[security-announce] SUSE-SU-2016:0769-1: important: Security update for tomcat

[news 28]

SUSE Security Update: Security update for tomcat

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2016:0769-1

Rating: important

References: #967812 #967814 #967815 #967964 #967965 #967966

#967967

Cross-References: CVE-2015-5174 CVE-2015-5345 CVE-2015-5346

CVE-2015-5351 CVE-2016-0706 CVE-2016-0714

CVE-2016-0763

Affected Products:

SUSE Linux Enterprise Server 12-SP1

______________________________________________________________________________

 

An update that fixes 7 vulnerabilities is now available.

 

Description:

 

 

This update for tomcat fixes the following issues:

 

Tomcat 8 was updated from 8.0.23 to 8.0.32, to fix bugs and security

issues.

 

Fixed security issues:

 

* CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in

Apache Tomcat allowed remote authenticated users to bypass intended

SecurityManager restrictions and list a parent directory via a /..

(slash dot dot) in a pathname used by a web application in a

getResource, getResourceAsStream, or getResourcePaths call, as

demonstrated by the $CATALINA_BASE/webapps directory. (bsc#967967)

* CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when

different session settings are used for deployments of multiple versions

of the same web application, might have allowed remote attackers to

hijack web sessions by leveraging use of a requestedSessionSSL field

for an unintended request, related to CoyoteAdapter.java and

Request.java. (bsc#967814)

* CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects

before considering security constraints and Filters, which allowed

remote attackers to determine the existence of a directory via a URL

that lacks a trailing / (slash) character. (bsc#967965)

* CVE-2015-5351: The (1) Manager and (2) Host Manager applications in

Apache Tomcat established sessions and send CSRF tokens for arbitrary

new requests, which allowed remote attackers to bypass a CSRF protection

mechanism by using a token. (bsc#967812)

* CVE-2016-0706: Apache Tomcat did not place

org.apache.catalina.manager.StatusManagerServlet on the

org/apache/catalina/core/RestrictedServlets.properties list, which

allowed remote authenticated users to bypass intended SecurityManager

restrictions and read arbitrary HTTP requests, and consequently

discover session ID values, via a crafted web application. (bsc#967815)

* CVE-2016-0714: The session-persistence implementation in Apache Tomcat

mishandled session attributes, which allowed remote authenticated users

to bypass intended SecurityManager restrictions and execute arbitrary

code in a privileged context via a web application that places a crafted

object in a session. (bsc#967964)

* CVE-2016-0763: The setGlobalContext method in

org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat did

not consider whether ResourceLinkFactory.setGlobalContext callers are

authorized, which allowed remote authenticated users to bypass intended

SecurityManager restrictions and read or write to arbitrary application

data, or cause a denial of service (application disruption), via a web

application that sets a crafted global context. (bsc#967966)

 

The full changes can be read on:

http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Linux Enterprise Server 12-SP1:

 

zypper in -t patch SUSE-SLE-SERVER-12-SP1-2016-448=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Linux Enterprise Server 12-SP1 (noarch):

 

tomcat-8.0.32-3.1

tomcat-admin-webapps-8.0.32-3.1

tomcat-docs-webapp-8.0.32-3.1

tomcat-el-3_0-api-8.0.32-3.1

tomcat-javadoc-8.0.32-3.1

tomcat-jsp-2_3-api-8.0.32-3.1

tomcat-lib-8.0.32-3.1

tomcat-servlet-3_1-api-8.0.32-3.1

tomcat-webapps-8.0.32-3.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2015-5174.html

https://www.suse.com/security/cve/CVE-2015-5345.html

https://www.suse.com/security/cve/CVE-2015-5346.html

https://www.suse.com/security/cve/CVE-2015-5351.html

https://www.suse.com/security/cve/CVE-2016-0706.html

https://www.suse.com/security/cve/CVE-2016-0714.html

https://www.suse.com/security/cve/CVE-2016-0763.html

https://bugzilla.suse.com/967812

https://bugzilla.suse.com/967814

https://bugzilla.suse.com/967815

https://bugzilla.suse.com/967964

https://bugzilla.suse.com/967965

https://bugzilla.suse.com/967966

https://bugzilla.suse.com/967967

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org