ESB-2017.1892 - [RedHat] tomcat: Multiple vulnerabilities 2017-08-02


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1892
           Low: tomcat security, bug fix, and enhancement update
                               2 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           tomcat
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux WS/Desktop 7
Impact/Access:     Access Confidential Data -- Remote/Unauthenticated
                   Reduced Security         -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-6797 CVE-2016-6796 CVE-2016-6794
                   CVE-2016-5018 CVE-2016-0762 

Reference:         ASB-2017.0058
                   ESB-2017.1595
                   ESB-2016.2904
                   ESB-2016.2777
                   ESB-2016.2722
                   ESB-2016.2509

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:2247

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Low: tomcat security, bug fix, and enhancement update
Advisory ID:       RHSA-2017:2247-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2247
Issue date:        2017-08-01
CVE Names:         CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 
                   CVE-2016-6796 CVE-2016-6797 
=====================================================================

1. Summary:

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Low. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

The following packages have been upgraded to a later upstream version:
tomcat (7.0.76). (BZ#1414895)

Security Fix(es):

* The Realm implementations did not process the supplied password if the
supplied user name did not exist. This made a timing attack possible to
determine valid user names. Note that the default configuration includes
the LockOutRealm which makes exploitation of this vulnerability harder.
(CVE-2016-0762)

* It was discovered that a malicious web application could bypass a
configured SecurityManager via a Tomcat utility method that was accessible
to web applications. (CVE-2016-5018)

* It was discovered that when a SecurityManager was configured, Tomcat's
system property replacement feature for configuration files could be used
by a malicious web application to bypass the SecurityManager and read
system properties that should not be visible. (CVE-2016-6794)

* It was discovered that a malicious web application could bypass a
configured SecurityManager via manipulation of the configuration parameters
for the JSP Servlet. (CVE-2016-6796)

* It was discovered that it was possible for a web application to access
any global JNDI resource whether an explicit ResourceLink had been
configured or not. (CVE-2016-6797)
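
The first item above describes a username-enumeration timing leak: when the supplied user name did not exist, the Realm returned without ever running the (deliberately slow) credential handler, so an unauthenticated client could tell valid accounts from invalid ones by response time. The following is an added example, written in Python rather than Tomcat's Java Realm code and not taken from Tomcat or Red Hat, showing the defective pattern beside the hardened one. PBKDF2-HMAC-SHA256 stands in for the Realm's CredentialHandler, the user store is a constructed dictionary, and the iteration count is an assumption chosen only to make the skipped work measurable. The hardened version always runs the handler, against a dummy record when the user is unknown, and discards that result so a password matching the dummy can never log in.

```python
"""Timing leak of the kind described for CVE-2016-0762 (added example,
not Tomcat's own code). Runs offline on a constructed user store."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

ITERATIONS = 50_000  # assumption: large enough that skipping the hash is visible


def make_record(password: str) -> Tuple[bytes, bytes]:
    """Return (salt, derived key) for a stored credential."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed user store: user name -> (salt, derived key)
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "tomcat": make_record("s3cret"),
    "admin": make_record("hunter2"),
}

# Dummy record so that unknown users cost exactly as much as known ones.
# Its password is random and never disclosed, so it can never match.
DUMMY_SALT, DUMMY_KEY = make_record(os.urandom(32).hex())


def verify(password: str, salt: bytes, expected: bytes) -> bool:
    """Credential handler: derive and compare in constant time."""
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(derived, expected)


def authenticate_vulnerable(user: str, password: str) -> Tuple[bool, int]:
    """The defect: an unknown user returns before the password is processed.
    Returns (authenticated, number of credential-handler invocations)."""
    rec: Optional[Tuple[bytes, bytes]] = USERS.get(user)
    if rec is None:
        return False, 0  # fast path leaks that the account does not exist
    return verify(password, *rec), 1


def authenticate_fixed(user: str, password: str) -> Tuple[bool, int]:
    """Hardened: the handler runs on every request; for unknown users it runs
    against the dummy record and the outcome is forced to False."""
    rec = USERS.get(user)
    salt, key = rec if rec is not None else (DUMMY_SALT, DUMMY_KEY)
    ok = verify(password, salt, key)
    return (ok and rec is not None), 1


def best_of(fn: Callable[[str, str], Tuple[bool, int]], user: str,
            password: str, rounds: int = 3) -> float:
    """Best-of-N wall-clock time for one authentication attempt, in seconds."""
    best = float("inf")
    for _ in range(rounds):
        t0 = time.perf_counter()
        fn(user, password)
        best = min(best, time.perf_counter() - t0)
    return best


if __name__ == "__main__":
    # The vulnerable Realm answers unknown users almost instantly; the fixed
    # one takes the same time for "tomcat" and for "nobody".
    for label, fn in (("vulnerable", authenticate_vulnerable),
                      ("fixed", authenticate_fixed)):
        known = best_of(fn, "tomcat", "wrong-password")
        unknown = best_of(fn, "nobody", "wrong-password")
        print(f"{label:10s} known user {known * 1e3:7.2f} ms   "
              f"unknown user {unknown * 1e3:7.2f} ms")
```

The advisory's caveat applies to the real attack as well: with the default LockOutRealm in front of the Realm, repeated failures for one name are throttled, so the measurement needs to be spread over many names and is noisier, but the per-request difference is still there until the Realm itself is fixed.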

Additional Changes:

For detailed information on changes in this release, see the Red Hat
Enterprise Linux 7.4 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258
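
A quick fleet check for this erratum only needs the fixed package identity from the package list below, tomcat-7.0.76-2.el7, and an RPM-style version comparison. The following added example (not Red Hat's or AusCERT's tooling) parses lines in the default `rpm -q tomcat` output format and reports whether the host is still below the fix level. The sample lines are constructed. The comparison is a simplified rpmvercmp: numeric runs compare numerically, alphabetic runs lexically, a numeric segment sorts newer than an alphabetic one, and extra trailing segments sort newer; epoch, `~` and `^` are deliberately not handled, on the assumption that the tomcat package does not use them.

```python
"""Is the installed tomcat RPM at or past the RHSA-2017:2247 fix level?
Added example; feed it the output of `rpm -q tomcat` (one NVRA per line)."""
import re
from typing import Dict, Tuple

# Fixed package from the advisory's package list (noarch on every channel).
FIXED_NVRA = "tomcat-7.0.76-2.el7.noarch"

# Constructed sample output from several hosts.
SAMPLE_RPM_Q = [
    "tomcat-7.0.54-8.el7_2.noarch",
    "tomcat-7.0.69-12.el7_3.noarch",
    "tomcat-7.0.76-2.el7.noarch",
    "tomcat-7.0.76-2.el7_4.noarch",
]

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def parse_nvra(nvra: str) -> Tuple[str, str, str, str]:
    """Split 'name-version-release.arch' as printed by `rpm -q`."""
    stem, _, arch = nvra.rpartition(".")
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpm label comparison: -1 if a < b, 0 if equal, 1 if a > b.
    Assumption: no epoch, '~' or '^' in the strings being compared."""
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            xi, yi = int(x), int(y)
            if xi != yi:
                return 1 if xi > yi else -1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric beats alphabetic
        elif x != y:
            return 1 if x > y else -1
    if len(sa) != len(sb):
        return 1 if len(sa) > len(sb) else -1
    return 0


def evr_cmp(installed: str, fixed: str) -> int:
    """Compare two 'version-release' strings: version first, then release."""
    iv, ir = installed.split("-", 1)
    fv, fr = fixed.split("-", 1)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def needs_update(rpm_q_line: str, fixed_nvra: str = FIXED_NVRA) -> bool:
    """True when the installed tomcat is older than the fixed package."""
    name, ver, rel, _ = parse_nvra(rpm_q_line.strip())
    fname, fver, frel, _ = parse_nvra(fixed_nvra)
    if name != fname:
        raise ValueError(f"expected package {fname!r}, got {name!r}")
    return evr_cmp(f"{ver}-{rel}", f"{fver}-{frel}") < 0


def triage(lines) -> Dict[str, bool]:
    """Map each `rpm -q` line to whether it still needs this erratum."""
    return {line: needs_update(line) for line in lines if line.strip()}


if __name__ == "__main__":
    for nvra, vulnerable in triage(SAMPLE_RPM_Q).items():
        print(f"{nvra:32s} {'UPDATE REQUIRED' if vulnerable else 'ok'}")
```

On a real host the input is `rpm -q tomcat`; after `yum update tomcat`, `rpm -K` (the `--checksig` option) against the downloaded package confirms the Red Hat GPG signature the advisory refers to before the result is trusted.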

5. Bugs fixed (https://bugzilla.redhat.com/):

1390493 - CVE-2016-6797 tomcat: unrestricted access to global resources
1390515 - CVE-2016-6796 tomcat: security manager bypass via JSP Servlet config parameters
1390520 - CVE-2016-6794 tomcat: system property disclosure
1390525 - CVE-2016-5018 tomcat: security manager bypass via IntrospectHelper utility function
1390526 - CVE-2016-0762 tomcat: timing attack in Realm implementation
1411738 - Please update tomcat to >= 7.0.70 to fix ASF Bugzilla – Bug 59619
1414895 - Rebase tomcat to the current release

6. Package List:

Red Hat Enterprise Linux Client (v. 7):

Source:
tomcat-7.0.76-2.el7.src.rpm

noarch:
tomcat-servlet-3.0-api-7.0.76-2.el7.noarch.rpm

Red Hat Enterprise Linux Client Optional (v. 7):

noarch:
tomcat-7.0.76-2.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-2.el7.noarch.rpm
tomcat-docs-webapp-7.0.76-2.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-2.el7.noarch.rpm
tomcat-javadoc-7.0.76-2.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-2.el7.noarch.rpm
tomcat-jsvc-7.0.76-2.el7.noarch.rpm
tomcat-lib-7.0.76-2.el7.noarch.rpm
tomcat-webapps-7.0.76-2.el7.noarch.rpm

Red Hat Enterprise Linux ComputeNode (v. 7):

Source:
tomcat-7.0.76-2.el7.src.rpm

noarch:
tomcat-servlet-3.0-api-7.0.76-2.el7.noarch.rpm

Red Hat Enterprise Linux ComputeNode Optional (v. 7):

noarch:
tomcat-7.0.76-2.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-2.el7.noarch.rpm
tomcat-docs-webapp-7.0.76-2.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-2.el7.noarch.rpm
tomcat-javadoc-7.0.76-2.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-2.el7.noarch.rpm
tomcat-jsvc-7.0.76-2.el7.noarch.rpm
tomcat-lib-7.0.76-2.el7.noarch.rpm
tomcat-webapps-7.0.76-2.el7.noarch.rpm

Red Hat Enterprise Linux Server (v. 7):

Source:
tomcat-7.0.76-2.el7.src.rpm

noarch:
tomcat-7.0.76-2.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-2.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-2.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-2.el7.noarch.rpm
tomcat-lib-7.0.76-2.el7.noarch.rpm
tomcat-servlet-3.0-api-7.0.76-2.el7.noarch.rpm
tomcat-webapps-7.0.76-2.el7.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
tomcat-7.0.76-2.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-2.el7.noarch.rpm
tomcat-docs-webapp-7.0.76-2.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-2.el7.noarch.rpm
tomcat-javadoc-7.0.76-2.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-2.el7.noarch.rpm
tomcat-jsvc-7.0.76-2.el7.noarch.rpm
tomcat-lib-7.0.76-2.el7.noarch.rpm
tomcat-webapps-7.0.76-2.el7.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
tomcat-7.0.76-2.el7.src.rpm

noarch:
tomcat-7.0.76-2.el7.noarch.rpm
tomcat-admin-webapps-7.0.76-2.el7.noarch.rpm
tomcat-el-2.2-api-7.0.76-2.el7.noarch.rpm
tomcat-jsp-2.2-api-7.0.76-2.el7.noarch.rpm
tomcat-lib-7.0.76-2.el7.noarch.rpm
tomcat-servlet-3.0-api-7.0.76-2.el7.noarch.rpm
tomcat-webapps-7.0.76-2.el7.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
tomcat-docs-webapp-7.0.76-2.el7.noarch.rpm
tomcat-javadoc-7.0.76-2.el7.noarch.rpm
tomcat-jsvc-7.0.76-2.el7.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-0762
https://access.redhat.com/security/cve/CVE-2016-5018
https://access.redhat.com/security/cve/CVE-2016-6794
https://access.redhat.com/security/cve/CVE-2016-6796
https://access.redhat.com/security/cve/CVE-2016-6797
https://access.redhat.com/security/updates/classification/#low
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/7.4_Release_Notes/index.html

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZgQy1XlSAg2UNWIIRAsPlAKCFfPeNpu37ntqagCDsVcfpT0bcNgCfTmRw
ZmVFcADTzJk4LdB//FF568E=
=ZUBj
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----