5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)         Authentication bypass vulnerability in Apache Tomcat
CVE-2012-5886   5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)         Authentication bypass vulnerability in Apache Tomcat
CVE-2012-5887   5.0 (AV:N/AC:L/Au:N/C:N/I:P/A:N)         Authentication bypass vulnerability in Apache Tomcat
Solution:
The following NSM releases contain the fix:
NSM 2012.2R5 (released Oct 10, 2013) and later releases.

Apache Tomcat has been upgraded from 5.5.34 to 6.0.37 in NSM 2012.2R5 and later releases.
Workaround:
Limit access to NSM only from trusted hosts.
Implementation:
The NSM software update can be obtained from:
http://www.juniper.net/support/downloads/?p=nsm#sw
Related Links:
CVSS Score:
5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
Severity Level:
Medium
Severity Assessment:
The CVSSv2 Base score is based on the Apache Tomcat vulnerability scores. These issues may allow a network-based attacker to easily impact the confidentiality, integrity or availability of NSM's web service.
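The bulletin's 5.0 score is the highest base score among the five listed CVEs, each derived from the CVSSv2 vector shown in the table. The following calculator is an added example, not Juniper or Apache code: it parses the v2 vectors as printed in this bulletin, applies the CVSSv2 base-score equations and metric weights from the CVSS v2 specification, and cross-checks the computed scores against the published ones so a reviewer can verify a bulletin rather than trust its numbers. The `ADVISORY_CVES` list is transcribed from the table above; the function names are this example's own.

```python
"""CVSSv2 base-score calculator (added example; not Juniper's or Apache's code).

Scores the vectors listed in JSA10600 using the CVSS v2 base equations and
returns the advisory-level score as the maximum over the listed CVEs.
"""
from decimal import Decimal, ROUND_HALF_UP

# CVSS v2 base metric weights, as given in the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}

EXPECTED_METRICS = {"AV", "AC", "Au", "C", "I", "A"}


def parse_vector(vector: str) -> dict:
    """Parse 'AV:N/AC:L/Au:N/C:N/I:N/A:P' into a metric -> value dict.

    Missing, duplicated or unknown metric names raise ValueError so that a
    mistyped bulletin line cannot silently score as 0.
    """
    metrics = {}
    for part in vector.strip().strip("()").split("/"):
        if ":" not in part:
            raise ValueError(f"malformed metric {part!r} in {vector!r}")
        name, value = part.split(":", 1)
        if name in metrics:
            raise ValueError(f"duplicate metric {name!r} in {vector!r}")
        metrics[name] = value
    if set(metrics) != EXPECTED_METRICS:
        raise ValueError(
            f"expected metrics {sorted(EXPECTED_METRICS)}, got {sorted(metrics)}"
        )
    return metrics


def base_score(vector: str) -> float:
    """CVSS v2 base score for one vector, rounded to one decimal (half-up)."""
    m = parse_vector(vector)
    try:
        av = ACCESS_VECTOR[m["AV"]]
        ac = ACCESS_COMPLEXITY[m["AC"]]
        au = AUTHENTICATION[m["Au"]]
        c, i, a = IMPACT[m["C"]], IMPACT[m["I"]], IMPACT[m["A"]]
    except KeyError as exc:
        raise ValueError(f"unknown metric value {exc} in {vector!r}") from None
    # Impact and Exploitability sub-scores, then the base equation.
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * av * ac * au
    f_impact = 0 if impact == 0 else 1.176  # a vector with no impact scores 0
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    return float(Decimal(str(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# The CVE table from the bulletin: (CVE, vector, score as published).
ADVISORY_CVES = [
    ("CVE-2012-0022", "AV:N/AC:L/Au:N/C:N/I:N/A:P", 5.0),
    ("CVE-2012-5568", "AV:N/AC:L/Au:N/C:N/I:N/A:P", 5.0),
    ("CVE-2012-5885", "AV:N/AC:L/Au:N/C:P/I:N/A:N", 5.0),
    ("CVE-2012-5886", "AV:N/AC:L/Au:N/C:N/I:P/A:N", 5.0),
    ("CVE-2012-5887", "AV:N/AC:L/Au:N/C:N/I:P/A:N", 5.0),
]


def advisory_score(entries=ADVISORY_CVES) -> float:
    """Advisory-level score: the highest base score among the listed CVEs."""
    return max(base_score(vector) for _, vector, _ in entries)


def score_mismatches(entries=ADVISORY_CVES) -> list:
    """(CVE, published, computed) for every entry whose published score is wrong."""
    return [
        (cve, published, base_score(vector))
        for cve, vector, published in entries
        if base_score(vector) != published
    ]


if __name__ == "__main__":
    for cve, vector, published in ADVISORY_CVES:
        print(f"{cve}: {vector} -> {base_score(vector)} (published {published})")
    print("advisory score:", advisory_score())
    print("mismatches:", score_mismatches())
```

Run it as a script to print each CVE's computed score beside the published one; `score_mismatches()` returns an empty list for this bulletin, confirming that every printed 5.0 follows from its vector. The same `base_score` function works for any v2 vector, so it can be pointed at other bulletins' tables by editing the `ADVISORY_CVES` list.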
Acknowledgements: