ESB-2016.0765 - [SUSE] tomcat: Multiple vulnerabilities

Date: 23 March 2016
References: ESB-2016.0440  ESB-2016.0769  ESB-2016.0776  ESB-2016.1261  ESB-2016.1768  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2016.0765
                        Security updates for tomcat
                               23 March 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:          tomcat
Publisher:        SUSE
Operating System: SUSE
Impact/Access:    Execute Arbitrary Code/Commands -- Existing Account            
                  Modify Arbitrary Files          -- Existing Account            
                  Cross-site Request Forgery      -- Remote with User Interaction
                  Denial of Service               -- Existing Account            
                  Access Confidential Data        -- Remote/Unauthenticated      
                  Reduced Security                -- Remote/Unauthenticated      
Resolution:       Patch/Upgrade
CVE Names:        CVE-2016-0763 CVE-2016-0714 CVE-2016-0706
                  CVE-2015-5351 CVE-2015-5346 CVE-2015-5345
                  CVE-2015-5174  

Reference:        ESB-2016.0440

Comment: This bulletin contains two (2) SUSE security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

   SUSE Security Update: Security update for tomcat
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:0822-1
Rating:             important
References:         #967812 #967814 #967815 #967964 #967965 #967966 
                    #967967 
Cross-References:   CVE-2015-5174 CVE-2015-5345 CVE-2015-5346
                    CVE-2015-5351 CVE-2016-0706 CVE-2016-0714
                    CVE-2016-0763
Affected Products:
                    SUSE Linux Enterprise Server 12
______________________________________________________________________________

   An update that fixes 7 vulnerabilities is now available.

Description:


   This update for tomcat fixes the following security issues.

   Tomcat has been updated from 7.0.55 to 7.0.68.

   * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in
     Apache Tomcat allowed remote authenticated users to bypass intended
     SecurityManager restrictions and list a parent directory via a /..
     (slash dot dot) in a pathname used by a web application in a
     getResource, getResourceAsStream, or getResourcePaths call, as
     demonstrated by the $CATALINA_BASE/webapps directory.  (bsc#967967)
   * CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when
     different session settings are used for deployments of multiple versions
     of the same web application, might have allowed remote attackers to
     hijack web sessions by leveraging use of a requestedSessionSSL field
     for an unintended request, related to CoyoteAdapter.java and
     Request.java. (bsc#967814)
   * CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects
     before considering security constraints and Filters, which allowed
     remote attackers to determine the existence of a directory via a URL
     that lacks a trailing / (slash) character. (bsc#967965)
   * CVE-2015-5351: The (1) Manager and (2) Host Manager applications in
     Apache Tomcat established sessions and sent CSRF tokens for arbitrary
     new requests, which allowed remote attackers to bypass a CSRF protection
     mechanism by using a token. (bsc#967812)
   * CVE-2016-0706: Apache Tomcat did not place
     org.apache.catalina.manager.StatusManagerServlet on the
     org/apache/catalina/core/RestrictedServlets.properties list, which
     allowed remote authenticated users to bypass intended SecurityManager
     restrictions and read arbitrary HTTP requests, and consequently
     discover session ID values, via a crafted web application. (bsc#967815)
   * CVE-2016-0714: The session-persistence implementation in Apache Tomcat
     mishandled session attributes, which allowed remote authenticated users
     to bypass intended SecurityManager restrictions and execute arbitrary
     code in a privileged context via a web application that places a crafted
     object in a session. (bsc#967964)
   * CVE-2016-0763: The setGlobalContext method in
     org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat did
     not consider whether ResourceLinkFactory.setGlobalContext callers are
     authorized, which allowed remote authenticated users to bypass intended
     SecurityManager restrictions and read or write to arbitrary application
     data, or cause a denial of service (application disruption), via a web
     application that sets a crafted global context. (bsc#967966)

   See https://tomcat.apache.org/tomcat-7.0-doc/changelog.html for other
   fixes since 7.0.55.


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2016-478=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 12 (noarch):

      tomcat-7.0.68-7.6.1
      tomcat-admin-webapps-7.0.68-7.6.1
      tomcat-docs-webapp-7.0.68-7.6.1
      tomcat-el-2_2-api-7.0.68-7.6.1
      tomcat-javadoc-7.0.68-7.6.1
      tomcat-jsp-2_2-api-7.0.68-7.6.1
      tomcat-lib-7.0.68-7.6.1
      tomcat-servlet-3_0-api-7.0.68-7.6.1
      tomcat-webapps-7.0.68-7.6.1


References:

   https://www.suse.com/security/cve/CVE-2015-5174.html
   https://www.suse.com/security/cve/CVE-2015-5345.html
   https://www.suse.com/security/cve/CVE-2015-5346.html
   https://www.suse.com/security/cve/CVE-2015-5351.html
   https://www.suse.com/security/cve/CVE-2016-0706.html
   https://www.suse.com/security/cve/CVE-2016-0714.html
   https://www.suse.com/security/cve/CVE-2016-0763.html
   https://bugzilla.suse.com/967812
   https://bugzilla.suse.com/967814
   https://bugzilla.suse.com/967815
   https://bugzilla.suse.com/967964
   https://bugzilla.suse.com/967965
   https://bugzilla.suse.com/967966
   https://bugzilla.suse.com/967967

  SUSE Security Update: Security update for tomcat6
______________________________________________________________________________

Announcement ID:    SUSE-SU-2016:0839-1
Rating:             important
References:         #934219 #967815 #967964 #967965 #967967 
Cross-References:   CVE-2015-5174 CVE-2015-5345 CVE-2016-0706
                    CVE-2016-0714
Affected Products:
                    SUSE Linux Enterprise Server 11-SP4
______________________________________________________________________________

   An update that solves four vulnerabilities and has one
   erratum is now available.

Description:


   This update for tomcat6 fixes the following issues:

   The version was updated from 6.0.41 to 6.0.45.

   Security issues fixed:

   * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in
     Apache Tomcat allowed remote authenticated users to bypass intended
     SecurityManager restrictions and list a parent directory via a /..
     (slash dot dot) in a pathname used by a web application in a
     getResource, getResourceAsStream, or getResourcePaths call, as
     demonstrated by the $CATALINA_BASE/webapps directory.  (bsc#967967)
   * CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects
     before considering security constraints and Filters, which allowed
     remote attackers to determine the existence of a directory via a URL
     that lacks a trailing / (slash) character. (bsc#967965)
   * CVE-2016-0706: Apache Tomcat did not place
     org.apache.catalina.manager.StatusManagerServlet on the
     org/apache/catalina/core/RestrictedServlets.properties list, which
     allowed remote authenticated users to bypass intended SecurityManager
     restrictions and read arbitrary HTTP requests, and consequently
     discover session ID values, via a crafted web application. (bsc#967815)
   * CVE-2016-0714: The session-persistence implementation in Apache Tomcat
     mishandled session attributes, which allowed remote authenticated users
     to bypass intended SecurityManager restrictions and execute arbitrary
     code in a privileged context via a web application that places a crafted
     object in a session. (bsc#967964)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Server 11-SP4:

      zypper in -t patch slessp4-tomcat6-12465=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Linux Enterprise Server 11-SP4 (noarch):

      tomcat6-6.0.45-0.50.1
      tomcat6-admin-webapps-6.0.45-0.50.1
      tomcat6-docs-webapp-6.0.45-0.50.1
      tomcat6-javadoc-6.0.45-0.50.1
      tomcat6-jsp-2_1-api-6.0.45-0.50.1
      tomcat6-lib-6.0.45-0.50.1
      tomcat6-servlet-2_5-api-6.0.45-0.50.1
      tomcat6-webapps-6.0.45-0.50.1

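A defender-side check for the patch instructions and package lists of both advisories above, added here as an example (it is not SUSE's or AusCERT's code): it compares the output of rpm -qa against the fixed package versions listed in the two package lists, using a simplified rpmvercmp; the sample inventory lines are constructed and the fixed-version table covers only a subset of the listed packages.

```python
"""Check an RPM package inventory against the fixed Tomcat versions from
SUSE-SU-2016:0822-1 (SLES 12) and SUSE-SU-2016:0839-1 (SLES 11-SP4)."""
import re

# Fixed "version-release" per package, taken from the advisory package lists.
FIXED = {"tomcat": "7.0.68-7.6.1", "tomcat-lib": "7.0.68-7.6.1",
         "tomcat-admin-webapps": "7.0.68-7.6.1", "tomcat6": "6.0.45-0.50.1",
         "tomcat6-lib": "6.0.45-0.50.1", "tomcat6-admin-webapps": "6.0.45-0.50.1"}

def _segments(s):
    # rpmvercmp-style tokenisation: digit runs and letter runs compare separately.
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpm_vercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 (tilde/caret rules omitted)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer than alpha
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # leftover segments win

def evr_cmp(a, b):
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = a.rsplit("-", 1)
    vb, rb = b.rsplit("-", 1)
    return rpm_vercmp(va, vb) or rpm_vercmp(ra, rb)

def unpatched(inventory):
    """Return [(name, installed, fixed)] for listed packages still below the
    fixed version. Input: one NAME-VERSION-RELEASE[.arch] per line."""
    found = []
    for line in inventory.split():
        line = re.sub(r"\.(noarch|x86_64|i586|i686)$", "", line)  # drop arch
        name, ver, rel = line.rsplit("-", 2)
        fixed = FIXED.get(name)
        if fixed and evr_cmp(f"{ver}-{rel}", fixed) < 0:
            found.append((name, f"{ver}-{rel}", fixed))
    return found

# Constructed `rpm -qa 'tomcat*'` output (not from the advisory): a SLES 12
# host still on the pre-update 7.0.55 build and a SLES 11-SP4 host already fixed.
SAMPLE_SLES12 = "tomcat-7.0.55-3.1.noarch\ntomcat-lib-7.0.55-3.1.noarch\n"
SAMPLE_SLES11 = "tomcat6-6.0.45-0.50.1.noarch\ntomcat6-lib-6.0.45-0.50.1.noarch\n"

if __name__ == "__main__":
    for host, inv in (("sles12", SAMPLE_SLES12), ("sles11sp4", SAMPLE_SLES11)):
        print(host, unpatched(inv) or "up to date")
```

Packages whose installed version equals the fixed version compare as 0 and are not reported, so a host that has applied the patch produces an empty list.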

References:

   https://www.suse.com/security/cve/CVE-2015-5174.html
   https://www.suse.com/security/cve/CVE-2015-5345.html
   https://www.suse.com/security/cve/CVE-2016-0706.html
   https://www.suse.com/security/cve/CVE-2016-0714.html
   https://bugzilla.suse.com/934219
   https://bugzilla.suse.com/967815
   https://bugzilla.suse.com/967964
   https://bugzilla.suse.com/967965
   https://bugzilla.suse.com/967967

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================