Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title tomcat security, bug fix, and enhancement update
Informations
Name RHSA-2016:2599 First vendor Publication 2016-11-03
Vendor RedHat Last vendor Modification 2016-11-03
Severity (Vendor) N/A Revision 02

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Cvss Base Score 7.8 Attack Range Network
Cvss Impact Score 6.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Client (v. 7) - noarch Red Hat Enterprise Linux Client Optional (v. 7) - noarch Red Hat Enterprise Linux ComputeNode (v. 7) - noarch Red Hat Enterprise Linux ComputeNode Optional (v. 7) - noarch Red Hat Enterprise Linux Server (v. 7) - noarch Red Hat Enterprise Linux Server Optional (v. 7) - noarch Red Hat Enterprise Linux Workstation (v. 7) - noarch Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

The following packages have been upgraded to a newer upstream version: tomcat (7.0.69). (BZ#1287928)

Security Fix(es):

* A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351)

* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)

* A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763)

* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)

* A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call. (CVE-2015-5174)

* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1133070 - Need to include full implementation of tomcat-juli.jar and tomcat-juli-adapters.jar 1201409 - Fix the broken tomcat-jsvc service unit 1208402 - Mark web.xml in tomcat-admin-webapps as config file 1221896 - tomcat.service loads /etc/sysconfig/tomcat without shell expansion 1229476 - Tomcat startup ONLY options 1240279 - The command tomcat-digest doesn't work with RHEL 7 1265698 - CVE-2015-5174 tomcat: URL Normalization issue 1277197 - tomcat user has non-existing default shell set 1287928 - Rebase tomcat to 7.0.69 or backport features 1311076 - CVE-2015-5351 tomcat: CSRF token leak 1311082 - CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms 1311087 - CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet 1311089 - CVE-2015-5345 tomcat: directory disclosure 1311093 - CVE-2016-0763 tomcat: security manager bypass via setGlobalContext() 1311622 - Getting NoSuchElementException while handling attributes with empty string value in tomcat 7.0.54 1320853 - Add HSTS support 1327326 - rpm -V tomcat fails on /var/log/tomcat/catalina.out 1347774 - The security manager doesn't work correctly (JSPs cannot be compiled) 1347860 - The systemd service unit does not allow tomcat to shut down gracefully 1349468 - CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2016-2599.html

CWE : Common Weakness Enumeration

% Id Name
29 % CWE-264 Permissions, Privileges, and Access Controls
29 % CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)
14 % CWE-352 Cross-Site Request Forgery (CSRF) (CWE/SANS Top 25)
14 % CWE-200 Information Exposure
14 % CWE-20 Improper Input Validation

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 8
Application 117
Application 1
Application 1
Os 4
Os 2

Snort® IPS/IDS

Date Description
2016-09-20 Apache Tomcat Commons FileUpload library denial of service attempt
RuleID : 39908 - Revision : 5 - Type : SERVER-APACHE

Nessus® Vulnerability Scanner

Date Description
2018-08-30 Name : A web application running on the remote host is affected by multiple vulnerab...
File : activemq_5_15_5.nasl - Type : ACT_GATHER_INFO
2018-03-21 Name : The remote device is affected by multiple vulnerabilities.
File : juniper_space_jsa_10838.nasl - Type : ACT_GATHER_INFO
2018-03-06 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL58084500.nasl - Type : ACT_GATHER_INFO
2018-03-06 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL34341852.nasl - Type : ACT_GATHER_INFO
2018-03-06 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL18174924.nasl - Type : ACT_GATHER_INFO
2017-10-19 Name : The remote web server is affected by multiple vulnerabilities.
File : glassfish_cpu_oct_2017.nasl - Type : ACT_GATHER_INFO
2017-07-20 Name : An enterprise management application installed on the remote host is affected...
File : oracle_enterprise_manager_jul_2017_cpu.nasl - Type : ACT_GATHER_INFO
2017-05-18 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201705-09.nasl - Type : ACT_GATHER_INFO
2017-05-01 Name : The remote EulerOS host is missing multiple security updates.
File : EulerOS_SA-2016-1054.nasl - Type : ACT_GATHER_INFO
2017-04-21 Name : An enterprise management application installed on the remote host is affected...
File : oracle_enterprise_manager_apr_2017_cpu.nasl - Type : ACT_GATHER_INFO
2017-04-21 Name : A web application running on the remote host is affected by multiple vulnerab...
File : mysql_enterprise_monitor_3_3_3_1199.nasl - Type : ACT_GATHER_INFO
2017-03-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2017-0456.nasl - Type : ACT_GATHER_INFO
2017-03-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2017-0455.nasl - Type : ACT_GATHER_INFO
2017-02-28 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL30971148.nasl - Type : ACT_GATHER_INFO
2017-01-25 Name : A web application running on the remote host is affected by multiple vulnerab...
File : mysql_enterprise_monitor_3_1_5_7958.nasl - Type : ACT_GATHER_INFO
2017-01-25 Name : A web application running on the remote host is affected by multiple vulnerab...
File : mysql_enterprise_monitor_3_2_2_1075.nasl - Type : ACT_GATHER_INFO
2016-12-20 Name : The remote Debian host is missing a security update.
File : debian_DLA-753.nasl - Type : ACT_GATHER_INFO
2016-12-15 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20161103_tomcat_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2016-12-15 Name : A business collaboration application running on the remote host is affected b...
File : domino_swg21992835.nasl - Type : ACT_GATHER_INFO
2016-11-28 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-2599.nasl - Type : ACT_GATHER_INFO
2016-11-21 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-2807.nasl - Type : ACT_GATHER_INFO
2016-11-15 Name : The remote Fedora host is missing a security update.
File : fedora_2016-f4a443888b.nasl - Type : ACT_GATHER_INFO
2016-11-11 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-2599.nasl - Type : ACT_GATHER_INFO
2016-11-04 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-2599.nasl - Type : ACT_GATHER_INFO
2016-10-18 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-2072.nasl - Type : ACT_GATHER_INFO
2016-10-12 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20161010_tomcat6_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2016-10-12 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2016-2045.nasl - Type : ACT_GATHER_INFO
2016-10-11 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-2045.nasl - Type : ACT_GATHER_INFO
2016-10-11 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2016-2045.nasl - Type : ACT_GATHER_INFO
2016-09-08 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-1056.nasl - Type : ACT_GATHER_INFO
2016-09-02 Name : The remote Fedora host is missing a security update.
File : fedora_2016-2b0c16fd82.nasl - Type : ACT_GATHER_INFO
2016-09-02 Name : The remote Fedora host is missing a security update.
File : fedora_2016-0a4dccdd23.nasl - Type : ACT_GATHER_INFO
2016-08-18 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-736.nasl - Type : ACT_GATHER_INFO
2016-07-20 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1433.nasl - Type : ACT_GATHER_INFO
2016-07-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1432.nasl - Type : ACT_GATHER_INFO
2016-07-18 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_61b8c3594aab11e6a7bd14dae9d210b8.nasl - Type : ACT_GATHER_INFO
2016-07-07 Name : The remote Ubuntu host is missing a security-related patch.
File : ubuntu_USN-3027-1.nasl - Type : ACT_GATHER_INFO
2016-07-06 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-3024-1.nasl - Type : ACT_GATHER_INFO
2016-07-05 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3614.nasl - Type : ACT_GATHER_INFO
2016-07-01 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3611.nasl - Type : ACT_GATHER_INFO
2016-07-01 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3609.nasl - Type : ACT_GATHER_INFO
2016-06-27 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_cbceeb493bc711e68e82002590263bf5.nasl - Type : ACT_GATHER_INFO
2016-06-27 Name : The remote Debian host is missing a security update.
File : debian_DLA-529.nasl - Type : ACT_GATHER_INFO
2016-06-27 Name : The remote Debian host is missing a security update.
File : debian_DLA-528.nasl - Type : ACT_GATHER_INFO
2016-05-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1088.nasl - Type : ACT_GATHER_INFO
2016-05-19 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2016-1087.nasl - Type : ACT_GATHER_INFO
2016-04-18 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3552.nasl - Type : ACT_GATHER_INFO
2016-04-05 Name : The remote Apache Tomcat server is affected by an information disclosure vuln...
File : tomcat_xsrf_token_disclosure.nasl - Type : ACT_GATHER_INFO
2016-04-01 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-681.nasl - Type : ACT_GATHER_INFO
2016-04-01 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-680.nasl - Type : ACT_GATHER_INFO
2016-04-01 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-679.nasl - Type : ACT_GATHER_INFO
2016-03-28 Name : The remote Fedora host is missing a security update.
File : fedora_2016-e6651efbaf.nasl - Type : ACT_GATHER_INFO
2016-03-28 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3530.nasl - Type : ACT_GATHER_INFO
2016-03-24 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2016-384.nasl - Type : ACT_GATHER_INFO
2016-03-11 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-658.nasl - Type : ACT_GATHER_INFO
2016-03-11 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2016-657.nasl - Type : ACT_GATHER_INFO
2016-02-29 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_7bbc3016de6311e58fa814dae9d210b8.nasl - Type : ACT_GATHER_INFO
2016-02-29 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_1f1124fede5c11e58fa814dae9d210b8.nasl - Type : ACT_GATHER_INFO
2016-02-29 Name : The remote Debian host is missing a security update.
File : debian_DLA-435.nasl - Type : ACT_GATHER_INFO
2016-02-24 Name : The remote Apache Tomcat server is affected by multiple vulnerabilities.
File : tomcat_8_0_32.nasl - Type : ACT_GATHER_INFO
2016-02-24 Name : The remote Apache Tomcat server is affected by multiple vulnerabilities.
File : tomcat_7_0_68.nasl - Type : ACT_GATHER_INFO
2016-02-24 Name : The remote Apache Tomcat server is affected by multiple vulnerabilities.
File : tomcat_6_0_45.nasl - Type : ACT_GATHER_INFO
2015-12-17 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-2659.nasl - Type : ACT_GATHER_INFO
2015-12-17 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-2660.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2016-11-29 13:23:41
  • Multiple Updates
2016-11-12 13:25:32
  • Multiple Updates
2016-11-05 13:24:39
  • Multiple Updates
2016-11-03 13:22:42
  • First insertion