An update is now available for Red Hat JBoss Enterprise Web Server 2 for RHEL 6 and Red Hat JBoss Enterprise Web Server 2 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important.

A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

This release of Red Hat JBoss Web Server 2.1.2 serves as a replacement for Red Hat JBoss Web Server 2.1.1. It contains security fixes for the Tomcat 7 component. Only users of the Tomcat 7 component in JBoss Web Server need to apply the fixes delivered in this release.

Security Fix(es):

* A CSRF flaw was found in the index pages of Tomcat's Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351)

* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)

* A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763)

* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file, instead of the typical tens of bytes. (CVE-2016-3092)

* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)
Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

JBoss Enterprise Web Server v2 EL6

SRPMS:
tomcat7-7.0.54-23_patch_05.ep6.el6.src.rpm

IA-32:
tomcat7-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-admin-webapps-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-docs-webapp-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-javadoc-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-lib-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-log4j-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-maven-devel-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-webapps-7.0.54-23_patch_05.ep6.el6.noarch.rpm

x86_64:
tomcat7-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-admin-webapps-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-docs-webapp-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-javadoc-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-lib-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-log4j-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-maven-devel-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-23_patch_05.ep6.el6.noarch.rpm
tomcat7-webapps-7.0.54-23_patch_05.ep6.el6.noarch.rpm
(The unlinked packages above are only available from the Red Hat Network)
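A post-update check a defender can run on each JBoss Web Server host, added here as an example (it is not Red Hat's tooling): it compares the tomcat7 version-release reported by rpm against the fixed RHEL 6 build 7.0.54-23_patch_05.ep6.el6 from the package list above, using a Python re-implementation of rpm's label comparison. Assumptions: the rpmvercmp port mirrors rpm's segment rules without the '~' and '^' special cases, and FIXED_VR must be adjusted for builds other than the EL6 one listed.

```python
import re
import subprocess

# Fixed tomcat7 build for RHEL 6, taken from this advisory's package list.
FIXED_VR = "7.0.54-23_patch_05.ep6.el6"

def rpmvercmp(a, b):
    """Compare two rpm version/release labels; returns -1, 0 or 1.
    Re-implements rpm's rpmvercmp segment rules (assumption: the '~' and '^'
    special cases are omitted): digits beat letters, numbers compare by value."""
    ia = ib = 0
    while True:
        ia += len(re.match(r"[^A-Za-z0-9]*", a[ia:]).group())  # skip '.', '_'
        ib += len(re.match(r"[^A-Za-z0-9]*", b[ib:]).group())
        if ia >= len(a) or ib >= len(b):
            break
        isnum = a[ia].isdigit()
        pat = r"\d+" if isnum else r"[A-Za-z]+"
        sa, mb = re.match(pat, a[ia:]).group(), re.match(pat, b[ib:])
        if mb is None:                    # segment types differ: digits win
            return 1 if isnum else -1
        sb = mb.group()
        ia, ib = ia + len(sa), ib + len(sb)
        if isnum:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):        # the longer number is the larger
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    # equal when both exhausted; otherwise whoever has segments left wins
    return 0 if ia >= len(a) and ib >= len(b) else (-1 if ia >= len(a) else 1)

def is_fixed(installed_vr, fixed_vr=FIXED_VR):
    """True when an rpm 'version-release' label is at least the fixed build."""
    iv, _, ir = installed_vr.rpartition("-")
    fv, _, fr = fixed_vr.rpartition("-")
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def installed_tomcat7_vr():
    """Ask rpm for the installed tomcat7 build; None if absent or no rpm."""
    cmd = ["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "tomcat7"]
    try:
        r = subprocess.run(cmd, capture_output=True, text=True)
    except FileNotFoundError:
        return None
    return r.stdout.strip() if r.returncode == 0 else None

if __name__ == "__main__":
    vr = installed_tomcat7_vr()
    print("tomcat7 not installed (or rpm unavailable)" if vr is None else
          f"tomcat7 {vr}: {'fixed' if is_fixed(vr) else 'NOT fixed, update'}")
```

Note that a release such as 23.ep6.el6 sorts below 23_patch_05.ep6.el6 because "ep" compares alphabetically before "patch", so unpatched 7.0.54 builds are correctly reported as not fixed.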

1311076 – CVE-2015-5351 tomcat: CSRF token leak
1311082 – CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
1311085 – CVE-2015-5346 tomcat: Session fixation
1311087 – CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
1311093 – CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
1349468 – CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
