Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2017.0958
Moderate: tomcat security update
13 April 2017
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: tomcat
Publisher: Red Hat
Operating System: Red Hat Enterprise Linux Server 7
Red Hat Enterprise Linux WS/Desktop 7
Impact/Access: Provide Misleading Information -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-8745 CVE-2016-6816
Reference: ESB-2017.0705
Original Bulletin:
https://access.redhat.com/errata/RHSA-2017:0935
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: tomcat security update
Advisory ID: RHSA-2017:0935-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2017:0935
Issue date: 2017-04-12
CVE Names: CVE-2016-6816 CVE-2016-8745
=====================================================================
1. Summary:
An update for tomcat is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.
2. Relevant releases/architectures:
Red Hat Enterprise Linux Client (v. 7) - noarch
Red Hat Enterprise Linux Client Optional (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode (v. 7) - noarch
Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch
Red Hat Enterprise Linux Server (v. 7) - noarch
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch
3. Description:
Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.
Security Fix(es):
* It was discovered that the code that parsed the HTTP request line
permitted invalid characters. This could be exploited, in conjunction with
a proxy that also permitted the invalid characters but with a different
interpretation, to inject data into the HTTP response. By manipulating the
HTTP response the attacker could poison a web-cache, perform an XSS attack,
or obtain sensitive information from requests other then their own.
(CVE-2016-6816)
Note: This fix causes Tomcat to respond with an HTTP 400 Bad Request error
when request contains characters that are not permitted by the HTTP
specification to appear not encoded, even though they were previously
accepted. The newly introduced system property
tomcat.util.http.parser.HttpParser.requestTargetAllow can be used to
configure Tomcat to accept curly braces ({ and }) and the pipe symbol (|)
in not encoded form, as these are often used in URLs without being properly
encoded.
* A bug was discovered in the error handling of the send file code for the
NIO HTTP connector. This led to the current Processor object being added to
the Processor cache multiple times allowing information leakage between
requests including, and not limited to, session ID and the response body.
(CVE-2016-8745)
4. Solution:
For details on how to apply this update, which includes the changes
described in this advisory, refer to:
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1397484 - CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests
1403824 - CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing
6. Package List:
Red Hat Enterprise Linux Client (v. 7):
Source:
tomcat-7.0.69-11.el7_3.src.rpm
noarch:
tomcat-servlet-3.0-api-7.0.69-11.el7_3.noarch.rpm
Red Hat Enterprise Linux Client Optional (v. 7):
noarch:
tomcat-7.0.69-11.el7_3.noarch.rpm
tomcat-admin-webapps-7.0.69-11.el7_3.noarch.rpm
tomcat-docs-webapp-7.0.69-11.el7_3.noarch.rpm
tomcat-el-2.2-api-7.0.69-11.el7_3.noarch.rpm
tomcat-javadoc-7.0.69-11.el7_3.noarch.rpm
tomcat-jsp-2.2-api-7.0.69-11.el7_3.noarch.rpm
tomcat-jsvc-7.0.69-11.el7_3.noarch.rpm
tomcat-lib-7.0.69-11.el7_3.noarch.rpm
tomcat-webapps-7.0.69-11.el7_3.noarch.rpm
Red Hat Enterprise Linux ComputeNode (v. 7):
Source:
tomcat-7.0.69-11.el7_3.src.rpm
noarch:
tomcat-servlet-3.0-api-7.0.69-11.el7_3.noarch.rpm
Red Hat Enterprise Linux ComputeNode Optional (v. 7):
noarch:
tomcat-7.0.69-11.el7_3.noarch.rpm
tomcat-admin-webapps-7.0.69-11.el7_3.noarch.rpm
tomcat-docs-webapp-7.0.69-11.el7_3.noarch.rpm
tomcat-el-2.2-api-7.0.69-11.el7_3.noarch.rpm
tomcat-javadoc-7.0.69-11.el7_3.noarch.rpm
tomcat-jsp-2.2-api-7.0.69-11.el7_3.noarch.rpm
tomcat-jsvc-7.0.69-11.el7_3.noarch.rpm
tomcat-lib-7.0.69-11.el7_3.noarch.rpm
tomcat-webapps-7.0.69-11.el7_3.noarch.rpm
Red Hat Enterprise Linux Server (v. 7):
Source:
tomcat-7.0.69-11.el7_3.src.rpm
noarch:
tomcat-7.0.69-11.el7_3.noarch.rpm
tomcat-admin-webapps-7.0.69-11.el7_3.noarch.rpm
tomcat-el-2.2-api-7.0.69-11.el7_3.noarch.rpm
tomcat-jsp-2.2-api-7.0.69-11.el7_3.noarch.rpm
tomcat-lib-7.0.69-11.el7_3.noarch.rpm
tomcat-servlet-3.0-api-7.0.69-11.el7_3.noarch.rpm
tomcat-webapps-7.0.69-11.el7_3.noarch.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch:
tomcat-7.0.69-11.el7_3.noarch.rpm
tomcat-admin-webapps-7.0.69-11.el7_3.noarch.rpm
tomcat-docs-webapp-7.0.69-11.el7_3.noarch.rpm
tomcat-el-2.2-api-7.0.69-11.el7_3.noarch.rpm
tomcat-javadoc-7.0.69-11.el7_3.noarch.rpm
tomcat-jsp-2.2-api-7.0.69-11.el7_3.noarch.rpm
tomcat-jsvc-7.0.69-11.el7_3.noarch.rpm
tomcat-lib-7.0.69-11.el7_3.noarch.rpm
tomcat-webapps-7.0.69-11.el7_3.noarch.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source:
tomcat-7.0.69-11.el7_3.src.rpm
noarch:
tomcat-7.0.69-11.el7_3.noarch.rpm
tomcat-admin-webapps-7.0.69-11.el7_3.noarch.rpm
tomcat-el-2.2-api-7.0.69-11.el7_3.noarch.rpm
tomcat-jsp-2.2-api-7.0.69-11.el7_3.noarch.rpm
tomcat-lib-7.0.69-11.el7_3.noarch.rpm
tomcat-servlet-3.0-api-7.0.69-11.el7_3.noarch.rpm
tomcat-webapps-7.0.69-11.el7_3.noarch.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch:
tomcat-docs-webapp-7.0.69-11.el7_3.noarch.rpm
tomcat-javadoc-7.0.69-11.el7_3.noarch.rpm
tomcat-jsvc-7.0.69-11.el7_3.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2016-6816
https://access.redhat.com/security/cve/CVE-2016-8745
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2017 Red Hat, Inc.
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFY7n94XlSAg2UNWIIRAmjPAJ9bk8IBbgSqjZoV7R+WBZNUGHOKfwCcCZBj
I6oGMjVT1JjlWEBHS/2zKeI=
=EWzy
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIUAwUBWO7irIx+lLeg9Ub1AQiwXw/4vnz+S25DVYv76FRb8Hf9SlAGTpbOCZyG
1Ql+774pQxEH0ITKKsj9KkGuX/4XfDTFSXyFdLZPAvUQGa0Df05Ygw0ynG67VH9E
9G6X8dDDGfopKOFdiW1J8kWZwPsSARGC9BXoUEkRVXf25VUo8lsXPVAFtFCQDN57
PZm/lZgnICOeRa2pz//tXy7ILuS7ICgSvcOJ8qFs6UmbLHVkMt7S2X93ItG+cwjA
6VZFZVIfZ5Pbz5OZG7nB9yh1ArXhzLrDUW4uIC+ccmsg+7/x+0FhCQIgwtEecMi8
bcHtZKbzzAR/oQpWPIyF9HKqqMIwuLUQVl+hasmsZs6OKl8/SaOxbjBQ+JCyexxw
O4FzORqlIggG6mxOkCJbMc/jqz52J2Wb6K9hHnVVfun2OS55boFTqmjepBgopvxb
UY34osyyDMnJGjZD/IxMyBsgq8OAgrDmTgEgyRl9JBXIvBOiabQOoSzno41z53nj
8YZpl28fM5vKBFRgjaVRiGJc9efLXuB3fhuvWG2X2hiAj5v6Cq0zeE85ylY+JOBw
PDdrdrTwoyzDbgF1aDiczls5iYnXjf17pE2g74DZzO7xjttEJ/0LPOst6KZ0Fvt9
9rFYCrp+1IKp49ONkwRaW9Z6FRzR/AgcFX48BbgBWSVnI+rbF28X+idmjVPkeuiZ
3t2blEdgoA==
=wVrf
-----END PGP SIGNATURE-----