Action not permitted
Modal body text goes here.
Modal Title
Modal Body
cve-2016-6325
Vulnerability from cvelistv5
Published
2016-10-13 14:00
Modified
2024-08-06 01:29
Severity ?
EPSS score ?
Summary
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
References
{ containers: { adp: [ { providerMetadata: { dateUpdated: "2024-08-06T01:29:18.293Z", orgId: "af854a3a-2127-422b-91ae-364da2661108", shortName: "CVE", }, references: [ { name: "93478", tags: [ "vdb-entry", "x_refsource_BID", "x_transferred", ], url: "http://www.securityfocus.com/bid/93478", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", }, { name: "RHSA-2016:2045", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2045.html", }, { name: "RHSA-2016:2046", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2046.html", }, { name: "RHSA-2017:0457", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "http://rhn.redhat.com/errata/RHSA-2017-0457.html", }, { name: "RHSA-2017:0455", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:0455", }, { tags: [ "x_refsource_CONFIRM", "x_transferred", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { name: "RHSA-2017:0456", tags: [ "vendor-advisory", "x_refsource_REDHAT", "x_transferred", ], url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], title: "CVE Program Container", }, ], cna: { affected: [ { product: "n/a", vendor: "n/a", versions: [ { status: "affected", version: "n/a", }, ], }, ], datePublic: "2016-10-10T00:00:00", descriptions: [ { lang: "en", value: "The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.", }, ], problemTypes: [ { descriptions: [ { description: "n/a", lang: "en", type: "text", }, ], }, ], providerMetadata: { dateUpdated: "2018-01-04T19:57:01", orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", shortName: "redhat", }, references: [ { name: "93478", tags: [ "vdb-entry", "x_refsource_BID", ], url: "http://www.securityfocus.com/bid/93478", }, { tags: [ "x_refsource_CONFIRM", ], url: "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", }, { name: "RHSA-2016:2045", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2045.html", }, { name: "RHSA-2016:2046", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2046.html", }, { name: "RHSA-2017:0457", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "http://rhn.redhat.com/errata/RHSA-2017-0457.html", }, { name: "RHSA-2017:0455", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:0455", }, { tags: [ "x_refsource_CONFIRM", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { name: "RHSA-2017:0456", tags: [ "vendor-advisory", "x_refsource_REDHAT", ], url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], }, }, cveMetadata: { assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749", assignerShortName: "redhat", cveId: "CVE-2016-6325", datePublished: "2016-10-13T14:00:00", dateReserved: "2016-07-26T00:00:00", dateUpdated: "2024-08-06T01:29:18.293Z", state: "PUBLISHED", }, dataType: "CVE_RECORD", dataVersion: "5.1", "vulnerability-lookup:meta": { fkie_nvd: { configurations: "[{\"operator\": \"AND\", \"nodes\": [{\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": true, \"criteria\": \"cpe:2.3:a:apache:tomcat:-:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"DB5FCB11-3FCA-4EB4-8FA6-87B356B80739\"}]}, {\"operator\": \"OR\", \"negate\": false, \"cpeMatch\": [{\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"681173DF-537E-4A64-8FC7-75F439CCAD0D\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"54EB07A0-FB38-4F17-9C8D-DB629967F07B\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1D8B549B-E57B-4DFE-8A13-CAB06B5356B3\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"33C068A4-3780-4EAB-A937-6082DF847564\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"C2FAC325-6EEB-466D-9EBA-8ED4DBC9CFBF\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"3C84489B-B08C-4854-8A12-D01B6E45CF79\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"39A901D6-0874-46A4-92A8-5F72C7A89E85\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"9BBCD86A-E6C7-4444-9D74-F861084090F0\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"51EF4996-72F4-4FA4-814F-F5991E7A8318\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"1C8D871B-AEA1-4407-AEE3-47EC782250FF\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"44B067C7-735E-43C9-9188-7E1522A02491\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"E5ED5807-55B7-47C5-97A6-03233F4FBC3A\"}, {\"vulnerable\": false, \"criteria\": \"cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*\", \"matchCriteriaId\": \"825ECE2D-E232-46E0-A047-074B34DB1E97\"}]}]}]", descriptions: "[{\"lang\": \"en\", \"value\": \"The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.\"}, {\"lang\": \"es\", \"value\": \"El paquete Tomcat en Red Hat Enterprise Linux (RHEL) 5 hasta la versi\\u00f3n 7, JBoss Web Server 3.0 y JBoss EWS 2 utiliza permisos d\\u00e9biles para (1) /etc/sysconfig/tomcat y (2) /etc/tomcat/tomcat.conf, lo que permite a usuarios locales obtener privilegios aprovechando su pertenencia al grupo tomcat.\"}]", id: "CVE-2016-6325", lastModified: "2024-11-21T02:55:54.337", metrics: "{\"cvssMetricV30\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"3.0\", \"vectorString\": \"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"baseScore\": 7.8, \"baseSeverity\": \"HIGH\", \"attackVector\": \"LOCAL\", \"attackComplexity\": \"LOW\", \"privilegesRequired\": \"LOW\", \"userInteraction\": \"NONE\", \"scope\": \"UNCHANGED\", \"confidentialityImpact\": \"HIGH\", \"integrityImpact\": \"HIGH\", \"availabilityImpact\": \"HIGH\"}, \"exploitabilityScore\": 1.8, \"impactScore\": 5.9}], \"cvssMetricV2\": [{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"cvssData\": {\"version\": \"2.0\", \"vectorString\": \"AV:L/AC:L/Au:N/C:C/I:C/A:C\", \"baseScore\": 7.2, \"accessVector\": \"LOCAL\", \"accessComplexity\": \"LOW\", \"authentication\": \"NONE\", \"confidentialityImpact\": \"COMPLETE\", \"integrityImpact\": \"COMPLETE\", \"availabilityImpact\": \"COMPLETE\"}, \"baseSeverity\": \"HIGH\", \"exploitabilityScore\": 3.9, \"impactScore\": 10.0, \"acInsufInfo\": false, \"obtainAllPrivilege\": false, \"obtainUserPrivilege\": false, \"obtainOtherPrivilege\": false, \"userInteractionRequired\": false}]}", published: "2016-10-13T14:59:09.127", references: "[{\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2045.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2046.html\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2017-0457.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"http://www.securityfocus.com/bid/93478\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:0455\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:0456\", \"source\": \"secalert@redhat.com\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1367447\", \"source\": \"secalert@redhat.com\", \"tags\": [\"Issue Tracking\", \"VDB Entry\", \"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2045.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2016-2046.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Vendor Advisory\"]}, {\"url\": \"http://rhn.redhat.com/errata/RHSA-2017-0457.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"http://www.securityfocus.com/bid/93478\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:0455\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://access.redhat.com/errata/RHSA-2017:0456\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\"}, {\"url\": \"https://bugzilla.redhat.com/show_bug.cgi?id=1367447\", \"source\": \"af854a3a-2127-422b-91ae-364da2661108\", \"tags\": [\"Issue Tracking\", \"VDB Entry\", \"Vendor Advisory\"]}]", sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: "[{\"source\": \"nvd@nist.gov\", \"type\": \"Primary\", \"description\": [{\"lang\": \"en\", \"value\": \"CWE-264\"}]}]", }, nvd: "{\"cve\":{\"id\":\"CVE-2016-6325\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2016-10-13T14:59:09.127\",\"lastModified\":\"2024-11-21T02:55:54.337\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.\"},{\"lang\":\"es\",\"value\":\"El paquete Tomcat en Red Hat Enterprise Linux (RHEL) 5 hasta la versión 7, JBoss Web Server 3.0 y JBoss EWS 2 utiliza permisos débiles para (1) /etc/sysconfig/tomcat y (2) /etc/tomcat/tomcat.conf, lo que permite a usuarios locales obtener privilegios aprovechando su pertenencia al grupo tomcat.\"}],\"metrics\":{\"cvssMetricV30\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.0\",\"vectorString\":\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}],\"cvssMetricV2\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"2.0\",\"vectorString\":\"AV:L/AC:L/Au:N/C:C/I:C/A:C\",\"baseScore\":7.2,\"accessVector\":\"LOCAL\",\"accessComplexity\":\"LOW\",\"authentication\":\"NONE\",\"confidentialityImpact\":\"COMPLETE\",\"integrityImpact\":\"COMPLETE\",\"availabilityImpact\":\"COMPLETE\"},\"baseSeverity\":\"HIGH\",\"exploitabilityScore\":3.9,\"impactScore\":10.0,\"acInsufInfo\":false,\"obtainAllPrivilege\":false,\"obtainUserPrivilege\":false,\"obtainOtherPrivilege\":false,\"userInteractionRequired\":false}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-264\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:apache:tomcat:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"DB5FCB11-3FCA-4EB4-8FA6-87B356B80739\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"681173DF-537E-4A64-8FC7-75F439CCAD0D\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"54EB07A0-FB38-4F17-9C8D-DB629967F07B\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1D8B549B-E57B-4DFE-8A13-CAB06B5356B3\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"142AD0DD-4CF3-4D74-9442-459CE3347E3A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"33C068A4-3780-4EAB-A937-6082DF847564\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"C2FAC325-6EEB-466D-9EBA-8ED4DBC9CFBF\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3C84489B-B08C-4854-8A12-D01B6E45CF79\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"39A901D6-0874-46A4-92A8-5F72C7A89E85\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"9BBCD86A-E6C7-4444-9D74-F861084090F0\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"51EF4996-72F4-4FA4-814F-F5991E7A8318\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"1C8D871B-AEA1-4407-AEE3-47EC782250FF\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"44B067C7-735E-43C9-9188-7E1522A02491\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"E5ED5807-55B7-47C5-97A6-03233F4FBC3A\"},{\"vulnerable\":false,\"criteria\":\"cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"825ECE2D-E232-46E0-A047-074B34DB1E97\"}]}]}],\"references\":[{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2045.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2046.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2017-0457.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html\",\"source\":\"secalert@redhat.com\"},{\"url\":\"http://www.securityfocus.com/bid/93478\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:0455\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:0456\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1367447\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"VDB Entry\",\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2045.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2016-2046.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"http://rhn.redhat.com/errata/RHSA-2017-0457.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"http://www.securityfocus.com/bid/93478\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:0455\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://access.redhat.com/errata/RHSA-2017:0456\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=1367447\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"VDB Entry\",\"Vendor Advisory\"]}]}}", }, }
RHSA-2016:2045
Vulnerability from csaf_redhat
Published
2016-10-10 20:38
Modified
2025-03-19 14:14
Summary
Red Hat Security Advisory: tomcat6 security and bug fix update
Notes
Topic
An update for tomcat6 is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)
* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)
* A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)
* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)
* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)
Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Bug Fix(es):
* Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were compared to the file's attributes at installation time. Because these attributes change after the service is started, the "rpm -V" command previously failed. With this update, the attributes mentioned above are ignored in the RPM verification and the catalina.out file now passes the verification check. (BZ#1357123)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for tomcat6 is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)\n\n* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)\n\n* A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)\n\n* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)\n\n* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)\n\nRed Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nBug Fix(es):\n\n* Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were compared to the file's attributes at installation time. Because these attributes change after the service is started, the \"rpm -V\" command previously failed. With this update, the attributes mentioned above are ignored in the RPM verification and the catalina.out file now passes the verification check. (BZ#1357123)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2045", url: "https://access.redhat.com/errata/RHSA-2016:2045", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.45", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.45", }, { category: "external", summary: "1265698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1265698", }, { category: "external", summary: "1311082", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311082", }, { category: "external", summary: "1311087", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311087", }, { category: "external", summary: "1311089", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311089", }, { category: "external", summary: "1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "1357123", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1357123", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2045.json", }, ], title: "Red Hat Security Advisory: tomcat6 security and bug fix update", tracking: { current_release_date: "2025-03-19T14:14:44+00:00", generator: { date: "2025-03-19T14:14:44+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2016:2045", initial_release_date: "2016-10-10T20:38:52+00:00", revision_history: [ { date: "2016-10-10T20:38:52+00:00", number: "1", summary: "Initial version", }, { date: "2016-10-10T20:38:52+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T14:14:44+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop (v. 6)", product: { name: "Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::client", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux HPC Node (v. 6)", product: { name: "Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::computenode", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Server (v. 6)", product: { name: "Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::server", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Workstation (v. 6)", product: { name: "Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::workstation", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-javadoc@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-admin-webapps@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-servlet-2.5-api@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-lib@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-el-2.1-api@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-docs-webapp@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-jsp-2.1-api@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-webapps@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6@6.0.24-98.el6_8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "tomcat6-0:6.0.24-98.el6_8.src", product: { name: "tomcat6-0:6.0.24-98.el6_8.src", product_id: "tomcat6-0:6.0.24-98.el6_8.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6@6.0.24-98.el6_8?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, ], }, vulnerabilities: [ { cve: "CVE-2015-5174", discovery_date: "2015-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1265698", }, ], notes: [ { category: "description", text: "A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: URL Normalization issue", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5174", }, { category: "external", summary: "RHBZ#1265698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1265698", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5174", url: "https://www.cve.org/CVERecord?id=CVE-2015-5174", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5174", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5174", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/149", url: "http://seclists.org/bugtraq/2016/Feb/149", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: URL Normalization issue", }, { cve: "CVE-2015-5345", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311089", }, ], notes: [ { category: "description", text: "It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: directory disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5345", }, { category: "external", summary: "RHBZ#1311089", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311089", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5345", url: "https://www.cve.org/CVERecord?id=CVE-2015-5345", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5345", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5345", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/146", url: "http://seclists.org/bugtraq/2016/Feb/146", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: directory disclosure", }, { cve: "CVE-2016-0706", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311087", }, ], notes: [ { category: "description", text: "It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via StatusManagerServlet", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0706", }, { category: "external", summary: "RHBZ#1311087", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311087", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0706", url: "https://www.cve.org/CVERecord?id=CVE-2016-0706", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0706", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0706", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/144", url: "http://seclists.org/bugtraq/2016/Feb/144", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "ADJACENT_NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.9, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:A/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via StatusManagerServlet", }, { cve: "CVE-2016-0714", cwe: { id: "CWE-290", name: "Authentication Bypass by Spoofing", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311082", }, ], notes: [ { category: "description", text: "It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Security Manager bypass via persistence mechanisms", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0714", }, { category: "external", summary: "RHBZ#1311082", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311082", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0714", url: "https://www.cve.org/CVERecord?id=CVE-2016-0714", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0714", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0714", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/145", url: "http://seclists.org/bugtraq/2016/Feb/145", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Security Manager bypass via persistence mechanisms", }, { acknowledgments: [ { names: [ "Scott Geary", ], organization: "VendHQ", }, ], cve: "CVE-2016-5388", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-07-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1353809", }, ], notes: [ { category: "description", text: "It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.", title: "Vulnerability description", }, { category: "summary", text: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5388", }, { category: "external", summary: "RHBZ#1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5388", url: "https://www.cve.org/CVERecord?id=CVE-2016-5388", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", }, ], release_date: "2016-07-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.5, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, ], }
RHSA-2016:2046
Vulnerability from csaf_redhat
Published
2016-10-10 20:38
Modified
2024-11-22 10:10
Summary
Red Hat Security Advisory: tomcat security update
Notes
Topic
An update for tomcat is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)
* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)
* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)
Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for tomcat is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)\n\n* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)\n\n* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)\n\nRed Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2046", url: "https://access.redhat.com/errata/RHSA-2016:2046", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", }, { category: "external", summary: "1222573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1222573", }, { category: "external", summary: "1311085", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311085", }, { category: "external", summary: "1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "1362545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1362545", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2046.json", }, ], title: "Red Hat Security Advisory: tomcat security update", tracking: { current_release_date: "2024-11-22T10:10:37+00:00", generator: { date: "2024-11-22T10:10:37+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2016:2046", initial_release_date: "2016-10-10T20:38:43+00:00", revision_history: [ { date: "2016-10-10T20:38:43+00:00", number: "1", summary: "Initial version", }, { date: "2016-10-10T20:38:43+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T10:10:37+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Client (v. 7)", product: { name: "Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::client", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Client Optional (v. 7)", product: { name: "Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::client", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux ComputeNode (v. 7)", product: { name: "Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::computenode", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product: { name: "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::computenode", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Server (v. 7)", product: { name: "Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::server", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Server Optional (v. 7)", product: { name: "Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::server", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Workstation (v. 7)", product: { name: "Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Workstation Optional (v. 7)", product: { name: "Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::workstation", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-jsp-2.2-api@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-servlet-3.0-api@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-webapps@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-el-2.2-api@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-admin-webapps@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-lib-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-lib-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-lib@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-docs-webapp@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-javadoc@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-jsvc@7.0.54-8.el7_2?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "tomcat-0:7.0.54-8.el7_2.src", product: { name: "tomcat-0:7.0.54-8.el7_2.src", product_id: "tomcat-0:7.0.54-8.el7_2.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat@7.0.54-8.el7_2?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, ], }, vulnerabilities: [ { cve: "CVE-2014-7810", discovery_date: "2015-05-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1222573", }, ], notes: [ { category: "description", text: "It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections.", title: "Vulnerability description", }, { category: "summary", text: "Tomcat/JbossWeb: security manager bypass via EL expressions", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-7810", }, { category: "external", summary: "RHBZ#1222573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1222573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-7810", url: "https://www.cve.org/CVERecord?id=CVE-2014-7810", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-7810", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-7810", }, { category: "external", summary: "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44", url: "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", url: "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17", url: "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17", }, ], release_date: "2015-05-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Tomcat/JbossWeb: security manager bypass via EL expressions", }, { cve: "CVE-2015-5346", discovery_date: "2014-06-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311085", }, ], notes: [ { category: "description", text: "A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Session fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5346", }, { category: "external", summary: "RHBZ#1311085", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311085", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5346", url: "https://www.cve.org/CVERecord?id=CVE-2015-5346", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5346", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5346", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/143", url: "http://seclists.org/bugtraq/2016/Feb/143", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: Session fixation", }, { acknowledgments: [ { names: [ "Scott Geary", ], organization: "VendHQ", }, ], cve: "CVE-2016-5388", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-07-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1353809", }, ], notes: [ { category: "description", text: "It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.", title: "Vulnerability description", }, { category: "summary", text: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5388", }, { category: "external", summary: "RHBZ#1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5388", url: "https://www.cve.org/CVERecord?id=CVE-2016-5388", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", }, ], release_date: "2016-07-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.5, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", }, { acknowledgments: [ { names: [ "Dawid Golunski", ], organization: "http://legalhackers.com", }, ], cve: "CVE-2016-5425", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-07-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1362545", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Local privilege escalation via systemd-tmpfiles service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5425", }, { category: "external", summary: "RHBZ#1362545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1362545", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5425", url: "https://www.cve.org/CVERecord?id=CVE-2016-5425", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5425", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5425", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-RedHat-based-Root-Privilege-Escalation-Exploit.txt", url: "http://legalhackers.com/advisories/Tomcat-RedHat-based-Root-Privilege-Escalation-Exploit.txt", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: Local privilege escalation via systemd-tmpfiles service", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 1.9, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 3.3, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, ], }
rhsa-2017_0456
Vulnerability from csaf_redhat
Published
2017-03-07 19:06
Modified
2024-12-15 18:44
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update
Notes
Topic
An update is now available for Red Hat JBoss Web Server 3 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.
Security Fix(es):
* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)
* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)
* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)
* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)
* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)
* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)
* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)
The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Enhancement(s):
* This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 7. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-268)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Web Server 3 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\n* This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 7. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-268)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:0456", url: "https://access.redhat.com/errata/RHSA-2017:0456", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "JWS-268", url: "https://issues.redhat.com/browse/JWS-268", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0456.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update", tracking: { current_release_date: "2024-12-15T18:44:39+00:00", generator: { date: "2024-12-15T18:44:39+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2017:0456", initial_release_date: "2017-03-07T19:06:06+00:00", revision_history: [ { date: "2017-03-07T19:06:06+00:00", number: "1", summary: "Initial version", }, { date: "2017-03-07T19:06:06+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T18:44:39+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Web Server 3.1 for RHEL 7", product: { name: "Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Web Server", }, { branches: [ { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-envers-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-c3p0-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-core-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-entitymanager-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat8@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat7@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el7?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", product: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", product_id: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-runtime@1-3.jbcs.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-selinux@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-webapps@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-lib@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-log4j@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-log4j@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-selinux@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-webapps@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-lib@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-17.ep7.el7?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el7?arch=src&epoch=1", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el7.src", product: { name: "tomcat7-0:7.0.70-16.ep7.el7.src", product_id: "tomcat7-0:7.0.70-16.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el7.src", product: { name: "tomcat8-0:8.0.36-17.ep7.el7.src", product_id: "tomcat8-0:8.0.36-17.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el7?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo@1.0.15-17.redhat_2.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el7?arch=x86_64", }, }, }, { category: "product_version", name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_id: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.8-9.redhat_9.ep7.el7?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", }, product_reference: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", }, product_reference: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, ], }, vulnerabilities: [ { cve: "CVE-2016-0762", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390526", }, ], notes: [ { category: "description", text: "The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: timing attack in Realm implementation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0762", }, { category: "external", summary: "RHBZ#1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0762", url: "https://www.cve.org/CVERecord?id=CVE-2016-0762", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: timing attack in Realm implementation", }, { cve: "CVE-2016-1240", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-09-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1376712", }, ], notes: [ { category: "description", text: "It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1240", }, { category: "external", summary: "RHBZ#1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1240", url: "https://www.cve.org/CVERecord?id=CVE-2016-1240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", url: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", }, ], release_date: "2016-09-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", }, { cve: "CVE-2016-3092", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-06-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1349468", }, ], notes: [ { category: "description", text: "A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3092", }, { category: "external", summary: "RHBZ#1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3092", url: "https://www.cve.org/CVERecord?id=CVE-2016-3092", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html", url: "http://tomcat.apache.org/security-7.html", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html", url: "http://tomcat.apache.org/security-8.html", }, ], release_date: "2016-06-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", }, { cve: "CVE-2016-5018", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390525", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via IntrospectHelper utility function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5018", }, { category: "external", summary: "RHBZ#1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5018", url: "https://www.cve.org/CVERecord?id=CVE-2016-5018", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via IntrospectHelper utility function", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, { cve: "CVE-2016-6794", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390520", }, ], notes: [ { category: "description", text: "It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: system property disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6794", }, { category: "external", summary: "RHBZ#1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6794", url: "https://www.cve.org/CVERecord?id=CVE-2016-6794", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: system property disclosure", }, { cve: "CVE-2016-6796", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390515", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via JSP Servlet config parameters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6796", }, { category: "external", summary: "RHBZ#1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6796", url: "https://www.cve.org/CVERecord?id=CVE-2016-6796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via JSP Servlet config parameters", }, { cve: "CVE-2016-6797", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390493", }, ], notes: [ { category: "description", text: "It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unrestricted access to global resources", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6797", }, { category: "external", summary: "RHBZ#1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6797", url: "https://www.cve.org/CVERecord?id=CVE-2016-6797", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: unrestricted access to global resources", }, { cve: "CVE-2016-6816", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397484", }, ], notes: [ { category: "description", text: "It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", title: "Vulnerability summary", }, { category: "other", text: "Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6816", }, { category: "external", summary: "RHBZ#1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6816", url: "https://www.cve.org/CVERecord?id=CVE-2016-6816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", }, { category: "external", summary: "https://access.redhat.com/articles/2991951", url: "https://access.redhat.com/articles/2991951", }, { category: "external", summary: "https://access.redhat.com/solutions/2891171", url: "https://access.redhat.com/solutions/2891171", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", }, { cve: "CVE-2016-8735", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397485", }, ], notes: [ { category: "description", text: "The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8735", }, { category: "external", summary: "RHBZ#1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8735", url: "https://www.cve.org/CVERecord?id=CVE-2016-8735", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "exploit_status", date: "2023-05-12T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", }, { cve: "CVE-2016-8745", discovery_date: "2016-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1403824", }, ], notes: [ { category: "description", text: "A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: information disclosure due to incorrect Processor sharing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8745", }, { category: "external", summary: "RHBZ#1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8745", url: "https://www.cve.org/CVERecord?id=CVE-2016-8745", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", }, ], release_date: "2016-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: information disclosure due to incorrect Processor sharing", }, ], }
rhsa-2016:2046
Vulnerability from csaf_redhat
Published
2016-10-10 20:38
Modified
2024-11-22 10:10
Summary
Red Hat Security Advisory: tomcat security update
Notes
Topic
An update for tomcat is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)
* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)
* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)
Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for tomcat is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)\n\n* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)\n\n* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)\n\nRed Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2046", url: "https://access.redhat.com/errata/RHSA-2016:2046", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", }, { category: "external", summary: "1222573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1222573", }, { category: "external", summary: "1311085", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311085", }, { category: "external", summary: "1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "1362545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1362545", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2046.json", }, ], title: "Red Hat Security Advisory: tomcat security update", tracking: { current_release_date: "2024-11-22T10:10:37+00:00", generator: { date: "2024-11-22T10:10:37+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2016:2046", initial_release_date: "2016-10-10T20:38:43+00:00", revision_history: [ { date: "2016-10-10T20:38:43+00:00", number: "1", summary: "Initial version", }, { date: "2016-10-10T20:38:43+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T10:10:37+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Client (v. 7)", product: { name: "Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::client", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Client Optional (v. 7)", product: { name: "Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::client", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux ComputeNode (v. 7)", product: { name: "Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::computenode", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product: { name: "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::computenode", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Server (v. 7)", product: { name: "Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::server", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Server Optional (v. 7)", product: { name: "Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::server", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Workstation (v. 7)", product: { name: "Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Workstation Optional (v. 7)", product: { name: "Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::workstation", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-jsp-2.2-api@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-servlet-3.0-api@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-webapps@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-el-2.2-api@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-admin-webapps@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-lib-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-lib-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-lib@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-docs-webapp@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-javadoc@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-jsvc@7.0.54-8.el7_2?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "tomcat-0:7.0.54-8.el7_2.src", product: { name: "tomcat-0:7.0.54-8.el7_2.src", product_id: "tomcat-0:7.0.54-8.el7_2.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat@7.0.54-8.el7_2?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, ], }, vulnerabilities: [ { cve: "CVE-2014-7810", discovery_date: "2015-05-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1222573", }, ], notes: [ { category: "description", text: "It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections.", title: "Vulnerability description", }, { category: "summary", text: "Tomcat/JbossWeb: security manager bypass via EL expressions", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-7810", }, { category: "external", summary: "RHBZ#1222573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1222573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-7810", url: "https://www.cve.org/CVERecord?id=CVE-2014-7810", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-7810", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-7810", }, { category: "external", summary: "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44", url: "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", url: "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17", url: "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17", }, ], release_date: "2015-05-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Tomcat/JbossWeb: security manager bypass via EL expressions", }, { cve: "CVE-2015-5346", discovery_date: "2014-06-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311085", }, ], notes: [ { category: "description", text: "A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Session fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5346", }, { category: "external", summary: "RHBZ#1311085", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311085", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5346", url: "https://www.cve.org/CVERecord?id=CVE-2015-5346", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5346", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5346", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/143", url: "http://seclists.org/bugtraq/2016/Feb/143", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: Session fixation", }, { acknowledgments: [ { names: [ "Scott Geary", ], organization: "VendHQ", }, ], cve: "CVE-2016-5388", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-07-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1353809", }, ], notes: [ { category: "description", text: "It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.", title: "Vulnerability description", }, { category: "summary", text: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5388", }, { category: "external", summary: "RHBZ#1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5388", url: "https://www.cve.org/CVERecord?id=CVE-2016-5388", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", }, ], release_date: "2016-07-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.5, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", }, { acknowledgments: [ { names: [ "Dawid Golunski", ], organization: "http://legalhackers.com", }, ], cve: "CVE-2016-5425", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-07-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1362545", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Local privilege escalation via systemd-tmpfiles service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5425", }, { category: "external", summary: "RHBZ#1362545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1362545", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5425", url: "https://www.cve.org/CVERecord?id=CVE-2016-5425", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5425", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5425", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-RedHat-based-Root-Privilege-Escalation-Exploit.txt", url: "http://legalhackers.com/advisories/Tomcat-RedHat-based-Root-Privilege-Escalation-Exploit.txt", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: Local privilege escalation via systemd-tmpfiles service", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 1.9, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 3.3, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, ], }
rhsa-2017:0455
Vulnerability from csaf_redhat
Published
2017-03-07 19:06
Modified
2025-02-02 19:59
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update
Notes
Topic
An update is now available for Red Hat JBoss Web Server 3 for RHEL 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.
Security Fix(es):
* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)
* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)
* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)
* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)
* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)
* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)
* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)
The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Enhancement(s):
This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 6. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-267)
Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Web Server 3 for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\nThis enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 6. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-267)\n\nUsers of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:0455", url: "https://access.redhat.com/errata/RHSA-2017:0455", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "JWS-267", url: "https://issues.redhat.com/browse/JWS-267", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0455.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update", tracking: { current_release_date: "2025-02-02T19:59:09+00:00", generator: { date: "2025-02-02T19:59:09+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:0455", initial_release_date: "2017-03-07T19:06:40+00:00", revision_history: [ { date: "2017-03-07T19:06:40+00:00", number: "1", summary: "Initial version", }, { date: "2017-03-07T19:06:40+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T19:59:09+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Web Server 3.1 for RHEL 6", product: { name: "Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", }, }, }, ], category: "product_family", name: "Red Hat JBoss Web Server", }, { branches: [ { category: "product_version", name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-envers-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-c3p0-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-core-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-entitymanager-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat7@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat8@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el6?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", product: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", product_id: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-runtime@1-3.jbcs.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-selinux@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-lib@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-log4j@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-webapps@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-log4j@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-webapps@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-selinux@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-lib@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-17.ep7.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el6?arch=src&epoch=1", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el6.src", product: { name: "tomcat7-0:7.0.70-16.ep7.el6.src", product_id: "tomcat7-0:7.0.70-16.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el6.src", product: { name: "tomcat8-0:8.0.36-17.ep7.el6.src", product_id: "tomcat8-0:8.0.36-17.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo@1.0.15-17.redhat_2.jbcs.el6?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el6?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_id: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.8-9.redhat_9.ep7.el6?arch=x86_64", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el6?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo@1.0.15-17.redhat_2.jbcs.el6?arch=i686&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el6?arch=i686&epoch=1", }, }, }, { category: "product_version", name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", product: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", product_id: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.8-9.redhat_9.ep7.el6?arch=i686", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el6?arch=i686", }, }, }, ], category: "architecture", name: "i686", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", }, product_reference: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", }, product_reference: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", }, product_reference: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, ], }, vulnerabilities: [ { cve: "CVE-2016-0762", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390526", }, ], notes: [ { category: "description", text: "The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: timing attack in Realm implementation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0762", }, { category: "external", summary: "RHBZ#1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0762", url: "https://www.cve.org/CVERecord?id=CVE-2016-0762", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: timing attack in Realm implementation", }, { cve: "CVE-2016-1240", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-09-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1376712", }, ], notes: [ { category: "description", text: "It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1240", }, { category: "external", summary: "RHBZ#1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1240", url: "https://www.cve.org/CVERecord?id=CVE-2016-1240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", url: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", }, ], release_date: "2016-09-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", }, { cve: "CVE-2016-3092", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-06-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1349468", }, ], notes: [ { category: "description", text: "A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3092", }, { category: "external", summary: "RHBZ#1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3092", url: "https://www.cve.org/CVERecord?id=CVE-2016-3092", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html", url: "http://tomcat.apache.org/security-7.html", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html", url: "http://tomcat.apache.org/security-8.html", }, ], release_date: "2016-06-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", }, { cve: "CVE-2016-5018", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390525", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via IntrospectHelper utility function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5018", }, { category: "external", summary: "RHBZ#1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5018", url: "https://www.cve.org/CVERecord?id=CVE-2016-5018", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via IntrospectHelper utility function", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, { cve: "CVE-2016-6794", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390520", }, ], notes: [ { category: "description", text: "It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: system property disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6794", }, { category: "external", summary: "RHBZ#1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6794", url: "https://www.cve.org/CVERecord?id=CVE-2016-6794", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: system property disclosure", }, { cve: "CVE-2016-6796", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390515", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via JSP Servlet config parameters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6796", }, { category: "external", summary: "RHBZ#1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6796", url: "https://www.cve.org/CVERecord?id=CVE-2016-6796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via JSP Servlet config parameters", }, { cve: "CVE-2016-6797", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390493", }, ], notes: [ { category: "description", text: "It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unrestricted access to global resources", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6797", }, { category: "external", summary: "RHBZ#1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6797", url: "https://www.cve.org/CVERecord?id=CVE-2016-6797", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: unrestricted access to global resources", }, { cve: "CVE-2016-6816", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397484", }, ], notes: [ { category: "description", text: "It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", title: "Vulnerability summary", }, { category: "other", text: "Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6816", }, { category: "external", summary: "RHBZ#1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6816", url: "https://www.cve.org/CVERecord?id=CVE-2016-6816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", }, { category: "external", summary: "https://access.redhat.com/articles/2991951", url: "https://access.redhat.com/articles/2991951", }, { category: "external", summary: "https://access.redhat.com/solutions/2891171", url: "https://access.redhat.com/solutions/2891171", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", }, { cve: "CVE-2016-8735", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397485", }, ], notes: [ { category: "description", text: "The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8735", }, { category: "external", summary: "RHBZ#1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8735", url: "https://www.cve.org/CVERecord?id=CVE-2016-8735", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "exploit_status", date: "2023-05-12T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", }, { cve: "CVE-2016-8745", discovery_date: "2016-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1403824", }, ], notes: [ { category: "description", text: "A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: information disclosure due to incorrect Processor sharing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8745", }, { category: "external", summary: "RHBZ#1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8745", url: "https://www.cve.org/CVERecord?id=CVE-2016-8745", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", }, ], release_date: "2016-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: information disclosure due to incorrect Processor sharing", }, ], }
rhsa-2016:2045
Vulnerability from csaf_redhat
Published
2016-10-10 20:38
Modified
2025-03-19 14:14
Summary
Red Hat Security Advisory: tomcat6 security and bug fix update
Notes
Topic
An update for tomcat6 is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)
* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)
* A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)
* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)
* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)
Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Bug Fix(es):
* Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were compared to the file's attributes at installation time. Because these attributes change after the service is started, the "rpm -V" command previously failed. With this update, the attributes mentioned above are ignored in the RPM verification and the catalina.out file now passes the verification check. (BZ#1357123)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for tomcat6 is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)\n\n* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)\n\n* A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)\n\n* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)\n\n* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)\n\nRed Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nBug Fix(es):\n\n* Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were compared to the file's attributes at installation time. Because these attributes change after the service is started, the \"rpm -V\" command previously failed. With this update, the attributes mentioned above are ignored in the RPM verification and the catalina.out file now passes the verification check. (BZ#1357123)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2045", url: "https://access.redhat.com/errata/RHSA-2016:2045", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.45", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.45", }, { category: "external", summary: "1265698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1265698", }, { category: "external", summary: "1311082", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311082", }, { category: "external", summary: "1311087", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311087", }, { category: "external", summary: "1311089", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311089", }, { category: "external", summary: "1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "1357123", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1357123", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2045.json", }, ], title: "Red Hat Security Advisory: tomcat6 security and bug fix update", tracking: { current_release_date: "2025-03-19T14:14:44+00:00", generator: { date: "2025-03-19T14:14:44+00:00", engine: { name: "Red Hat SDEngine", version: "4.4.1", }, }, id: "RHSA-2016:2045", initial_release_date: "2016-10-10T20:38:52+00:00", revision_history: [ { date: "2016-10-10T20:38:52+00:00", number: "1", summary: "Initial version", }, { date: "2016-10-10T20:38:52+00:00", number: "2", summary: "Last updated version", }, { date: "2025-03-19T14:14:44+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop (v. 6)", product: { name: "Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::client", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux HPC Node (v. 6)", product: { name: "Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::computenode", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Server (v. 6)", product: { name: "Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::server", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Workstation (v. 6)", product: { name: "Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::workstation", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-javadoc@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-admin-webapps@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-servlet-2.5-api@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-lib@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-el-2.1-api@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-docs-webapp@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-jsp-2.1-api@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-webapps@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6@6.0.24-98.el6_8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "tomcat6-0:6.0.24-98.el6_8.src", product: { name: "tomcat6-0:6.0.24-98.el6_8.src", product_id: "tomcat6-0:6.0.24-98.el6_8.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6@6.0.24-98.el6_8?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, ], }, vulnerabilities: [ { cve: "CVE-2015-5174", discovery_date: "2015-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1265698", }, ], notes: [ { category: "description", text: "A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: URL Normalization issue", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5174", }, { category: "external", summary: "RHBZ#1265698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1265698", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5174", url: "https://www.cve.org/CVERecord?id=CVE-2015-5174", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5174", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5174", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/149", url: "http://seclists.org/bugtraq/2016/Feb/149", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: URL Normalization issue", }, { cve: "CVE-2015-5345", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311089", }, ], notes: [ { category: "description", text: "It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: directory disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5345", }, { category: "external", summary: "RHBZ#1311089", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311089", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5345", url: "https://www.cve.org/CVERecord?id=CVE-2015-5345", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5345", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5345", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/146", url: "http://seclists.org/bugtraq/2016/Feb/146", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: directory disclosure", }, { cve: "CVE-2016-0706", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311087", }, ], notes: [ { category: "description", text: "It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via StatusManagerServlet", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0706", }, { category: "external", summary: "RHBZ#1311087", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311087", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0706", url: "https://www.cve.org/CVERecord?id=CVE-2016-0706", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0706", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0706", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/144", url: "http://seclists.org/bugtraq/2016/Feb/144", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "ADJACENT_NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.9, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:A/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via StatusManagerServlet", }, { cve: "CVE-2016-0714", cwe: { id: "CWE-290", name: "Authentication Bypass by Spoofing", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311082", }, ], notes: [ { category: "description", text: "It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Security Manager bypass via persistence mechanisms", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0714", }, { category: "external", summary: "RHBZ#1311082", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311082", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0714", url: "https://www.cve.org/CVERecord?id=CVE-2016-0714", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0714", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0714", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/145", url: "http://seclists.org/bugtraq/2016/Feb/145", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Security Manager bypass via persistence mechanisms", }, { acknowledgments: [ { names: [ "Scott Geary", ], organization: "VendHQ", }, ], cve: "CVE-2016-5388", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-07-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1353809", }, ], notes: [ { category: "description", text: "It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.", title: "Vulnerability description", }, { category: "summary", text: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5388", }, { category: "external", summary: "RHBZ#1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5388", url: "https://www.cve.org/CVERecord?id=CVE-2016-5388", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", }, ], release_date: "2016-07-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.5, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, ], }
rhsa-2017:0457
Vulnerability from csaf_redhat
Published
2017-03-07 19:05
Modified
2025-02-02 19:59
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server security and enhancement update
Notes
Topic
An update is now available for Red Hat JBoss Web Server.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.
Security Fix(es):
* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)
* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)
* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)
* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)
* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)
* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)
* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)
The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Enhancement(s):
* This enhancement update adds the Red Hat JBoss Web Server 3.1.0. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server.
Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Web Server.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\n* This enhancement update adds the Red Hat JBoss Web Server 3.1.0. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server.\n\nUsers of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:0457", url: "https://access.redhat.com/errata/RHSA-2017:0457", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=3.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=3.1.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.1_Release_Notes/index.html", url: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.1_Release_Notes/index.html", }, { category: "external", summary: "https://access.redhat.com/security/vulnerabilities/httpoxy", url: "https://access.redhat.com/security/vulnerabilities/httpoxy", }, { category: "external", summary: "https://access.redhat.com/solutions/2435491", url: "https://access.redhat.com/solutions/2435491", }, { category: "external", summary: "1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0457.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Web Server security and enhancement update", tracking: { current_release_date: "2025-02-02T19:59:20+00:00", generator: { date: "2025-02-02T19:59:20+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:0457", initial_release_date: "2017-03-07T19:05:59+00:00", revision_history: [ { date: "2017-03-07T19:05:59+00:00", number: "1", summary: "Initial version", }, { date: "2017-03-07T19:05:59+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T19:59:20+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Web Server 3.1", product: { name: "Red Hat JBoss Web Server 3.1", product_id: "Red Hat JBoss Web Server 3.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_web_server:3.1", }, }, }, ], category: "product_family", name: "Red Hat JBoss Web Server", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2016-0762", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390526", }, ], notes: [ { category: "description", text: "The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: timing attack in Realm implementation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0762", }, { category: "external", summary: "RHBZ#1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0762", url: "https://www.cve.org/CVERecord?id=CVE-2016-0762", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: timing attack in Realm implementation", }, { cve: "CVE-2016-1240", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-09-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1376712", }, ], notes: [ { category: "description", text: "It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1240", }, { category: "external", summary: "RHBZ#1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1240", url: "https://www.cve.org/CVERecord?id=CVE-2016-1240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", url: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", }, ], release_date: "2016-09-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", }, { cve: "CVE-2016-3092", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-06-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1349468", }, ], notes: [ { category: "description", text: "A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3092", }, { category: "external", summary: "RHBZ#1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3092", url: "https://www.cve.org/CVERecord?id=CVE-2016-3092", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html", url: "http://tomcat.apache.org/security-7.html", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html", url: "http://tomcat.apache.org/security-8.html", }, ], release_date: "2016-06-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", }, { cve: "CVE-2016-5018", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390525", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via IntrospectHelper utility function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5018", }, { category: "external", summary: "RHBZ#1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5018", url: "https://www.cve.org/CVERecord?id=CVE-2016-5018", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via IntrospectHelper utility function", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, { cve: "CVE-2016-6794", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390520", }, ], notes: [ { category: "description", text: "It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: system property disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6794", }, { category: "external", summary: "RHBZ#1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6794", url: "https://www.cve.org/CVERecord?id=CVE-2016-6794", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: system property disclosure", }, { cve: "CVE-2016-6796", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390515", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via JSP Servlet config parameters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6796", }, { category: "external", summary: "RHBZ#1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6796", url: "https://www.cve.org/CVERecord?id=CVE-2016-6796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via JSP Servlet config parameters", }, { cve: "CVE-2016-6797", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390493", }, ], notes: [ { category: "description", text: "It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unrestricted access to global resources", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6797", }, { category: "external", summary: "RHBZ#1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6797", url: "https://www.cve.org/CVERecord?id=CVE-2016-6797", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: unrestricted access to global resources", }, { cve: "CVE-2016-6816", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397484", }, ], notes: [ { category: "description", text: "It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", title: "Vulnerability summary", }, { category: "other", text: "Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6816", }, { category: "external", summary: "RHBZ#1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6816", url: "https://www.cve.org/CVERecord?id=CVE-2016-6816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", }, { category: "external", summary: "https://access.redhat.com/articles/2991951", url: "https://access.redhat.com/articles/2991951", }, { category: "external", summary: "https://access.redhat.com/solutions/2891171", url: "https://access.redhat.com/solutions/2891171", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", }, { cve: "CVE-2016-8735", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397485", }, ], notes: [ { category: "description", text: "The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8735", }, { category: "external", summary: "RHBZ#1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8735", url: "https://www.cve.org/CVERecord?id=CVE-2016-8735", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "exploit_status", date: "2023-05-12T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", }, { cve: "CVE-2016-8745", discovery_date: "2016-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1403824", }, ], notes: [ { category: "description", text: "A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: information disclosure due to incorrect Processor sharing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8745", }, { category: "external", summary: "RHBZ#1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8745", url: "https://www.cve.org/CVERecord?id=CVE-2016-8745", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", }, ], release_date: "2016-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: information disclosure due to incorrect Processor sharing", }, ], }
rhsa-2016_2045
Vulnerability from csaf_redhat
Published
2016-10-10 20:38
Modified
2024-12-15 18:44
Summary
Red Hat Security Advisory: tomcat6 security and bug fix update
Notes
Topic
An update for tomcat6 is now available for Red Hat Enterprise Linux 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)
* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)
* A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)
* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)
* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)
Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Bug Fix(es):
* Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were compared to the file's attributes at installation time. Because these attributes change after the service is started, the "rpm -V" command previously failed. With this update, the attributes mentioned above are ignored in the RPM verification and the catalina.out file now passes the verification check. (BZ#1357123)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for tomcat6 is now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)\n\n* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)\n\n* A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)\n\n* It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)\n\n* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)\n\nRed Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nBug Fix(es):\n\n* Due to a bug in the tomcat6 spec file, the catalina.out file's md5sum, size, and mtime attributes were compared to the file's attributes at installation time. Because these attributes change after the service is started, the \"rpm -V\" command previously failed. With this update, the attributes mentioned above are ignored in the RPM verification and the catalina.out file now passes the verification check. (BZ#1357123)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2045", url: "https://access.redhat.com/errata/RHSA-2016:2045", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.45", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.45", }, { category: "external", summary: "1265698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1265698", }, { category: "external", summary: "1311082", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311082", }, { category: "external", summary: "1311087", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311087", }, { category: "external", summary: "1311089", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311089", }, { category: "external", summary: "1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "1357123", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1357123", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2045.json", }, ], title: "Red Hat Security Advisory: tomcat6 security and bug fix update", tracking: { current_release_date: "2024-12-15T18:44:53+00:00", generator: { date: "2024-12-15T18:44:53+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2016:2045", initial_release_date: "2016-10-10T20:38:52+00:00", revision_history: [ { date: "2016-10-10T20:38:52+00:00", number: "1", summary: "Initial version", }, { date: "2016-10-10T20:38:52+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T18:44:53+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Desktop (v. 6)", product: { name: "Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::client", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux HPC Node (v. 6)", product: { name: "Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::computenode", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Server (v. 6)", product: { name: "Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::server", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Workstation (v. 6)", product: { name: "Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:6::workstation", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-javadoc@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-admin-webapps@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-servlet-2.5-api@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-lib@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-el-2.1-api@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-docs-webapp@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-jsp-2.1-api@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6-webapps@6.0.24-98.el6_8?arch=noarch", }, }, }, { category: "product_version", name: "tomcat6-0:6.0.24-98.el6_8.noarch", product: { name: "tomcat6-0:6.0.24-98.el6_8.noarch", product_id: "tomcat6-0:6.0.24-98.el6_8.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6@6.0.24-98.el6_8?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "tomcat6-0:6.0.24-98.el6_8.src", product: { name: "tomcat6-0:6.0.24-98.el6_8.src", product_id: "tomcat6-0:6.0.24-98.el6_8.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat6@6.0.24-98.el6_8?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Desktop (v. 6)", product_id: "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Client-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux HPC Node (v. 6)", product_id: "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6ComputeNode-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Server (v. 6)", product_id: "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Server-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-0:6.0.24-98.el6_8.src as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", }, product_reference: "tomcat6-0:6.0.24-98.el6_8.src", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-lib-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-lib-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, { category: "default_component_of", full_product_name: { name: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch as a component of Red Hat Enterprise Linux Workstation (v. 6)", product_id: "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", }, product_reference: "tomcat6-webapps-0:6.0.24-98.el6_8.noarch", relates_to_product_reference: "6Workstation-6.8.z", }, ], }, vulnerabilities: [ { cve: "CVE-2015-5174", discovery_date: "2015-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1265698", }, ], notes: [ { category: "description", text: "A directory traversal flaw was found in Tomcat's RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a '/..' in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: URL Normalization issue", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5174", }, { category: "external", summary: "RHBZ#1265698", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1265698", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5174", url: "https://www.cve.org/CVERecord?id=CVE-2015-5174", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5174", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5174", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/149", url: "http://seclists.org/bugtraq/2016/Feb/149", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "SINGLE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:S/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: URL Normalization issue", }, { cve: "CVE-2015-5345", cwe: { id: "CWE-552", name: "Files or Directories Accessible to External Parties", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311089", }, ], notes: [ { category: "description", text: "It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: directory disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5345", }, { category: "external", summary: "RHBZ#1311089", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311089", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5345", url: "https://www.cve.org/CVERecord?id=CVE-2015-5345", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5345", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5345", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/146", url: "http://seclists.org/bugtraq/2016/Feb/146", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "LOW", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:L/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 5.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: directory disclosure", }, { cve: "CVE-2016-0706", cwe: { id: "CWE-287", name: "Improper Authentication", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311087", }, ], notes: [ { category: "description", text: "It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via StatusManagerServlet", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0706", }, { category: "external", summary: "RHBZ#1311087", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311087", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0706", url: "https://www.cve.org/CVERecord?id=CVE-2016-0706", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0706", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0706", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/144", url: "http://seclists.org/bugtraq/2016/Feb/144", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "ADJACENT_NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.9, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:A/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.3, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via StatusManagerServlet", }, { cve: "CVE-2016-0714", cwe: { id: "CWE-290", name: "Authentication Bypass by Spoofing", }, discovery_date: "2016-02-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311082", }, ], notes: [ { category: "description", text: "It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Security Manager bypass via persistence mechanisms", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0714", }, { category: "external", summary: "RHBZ#1311082", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311082", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0714", url: "https://www.cve.org/CVERecord?id=CVE-2016-0714", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0714", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0714", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/145", url: "http://seclists.org/bugtraq/2016/Feb/145", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Security Manager bypass via persistence mechanisms", }, { acknowledgments: [ { names: [ "Scott Geary", ], organization: "VendHQ", }, ], cve: "CVE-2016-5388", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-07-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1353809", }, ], notes: [ { category: "description", text: "It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.", title: "Vulnerability description", }, { category: "summary", text: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5388", }, { category: "external", summary: "RHBZ#1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5388", url: "https://www.cve.org/CVERecord?id=CVE-2016-5388", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", }, ], release_date: "2016-07-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.5, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:52+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2045", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Client-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Client-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6ComputeNode-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6ComputeNode-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Server-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Server-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-0:6.0.24-98.el6_8.src", "6Workstation-6.8.z:tomcat6-admin-webapps-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-docs-webapp-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-el-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-javadoc-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-jsp-2.1-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-lib-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-servlet-2.5-api-0:6.0.24-98.el6_8.noarch", "6Workstation-6.8.z:tomcat6-webapps-0:6.0.24-98.el6_8.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, ], }
RHSA-2017:0457
Vulnerability from csaf_redhat
Published
2017-03-07 19:05
Modified
2025-02-02 19:59
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server security and enhancement update
Notes
Topic
An update is now available for Red Hat JBoss Web Server.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.
Security Fix(es):
* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)
* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)
* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)
* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)
* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)
* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)
* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)
The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Enhancement(s):
* This enhancement update adds the Red Hat JBoss Web Server 3.1.0. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server.
Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Web Server.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\n* This enhancement update adds the Red Hat JBoss Web Server 3.1.0. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server.\n\nUsers of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:0457", url: "https://access.redhat.com/errata/RHSA-2017:0457", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=3.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=3.1.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.1_Release_Notes/index.html", url: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.1_Release_Notes/index.html", }, { category: "external", summary: "https://access.redhat.com/security/vulnerabilities/httpoxy", url: "https://access.redhat.com/security/vulnerabilities/httpoxy", }, { category: "external", summary: "https://access.redhat.com/solutions/2435491", url: "https://access.redhat.com/solutions/2435491", }, { category: "external", summary: "1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0457.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Web Server security and enhancement update", tracking: { current_release_date: "2025-02-02T19:59:20+00:00", generator: { date: "2025-02-02T19:59:20+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:0457", initial_release_date: "2017-03-07T19:05:59+00:00", revision_history: [ { date: "2017-03-07T19:05:59+00:00", number: "1", summary: "Initial version", }, { date: "2017-03-07T19:05:59+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T19:59:20+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Web Server 3.1", product: { name: "Red Hat JBoss Web Server 3.1", product_id: "Red Hat JBoss Web Server 3.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_web_server:3.1", }, }, }, ], category: "product_family", name: "Red Hat JBoss Web Server", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2016-0762", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390526", }, ], notes: [ { category: "description", text: "The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: timing attack in Realm implementation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0762", }, { category: "external", summary: "RHBZ#1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0762", url: "https://www.cve.org/CVERecord?id=CVE-2016-0762", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: timing attack in Realm implementation", }, { cve: "CVE-2016-1240", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-09-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1376712", }, ], notes: [ { category: "description", text: "It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1240", }, { category: "external", summary: "RHBZ#1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1240", url: "https://www.cve.org/CVERecord?id=CVE-2016-1240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", url: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", }, ], release_date: "2016-09-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", }, { cve: "CVE-2016-3092", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-06-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1349468", }, ], notes: [ { category: "description", text: "A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3092", }, { category: "external", summary: "RHBZ#1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3092", url: "https://www.cve.org/CVERecord?id=CVE-2016-3092", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html", url: "http://tomcat.apache.org/security-7.html", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html", url: "http://tomcat.apache.org/security-8.html", }, ], release_date: "2016-06-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", }, { cve: "CVE-2016-5018", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390525", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via IntrospectHelper utility function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5018", }, { category: "external", summary: "RHBZ#1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5018", url: "https://www.cve.org/CVERecord?id=CVE-2016-5018", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via IntrospectHelper utility function", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, { cve: "CVE-2016-6794", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390520", }, ], notes: [ { category: "description", text: "It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: system property disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6794", }, { category: "external", summary: "RHBZ#1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6794", url: "https://www.cve.org/CVERecord?id=CVE-2016-6794", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: system property disclosure", }, { cve: "CVE-2016-6796", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390515", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via JSP Servlet config parameters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6796", }, { category: "external", summary: "RHBZ#1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6796", url: "https://www.cve.org/CVERecord?id=CVE-2016-6796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via JSP Servlet config parameters", }, { cve: "CVE-2016-6797", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390493", }, ], notes: [ { category: "description", text: "It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unrestricted access to global resources", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6797", }, { category: "external", summary: "RHBZ#1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6797", url: "https://www.cve.org/CVERecord?id=CVE-2016-6797", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: unrestricted access to global resources", }, { cve: "CVE-2016-6816", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397484", }, ], notes: [ { category: "description", text: "It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", title: "Vulnerability summary", }, { category: "other", text: "Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6816", }, { category: "external", summary: "RHBZ#1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6816", url: "https://www.cve.org/CVERecord?id=CVE-2016-6816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", }, { category: "external", summary: "https://access.redhat.com/articles/2991951", url: "https://access.redhat.com/articles/2991951", }, { category: "external", summary: "https://access.redhat.com/solutions/2891171", url: "https://access.redhat.com/solutions/2891171", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", }, { cve: "CVE-2016-8735", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397485", }, ], notes: [ { category: "description", text: "The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8735", }, { category: "external", summary: "RHBZ#1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8735", url: "https://www.cve.org/CVERecord?id=CVE-2016-8735", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "exploit_status", date: "2023-05-12T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", }, { cve: "CVE-2016-8745", discovery_date: "2016-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1403824", }, ], notes: [ { category: "description", text: "A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: information disclosure due to incorrect Processor sharing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8745", }, { category: "external", summary: "RHBZ#1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8745", url: "https://www.cve.org/CVERecord?id=CVE-2016-8745", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", }, ], release_date: "2016-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: information disclosure due to incorrect Processor sharing", }, ], }
rhsa-2017_0457
Vulnerability from csaf_redhat
Published
2017-03-07 19:05
Modified
2024-12-15 18:44
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server security and enhancement update
Notes
Topic
An update is now available for Red Hat JBoss Web Server.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.
Security Fix(es):
* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)
* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)
* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)
* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)
* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)
* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)
* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)
The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Enhancement(s):
* This enhancement update adds the Red Hat JBoss Web Server 3.1.0. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server.
Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Web Server.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\n* This enhancement update adds the Red Hat JBoss Web Server 3.1.0. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server.\n\nUsers of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:0457", url: "https://access.redhat.com/errata/RHSA-2017:0457", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=3.1.0", url: "https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?downloadType=distributions&product=webserver&version=3.1.0", }, { category: "external", summary: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.1_Release_Notes/index.html", url: "https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/3/html-single/3.1_Release_Notes/index.html", }, { category: "external", summary: "https://access.redhat.com/security/vulnerabilities/httpoxy", url: "https://access.redhat.com/security/vulnerabilities/httpoxy", }, { category: "external", summary: "https://access.redhat.com/solutions/2435491", url: "https://access.redhat.com/solutions/2435491", }, { category: "external", summary: "1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0457.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Web Server security and enhancement update", tracking: { current_release_date: "2024-12-15T18:44:44+00:00", generator: { date: "2024-12-15T18:44:44+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2017:0457", initial_release_date: "2017-03-07T19:05:59+00:00", revision_history: [ { date: "2017-03-07T19:05:59+00:00", number: "1", summary: "Initial version", }, { date: "2017-03-07T19:05:59+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T18:44:44+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Web Server 3.1", product: { name: "Red Hat JBoss Web Server 3.1", product_id: "Red Hat JBoss Web Server 3.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_web_server:3.1", }, }, }, ], category: "product_family", name: "Red Hat JBoss Web Server", }, ], category: "vendor", name: "Red Hat", }, ], }, vulnerabilities: [ { cve: "CVE-2016-0762", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390526", }, ], notes: [ { category: "description", text: "The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: timing attack in Realm implementation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0762", }, { category: "external", summary: "RHBZ#1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0762", url: "https://www.cve.org/CVERecord?id=CVE-2016-0762", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: timing attack in Realm implementation", }, { cve: "CVE-2016-1240", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-09-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1376712", }, ], notes: [ { category: "description", text: "It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1240", }, { category: "external", summary: "RHBZ#1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1240", url: "https://www.cve.org/CVERecord?id=CVE-2016-1240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", url: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", }, ], release_date: "2016-09-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", }, { cve: "CVE-2016-3092", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-06-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1349468", }, ], notes: [ { category: "description", text: "A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3092", }, { category: "external", summary: "RHBZ#1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3092", url: "https://www.cve.org/CVERecord?id=CVE-2016-3092", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html", url: "http://tomcat.apache.org/security-7.html", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html", url: "http://tomcat.apache.org/security-8.html", }, ], release_date: "2016-06-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", }, { cve: "CVE-2016-5018", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390525", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via IntrospectHelper utility function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5018", }, { category: "external", summary: "RHBZ#1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5018", url: "https://www.cve.org/CVERecord?id=CVE-2016-5018", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via IntrospectHelper utility function", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, { cve: "CVE-2016-6794", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390520", }, ], notes: [ { category: "description", text: "It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: system property disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6794", }, { category: "external", summary: "RHBZ#1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6794", url: "https://www.cve.org/CVERecord?id=CVE-2016-6794", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: system property disclosure", }, { cve: "CVE-2016-6796", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390515", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via JSP Servlet config parameters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6796", }, { category: "external", summary: "RHBZ#1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6796", url: "https://www.cve.org/CVERecord?id=CVE-2016-6796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via JSP Servlet config parameters", }, { cve: "CVE-2016-6797", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390493", }, ], notes: [ { category: "description", text: "It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unrestricted access to global resources", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6797", }, { category: "external", summary: "RHBZ#1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6797", url: "https://www.cve.org/CVERecord?id=CVE-2016-6797", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: unrestricted access to global resources", }, { cve: "CVE-2016-6816", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397484", }, ], notes: [ { category: "description", text: "It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", title: "Vulnerability summary", }, { category: "other", text: "Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6816", }, { category: "external", summary: "RHBZ#1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6816", url: "https://www.cve.org/CVERecord?id=CVE-2016-6816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", }, { category: "external", summary: "https://access.redhat.com/articles/2991951", url: "https://access.redhat.com/articles/2991951", }, { category: "external", summary: "https://access.redhat.com/solutions/2891171", url: "https://access.redhat.com/solutions/2891171", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", }, { cve: "CVE-2016-8735", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397485", }, ], notes: [ { category: "description", text: "The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8735", }, { category: "external", summary: "RHBZ#1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8735", url: "https://www.cve.org/CVERecord?id=CVE-2016-8735", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "exploit_status", date: "2023-05-12T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", }, { cve: "CVE-2016-8745", discovery_date: "2016-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1403824", }, ], notes: [ { category: "description", text: "A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: information disclosure due to incorrect Processor sharing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "Red Hat JBoss Web Server 3.1", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8745", }, { category: "external", summary: "RHBZ#1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8745", url: "https://www.cve.org/CVERecord?id=CVE-2016-8745", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", }, ], release_date: "2016-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:05:59+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nThe References section of this erratum contains a download link (you must log in to download the update).", product_ids: [ "Red Hat JBoss Web Server 3.1", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0457", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "Red Hat JBoss Web Server 3.1", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: information disclosure due to incorrect Processor sharing", }, ], }
RHSA-2017:0456
Vulnerability from csaf_redhat
Published
2017-03-07 19:06
Modified
2025-02-02 19:59
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update
Notes
Topic
An update is now available for Red Hat JBoss Web Server 3 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.
Security Fix(es):
* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)
* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)
* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)
* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)
* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)
* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)
* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)
The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Enhancement(s):
* This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 7. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-268)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Web Server 3 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\n* This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 7. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-268)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:0456", url: "https://access.redhat.com/errata/RHSA-2017:0456", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "JWS-268", url: "https://issues.redhat.com/browse/JWS-268", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0456.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update", tracking: { current_release_date: "2025-02-02T19:59:16+00:00", generator: { date: "2025-02-02T19:59:16+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:0456", initial_release_date: "2017-03-07T19:06:06+00:00", revision_history: [ { date: "2017-03-07T19:06:06+00:00", number: "1", summary: "Initial version", }, { date: "2017-03-07T19:06:06+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T19:59:16+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Web Server 3.1 for RHEL 7", product: { name: "Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Web Server", }, { branches: [ { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-envers-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-c3p0-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-core-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-entitymanager-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat8@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat7@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el7?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", product: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", product_id: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-runtime@1-3.jbcs.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-selinux@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-webapps@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-lib@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-log4j@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-log4j@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-selinux@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-webapps@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-lib@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-17.ep7.el7?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el7?arch=src&epoch=1", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el7.src", product: { name: "tomcat7-0:7.0.70-16.ep7.el7.src", product_id: "tomcat7-0:7.0.70-16.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el7.src", product: { name: "tomcat8-0:8.0.36-17.ep7.el7.src", product_id: "tomcat8-0:8.0.36-17.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el7?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo@1.0.15-17.redhat_2.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el7?arch=x86_64", }, }, }, { category: "product_version", name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_id: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.8-9.redhat_9.ep7.el7?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", }, product_reference: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", }, product_reference: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, ], }, vulnerabilities: [ { cve: "CVE-2016-0762", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390526", }, ], notes: [ { category: "description", text: "The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: timing attack in Realm implementation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0762", }, { category: "external", summary: "RHBZ#1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0762", url: "https://www.cve.org/CVERecord?id=CVE-2016-0762", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: timing attack in Realm implementation", }, { cve: "CVE-2016-1240", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-09-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1376712", }, ], notes: [ { category: "description", text: "It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1240", }, { category: "external", summary: "RHBZ#1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1240", url: "https://www.cve.org/CVERecord?id=CVE-2016-1240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", url: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", }, ], release_date: "2016-09-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", }, { cve: "CVE-2016-3092", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-06-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1349468", }, ], notes: [ { category: "description", text: "A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3092", }, { category: "external", summary: "RHBZ#1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3092", url: "https://www.cve.org/CVERecord?id=CVE-2016-3092", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html", url: "http://tomcat.apache.org/security-7.html", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html", url: "http://tomcat.apache.org/security-8.html", }, ], release_date: "2016-06-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", }, { cve: "CVE-2016-5018", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390525", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via IntrospectHelper utility function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5018", }, { category: "external", summary: "RHBZ#1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5018", url: "https://www.cve.org/CVERecord?id=CVE-2016-5018", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via IntrospectHelper utility function", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, { cve: "CVE-2016-6794", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390520", }, ], notes: [ { category: "description", text: "It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: system property disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6794", }, { category: "external", summary: "RHBZ#1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6794", url: "https://www.cve.org/CVERecord?id=CVE-2016-6794", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: system property disclosure", }, { cve: "CVE-2016-6796", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390515", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via JSP Servlet config parameters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6796", }, { category: "external", summary: "RHBZ#1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6796", url: "https://www.cve.org/CVERecord?id=CVE-2016-6796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via JSP Servlet config parameters", }, { cve: "CVE-2016-6797", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390493", }, ], notes: [ { category: "description", text: "It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unrestricted access to global resources", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6797", }, { category: "external", summary: "RHBZ#1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6797", url: "https://www.cve.org/CVERecord?id=CVE-2016-6797", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: unrestricted access to global resources", }, { cve: "CVE-2016-6816", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397484", }, ], notes: [ { category: "description", text: "It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", title: "Vulnerability summary", }, { category: "other", text: "Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6816", }, { category: "external", summary: "RHBZ#1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6816", url: "https://www.cve.org/CVERecord?id=CVE-2016-6816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", }, { category: "external", summary: "https://access.redhat.com/articles/2991951", url: "https://access.redhat.com/articles/2991951", }, { category: "external", summary: "https://access.redhat.com/solutions/2891171", url: "https://access.redhat.com/solutions/2891171", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", }, { cve: "CVE-2016-8735", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397485", }, ], notes: [ { category: "description", text: "The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8735", }, { category: "external", summary: "RHBZ#1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8735", url: "https://www.cve.org/CVERecord?id=CVE-2016-8735", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "exploit_status", date: "2023-05-12T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", }, { cve: "CVE-2016-8745", discovery_date: "2016-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1403824", }, ], notes: [ { category: "description", text: "A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: information disclosure due to incorrect Processor sharing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8745", }, { category: "external", summary: "RHBZ#1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8745", url: "https://www.cve.org/CVERecord?id=CVE-2016-8745", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", }, ], release_date: "2016-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: information disclosure due to incorrect Processor sharing", }, ], }
RHSA-2017:0455
Vulnerability from csaf_redhat
Published
2017-03-07 19:06
Modified
2025-02-02 19:59
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update
Notes
Topic
An update is now available for Red Hat JBoss Web Server 3 for RHEL 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.
Security Fix(es):
* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)
* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)
* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)
* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)
* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)
* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)
* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)
The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Enhancement(s):
This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 6. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-267)
Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Web Server 3 for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\nThis enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 6. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-267)\n\nUsers of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:0455", url: "https://access.redhat.com/errata/RHSA-2017:0455", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "JWS-267", url: "https://issues.redhat.com/browse/JWS-267", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0455.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update", tracking: { current_release_date: "2025-02-02T19:59:09+00:00", generator: { date: "2025-02-02T19:59:09+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:0455", initial_release_date: "2017-03-07T19:06:40+00:00", revision_history: [ { date: "2017-03-07T19:06:40+00:00", number: "1", summary: "Initial version", }, { date: "2017-03-07T19:06:40+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T19:59:09+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Web Server 3.1 for RHEL 6", product: { name: "Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", }, }, }, ], category: "product_family", name: "Red Hat JBoss Web Server", }, { branches: [ { category: "product_version", name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-envers-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-c3p0-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-core-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-entitymanager-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat7@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat8@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el6?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", product: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", product_id: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-runtime@1-3.jbcs.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-selinux@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-lib@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-log4j@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-webapps@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-log4j@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-webapps@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-selinux@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-lib@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-17.ep7.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el6?arch=src&epoch=1", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el6.src", product: { name: "tomcat7-0:7.0.70-16.ep7.el6.src", product_id: "tomcat7-0:7.0.70-16.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el6.src", product: { name: "tomcat8-0:8.0.36-17.ep7.el6.src", product_id: "tomcat8-0:8.0.36-17.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo@1.0.15-17.redhat_2.jbcs.el6?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el6?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_id: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.8-9.redhat_9.ep7.el6?arch=x86_64", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el6?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo@1.0.15-17.redhat_2.jbcs.el6?arch=i686&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el6?arch=i686&epoch=1", }, }, }, { category: "product_version", name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", product: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", product_id: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.8-9.redhat_9.ep7.el6?arch=i686", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el6?arch=i686", }, }, }, ], category: "architecture", name: "i686", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", }, product_reference: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", }, product_reference: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", }, product_reference: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, ], }, vulnerabilities: [ { cve: "CVE-2016-0762", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390526", }, ], notes: [ { category: "description", text: "The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: timing attack in Realm implementation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0762", }, { category: "external", summary: "RHBZ#1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0762", url: "https://www.cve.org/CVERecord?id=CVE-2016-0762", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: timing attack in Realm implementation", }, { cve: "CVE-2016-1240", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-09-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1376712", }, ], notes: [ { category: "description", text: "It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1240", }, { category: "external", summary: "RHBZ#1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1240", url: "https://www.cve.org/CVERecord?id=CVE-2016-1240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", url: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", }, ], release_date: "2016-09-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", }, { cve: "CVE-2016-3092", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-06-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1349468", }, ], notes: [ { category: "description", text: "A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3092", }, { category: "external", summary: "RHBZ#1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3092", url: "https://www.cve.org/CVERecord?id=CVE-2016-3092", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html", url: "http://tomcat.apache.org/security-7.html", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html", url: "http://tomcat.apache.org/security-8.html", }, ], release_date: "2016-06-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", }, { cve: "CVE-2016-5018", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390525", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via IntrospectHelper utility function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5018", }, { category: "external", summary: "RHBZ#1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5018", url: "https://www.cve.org/CVERecord?id=CVE-2016-5018", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via IntrospectHelper utility function", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, { cve: "CVE-2016-6794", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390520", }, ], notes: [ { category: "description", text: "It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: system property disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6794", }, { category: "external", summary: "RHBZ#1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6794", url: "https://www.cve.org/CVERecord?id=CVE-2016-6794", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: system property disclosure", }, { cve: "CVE-2016-6796", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390515", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via JSP Servlet config parameters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6796", }, { category: "external", summary: "RHBZ#1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6796", url: "https://www.cve.org/CVERecord?id=CVE-2016-6796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via JSP Servlet config parameters", }, { cve: "CVE-2016-6797", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390493", }, ], notes: [ { category: "description", text: "It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unrestricted access to global resources", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6797", }, { category: "external", summary: "RHBZ#1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6797", url: "https://www.cve.org/CVERecord?id=CVE-2016-6797", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: unrestricted access to global resources", }, { cve: "CVE-2016-6816", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397484", }, ], notes: [ { category: "description", text: "It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", title: "Vulnerability summary", }, { category: "other", text: "Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6816", }, { category: "external", summary: "RHBZ#1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6816", url: "https://www.cve.org/CVERecord?id=CVE-2016-6816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", }, { category: "external", summary: "https://access.redhat.com/articles/2991951", url: "https://access.redhat.com/articles/2991951", }, { category: "external", summary: "https://access.redhat.com/solutions/2891171", url: "https://access.redhat.com/solutions/2891171", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", }, { cve: "CVE-2016-8735", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397485", }, ], notes: [ { category: "description", text: "The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8735", }, { category: "external", summary: "RHBZ#1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8735", url: "https://www.cve.org/CVERecord?id=CVE-2016-8735", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "exploit_status", date: "2023-05-12T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", }, { cve: "CVE-2016-8745", discovery_date: "2016-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1403824", }, ], notes: [ { category: "description", text: "A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: information disclosure due to incorrect Processor sharing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8745", }, { category: "external", summary: "RHBZ#1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8745", url: "https://www.cve.org/CVERecord?id=CVE-2016-8745", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", }, ], release_date: "2016-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: information disclosure due to incorrect Processor sharing", }, ], }
rhsa-2016_2046
Vulnerability from csaf_redhat
Published
2016-10-10 20:38
Modified
2024-11-22 10:10
Summary
Red Hat Security Advisory: tomcat security update
Notes
Topic
An update for tomcat is now available for Red Hat Enterprise Linux 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
* It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)
* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)
* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)
Red Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update for tomcat is now available for Red Hat Enterprise Linux 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.\n\nSecurity Fix(es):\n\n* It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-5425)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)\n\n* It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)\n\n* A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)\n\nRed Hat would like to thank Dawid Golunski (http://legalhackers.com) for reporting CVE-2016-5425 and Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2016:2046", url: "https://access.redhat.com/errata/RHSA-2016:2046", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", }, { category: "external", summary: "1222573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1222573", }, { category: "external", summary: "1311085", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311085", }, { category: "external", summary: "1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "1362545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1362545", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2016/rhsa-2016_2046.json", }, ], title: "Red Hat Security Advisory: tomcat security update", tracking: { current_release_date: "2024-11-22T10:10:37+00:00", generator: { date: "2024-11-22T10:10:37+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.1", }, }, id: "RHSA-2016:2046", initial_release_date: "2016-10-10T20:38:43+00:00", revision_history: [ { date: "2016-10-10T20:38:43+00:00", number: "1", summary: "Initial version", }, { date: "2016-10-10T20:38:43+00:00", number: "2", summary: "Last updated version", }, { date: "2024-11-22T10:10:37+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat Enterprise Linux Client (v. 7)", product: { name: "Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::client", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Client Optional (v. 7)", product: { name: "Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::client", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux ComputeNode (v. 7)", product: { name: "Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::computenode", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product: { name: "Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::computenode", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Server (v. 7)", product: { name: "Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::server", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Server Optional (v. 7)", product: { name: "Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::server", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Workstation (v. 7)", product: { name: "Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::workstation", }, }, }, { category: "product_name", name: "Red Hat Enterprise Linux Workstation Optional (v. 7)", product: { name: "Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z", product_identification_helper: { cpe: "cpe:/o:redhat:enterprise_linux:7::workstation", }, }, }, ], category: "product_family", name: "Red Hat Enterprise Linux", }, { branches: [ { category: "product_version", name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-jsp-2.2-api@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-servlet-3.0-api@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-webapps@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-el-2.2-api@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-admin-webapps@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-lib-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-lib-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-lib@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-docs-webapp@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-javadoc@7.0.54-8.el7_2?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", product: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", product_id: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-jsvc@7.0.54-8.el7_2?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "tomcat-0:7.0.54-8.el7_2.src", product: { name: "tomcat-0:7.0.54-8.el7_2.src", product_id: "tomcat-0:7.0.54-8.el7_2.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat@7.0.54-8.el7_2?arch=src", }, }, }, ], category: "architecture", name: "src", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client (v. 7)", product_id: "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Client Optional (v. 7)", product_id: "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Client-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode (v. 7)", product_id: "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux ComputeNode Optional (v. 7)", product_id: "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7ComputeNode-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server (v. 7)", product_id: "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Server Optional (v. 7)", product_id: "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Server-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation (v. 7)", product_id: "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-0:7.0.54-8.el7_2.src as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", }, product_reference: "tomcat-0:7.0.54-8.el7_2.src", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-javadoc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-jsvc-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-lib-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-0:7.0.54-8.el7_2.noarch as a component of Red Hat Enterprise Linux Workstation Optional (v. 7)", product_id: "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", }, product_reference: "tomcat-webapps-0:7.0.54-8.el7_2.noarch", relates_to_product_reference: "7Workstation-optional-7.2.Z", }, ], }, vulnerabilities: [ { cve: "CVE-2014-7810", discovery_date: "2015-05-14T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1222573", }, ], notes: [ { category: "description", text: "It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections.", title: "Vulnerability description", }, { category: "summary", text: "Tomcat/JbossWeb: security manager bypass via EL expressions", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2014-7810", }, { category: "external", summary: "RHBZ#1222573", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1222573", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2014-7810", url: "https://www.cve.org/CVERecord?id=CVE-2014-7810", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2014-7810", url: "https://nvd.nist.gov/vuln/detail/CVE-2014-7810", }, { category: "external", summary: "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44", url: "http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", url: "http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17", url: "http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17", }, ], release_date: "2015-05-14T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Tomcat/JbossWeb: security manager bypass via EL expressions", }, { cve: "CVE-2015-5346", discovery_date: "2014-06-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1311085", }, ], notes: [ { category: "description", text: "A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Session fixation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2015-5346", }, { category: "external", summary: "RHBZ#1311085", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1311085", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2015-5346", url: "https://www.cve.org/CVERecord?id=CVE-2015-5346", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2015-5346", url: "https://nvd.nist.gov/vuln/detail/CVE-2015-5346", }, { category: "external", summary: "http://seclists.org/bugtraq/2016/Feb/143", url: "http://seclists.org/bugtraq/2016/Feb/143", }, ], release_date: "2016-02-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: Session fixation", }, { acknowledgments: [ { names: [ "Scott Geary", ], organization: "VendHQ", }, ], cve: "CVE-2016-5388", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-07-04T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1353809", }, ], notes: [ { category: "description", text: "It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request.", title: "Vulnerability description", }, { category: "summary", text: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5388", }, { category: "external", summary: "RHBZ#1353809", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1353809", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5388", url: "https://www.cve.org/CVERecord?id=CVE-2016-5388", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5388", }, ], release_date: "2016-07-18T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.5, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "CHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:N/I:L/A:N", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "Tomcat: CGI sets environmental variable based on user supplied Proxy request header", }, { acknowledgments: [ { names: [ "Dawid Golunski", ], organization: "http://legalhackers.com", }, ], cve: "CVE-2016-5425", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-07-30T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1362545", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed configuration file /usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Local privilege escalation via systemd-tmpfiles service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5425", }, { category: "external", summary: "RHBZ#1362545", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1362545", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5425", url: "https://www.cve.org/CVERecord?id=CVE-2016-5425", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5425", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5425", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-RedHat-based-Root-Privilege-Escalation-Exploit.txt", url: "http://legalhackers.com/advisories/Tomcat-RedHat-based-Root-Privilege-Escalation-Exploit.txt", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: Local privilege escalation via systemd-tmpfiles service", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2016-10-10T20:38:43+00:00", details: "For details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258", product_ids: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2016:2046", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "NONE", baseScore: 1.9, confidentialityImpact: "NONE", integrityImpact: "PARTIAL", vectorString: "AV:L/AC:M/Au:N/C:N/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "NONE", baseScore: 3.3, baseSeverity: "LOW", confidentialityImpact: "NONE", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", version: "3.0", }, products: [ "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Client-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Client-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7ComputeNode-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7ComputeNode-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Server-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Server-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-0:7.0.54-8.el7_2.src", "7Workstation-optional-7.2.Z:tomcat-admin-webapps-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-docs-webapp-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-el-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-javadoc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsp-2.2-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-jsvc-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-lib-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-servlet-3.0-api-0:7.0.54-8.el7_2.noarch", "7Workstation-optional-7.2.Z:tomcat-webapps-0:7.0.54-8.el7_2.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, ], }
rhsa-2017:0456
Vulnerability from csaf_redhat
Published
2017-03-07 19:06
Modified
2025-02-02 19:59
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update
Notes
Topic
An update is now available for Red Hat JBoss Web Server 3 for RHEL 7.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.
Security Fix(es):
* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)
* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)
* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)
* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)
* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)
* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)
* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)
The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Enhancement(s):
* This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 7. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-268)
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Web Server 3 for RHEL 7.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\n* This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 7. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-268)", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:0456", url: "https://access.redhat.com/errata/RHSA-2017:0456", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "JWS-268", url: "https://issues.redhat.com/browse/JWS-268", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0456.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update", tracking: { current_release_date: "2025-02-02T19:59:16+00:00", generator: { date: "2025-02-02T19:59:16+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.6", }, }, id: "RHSA-2017:0456", initial_release_date: "2017-03-07T19:06:06+00:00", revision_history: [ { date: "2017-03-07T19:06:06+00:00", number: "1", summary: "Initial version", }, { date: "2017-03-07T19:06:06+00:00", number: "2", summary: "Last updated version", }, { date: "2025-02-02T19:59:16+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Web Server 3.1 for RHEL 7", product: { name: "Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", }, }, }, ], category: "product_family", name: "Red Hat JBoss Web Server", }, { branches: [ { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-envers-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-c3p0-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-core-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_id: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-entitymanager-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat8@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_id: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat7@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el7?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", product: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", product_id: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-runtime@1-3.jbcs.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-selinux@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-webapps@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-lib@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", product: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", product_id: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-log4j@7.0.70-16.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-log4j@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-selinux@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-webapps@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-lib@8.0.36-17.ep7.el7?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", product: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", product_id: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-17.ep7.el7?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el7?arch=src&epoch=1", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el7.src", product: { name: "tomcat7-0:7.0.70-16.ep7.el7.src", product_id: "tomcat7-0:7.0.70-16.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el7.src", product: { name: "tomcat8-0:8.0.36-17.ep7.el7.src", product_id: "tomcat8-0:8.0.36-17.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el7?arch=src", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el7?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo@1.0.15-17.redhat_2.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el7?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el7?arch=x86_64", }, }, }, { category: "product_version", name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_id: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.8-9.redhat_9.ep7.el7?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", }, product_reference: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", }, product_reference: "jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", }, product_reference: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", }, product_reference: "tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el7.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el7.src", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 7", product_id: "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", }, product_reference: "tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", relates_to_product_reference: "7Server-JWS-3.1", }, ], }, vulnerabilities: [ { cve: "CVE-2016-0762", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390526", }, ], notes: [ { category: "description", text: "The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: timing attack in Realm implementation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0762", }, { category: "external", summary: "RHBZ#1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0762", url: "https://www.cve.org/CVERecord?id=CVE-2016-0762", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: timing attack in Realm implementation", }, { cve: "CVE-2016-1240", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-09-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1376712", }, ], notes: [ { category: "description", text: "It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1240", }, { category: "external", summary: "RHBZ#1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1240", url: "https://www.cve.org/CVERecord?id=CVE-2016-1240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", url: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", }, ], release_date: "2016-09-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", }, { cve: "CVE-2016-3092", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-06-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1349468", }, ], notes: [ { category: "description", text: "A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3092", }, { category: "external", summary: "RHBZ#1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3092", url: "https://www.cve.org/CVERecord?id=CVE-2016-3092", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html", url: "http://tomcat.apache.org/security-7.html", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html", url: "http://tomcat.apache.org/security-8.html", }, ], release_date: "2016-06-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", }, { cve: "CVE-2016-5018", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390525", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via IntrospectHelper utility function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5018", }, { category: "external", summary: "RHBZ#1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5018", url: "https://www.cve.org/CVERecord?id=CVE-2016-5018", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via IntrospectHelper utility function", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, { cve: "CVE-2016-6794", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390520", }, ], notes: [ { category: "description", text: "It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: system property disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6794", }, { category: "external", summary: "RHBZ#1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6794", url: "https://www.cve.org/CVERecord?id=CVE-2016-6794", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: system property disclosure", }, { cve: "CVE-2016-6796", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390515", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via JSP Servlet config parameters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6796", }, { category: "external", summary: "RHBZ#1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6796", url: "https://www.cve.org/CVERecord?id=CVE-2016-6796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via JSP Servlet config parameters", }, { cve: "CVE-2016-6797", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390493", }, ], notes: [ { category: "description", text: "It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unrestricted access to global resources", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6797", }, { category: "external", summary: "RHBZ#1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6797", url: "https://www.cve.org/CVERecord?id=CVE-2016-6797", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: unrestricted access to global resources", }, { cve: "CVE-2016-6816", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397484", }, ], notes: [ { category: "description", text: "It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", title: "Vulnerability summary", }, { category: "other", text: "Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6816", }, { category: "external", summary: "RHBZ#1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6816", url: "https://www.cve.org/CVERecord?id=CVE-2016-6816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", }, { category: "external", summary: "https://access.redhat.com/articles/2991951", url: "https://access.redhat.com/articles/2991951", }, { category: "external", summary: "https://access.redhat.com/solutions/2891171", url: "https://access.redhat.com/solutions/2891171", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", }, { cve: "CVE-2016-8735", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397485", }, ], notes: [ { category: "description", text: "The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8735", }, { category: "external", summary: "RHBZ#1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8735", url: "https://www.cve.org/CVERecord?id=CVE-2016-8735", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "exploit_status", date: "2023-05-12T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", }, { cve: "CVE-2016-8745", discovery_date: "2016-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1403824", }, ], notes: [ { category: "description", text: "A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: information disclosure due to incorrect Processor sharing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8745", }, { category: "external", summary: "RHBZ#1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8745", url: "https://www.cve.org/CVERecord?id=CVE-2016-8745", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", }, ], release_date: "2016-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:06+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0456", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "7Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.src", "7Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.noarch", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.src", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el7.x86_64", "7Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.src", "7Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el7.x86_64", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.noarch", "7Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7.src", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el7.src", "7Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el7.src", "7Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el7.noarch", "7Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el7.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: information disclosure due to incorrect Processor sharing", }, ], }
rhsa-2017_0455
Vulnerability from csaf_redhat
Published
2017-03-07 19:06
Modified
2024-12-15 18:44
Summary
Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update
Notes
Topic
An update is now available for Red Hat JBoss Web Server 3 for RHEL 6.
Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.
Details
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.
This release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.
Security Fix(es):
* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)
* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)
* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)
* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)
* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)
* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)
* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)
* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)
* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)
* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)
The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Enhancement(s):
This enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 6. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-267)
Users of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.
Terms of Use
This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
{ document: { aggregate_severity: { namespace: "https://access.redhat.com/security/updates/classification/", text: "Important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright © Red Hat, Inc. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "An update is now available for Red Hat JBoss Web Server 3 for RHEL 6.\n\nRed Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.", title: "Topic", }, { category: "general", text: "Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.\n\nThis release of Red Hat JBoss Web Server 3.1.0 serves as a replacement for Red Hat JBoss Web Server 3.0.3, and includes enhancements.\n\nSecurity Fix(es):\n\n* It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation. (CVE-2016-1240)\n\n* It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)\n\n* The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance. (CVE-2016-8735)\n\n* A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. (CVE-2016-3092)\n\n* It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own. (CVE-2016-6816)\n\n* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)\n\n* The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)\n\n* It was discovered that when a SecurityManager is configured Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)\n\n* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)\n\n* It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)\n\nThe CVE-2016-6325 issue was discovered by Red Hat Product Security.\n\nEnhancement(s):\n\nThis enhancement update adds the Red Hat JBoss Web Server 3.1.0 packages to Red Hat Enterprise Linux 6. These packages provide a number of enhancements over the previous version of Red Hat JBoss Web Server. (JIRA#JWS-267)\n\nUsers of Red Hat JBoss Web Server are advised to upgrade to these updated packages, which add this enhancement.", title: "Details", }, { category: "legal_disclaimer", text: "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.", title: "Terms of Use", }, ], publisher: { category: "vendor", contact_details: "https://access.redhat.com/security/team/contact/", issuing_authority: "Red Hat Product Security is responsible for vulnerability handling across all Red Hat products and services.", name: "Red Hat Product Security", namespace: "https://www.redhat.com", }, references: [ { category: "self", summary: "https://access.redhat.com/errata/RHSA-2017:0455", url: "https://access.redhat.com/errata/RHSA-2017:0455", }, { category: "external", summary: "https://access.redhat.com/security/updates/classification/#important", url: "https://access.redhat.com/security/updates/classification/#important", }, { category: "external", summary: "1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "JWS-267", url: "https://issues.redhat.com/browse/JWS-267", }, { category: "self", summary: "Canonical URL", url: "https://security.access.redhat.com/data/csaf/v2/advisories/2017/rhsa-2017_0455.json", }, ], title: "Red Hat Security Advisory: Red Hat JBoss Web Server 3.1.0 security and enhancement update", tracking: { current_release_date: "2024-12-15T18:44:33+00:00", generator: { date: "2024-12-15T18:44:33+00:00", engine: { name: "Red Hat SDEngine", version: "4.2.3", }, }, id: "RHSA-2017:0455", initial_release_date: "2017-03-07T19:06:40+00:00", revision_history: [ { date: "2017-03-07T19:06:40+00:00", number: "1", summary: "Initial version", }, { date: "2017-03-07T19:06:40+00:00", number: "2", summary: "Last updated version", }, { date: "2024-12-15T18:44:33+00:00", number: "3", summary: "Last generated version", }, ], status: "final", version: "3", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_name", name: "Red Hat JBoss Web Server 3.1 for RHEL 6", product: { name: "Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1", product_identification_helper: { cpe: "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", }, }, }, ], category: "product_family", name: "Red Hat JBoss Web Server", }, { branches: [ { category: "product_version", name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-envers-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-c3p0-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-core-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_id: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-entitymanager-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat7@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_id: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster-tomcat8@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el6?arch=noarch", }, }, }, { category: "product_version", name: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", product: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", product_id: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-runtime@1-3.jbcs.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsvc@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-selinux@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-docs-webapp@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-servlet-3.0-api@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-el-2.2-api@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-admin-webapps@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-jsp-2.2-api@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-javadoc@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-lib@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-log4j@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", product: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", product_id: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7-webapps@7.0.70-16.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-log4j@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-admin-webapps@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsvc@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-el-2.2-api@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-docs-webapp@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-servlet-3.1-api@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-webapps@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-selinux@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-jsp-2.3-api@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-lib@8.0.36-17.ep7.el6?arch=noarch", }, }, }, { category: "product_version", name: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", product: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", product_id: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8-javadoc@8.0.36-17.ep7.el6?arch=noarch", }, }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_version", name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", product: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", product_id: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/hibernate4-eap6@4.2.23-1.Final_redhat_1.1.ep6.el6?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el6?arch=src&epoch=1", }, }, }, { category: "product_version", name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", product: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", product_id: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/mod_cluster@1.3.5-2.Final_redhat_2.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", product: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", product_id: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon@1.0.15-1.redhat_2.1.jbcs.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", product: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", product_id: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-vault@1.0.8-9.Final_redhat_2.1.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat7-0:7.0.70-16.ep7.el6.src", product: { name: "tomcat7-0:7.0.70-16.ep7.el6.src", product_id: "tomcat7-0:7.0.70-16.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat7@7.0.70-16.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat8-0:8.0.36-17.ep7.el6.src", product: { name: "tomcat8-0:8.0.36-17.ep7.el6.src", product_id: "tomcat8-0:8.0.36-17.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat8@8.0.36-17.ep7.el6?arch=src", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el6?arch=src", }, }, }, ], category: "architecture", name: "src", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo@1.0.15-17.redhat_2.jbcs.el6?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el6?arch=x86_64&epoch=1", }, }, }, { category: "product_version", name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_id: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.8-9.redhat_9.ep7.el6?arch=x86_64", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el6?arch=x86_64", }, }, }, ], category: "architecture", name: "x86_64", }, { branches: [ { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo@1.0.15-17.redhat_2.jbcs.el6?arch=i686&epoch=1", }, }, }, { category: "product_version", name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", product: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_id: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/jbcs-httpd24-apache-commons-daemon-jsvc@1.0.15-17.redhat_2.jbcs.el6?arch=i686&epoch=1", }, }, }, { category: "product_version", name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", product: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", product_id: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native-debuginfo@1.2.8-9.redhat_9.ep7.el6?arch=i686", }, }, }, { category: "product_version", name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", product: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", product_id: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", product_identification_helper: { purl: "pkg:rpm/redhat/tomcat-native@1.2.8-9.redhat_9.ep7.el6?arch=i686", }, }, }, ], category: "architecture", name: "i686", }, ], category: "vendor", name: "Red Hat", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", }, product_reference: "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", }, product_reference: "hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", }, product_reference: "jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", }, product_reference: "jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", }, product_reference: "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", }, product_reference: "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", }, product_reference: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64 as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", }, product_reference: "tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", }, product_reference: "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-0:7.0.70-16.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", }, product_reference: "tomcat7-0:7.0.70-16.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", }, product_reference: "tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-0:8.0.36-17.ep7.el6.src as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", }, product_reference: "tomcat8-0:8.0.36-17.ep7.el6.src", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, { category: "default_component_of", full_product_name: { name: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch as a component of Red Hat JBoss Web Server 3.1 for RHEL 6", product_id: "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", }, product_reference: "tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", relates_to_product_reference: "6Server-JWS-3.1", }, ], }, vulnerabilities: [ { cve: "CVE-2016-0762", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390526", }, ], notes: [ { category: "description", text: "The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: timing attack in Realm implementation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-0762", }, { category: "external", summary: "RHBZ#1390526", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390526", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-0762", url: "https://www.cve.org/CVERecord?id=CVE-2016-0762", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-0762", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: timing attack in Realm implementation", }, { cve: "CVE-2016-1240", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-09-15T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1376712", }, ], notes: [ { category: "description", text: "It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-1240", }, { category: "external", summary: "RHBZ#1376712", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1376712", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-1240", url: "https://www.cve.org/CVERecord?id=CVE-2016-1240", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-1240", }, { category: "external", summary: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", url: "http://legalhackers.com/advisories/Tomcat-DebPkgs-Root-Privilege-Escalation-Exploit-CVE-2016-1240.txt", }, ], release_date: "2016-09-15T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation", }, { cve: "CVE-2016-3092", cwe: { id: "CWE-20", name: "Improper Input Validation", }, discovery_date: "2016-06-21T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1349468", }, ], notes: [ { category: "description", text: "A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-3092", }, { category: "external", summary: "RHBZ#1349468", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-3092", url: "https://www.cve.org/CVERecord?id=CVE-2016-3092", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", }, { category: "external", summary: "http://tomcat.apache.org/security-7.html", url: "http://tomcat.apache.org/security-7.html", }, { category: "external", summary: "http://tomcat.apache.org/security-8.html", url: "http://tomcat.apache.org/security-8.html", }, ], release_date: "2016-06-21T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 4.3, confidentialityImpact: "NONE", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:N/I:N/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "NONE", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: Usage of vulnerable FileUpload package can result in denial of service", }, { cve: "CVE-2016-5018", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390525", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via IntrospectHelper utility function", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-5018", }, { category: "external", summary: "RHBZ#1390525", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390525", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-5018", url: "https://www.cve.org/CVERecord?id=CVE-2016-5018", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-5018", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via IntrospectHelper utility function", }, { acknowledgments: [ { summary: "This issue was discovered by Red Hat.", }, ], cve: "CVE-2016-6325", cwe: { id: "CWE-284", name: "Improper Access Control", }, discovery_date: "2016-08-09T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1367447", }, ], notes: [ { category: "description", text: "It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: tomcat writable config files allow privilege escalation", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { category: "external", summary: "RHBZ#1367447", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6325", url: "https://www.cve.org/CVERecord?id=CVE-2016-6325", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, ], release_date: "2016-10-10T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 6.9, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:M/Au:N/C:C/I:C/A:C", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: tomcat writable config files allow privilege escalation", }, { cve: "CVE-2016-6794", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390520", }, ], notes: [ { category: "description", text: "It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: system property disclosure", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6794", }, { category: "external", summary: "RHBZ#1390520", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390520", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6794", url: "https://www.cve.org/CVERecord?id=CVE-2016-6794", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6794", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.1, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: system property disclosure", }, { cve: "CVE-2016-6796", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390515", }, ], notes: [ { category: "description", text: "It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: security manager bypass via JSP Servlet config parameters", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6796", }, { category: "external", summary: "RHBZ#1390515", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390515", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6796", url: "https://www.cve.org/CVERecord?id=CVE-2016-6796", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6796", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:H/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 4.2, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: security manager bypass via JSP Servlet config parameters", }, { cve: "CVE-2016-6797", discovery_date: "2016-10-27T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1390493", }, ], notes: [ { category: "description", text: "It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: unrestricted access to global resources", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6797", }, { category: "external", summary: "RHBZ#1390493", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1390493", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6797", url: "https://www.cve.org/CVERecord?id=CVE-2016-6797", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6797", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37", }, ], release_date: "2016-10-27T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "HIGH", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 2.6, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:H/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 3.7, baseSeverity: "LOW", confidentialityImpact: "LOW", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Low", }, ], title: "tomcat: unrestricted access to global resources", }, { cve: "CVE-2016-6816", cwe: { id: "CWE-444", name: "Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397484", }, ], notes: [ { category: "description", text: "It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", title: "Vulnerability summary", }, { category: "other", text: "Applying the fix provided to mitigate this issue may cause Tomcat to return 400 status after updating. For more information, refer to https://access.redhat.com/solutions/2891171", title: "Statement", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-6816", }, { category: "external", summary: "RHBZ#1397484", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397484", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-6816", url: "https://www.cve.org/CVERecord?id=CVE-2016-6816", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6816", }, { category: "external", summary: "https://access.redhat.com/articles/2991951", url: "https://access.redhat.com/articles/2991951", }, { category: "external", summary: "https://access.redhat.com/solutions/2891171", url: "https://access.redhat.com/solutions/2891171", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 5.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 6.5, baseSeverity: "MEDIUM", confidentialityImpact: "LOW", integrityImpact: "LOW", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Moderate", }, ], title: "tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests", }, { cve: "CVE-2016-8735", cwe: { id: "CWE-502", name: "Deserialization of Untrusted Data", }, discovery_date: "2016-11-22T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1397485", }, ], notes: [ { category: "description", text: "The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8735", }, { category: "external", summary: "RHBZ#1397485", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1397485", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8735", url: "https://www.cve.org/CVERecord?id=CVE-2016-8735", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8735", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8", }, { category: "external", summary: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", url: "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, ], release_date: "2016-11-22T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "PARTIAL", baseScore: 6.8, confidentialityImpact: "PARTIAL", integrityImpact: "PARTIAL", vectorString: "AV:N/AC:M/Au:N/C:P/I:P/A:P", version: "2.0", }, cvss_v3: { attackComplexity: "HIGH", attackVector: "NETWORK", availabilityImpact: "HIGH", baseScore: 8.1, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "exploit_status", date: "2023-05-12T00:00:00+00:00", details: "CISA: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", }, { category: "impact", details: "Important", }, ], title: "tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener", }, { cve: "CVE-2016-8745", discovery_date: "2016-12-12T00:00:00+00:00", ids: [ { system_name: "Red Hat Bugzilla ID", text: "1403824", }, ], notes: [ { category: "description", text: "A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.", title: "Vulnerability description", }, { category: "summary", text: "tomcat: information disclosure due to incorrect Processor sharing", title: "Vulnerability summary", }, { category: "general", text: "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", title: "CVSS score applicability", }, ], product_status: { fixed: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, references: [ { category: "self", summary: "Canonical URL", url: "https://access.redhat.com/security/cve/CVE-2016-8745", }, { category: "external", summary: "RHBZ#1403824", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1403824", }, { category: "external", summary: "https://www.cve.org/CVERecord?id=CVE-2016-8745", url: "https://www.cve.org/CVERecord?id=CVE-2016-8745", }, { category: "external", summary: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-8745", }, { category: "external", summary: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", url: "https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.49", }, { category: "external", summary: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", url: "https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.74", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.40", }, { category: "external", summary: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", url: "https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.9", }, ], release_date: "2016-12-12T00:00:00+00:00", remediations: [ { category: "vendor_fix", date: "2017-03-07T19:06:40+00:00", details: "Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).\n\nFor details on how to apply this update, which includes the changes described in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\nAfter installing the updated packages, the httpd daemon will be restarted automatically.", product_ids: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], restart_required: { category: "none", }, url: "https://access.redhat.com/errata/RHSA-2017:0455", }, ], scores: [ { cvss_v2: { accessComplexity: "MEDIUM", accessVector: "NETWORK", authentication: "NONE", availabilityImpact: "NONE", baseScore: 4.3, confidentialityImpact: "PARTIAL", integrityImpact: "NONE", vectorString: "AV:N/AC:M/Au:N/C:P/I:N/A:N", version: "2.0", }, cvss_v3: { attackComplexity: "LOW", attackVector: "NETWORK", availabilityImpact: "NONE", baseScore: 7.5, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "NONE", privilegesRequired: "NONE", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", version: "3.0", }, products: [ "6Server-JWS-3.1:hibernate4-c3p0-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-core-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.src", "6Server-JWS-3.1:hibernate4-entitymanager-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:hibernate4-envers-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.noarch", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.src", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.i686", "6Server-JWS-3.1:jbcs-httpd24-apache-commons-daemon-jsvc-debuginfo-1:1.0.15-17.redhat_2.jbcs.el6.x86_64", "6Server-JWS-3.1:jbcs-httpd24-runtime-0:1-3.jbcs.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:mod_cluster-tomcat7-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:mod_cluster-tomcat8-0:1.3.5-2.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.src", "6Server-JWS-3.1:tomcat-native-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.i686", "6Server-JWS-3.1:tomcat-native-debuginfo-0:1.2.8-9.redhat_9.ep7.el6.x86_64", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.noarch", "6Server-JWS-3.1:tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6.src", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-0:7.0.70-16.ep7.el6.src", "6Server-JWS-3.1:tomcat7-admin-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-docs-webapp-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-el-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-javadoc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsp-2.2-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-jsvc-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-lib-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-log4j-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-selinux-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-servlet-3.0-api-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat7-webapps-0:7.0.70-16.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-0:8.0.36-17.ep7.el6.src", "6Server-JWS-3.1:tomcat8-admin-webapps-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-docs-webapp-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-el-2.2-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-javadoc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsp-2.3-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-jsvc-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-lib-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-log4j-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-selinux-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-servlet-3.1-api-0:8.0.36-17.ep7.el6.noarch", "6Server-JWS-3.1:tomcat8-webapps-0:8.0.36-17.ep7.el6.noarch", ], }, ], threats: [ { category: "impact", details: "Important", }, ], title: "tomcat: information disclosure due to incorrect Processor sharing", }, ], }
gsd-2016-6325
Vulnerability from gsd
Modified
2023-12-13 01:21
Details
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Aliases
Aliases
{ GSD: { alias: "CVE-2016-6325", description: "The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.", id: "GSD-2016-6325", references: [ "https://access.redhat.com/errata/RHSA-2017:0457", "https://access.redhat.com/errata/RHSA-2017:0456", "https://access.redhat.com/errata/RHSA-2017:0455", "https://access.redhat.com/errata/RHSA-2016:2046", "https://access.redhat.com/errata/RHSA-2016:2045", "https://advisories.mageia.org/CVE-2016-6325.html", "https://alas.aws.amazon.com/cve/html/CVE-2016-6325.html", "https://linux.oracle.com/cve/CVE-2016-6325.html", ], }, gsd: { metadata: { exploitCode: "unknown", remediation: "unknown", reportConfidence: "confirmed", type: "vulnerability", }, osvSchema: { aliases: [ "CVE-2016-6325", ], details: "The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.", id: "GSD-2016-6325", modified: "2023-12-13T01:21:23.216551Z", schema_version: "1.4.0", }, }, namespaces: { "cve.org": { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2016-6325", STATE: "PUBLIC", }, affects: { vendor: { vendor_data: [ { product: { product_data: [ { product_name: "n/a", version: { version_data: [ { version_affected: "=", version_value: "n/a", }, ], }, }, ], }, vendor_name: "n/a", }, ], }, }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "eng", value: "The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "eng", value: "n/a", }, ], }, ], }, references: { reference_data: [ { name: "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", refsource: "MISC", url: "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", }, { name: "http://rhn.redhat.com/errata/RHSA-2016-2045.html", refsource: "MISC", url: "http://rhn.redhat.com/errata/RHSA-2016-2045.html", }, { name: "http://rhn.redhat.com/errata/RHSA-2016-2046.html", refsource: "MISC", url: "http://rhn.redhat.com/errata/RHSA-2016-2046.html", }, { name: "http://rhn.redhat.com/errata/RHSA-2017-0457.html", refsource: "MISC", url: "http://rhn.redhat.com/errata/RHSA-2017-0457.html", }, { name: "http://www.securityfocus.com/bid/93478", refsource: "MISC", url: "http://www.securityfocus.com/bid/93478", }, { name: "https://access.redhat.com/errata/RHSA-2017:0455", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2017:0455", }, { name: "https://access.redhat.com/errata/RHSA-2017:0456", refsource: "MISC", url: "https://access.redhat.com/errata/RHSA-2017:0456", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", refsource: "MISC", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, ], }, }, "nvd.nist.gov": { configurations: { CVE_data_version: "4.0", nodes: [ { children: [ { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:apache:tomcat:-:*:*:*:*:*:*:*", cpe_name: [], vulnerable: true, }, ], operator: "OR", }, { children: [], cpe_match: [ { cpe23Uri: "cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, { cpe23Uri: "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", cpe_name: [], vulnerable: false, }, ], operator: "OR", }, ], cpe_match: [], operator: "AND", }, ], }, cve: { CVE_data_meta: { ASSIGNER: "secalert@redhat.com", ID: "CVE-2016-6325", }, data_format: "MITRE", data_type: "CVE", data_version: "4.0", description: { description_data: [ { lang: "en", value: "The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.", }, ], }, problemtype: { problemtype_data: [ { description: [ { lang: "en", value: "CWE-264", }, ], }, ], }, references: { reference_data: [ { name: "RHSA-2016:2045", refsource: "REDHAT", tags: [ "Vendor Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2045.html", }, { name: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", refsource: "CONFIRM", tags: [ "Issue Tracking", "VDB Entry", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { name: "RHSA-2016:2046", refsource: "REDHAT", tags: [ "Vendor Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2046.html", }, { name: "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", refsource: "CONFIRM", tags: [], url: "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", }, { name: "93478", refsource: "BID", tags: [], url: "http://www.securityfocus.com/bid/93478", }, { name: "RHSA-2017:0456", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:0456", }, { name: "RHSA-2017:0455", refsource: "REDHAT", tags: [], url: "https://access.redhat.com/errata/RHSA-2017:0455", }, { name: "RHSA-2017:0457", refsource: "REDHAT", tags: [], url: "http://rhn.redhat.com/errata/RHSA-2017-0457.html", }, ], }, }, impact: { baseMetricV2: { acInsufInfo: false, cvssV2: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 7.2, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, severity: "HIGH", userInteractionRequired: false, }, baseMetricV3: { cvssV3: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 1.8, impactScore: 5.9, }, }, lastModifiedDate: "2023-02-12T23:24Z", publishedDate: "2016-10-13T14:59Z", }, }, }
ghsa-398j-w8vh-r865
Vulnerability from github
Published
2022-05-14 03:56
Modified
2022-05-14 03:56
Severity ?
Details
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
{ affected: [], aliases: [ "CVE-2016-6325", ], database_specific: { cwe_ids: [], github_reviewed: false, github_reviewed_at: null, nvd_published_at: "2016-10-13T14:59:00Z", severity: "HIGH", }, details: "The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.", id: "GHSA-398j-w8vh-r865", modified: "2022-05-14T03:56:16Z", published: "2022-05-14T03:56:16Z", references: [ { type: "ADVISORY", url: "https://nvd.nist.gov/vuln/detail/CVE-2016-6325", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2016:2045", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2016:2046", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:0455", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:0456", }, { type: "WEB", url: "https://access.redhat.com/errata/RHSA-2017:0457", }, { type: "WEB", url: "https://access.redhat.com/security/cve/CVE-2016-6325", }, { type: "WEB", url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { type: "WEB", url: "http://rhn.redhat.com/errata/RHSA-2016-2045.html", }, { type: "WEB", url: "http://rhn.redhat.com/errata/RHSA-2016-2046.html", }, { type: "WEB", url: "http://rhn.redhat.com/errata/RHSA-2017-0457.html", }, { type: "WEB", url: "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", }, { type: "WEB", url: "http://www.securityfocus.com/bid/93478", }, ], schema_version: "1.4.0", severity: [ { score: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", type: "CVSS_V3", }, ], }
fkie_cve-2016-6325
Vulnerability from fkie_nvd
Published
2016-10-13 14:59
Modified
2024-11-21 02:55
Severity ?
Summary
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
References
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| apache | tomcat | - | |
| redhat | jboss_enterprise_web_server | 2.0.0 | |
| redhat | jboss_web_server | 3.0 | |
| redhat | enterprise_linux | 5.0 | |
| redhat | enterprise_linux | 6.0 | |
| redhat | enterprise_linux | 7.0 | |
| redhat | enterprise_linux_desktop | 6.0 | |
| redhat | enterprise_linux_desktop | 7.0 | |
| redhat | enterprise_linux_hpc_node | 6.0 | |
| redhat | enterprise_linux_hpc_node | 7.0 | |
| redhat | enterprise_linux_hpc_node_eus | 7.2 | |
| redhat | enterprise_linux_server | 6.0 | |
| redhat | enterprise_linux_server | 7.0 | |
| redhat | enterprise_linux_server_aus | 7.2 | |
| redhat | enterprise_linux_server_eus | 7.2 | |
| redhat | enterprise_linux_workstation | 6.0 | |
| redhat | enterprise_linux_workstation | 7.0 |
{ configurations: [ { nodes: [ { cpeMatch: [ { criteria: "cpe:2.3:a:apache:tomcat:-:*:*:*:*:*:*:*", matchCriteriaId: "DB5FCB11-3FCA-4EB4-8FA6-87B356B80739", vulnerable: true, }, ], negate: false, operator: "OR", }, { cpeMatch: [ { criteria: "cpe:2.3:a:redhat:jboss_enterprise_web_server:2.0.0:*:*:*:*:*:*:*", matchCriteriaId: "681173DF-537E-4A64-8FC7-75F439CCAD0D", vulnerable: false, }, { criteria: "cpe:2.3:a:redhat:jboss_web_server:3.0:*:*:*:*:*:*:*", matchCriteriaId: "54EB07A0-FB38-4F17-9C8D-DB629967F07B", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:5.0:*:*:*:*:*:*:*", matchCriteriaId: "1D8B549B-E57B-4DFE-8A13-CAB06B5356B3", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*", matchCriteriaId: "2F6AB192-9D7D-4A9A-8995-E53A9DE9EAFC", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*", matchCriteriaId: "142AD0DD-4CF3-4D74-9442-459CE3347E3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_desktop:6.0:*:*:*:*:*:*:*", matchCriteriaId: "EE249E1B-A1FD-4E08-AA71-A0E1F10FFE97", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*", matchCriteriaId: "33C068A4-3780-4EAB-A937-6082DF847564", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_hpc_node:6.0:*:*:*:*:*:*:*", matchCriteriaId: "C2FAC325-6EEB-466D-9EBA-8ED4DBC9CFBF", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_hpc_node:7.0:*:*:*:*:*:*:*", matchCriteriaId: "3C84489B-B08C-4854-8A12-D01B6E45CF79", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_hpc_node_eus:7.2:*:*:*:*:*:*:*", matchCriteriaId: "39A901D6-0874-46A4-92A8-5F72C7A89E85", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*", matchCriteriaId: "9BBCD86A-E6C7-4444-9D74-F861084090F0", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*", matchCriteriaId: "51EF4996-72F4-4FA4-814F-F5991E7A8318", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_aus:7.2:*:*:*:*:*:*:*", matchCriteriaId: "1C8D871B-AEA1-4407-AEE3-47EC782250FF", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_server_eus:7.2:*:*:*:*:*:*:*", matchCriteriaId: "44B067C7-735E-43C9-9188-7E1522A02491", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_workstation:6.0:*:*:*:*:*:*:*", matchCriteriaId: "E5ED5807-55B7-47C5-97A6-03233F4FBC3A", vulnerable: false, }, { criteria: "cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*", matchCriteriaId: "825ECE2D-E232-46E0-A047-074B34DB1E97", vulnerable: false, }, ], negate: false, operator: "OR", }, ], operator: "AND", }, ], cveTags: [], descriptions: [ { lang: "en", value: "The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.", }, { lang: "es", value: "El paquete Tomcat en Red Hat Enterprise Linux (RHEL) 5 hasta la versión 7, JBoss Web Server 3.0 y JBoss EWS 2 utiliza permisos débiles para (1) /etc/sysconfig/tomcat y (2) /etc/tomcat/tomcat.conf, lo que permite a usuarios locales obtener privilegios aprovechando su pertenencia al grupo tomcat.", }, ], id: "CVE-2016-6325", lastModified: "2024-11-21T02:55:54.337", metrics: { cvssMetricV2: [ { acInsufInfo: false, baseSeverity: "HIGH", cvssData: { accessComplexity: "LOW", accessVector: "LOCAL", authentication: "NONE", availabilityImpact: "COMPLETE", baseScore: 7.2, confidentialityImpact: "COMPLETE", integrityImpact: "COMPLETE", vectorString: "AV:L/AC:L/Au:N/C:C/I:C/A:C", version: "2.0", }, exploitabilityScore: 3.9, impactScore: 10, obtainAllPrivilege: false, obtainOtherPrivilege: false, obtainUserPrivilege: false, source: "nvd@nist.gov", type: "Primary", userInteractionRequired: false, }, ], cvssMetricV30: [ { cvssData: { attackComplexity: "LOW", attackVector: "LOCAL", availabilityImpact: "HIGH", baseScore: 7.8, baseSeverity: "HIGH", confidentialityImpact: "HIGH", integrityImpact: "HIGH", privilegesRequired: "LOW", scope: "UNCHANGED", userInteraction: "NONE", vectorString: "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, exploitabilityScore: 1.8, impactScore: 5.9, source: "nvd@nist.gov", type: "Primary", }, ], }, published: "2016-10-13T14:59:09.127", references: [ { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2045.html", }, { source: "secalert@redhat.com", tags: [ "Vendor Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2046.html", }, { source: "secalert@redhat.com", url: "http://rhn.redhat.com/errata/RHSA-2017-0457.html", }, { source: "secalert@redhat.com", url: "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", }, { source: "secalert@redhat.com", url: "http://www.securityfocus.com/bid/93478", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2017:0455", }, { source: "secalert@redhat.com", url: "https://access.redhat.com/errata/RHSA-2017:0456", }, { source: "secalert@redhat.com", tags: [ "Issue Tracking", "VDB Entry", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2045.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Vendor Advisory", ], url: "http://rhn.redhat.com/errata/RHSA-2016-2046.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://rhn.redhat.com/errata/RHSA-2017-0457.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "http://www.securityfocus.com/bid/93478", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:0455", }, { source: "af854a3a-2127-422b-91ae-364da2661108", url: "https://access.redhat.com/errata/RHSA-2017:0456", }, { source: "af854a3a-2127-422b-91ae-364da2661108", tags: [ "Issue Tracking", "VDB Entry", "Vendor Advisory", ], url: "https://bugzilla.redhat.com/show_bug.cgi?id=1367447", }, ], sourceIdentifier: "secalert@redhat.com", vulnStatus: "Modified", weaknesses: [ { description: [ { lang: "en", value: "CWE-264", }, ], source: "nvd@nist.gov", type: "Primary", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.