Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2019.3098
[SECURITY] [DLA 1883-1] tomcat8 security update
14 August 2019
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: tomcat8
Publisher: Debian
Operating System: Debian GNU/Linux 8
Impact/Access: Cross-site Scripting -- Remote with User Interaction
Provide Misleading Information -- Remote with User Interaction
Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2019-0221 CVE-2018-8014 CVE-2016-5388
Reference: ASB-2018.0258
ESB-2019.2975
ESB-2019.2720
ESB-2016.1992
ESB-2016.1765
ESB-2016.1764
Original Bulletin:
https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Package : tomcat8
Version : 8.0.14-1+deb8u15
CVE ID : CVE-2016-5388 CVE-2018-8014 CVE-2019-0221
Debian Bug : 929895 898935
Several minor issues have been fixed in tomcat8, a Java Servlet and
JSP engine.
CVE-2016-5388
Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875
section 4.1.18 and therefore does not protect applications from
the presence of untrusted client data in the HTTP_PROXY
environment variable, which might allow remote attackers to
redirect an application's outbound HTTP traffic to an arbitrary
proxy server via a crafted Proxy header in an HTTP request, aka an
"httpoxy" issue. The 'cgi' servlet now has a 'envHttpHeaders'
parameter to filter environment variables.
CVE-2018-8014
The defaults settings for the CORS filter provided in Apache
Tomcat are insecure and enable 'supportsCredentials' for all
origins. It is expected that users of the CORS filter will have
configured it appropriately for their environment rather than
using it in the default configuration. Therefore, it is expected
that most users will not be impacted by this issue.
CVE-2019-0221
The SSI printenv command in Apache Tomcat echoes user provided
data without escaping and is, therefore, vulnerable to XSS. SSI is
disabled by default. The printenv command is intended for
debugging and is unlikely to be present in a production website.
For Debian 8 "Jessie", these problems have been fixed in version
8.0.14-1+deb8u15.
We recommend that you upgrade your tomcat8 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
- -----BEGIN PGP SIGNATURE-----
iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl1TATsACgkQj/HLbo2J
BZ81XggAirEezVJhu43Xzgx6tIfoH9eSRw+hFqODGlr64aRjbuE1+SeWiyceporc
fM83uPbm4rOxZVjAYkqs6tJJVlvJ4C7NC+/4U8tM1QNXJC9Ee1oraV0mIBLN+QA1
mUVsJI/yCSbDdO/RoVwXwD7t6nhTF7cshWDNxzchhpdWBgR/Qez3KgOHg+eAmoRm
/3NPm5+ZcXS2TN1CtvKdohQxN8Ak8tMxdGAbRBOMySBq/wHvyPlffRxq1aGNO3Ic
8mGFeJXOo0/y1URg2/S1i6MUpH4tVtRwcb+4/glMynTcWTbvlGR43Wo5moSh1zh4
g6N2lrOxvSduMEKW++bZxwdw/0TFhw==
=FGrR
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
https://www.auscert.org.au/bulletins/
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBXVNclGaOgq3Tt24GAQiK9RAAolonENxQaW6KnKkTI8DHDFSf30jRHGnE
AE8r2cFn8XIMC1DrEsDjPe5sG8spMIcrHhc21hABFqGVWweCUDt1kAxmFGY/Qktg
pY31IN7kxro51m/FeHSuRUgwSLAhV2vqQVGEnOYo4jwijVsRksjgrVsSkX0ZUu8u
jl/HFd5vJpm8Bx2RfSLzs+WcJD897BHfzHpJ3w/v8uBir7HJMlfhwy4GsISEGWK6
ZCNwVB5bWqha6NmKEqV21mNp2It0/4Zah/8hV+p+2c9LtsdgucpBrzYprQXMZ9/5
XImQMO/WLnnIyApfNBOEXr6qES6G4MwMM3YHbQU56+yvTh0Sg4K1W9AUvShhzFo4
iDOig9E3zGhBWkqiBLLDav9zS7FHZOVR/XyR0dktUeO4vZfXz9nuKwx5HKlLPFPN
Pmr+KEqjTGB9YJZZJQWp0Kk6W+8QD84GTgFfoapsvCUZfOb2B2TlyLg5vX1d7Bzq
NL3yZZwQ1jU1MWC9VeAjdbpK6KWN9XnllIH9rZrkJGdib54KU2y2PSSPtKpGA21W
3YR0Tw2rTMG1BgfUVwkH7udza4sO8/yjm3F6+vhXfWkZwKlXbUY/QlLS3+Op8KLK
i8LACnLuVzVqhkR8sd8Ff35fxnicOMIwjo5RrtJ7LNKLyzs4nIr+QQg/9/4RqXjW
Uw6Uik+4HuY=
=Xh0W
-----END PGP SIGNATURE-----