Описание
Security update for tomcat
Apache Tomcat was updated to 7.0.82 adding features, fixing bugs and security issues.
This is another bugfix release, for full details see:
Fixed security issues:
- CVE-2017-5664: A problem in handling error pages was fixed, to avoid potential file overwrites during error page handling. (bsc#1042910).
- CVE-2017-7674: A CORS Filter issue could lead to client and server side cache poisoning (bsc#1053352)
- CVE-2017-12617: A remote code execution possibility via JSP Upload was fixed (bsc#1059554)
- CVE-2017-12616: An information disclosure when using VirtualDirContext was fixed (bsc#1059551)
- CVE-2017-12615: A Remote Code Execution via JSP Upload was fixed (bsc#1059554)
Non-security issues fixed:
- Fix tomcat-digest classpath error (bsc#977410)
Список пакетов
SUSE Linux Enterprise Server 12-LTSS
Ссылки
- Link for SUSE-SU-2017:3059-1
- E-Mail link for SUSE-SU-2017:3059-1
- SUSE Security Ratings
- SUSE Bug 1042910
- SUSE Bug 1053352
- SUSE Bug 1059551
- SUSE Bug 1059554
- SUSE Bug 977410
- SUSE CVE CVE-2017-12615 page
- SUSE CVE CVE-2017-12616 page
- SUSE CVE CVE-2017-12617 page
- SUSE CVE CVE-2017-5664 page
- SUSE CVE CVE-2017-7674 page
Описание
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Затронутые продукты
Ссылки
- CVE-2017-12615
- SUSE Bug 1059554
- SUSE Bug 1180947
Описание
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
Затронутые продукты
Ссылки
- CVE-2017-12616
- SUSE Bug 1059551
Описание
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Затронутые продукты
Ссылки
- CVE-2017-12617
- SUSE Bug 1059554
- SUSE Bug 1062607
- SUSE Bug 1180947
- SUSE Bug 1189861
Описание
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
Затронутые продукты
Ссылки
- CVE-2017-5664
- SUSE Bug 1042910
Описание
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
Затронутые продукты
Ссылки
- CVE-2017-7674
- SUSE Bug 1053352