ESB-2017.2091 - [RedHat] Red Hat JBoss Web Server 2: Multiple vulnerabilities 2017-08-22


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2091
           Important: Red Hat JBoss Web Server 2 security update
                              22 August 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Red Hat JBoss Web Server 2
Publisher:         Red Hat
Operating System:  Red Hat Enterprise Linux Server 7
                   Red Hat Enterprise Linux Server 6
Impact/Access:     Denial of Service              -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
                   Access Confidential Data       -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-5664 CVE-2017-5647 CVE-2016-8610
                   CVE-2016-6304  

Reference:         ASB-2017.0115
                   ASB-2017.0109
                   ESB-2017.2081
                   ESB-2017.2080

Original Bulletin: 
   https://access.redhat.com/errata/RHSA-2017:2493
   https://access.redhat.com/errata/RHSA-2017:2494

Comment: This bulletin contains two (2) Red Hat security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 2 security update
Advisory ID:       RHSA-2017:2493-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2493
Issue date:        2017-08-21
CVE Names:         CVE-2016-6304 CVE-2016-8610 CVE-2017-5647 
                   CVE-2017-5664 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Enterprise Web Server 2.1.2
for Red Hat Enterprise Linux 6 and Red Hat JBoss Enterprise Web Server
2.1.2 for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server - i386, noarch, x86_64
Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server - noarch, x86_64

3. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full-strength
general-purpose cryptography library.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

This release provides an update to OpenSSL and Tomcat 6/7 for Red Hat JBoss
Web Server 2.1.2. The updates are documented in the Release Notes document
linked to in the References.

Users of Red Hat JBoss Web Server 2.1.2 should upgrade to these updated
packages, which resolve several security issues.

Security Fix(es):

* A memory leak flaw was found in the way OpenSSL handled TLS status
request extension data during session renegotiation. A remote attacker
could cause a TLS server using OpenSSL to consume an excessive amount of
memory and, possibly, exit unexpectedly after exhausting all available
memory, if it enabled OCSP stapling support. (CVE-2016-6304)

* A vulnerability was discovered in Tomcat's handling of pipelined requests
when "Sendfile" was used. If sendfile processing completed quickly, it was
possible for the Processor to be added to the processor cache twice. This
could lead to invalid responses or information disclosure. (CVE-2017-5647)

* A vulnerability was discovered in the error page mechanism in Tomcat's
DefaultServlet implementation. A crafted HTTP request could cause undesired
side effects, possibly including the removal or replacement of the custom
error page. (CVE-2017-5664)

* A denial of service flaw was found in the way the TLS/SSL protocol
defined processing of ALERT packets during a connection handshake. A remote
attacker could use this flaw to make a TLS/SSL server consume an excessive
amount of CPU and fail to accept connections from other clients.
(CVE-2016-8610)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304
and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610.
Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original
reporter of CVE-2016-6304.

4. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted. After installing the updated
packages, the httpd daemon will be restarted automatically.

5. Bugs fixed (https://bugzilla.redhat.com/):

1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth
1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
1441205 - CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used
1459158 - CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism

6. Package List:

Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Server:

Source:
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.src.rpm
tomcat6-6.0.41-17_patch_04.ep6.el6.src.rpm
tomcat7-7.0.54-25_patch_05.ep6.el6.src.rpm

i386:
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.i686.rpm
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.i686.rpm

noarch:
tomcat6-6.0.41-17_patch_04.ep6.el6.noarch.rpm
tomcat6-admin-webapps-6.0.41-17_patch_04.ep6.el6.noarch.rpm
tomcat6-docs-webapp-6.0.41-17_patch_04.ep6.el6.noarch.rpm
tomcat6-el-2.1-api-6.0.41-17_patch_04.ep6.el6.noarch.rpm
tomcat6-javadoc-6.0.41-17_patch_04.ep6.el6.noarch.rpm
tomcat6-jsp-2.1-api-6.0.41-17_patch_04.ep6.el6.noarch.rpm
tomcat6-lib-6.0.41-17_patch_04.ep6.el6.noarch.rpm
tomcat6-log4j-6.0.41-17_patch_04.ep6.el6.noarch.rpm
tomcat6-maven-devel-6.0.41-17_patch_04.ep6.el6.noarch.rpm
tomcat6-servlet-2.5-api-6.0.41-17_patch_04.ep6.el6.noarch.rpm
tomcat6-webapps-6.0.41-17_patch_04.ep6.el6.noarch.rpm
tomcat7-7.0.54-25_patch_05.ep6.el6.noarch.rpm
tomcat7-admin-webapps-7.0.54-25_patch_05.ep6.el6.noarch.rpm
tomcat7-docs-webapp-7.0.54-25_patch_05.ep6.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.54-25_patch_05.ep6.el6.noarch.rpm
tomcat7-javadoc-7.0.54-25_patch_05.ep6.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-25_patch_05.ep6.el6.noarch.rpm
tomcat7-lib-7.0.54-25_patch_05.ep6.el6.noarch.rpm
tomcat7-log4j-7.0.54-25_patch_05.ep6.el6.noarch.rpm
tomcat7-maven-devel-7.0.54-25_patch_05.ep6.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-25_patch_05.ep6.el6.noarch.rpm
tomcat7-webapps-7.0.54-25_patch_05.ep6.el6.noarch.rpm

x86_64:
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el6.x86_64.rpm
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el6.x86_64.rpm

Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Server:

Source:
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.src.rpm
tomcat6-6.0.41-17_patch_04.ep6.el7.src.rpm
tomcat7-7.0.54-25_patch_05.ep6.el7.src.rpm

noarch:
tomcat6-6.0.41-17_patch_04.ep6.el7.noarch.rpm
tomcat6-admin-webapps-6.0.41-17_patch_04.ep6.el7.noarch.rpm
tomcat6-docs-webapp-6.0.41-17_patch_04.ep6.el7.noarch.rpm
tomcat6-el-2.1-api-6.0.41-17_patch_04.ep6.el7.noarch.rpm
tomcat6-javadoc-6.0.41-17_patch_04.ep6.el7.noarch.rpm
tomcat6-jsp-2.1-api-6.0.41-17_patch_04.ep6.el7.noarch.rpm
tomcat6-lib-6.0.41-17_patch_04.ep6.el7.noarch.rpm
tomcat6-log4j-6.0.41-17_patch_04.ep6.el7.noarch.rpm
tomcat6-maven-devel-6.0.41-17_patch_04.ep6.el7.noarch.rpm
tomcat6-servlet-2.5-api-6.0.41-17_patch_04.ep6.el7.noarch.rpm
tomcat6-webapps-6.0.41-17_patch_04.ep6.el7.noarch.rpm
tomcat7-7.0.54-25_patch_05.ep6.el7.noarch.rpm
tomcat7-admin-webapps-7.0.54-25_patch_05.ep6.el7.noarch.rpm
tomcat7-docs-webapp-7.0.54-25_patch_05.ep6.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.54-25_patch_05.ep6.el7.noarch.rpm
tomcat7-javadoc-7.0.54-25_patch_05.ep6.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-25_patch_05.ep6.el7.noarch.rpm
tomcat7-lib-7.0.54-25_patch_05.ep6.el7.noarch.rpm
tomcat7-log4j-7.0.54-25_patch_05.ep6.el7.noarch.rpm
tomcat7-maven-devel-7.0.54-25_patch_05.ep6.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-25_patch_05.ep6.el7.noarch.rpm
tomcat7-webapps-7.0.54-25_patch_05.ep6.el7.noarch.rpm

x86_64:
jbcs-httpd24-openssl-1.0.2h-13.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-debuginfo-1.0.2h-13.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-devel-1.0.2h-13.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-perl-1.0.2h-13.jbcs.el7.x86_64.rpm
jbcs-httpd24-openssl-static-1.0.2h-13.jbcs.el7.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
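A practitioner rolling out this advisory will want to confirm that every host actually carries the fixed builds listed above, not just that an update was attempted. The following Python check is an added example, not code from Red Hat or AusCERT: it parses the advisory's RPM file names, compares them with constructed sample `rpm -qa` output using a simplified rpm version-comparison routine (epoch, tilde and caret handling omitted), and reports the packages still below the fixed build.

```python
import re

# Fixed builds, copied from the advisory's RHEL 6 package list above.
ADVISORY_RPMS = [
    "jbcs-httpd24-openssl-1.0.2h-13.jbcs.el6.x86_64.rpm",
    "jbcs-httpd24-openssl-libs-1.0.2h-13.jbcs.el6.x86_64.rpm",
    "tomcat6-6.0.41-17_patch_04.ep6.el6.noarch.rpm",
    "tomcat7-7.0.54-25_patch_05.ep6.el6.noarch.rpm",
]

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION} %{RELEASE} %{ARCH}\n'` output.
INSTALLED_SAMPLE = """\
jbcs-httpd24-openssl 1.0.2h 12.jbcs.el6 x86_64
jbcs-httpd24-openssl-libs 1.0.2h 13.jbcs.el6 x86_64
tomcat6 6.0.41 17_patch_04.ep6.el6 noarch
tomcat7 7.0.54 25_patch_04.ep6.el6 noarch
httpd 2.4.6 45.el6 x86_64
"""

_SEG = re.compile(r"[0-9]+|[a-zA-Z]+")

def rpmvercmp(a, b):
    """rpm-style compare (no epoch/~/^): digits numeric, alpha lexical, numeric > alpha, longer wins."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        if x.isdigit() and int(x) != int(y):
            return 1 if int(x) > int(y) else -1
        if not x.isdigit() and x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def parse_rpm_filename(filename):
    """'name-version-release.arch.rpm' -> (name, version, release, arch)."""
    nvr, arch = filename[: -len(".rpm")].rsplit(".", 1)
    name, version, release = nvr.rsplit("-", 2)
    return name, version, release, arch

def vulnerable_packages(advisory_rpms, installed_text):
    """Names of installed packages still older than the advisory's fixed build."""
    fixed = {}
    for fn in advisory_rpms:
        name, ver, rel, arch = parse_rpm_filename(fn)
        fixed[(name, arch)] = (ver, rel)
    stale = []
    for line in installed_text.splitlines():
        name, ver, rel, arch = line.split()
        if (name, arch) not in fixed:
            continue  # not shipped by this advisory, nothing to compare
        fver, frel = fixed[(name, arch)]
        # Version decides first; only on a tie does the release decide.
        if (rpmvercmp(ver, fver) or rpmvercmp(rel, frel)) < 0:
            stale.append(name)
    return sorted(stale)
```

On a real host, replace INSTALLED_SAMPLE with the output of the rpm query shown in the comment; the check covers only packages named in the advisory and says nothing about whether the OpenSSL-linked services have been restarted.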

7. References:

https://access.redhat.com/security/cve/CVE-2016-6304
https://access.redhat.com/security/cve/CVE-2016-8610
https://access.redhat.com/security/cve/CVE-2017-5647
https://access.redhat.com/security/cve/CVE-2017-5664
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/articles/3155411

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZmv6+XlSAg2UNWIIRAnfkAKCXeBF/SRuTjBPWP1kPzZI9k5sZbwCfQnpQ
Fnzv/F9hzl2vEOAMvBOv7WE=
=hnQZ
- -----END PGP SIGNATURE-----

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: Red Hat JBoss Web Server 2 security update
Advisory ID:       RHSA-2017:2494-01
Product:           Red Hat JBoss Web Server
Advisory URL:      https://access.redhat.com/errata/RHSA-2017:2494
Issue date:        2017-08-21
CVE Names:         CVE-2016-6304 CVE-2016-8610 CVE-2017-5647 
                   CVE-2017-5664 
=====================================================================

1. Summary:

An update is now available for Red Hat JBoss Web Server 2.1.2.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Description:

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) protocols, as well as a full-strength
general-purpose cryptography library.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

This release provides an update to OpenSSL and Tomcat 6/7 for Red Hat JBoss
Web Server 2.1.2. The updates are documented in the Release Notes document
linked to in the References.

Users of Red Hat JBoss Web Server 2.1.2 should upgrade to these updated
packages, which resolve several security issues.

Security Fix(es):

* A memory leak flaw was found in the way OpenSSL handled TLS status
request extension data during session renegotiation. A remote attacker
could cause a TLS server using OpenSSL to consume an excessive amount of
memory and, possibly, exit unexpectedly after exhausting all available
memory, if it enabled OCSP stapling support. (CVE-2016-6304)

* A vulnerability was discovered in Tomcat's handling of pipelined requests
when "Sendfile" was used. If sendfile processing completed quickly, it was
possible for the Processor to be added to the processor cache twice. This
could lead to invalid responses or information disclosure. (CVE-2017-5647)

* A vulnerability was discovered in the error page mechanism in Tomcat's
DefaultServlet implementation. A crafted HTTP request could cause undesired
side effects, possibly including the removal or replacement of the custom
error page. (CVE-2017-5664)

* A denial of service flaw was found in the way the TLS/SSL protocol
defined processing of ALERT packets during a connection handshake. A remote
attacker could use this flaw to make a TLS/SSL server consume an excessive
amount of CPU and fail to accept connections from other clients.
(CVE-2016-8610)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304
and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610.
Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original
reporter of CVE-2016-6304.

3. Solution:

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

The References section of this erratum contains a download link (you must
log in to download the update).

4. Bugs fixed (https://bugzilla.redhat.com/):

1377600 - CVE-2016-6304 openssl: OCSP Status Request extension unbounded memory growth
1384743 - CVE-2016-8610 SSL/TLS: Malformed plain-text ALERT packets could cause remote DoS
1441205 - CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used
1459158 - CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism

5. References:

https://access.redhat.com/security/cve/CVE-2016-6304
https://access.redhat.com/security/cve/CVE-2016-8610
https://access.redhat.com/security/cve/CVE-2017-5647
https://access.redhat.com/security/cve/CVE-2017-5664
https://access.redhat.com/security/updates/classification/#important
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=webserver&downloadType=securityPatches&version=2.1.2
https://access.redhat.com/articles/3155411

6. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iD8DBQFZmvwpXlSAg2UNWIIRAnwSAJ9vqil03864I7lOzg4eaasIX7q2gwCgr/WR
xnBdUPVHVXbSNo/CuhDN3qs=
=0s4E
- -----END PGP SIGNATURE-----

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----
