Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2017.0958 Moderate: tomcat security update 13 April 2017 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: tomcat Publisher: Red Hat Operating System: Red Hat Enterprise Linux Server 7 Red Hat Enterprise Linux WS/Desktop 7 Impact/Access: Provide Misleading Information -- Remote with User Interaction Access Confidential Data -- Remote/Unauthenticated Resolution: Patch/Upgrade CVE Names: CVE-2016-8745 CVE-2016-6816 Reference: ESB-2017.0705 Original Bulletin: https://access.redhat.com/errata/RHSA-2017:0935 - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Moderate: tomcat security update Advisory ID: RHSA-2017:0935-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2017:0935 Issue date: 2017-04-12 CVE Names: CVE-2016-6816 CVE-2016-8745 ===================================================================== 1. Summary: An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. 2. Relevant releases/architectures: Red Hat Enterprise Linux Client (v. 7) - noarch Red Hat Enterprise Linux Client Optional (v. 7) - noarch Red Hat Enterprise Linux ComputeNode (v. 7) - noarch Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Enterprise Linux Server Optional (v. 7) - noarch Red Hat Enterprise Linux Workstation (v. 7) - noarch Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch 3. Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. Security Fix(es): * It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816) Note: This fix causes Tomcat to respond with an HTTP 400 Bad Request error when request contains characters that are not permitted by the HTTP specification to appear not encoded, even though they were previously accepted. The newly introduced system property tomcat.util.http.parser.HttpParser.requestTargetAllow can be used to configure Tomcat to accept curly braces ({ and }) and the pipe symbol (|) in not encoded form, as these are often used in URLs without being properly encoded. * A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745) 4. Solution: For details on how to apply this update, which includes the changes described in this advisory, refer to: https://access.redhat.com/articles/11258 5. Bugs fixed (https://bugzilla.redhat.com/): 1397484 - CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests 1403824 - CVE-2016-8745 tomcat: information disclosure due to incorrect Processor sharing 6. Package List: Red Hat Enterprise Linux Client (v. 7): Source: tomcat-7.0.69-11.el7_3.src.rpm noarch: tomcat-servlet-3.0-api-7.0.69-11.el7_3.noarch.rpm Red Hat Enterprise Linux Client Optional (v. 7): noarch: tomcat-7.0.69-11.el7_3.noarch.rpm tomcat-admin-webapps-7.0.69-11.el7_3.noarch.rpm tomcat-docs-webapp-7.0.69-11.el7_3.noarch.rpm tomcat-el-2.2-api-7.0.69-11.el7_3.noarch.rpm tomcat-javadoc-7.0.69-11.el7_3.noarch.rpm tomcat-jsp-2.2-api-7.0.69-11.el7_3.noarch.rpm tomcat-jsvc-7.0.69-11.el7_3.noarch.rpm tomcat-lib-7.0.69-11.el7_3.noarch.rpm tomcat-webapps-7.0.69-11.el7_3.noarch.rpm Red Hat Enterprise Linux ComputeNode (v. 7): Source: tomcat-7.0.69-11.el7_3.src.rpm noarch: tomcat-servlet-3.0-api-7.0.69-11.el7_3.noarch.rpm Red Hat Enterprise Linux ComputeNode Optional (v. 7): noarch: tomcat-7.0.69-11.el7_3.noarch.rpm tomcat-admin-webapps-7.0.69-11.el7_3.noarch.rpm tomcat-docs-webapp-7.0.69-11.el7_3.noarch.rpm tomcat-el-2.2-api-7.0.69-11.el7_3.noarch.rpm tomcat-javadoc-7.0.69-11.el7_3.noarch.rpm tomcat-jsp-2.2-api-7.0.69-11.el7_3.noarch.rpm tomcat-jsvc-7.0.69-11.el7_3.noarch.rpm tomcat-lib-7.0.69-11.el7_3.noarch.rpm tomcat-webapps-7.0.69-11.el7_3.noarch.rpm Red Hat Enterprise Linux Server (v. 7): Source: tomcat-7.0.69-11.el7_3.src.rpm noarch: tomcat-7.0.69-11.el7_3.noarch.rpm tomcat-admin-webapps-7.0.69-11.el7_3.noarch.rpm tomcat-el-2.2-api-7.0.69-11.el7_3.noarch.rpm tomcat-jsp-2.2-api-7.0.69-11.el7_3.noarch.rpm tomcat-lib-7.0.69-11.el7_3.noarch.rpm tomcat-servlet-3.0-api-7.0.69-11.el7_3.noarch.rpm tomcat-webapps-7.0.69-11.el7_3.noarch.rpm Red Hat Enterprise Linux Server Optional (v. 7): noarch: tomcat-7.0.69-11.el7_3.noarch.rpm tomcat-admin-webapps-7.0.69-11.el7_3.noarch.rpm tomcat-docs-webapp-7.0.69-11.el7_3.noarch.rpm tomcat-el-2.2-api-7.0.69-11.el7_3.noarch.rpm tomcat-javadoc-7.0.69-11.el7_3.noarch.rpm tomcat-jsp-2.2-api-7.0.69-11.el7_3.noarch.rpm tomcat-jsvc-7.0.69-11.el7_3.noarch.rpm tomcat-lib-7.0.69-11.el7_3.noarch.rpm tomcat-webapps-7.0.69-11.el7_3.noarch.rpm Red Hat Enterprise Linux Workstation (v. 7): Source: tomcat-7.0.69-11.el7_3.src.rpm noarch: tomcat-7.0.69-11.el7_3.noarch.rpm tomcat-admin-webapps-7.0.69-11.el7_3.noarch.rpm tomcat-el-2.2-api-7.0.69-11.el7_3.noarch.rpm tomcat-jsp-2.2-api-7.0.69-11.el7_3.noarch.rpm tomcat-lib-7.0.69-11.el7_3.noarch.rpm tomcat-servlet-3.0-api-7.0.69-11.el7_3.noarch.rpm tomcat-webapps-7.0.69-11.el7_3.noarch.rpm Red Hat Enterprise Linux Workstation Optional (v. 7): noarch: tomcat-docs-webapp-7.0.69-11.el7_3.noarch.rpm tomcat-javadoc-7.0.69-11.el7_3.noarch.rpm tomcat-jsvc-7.0.69-11.el7_3.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/ 7. References: https://access.redhat.com/security/cve/CVE-2016-6816 https://access.redhat.com/security/cve/CVE-2016-8745 https://access.redhat.com/security/updates/classification/#moderate 8. Contact: The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/ Copyright 2017 Red Hat, Inc. - -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iD8DBQFY7n94XlSAg2UNWIIRAmjPAJ9bk8IBbgSqjZoV7R+WBZNUGHOKfwCcCZBj I6oGMjVT1JjlWEBHS/2zKeI= =EWzy - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/render.html?cid=1980 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIUAwUBWO7irIx+lLeg9Ub1AQiwXw/4vnz+S25DVYv76FRb8Hf9SlAGTpbOCZyG 1Ql+774pQxEH0ITKKsj9KkGuX/4XfDTFSXyFdLZPAvUQGa0Df05Ygw0ynG67VH9E 9G6X8dDDGfopKOFdiW1J8kWZwPsSARGC9BXoUEkRVXf25VUo8lsXPVAFtFCQDN57 PZm/lZgnICOeRa2pz//tXy7ILuS7ICgSvcOJ8qFs6UmbLHVkMt7S2X93ItG+cwjA 6VZFZVIfZ5Pbz5OZG7nB9yh1ArXhzLrDUW4uIC+ccmsg+7/x+0FhCQIgwtEecMi8 bcHtZKbzzAR/oQpWPIyF9HKqqMIwuLUQVl+hasmsZs6OKl8/SaOxbjBQ+JCyexxw O4FzORqlIggG6mxOkCJbMc/jqz52J2Wb6K9hHnVVfun2OS55boFTqmjepBgopvxb UY34osyyDMnJGjZD/IxMyBsgq8OAgrDmTgEgyRl9JBXIvBOiabQOoSzno41z53nj 8YZpl28fM5vKBFRgjaVRiGJc9efLXuB3fhuvWG2X2hiAj5v6Cq0zeE85ylY+JOBw PDdrdrTwoyzDbgF1aDiczls5iYnXjf17pE2g74DZzO7xjttEJ/0LPOst6KZ0Fvt9 9rFYCrp+1IKp49ONkwRaW9Z6FRzR/AgcFX48BbgBWSVnI+rbF28X+idmjVPkeuiZ 3t2blEdgoA== =wVrf -----END PGP SIGNATURE-----