Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2019.3098 [SECURITY] [DLA 1883-1] tomcat8 security update 14 August 2019 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: tomcat8 Publisher: Debian Operating System: Debian GNU/Linux 8 Impact/Access: Cross-site Scripting -- Remote with User Interaction Provide Misleading Information -- Remote with User Interaction Reduced Security -- Unknown/Unspecified Resolution: Patch/Upgrade CVE Names: CVE-2019-0221 CVE-2018-8014 CVE-2016-5388 Reference: ASB-2018.0258 ESB-2019.2975 ESB-2019.2720 ESB-2016.1992 ESB-2016.1765 ESB-2016.1764 Original Bulletin: https://lists.debian.org/debian-lts-announce/2019/08/msg00015.html - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Package : tomcat8 Version : 8.0.14-1+deb8u15 CVE ID : CVE-2016-5388 CVE-2018-8014 CVE-2019-0221 Debian Bug : 929895 898935 Several minor issues have been fixed in tomcat8, a Java Servlet and JSP engine. CVE-2016-5388 Apache Tomcat, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. The 'cgi' servlet now has a 'envHttpHeaders' parameter to filter environment variables. CVE-2018-8014 The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. CVE-2019-0221 The SSI printenv command in Apache Tomcat echoes user provided data without escaping and is, therefore, vulnerable to XSS. SSI is disabled by default. The printenv command is intended for debugging and is unlikely to be present in a production website. For Debian 8 "Jessie", these problems have been fixed in version 8.0.14-1+deb8u15. We recommend that you upgrade your tomcat8 packages. Further information about Debian LTS security advisories, how to apply these updates to your system and frequently asked questions can be found at: https://wiki.debian.org/LTS - -----BEGIN PGP SIGNATURE----- iQEzBAEBCgAdFiEEQic8GuN/xDR88HkSj/HLbo2JBZ8FAl1TATsACgkQj/HLbo2J BZ81XggAirEezVJhu43Xzgx6tIfoH9eSRw+hFqODGlr64aRjbuE1+SeWiyceporc fM83uPbm4rOxZVjAYkqs6tJJVlvJ4C7NC+/4U8tM1QNXJC9Ee1oraV0mIBLN+QA1 mUVsJI/yCSbDdO/RoVwXwD7t6nhTF7cshWDNxzchhpdWBgR/Qez3KgOHg+eAmoRm /3NPm5+ZcXS2TN1CtvKdohQxN8Ak8tMxdGAbRBOMySBq/wHvyPlffRxq1aGNO3Ic 8mGFeJXOo0/y1URg2/S1i6MUpH4tVtRwcb+4/glMynTcWTbvlGR43Wo5moSh1zh4 g6N2lrOxvSduMEKW++bZxwdw/0TFhw== =FGrR - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBXVNclGaOgq3Tt24GAQiK9RAAolonENxQaW6KnKkTI8DHDFSf30jRHGnE AE8r2cFn8XIMC1DrEsDjPe5sG8spMIcrHhc21hABFqGVWweCUDt1kAxmFGY/Qktg pY31IN7kxro51m/FeHSuRUgwSLAhV2vqQVGEnOYo4jwijVsRksjgrVsSkX0ZUu8u jl/HFd5vJpm8Bx2RfSLzs+WcJD897BHfzHpJ3w/v8uBir7HJMlfhwy4GsISEGWK6 ZCNwVB5bWqha6NmKEqV21mNp2It0/4Zah/8hV+p+2c9LtsdgucpBrzYprQXMZ9/5 XImQMO/WLnnIyApfNBOEXr6qES6G4MwMM3YHbQU56+yvTh0Sg4K1W9AUvShhzFo4 iDOig9E3zGhBWkqiBLLDav9zS7FHZOVR/XyR0dktUeO4vZfXz9nuKwx5HKlLPFPN Pmr+KEqjTGB9YJZZJQWp0Kk6W+8QD84GTgFfoapsvCUZfOb2B2TlyLg5vX1d7Bzq NL3yZZwQ1jU1MWC9VeAjdbpK6KWN9XnllIH9rZrkJGdib54KU2y2PSSPtKpGA21W 3YR0Tw2rTMG1BgfUVwkH7udza4sO8/yjm3F6+vhXfWkZwKlXbUY/QlLS3+Op8KLK i8LACnLuVzVqhkR8sd8Ff35fxnicOMIwjo5RrtJ7LNKLyzs4nIr+QQg/9/4RqXjW Uw6Uik+4HuY= =Xh0W -----END PGP SIGNATURE-----