Category Archives: CWE

Advisories, CWE, Education

The Most Dangerous Vulnerabilities in Apache Tomcat and How to Protect Against Them

Read Time:2 Minute, 19 Second

Apache Tomcat is an open-source web server and servlet container that is widely used in enterprise environments to run Java web applications. However, like any web server, it is also vulnerable to various security threats. In this article, we’ll explore some of the most dangerous vulnerabilities in Tomcat and provide tips on how to protect your server from potential attacks.

  1. CVE-2020-1938 (Ghostcat) CVE-2020-1938, also known as Ghostcat, is a vulnerability that allows attackers to view sensitive information on Tomcat servers. This vulnerability can be exploited by sending a specially crafted request to the server, allowing an attacker to view files and directories that are not intended to be public. Ghostcat affects Tomcat versions 7.x, 8.x, 9.x, and 10.x.

To protect against Ghostcat, users should ensure that their Tomcat servers are up-to-date with the latest security patches. Additionally, users should limit access to sensitive files and directories, and implement network security measures such as firewalls and VPNs.

  1. CVE-2017-12617 (Apache Tomcat Remote Code Execution) CVE-2017-12617 is a remote code execution vulnerability that allows attackers to execute arbitrary code on Tomcat servers. This vulnerability can be exploited by sending a specially crafted request to the server, allowing an attacker to execute commands on the server as the user running the Tomcat process.

To protect against this vulnerability, users should ensure that their Tomcat servers are up-to-date with the latest security patches. Additionally, users should follow best practices such as restricting access to the Tomcat server to trusted networks and disabling unnecessary features and services.

  1. CVE-2020-9484 (Apache Tomcat RCE) CVE-2020-9484 is a remote code execution vulnerability that allows attackers to execute arbitrary code on Tomcat servers. This vulnerability can be exploited by sending a specially crafted request to the server, allowing an attacker to execute commands on the server with the permissions of the user running the Tomcat process.

To protect against this vulnerability, users should ensure that their Tomcat servers are up-to-date with the latest security patches. Additionally, users should restrict access to the Tomcat server to trusted networks, implement network security measures such as firewalls and VPNs, and limit the use of default or weak passwords.


Apache Tomcat is a popular web server and servlet container that is widely used in enterprise environments. However, it is also vulnerable to various security threats. To protect against these threats, users should ensure that their Tomcat servers are up-to-date with the latest security patches, follow best practices such as restricting access to the server and implementing network security measures, and stay informed about emerging threats and vulnerabilities. By taking these steps, users can help safeguard their Tomcat servers and prevent potential attacks.

Advisories, CWE, Education

ZDI-CAN-18333: A Critical Zero-Day Vulnerability in Microsoft Windows

Read Time:1 Minute, 46 Second

Zero-day vulnerabilities are a serious threat to cybersecurity, as they can be exploited by malicious actors to gain unauthorized access to systems. One such vulnerability is ZDI-CAN-18333, a critical zero-day vulnerability that affects Microsoft Windows. In this article, we’ll take a closer look at what this vulnerability is, how it works, and what you can do to protect your systems.

What is ZDI-CAN-18333?

ZDI-CAN-18333 is a zero-day vulnerability that was discovered by researchers from the Zero Day Initiative (ZDI). The vulnerability affects Microsoft Windows, one of the most widely used operating systems in the world. ZDI-CAN-18333 is considered critical as it could allow attackers to execute arbitrary code on a victim’s system, potentially giving them access to sensitive information.

How does ZDI-CAN-18333 work?

The ZDI-CAN-18333 vulnerability is related to the way that Microsoft Windows processes certain types of user input. Specifically, the vulnerability is related to the way that the operating system handles the printing of documents. By exploiting this flaw, an attacker can execute arbitrary code on a victim’s system, potentially giving them access to sensitive information or allowing them to install other malware.

What can you do to protect your systems?

Microsoft has released a security patch to address the ZDI-CAN-18333 vulnerability, which should be installed as soon as possible. Additionally, users should ensure that their operating system is up to date with the latest version of Microsoft Windows, as older versions may not be eligible for security patches. It’s also recommended to follow standard security practices such as avoiding suspicious websites and downloads, using strong passwords, and enabling two-factor authentication.

Zero-day vulnerabilities like ZDI-CAN-18333 are a serious threat to cybersecurity, and it’s important to stay informed about emerging threats and take steps to protect your systems. By keeping your operating system up to date with the latest security patches and following standard security practices, you can help safeguard your system from potential attacks. Remember to stay vigilant and report any suspicious activity to your IT department or security provider.

CWE

CWE-669 – Incorrect Resource Transfer Between Spheres

Read Time:49 Second

Description

The product does not properly transfer a resource/behavior to another sphere, or improperly imports a resource/behavior from another sphere, in a manner that provides unintended control over that resource.

A “control sphere” is a set of resources and behaviors that are accessible to a single actor, or a group of actors. A product’s security model will typically define multiple spheres, possibly implicitly. For example, a server might define one sphere for “administrators” who can create new user accounts with subdirectories under /home/server/, and a second sphere might cover the set of users who can create or delete files within their own subdirectories. A third sphere might be “users who are authenticated to the operating system on which the product is installed.” Each sphere has different sets of actors and allowable behaviors.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-664

 

Consequences

Confidentiality, Integrity: Read Application Data, Modify Application Data, Unexpected State

 

Potential Mitigations

CVE References

CWE

CWE-67 – Improper Handling of Windows Device Names

Read Time:2 Minute, 22 Second

Description

The software constructs pathnames from user input, but it does not handle or incorrectly handles a pathname containing a Windows device name such as AUX or CON. This typically leads to denial of service or an information exposure when the application attempts to process the pathname as a regular file.

Not properly handling virtual filenames (e.g. AUX, CON, PRN, COM1, LPT1) can result in different types of vulnerabilities. In some cases an attacker can request a device via injection of a virtual filename in a URL, which may cause an error that leads to a denial of service or an error page that reveals sensitive information. A software system that allows device names to bypass filtering runs the risk of an attacker injecting malicious code in a file with the name of a device.

Historically, there was a bug in the Windows operating system that caused a blue screen of death. Even after that issue was fixed DOS device names continue to be a factor.

Modes of Introduction:

– Architecture and Design

 

Likelihood of Exploit: High

 

Related Weaknesses

CWE-66

 

Consequences

Availability, Confidentiality, Other: DoS: Crash, Exit, or Restart, Read Application Data, Other

 

Potential Mitigations

Phase: Implementation

Description: 

Be familiar with the device names in the operating system where your system is deployed. Check input for these device names.

CVE References

  • CVE-2002-0106
    • Server allows remote attackers to cause a denial of service via a series of requests to .JSP files that contain an MS-DOS device name.
  • CVE-2002-0200
    • Server allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
  • CVE-2002-1052
    • Product allows remote attackers to use MS-DOS device names in HTTP requests to cause a denial of service or obtain the physical path of the server.
  • CVE-2001-0493
    • Server allows remote attackers to cause a denial of service via a URL that contains an MS-DOS device name.
  • CVE-2001-0558
    • Server allows a remote attacker to create a denial of service via a URL request which includes a MS-DOS device name.
  • CVE-2000-0168
    • Microsoft Windows 9x operating systems allow an attacker to cause a denial of service via a pathname that includes file device names, aka the “DOS Device in Path Name” vulnerability.
  • CVE-2001-0492
    • Server allows remote attackers to determine the physical path of the server via a URL containing MS-DOS device names.
  • CVE-2004-0552
    • Product does not properly handle files whose names contain reserved MS-DOS device names, which can allow malicious code to bypass detection when it is installed, copied, or executed.
  • CVE-2005-2195
    • Server allows remote attackers to cause a denial of service (application crash) via a URL with a filename containing a .cgi extension and an MS-DOS device name.
CWE

CWE-670 – Always-Incorrect Control Flow Implementation

Read Time:49 Second

Description

The code contains a control flow path that does not reflect the algorithm that the path is intended to implement, leading to incorrect behavior any time this path is navigated.

This weakness captures cases in which a particular code segment is always incorrect with respect to the algorithm that it is implementing. For example, if a C programmer intends to include multiple statements in a single block but does not include the enclosing braces (CWE-483), then the logic is always incorrect. This issue is in contrast to most weaknesses in which the code usually behaves correctly, except when it is externally manipulated in malicious ways.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-691

 

Consequences

Other: Other, Alter Execution Logic

 

Potential Mitigations

CVE References

  • CVE-2021-3011
    • virtual interrupt controller in a virtualization product allows crash of host by writing a certain invalid value to a register, which triggers a fatal error instead of returning an error code
CWE

CWE-671 – Lack of Administrator Control over Security

Read Time:39 Second

Description

The product uses security features in a way that prevents the product’s administrator from tailoring security settings to reflect the environment in which the product is being used. This introduces resultant weaknesses or prevents it from operating at a level of security that is desired by the administrator.

If the product’s administrator does not have the ability to manage security-related decisions at all times, then protecting the product from outside threats – including the product’s developer – can become impossible. For example, a hard-coded account name and password cannot be changed by the administrator, thus exposing that product to attacks that the administrator can not prevent.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-657

 

Consequences

Other: Varies by Context

 

Potential Mitigations

CVE References

CWE

CWE-672 – Operation on a Resource after Expiration or Release

Read Time:41 Second

Description

The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-666

 

Consequences

Integrity, Confidentiality: Modify Application Data, Read Application Data

If a released resource is subsequently reused or reallocated, then an attempt to use the original resource might allow access to sensitive data that is associated with a different user or entity.

Other, Availability: Other, DoS: Crash, Exit, or Restart

When a resource is released it might not be in an expected state, later attempts to access the resource may lead to resultant errors that may lead to a crash.

 

Potential Mitigations

CVE References

  • CVE-2009-3547
    • chain: race condition might allow resource to be released before operating on it, leading to NULL dereference
CWE

CWE-673 – External Influence of Sphere Definition

Read Time:22 Second

Description

The product does not prevent the definition of control spheres from external actors.

Typically, a product defines its control sphere within the code itself, or through configuration by the product’s administrator. In some cases, an external party can change the definition of the control sphere. This is typically a resultant weakness.

Modes of Introduction:

– Architecture and Design

 

 

Related Weaknesses

CWE-664

 

Consequences

Other: Other

 

Potential Mitigations

CVE References

CWE

CWE-674 – Uncontrolled Recursion

Read Time:1 Minute, 29 Second

Description

The product does not properly control the amount of recursion which takes place, consuming excessive resources, such as allocated memory or the program stack.

Modes of Introduction:

– Implementation

 

 

Related Weaknesses

CWE-691

 

Consequences

Availability: DoS: Resource Consumption (CPU), DoS: Resource Consumption (Memory)

Resources including CPU, memory, and stack memory could be rapidly consumed or exhausted, eventually leading to an exit or crash.

Confidentiality: Read Application Data

In some cases, an application’s interpreter might kill a process or thread that appears to be consuming too much resources, such as with PHP’s memory_limit setting. When the interpreter kills the process/thread, it might report an error containing detailed information such as the application’s installation path.

 

Potential Mitigations

Phase: Implementation

Effectiveness: Moderate

Description: 

Ensure an end condition will be reached under all logic conditions. The end condition may include testing against the depth of recursion and exiting with an error if the recursion goes too deep. The complexity of the end condition contributes to the effectiveness of this action.

Phase: Implementation

Effectiveness: Limited

Description: 

Increase the stack size.

Increasing the stack size might only be a temporary measure, since the stack typically is still not very large, and it might remain easy for attackers to cause an out-of-stack fault.

CVE References

  • CVE-2007-3409
    • Self-referencing pointers create infinite loop and resultant stack exhaustion.
  • CVE-2016-10707
    • Javascript application accidentally changes input in a way that prevents a recursive call from detecting an exit condition.
  • CVE-2016-3627
    • An attempt to recover a corrupted XML file infinite recursion protection counter was not always incremented missing the exit condition.
  • CVE-2019-15118
    • USB-audio driver’s descriptor code parsing allows unlimited recursion leading to stack exhaustion.