Vulnerability from csaf_suse
Published
2017-11-23 16:16
Modified
2017-11-23 16:16
Summary
Security update for tomcat
Notes
Title of the patch
Security update for tomcat
Description of the patch
Apache Tomcat was updated to 7.0.82 adding features, fixing bugs and security issues.
This is another bugfix release, for full details see:
https://tomcat.apache.org/tomcat-7.0-doc/changelog.html
Fixed security issues:
- CVE-2017-5664: A problem in handling error pages was fixed, to avoid potential file overwrites during error page handling. (bsc#1042910).
- CVE-2017-7674: A CORS Filter issue could lead to client and server side cache poisoning (bsc#1053352)
- CVE-2017-12617: A remote code execution possibility via JSP Upload was fixed (bsc#1059554)
- CVE-2017-12616: An information disclosure when using VirtualDirContext was fixed (bsc#1059551)
- CVE-2017-12615: A Remote Code Execution via JSP Upload was fixed (bsc#1059554)
Non-security issues fixed:
- Fix tomcat-digest classpath error (bsc#977410)
Patchnames
SUSE-SLE-SERVER-12-2017-1889
Terms of use
CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
{ document: { aggregate_severity: { namespace: "https://www.suse.com/support/security/rating/", text: "important", }, category: "csaf_security_advisory", csaf_version: "2.0", distribution: { text: "Copyright 2024 SUSE LLC. All rights reserved.", tlp: { label: "WHITE", url: "https://www.first.org/tlp/", }, }, lang: "en", notes: [ { category: "summary", text: "Security update for tomcat", title: "Title of the patch", }, { category: "description", text: "\n\nApache Tomcat was updated to 7.0.82 adding features, fixing bugs and security issues.\n\nThis is another bugfix release, for full details see:\n\n https://tomcat.apache.org/tomcat-7.0-doc/changelog.html\n\nFixed security issues:\n\n- CVE-2017-5664: A problem in handling error pages was fixed, to avoid potential file overwrites during error page handling. (bsc#1042910).\n- CVE-2017-7674: A CORS Filter issue could lead to client and server side cache poisoning (bsc#1053352)\n- CVE-2017-12617: A remote code execution possibility via JSP Upload was fixed (bsc#1059554)\n- CVE-2017-12616: An information disclosure when using VirtualDirContext was fixed (bsc#1059551)\n- CVE-2017-12615: A Remote Code Execution via JSP Upload was fixed (bsc#1059554)\n\nNon-security issues fixed:\n\n- Fix tomcat-digest classpath error (bsc#977410) \n", title: "Description of the patch", }, { category: "details", text: "SUSE-SLE-SERVER-12-2017-1889", title: "Patchnames", }, { category: "legal_disclaimer", text: "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).", title: "Terms of use", }, ], publisher: { category: "vendor", contact_details: "https://www.suse.com/support/security/contact/", name: "SUSE Product Security Team", namespace: "https://www.suse.com/", }, references: [ { category: "external", summary: "SUSE ratings", url: "https://www.suse.com/support/security/rating/", }, { category: "self", summary: "URL of this CSAF notice", url: "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2017_3059-1.json", }, { category: "self", summary: "URL for SUSE-SU-2017:3059-1", url: "https://www.suse.com/support/update/announcement/2017/suse-su-20173059-1/", }, { category: "self", summary: "E-Mail link for SUSE-SU-2017:3059-1", url: "https://lists.suse.com/pipermail/sle-security-updates/2017-November/003405.html", }, { category: "self", summary: "SUSE Bug 1042910", url: "https://bugzilla.suse.com/1042910", }, { category: "self", summary: "SUSE Bug 1053352", url: "https://bugzilla.suse.com/1053352", }, { category: "self", summary: "SUSE Bug 1059551", url: "https://bugzilla.suse.com/1059551", }, { category: "self", summary: "SUSE Bug 1059554", url: "https://bugzilla.suse.com/1059554", }, { category: "self", summary: "SUSE Bug 977410", url: "https://bugzilla.suse.com/977410", }, { category: "self", summary: "SUSE CVE CVE-2017-12615 page", url: "https://www.suse.com/security/cve/CVE-2017-12615/", }, { category: "self", summary: "SUSE CVE CVE-2017-12616 page", url: "https://www.suse.com/security/cve/CVE-2017-12616/", }, { category: "self", summary: "SUSE CVE CVE-2017-12617 page", url: "https://www.suse.com/security/cve/CVE-2017-12617/", }, { category: "self", summary: "SUSE CVE CVE-2017-5664 page", url: "https://www.suse.com/security/cve/CVE-2017-5664/", }, { category: "self", summary: "SUSE CVE CVE-2017-7674 page", url: "https://www.suse.com/security/cve/CVE-2017-7674/", }, ], title: "Security update for tomcat", tracking: { current_release_date: "2017-11-23T16:16:52Z", generator: { date: "2017-11-23T16:16:52Z", engine: { name: "cve-database.git:bin/generate-csaf.pl", version: "1", }, }, id: "SUSE-SU-2017:3059-1", initial_release_date: "2017-11-23T16:16:52Z", revision_history: [ { date: "2017-11-23T16:16:52Z", number: "1", summary: "Current version", }, ], status: "final", version: "1", }, }, product_tree: { branches: [ { branches: [ { branches: [ { category: "product_version", name: "tomcat-7.0.82-7.16.1.noarch", product: { name: "tomcat-7.0.82-7.16.1.noarch", product_id: "tomcat-7.0.82-7.16.1.noarch", }, }, { category: "product_version", name: "tomcat-admin-webapps-7.0.82-7.16.1.noarch", product: { name: "tomcat-admin-webapps-7.0.82-7.16.1.noarch", product_id: "tomcat-admin-webapps-7.0.82-7.16.1.noarch", }, }, { category: "product_version", name: "tomcat-docs-webapp-7.0.82-7.16.1.noarch", product: { name: "tomcat-docs-webapp-7.0.82-7.16.1.noarch", product_id: "tomcat-docs-webapp-7.0.82-7.16.1.noarch", }, }, { category: "product_version", name: "tomcat-el-2_2-api-7.0.82-7.16.1.noarch", product: { name: "tomcat-el-2_2-api-7.0.82-7.16.1.noarch", product_id: "tomcat-el-2_2-api-7.0.82-7.16.1.noarch", }, }, { category: "product_version", name: "tomcat-javadoc-7.0.82-7.16.1.noarch", product: { name: "tomcat-javadoc-7.0.82-7.16.1.noarch", product_id: "tomcat-javadoc-7.0.82-7.16.1.noarch", }, }, { category: "product_version", name: "tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", product: { name: "tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", product_id: "tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", }, }, { category: "product_version", name: "tomcat-lib-7.0.82-7.16.1.noarch", product: { name: "tomcat-lib-7.0.82-7.16.1.noarch", product_id: "tomcat-lib-7.0.82-7.16.1.noarch", }, }, { category: "product_version", name: "tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", product: { name: "tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", product_id: "tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", }, }, { category: "product_version", name: "tomcat-webapps-7.0.82-7.16.1.noarch", product: { name: "tomcat-webapps-7.0.82-7.16.1.noarch", product_id: "tomcat-webapps-7.0.82-7.16.1.noarch", }, }, ], category: "architecture", name: "noarch", }, { branches: [ { category: "product_name", name: "SUSE Linux Enterprise Server 12-LTSS", product: { name: "SUSE Linux Enterprise Server 12-LTSS", product_id: "SUSE Linux Enterprise Server 12-LTSS", product_identification_helper: { cpe: "cpe:/o:suse:sles-ltss:12", }, }, }, ], category: "product_family", name: "SUSE Linux Enterprise", }, ], category: "vendor", name: "SUSE", }, ], relationships: [ { category: "default_component_of", full_product_name: { name: "tomcat-7.0.82-7.16.1.noarch as component of SUSE Linux Enterprise Server 12-LTSS", product_id: "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", }, product_reference: "tomcat-7.0.82-7.16.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 12-LTSS", }, { category: "default_component_of", full_product_name: { name: "tomcat-admin-webapps-7.0.82-7.16.1.noarch as component of SUSE Linux Enterprise Server 12-LTSS", product_id: "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", }, product_reference: "tomcat-admin-webapps-7.0.82-7.16.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 12-LTSS", }, { category: "default_component_of", full_product_name: { name: "tomcat-docs-webapp-7.0.82-7.16.1.noarch as component of SUSE Linux Enterprise Server 12-LTSS", product_id: "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", }, product_reference: "tomcat-docs-webapp-7.0.82-7.16.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 12-LTSS", }, { category: "default_component_of", full_product_name: { name: "tomcat-el-2_2-api-7.0.82-7.16.1.noarch as component of SUSE Linux Enterprise Server 12-LTSS", product_id: "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", }, product_reference: "tomcat-el-2_2-api-7.0.82-7.16.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 12-LTSS", }, { category: "default_component_of", full_product_name: { name: "tomcat-javadoc-7.0.82-7.16.1.noarch as component of SUSE Linux Enterprise Server 12-LTSS", product_id: "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", }, product_reference: "tomcat-javadoc-7.0.82-7.16.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 12-LTSS", }, { category: "default_component_of", full_product_name: { name: "tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch as component of SUSE Linux Enterprise Server 12-LTSS", product_id: "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", }, product_reference: "tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 12-LTSS", }, { category: "default_component_of", full_product_name: { name: "tomcat-lib-7.0.82-7.16.1.noarch as component of SUSE Linux Enterprise Server 12-LTSS", product_id: "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", }, product_reference: "tomcat-lib-7.0.82-7.16.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 12-LTSS", }, { category: "default_component_of", full_product_name: { name: "tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch as component of SUSE Linux Enterprise Server 12-LTSS", product_id: "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", }, product_reference: "tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 12-LTSS", }, { category: "default_component_of", full_product_name: { name: "tomcat-webapps-7.0.82-7.16.1.noarch as component of SUSE Linux Enterprise Server 12-LTSS", product_id: "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", }, product_reference: "tomcat-webapps-7.0.82-7.16.1.noarch", relates_to_product_reference: "SUSE Linux Enterprise Server 12-LTSS", }, ], }, vulnerabilities: [ { cve: "CVE-2017-12615", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-12615", }, ], notes: [ { category: "general", text: "When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-12615", url: "https://www.suse.com/security/cve/CVE-2017-12615", }, { category: "external", summary: "SUSE Bug 1059554 for CVE-2017-12615", url: "https://bugzilla.suse.com/1059554", }, { category: "external", summary: "SUSE Bug 1180947 for CVE-2017-12615", url: "https://bugzilla.suse.com/1180947", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 8.1, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, ], threats: [ { category: "impact", date: "2017-11-23T16:16:52Z", details: "moderate", }, ], title: "CVE-2017-12615", }, { cve: "CVE-2017-12616", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-12616", }, ], notes: [ { category: "general", text: "When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-12616", url: "https://www.suse.com/security/cve/CVE-2017-12616", }, { category: "external", summary: "SUSE Bug 1059551 for CVE-2017-12616", url: "https://bugzilla.suse.com/1059551", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.3, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", version: "3.0", }, products: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, ], threats: [ { category: "impact", date: "2017-11-23T16:16:52Z", details: "moderate", }, ], title: "CVE-2017-12616", }, { cve: "CVE-2017-12617", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-12617", }, ], notes: [ { category: "general", text: "When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-12617", url: "https://www.suse.com/security/cve/CVE-2017-12617", }, { category: "external", summary: "SUSE Bug 1059554 for CVE-2017-12617", url: "https://bugzilla.suse.com/1059554", }, { category: "external", summary: "SUSE Bug 1062607 for CVE-2017-12617", url: "https://bugzilla.suse.com/1062607", }, { category: "external", summary: "SUSE Bug 1180947 for CVE-2017-12617", url: "https://bugzilla.suse.com/1180947", }, { category: "external", summary: "SUSE Bug 1189861 for CVE-2017-12617", url: "https://bugzilla.suse.com/1189861", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 9.8, baseSeverity: "CRITICAL", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", version: "3.0", }, products: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, ], threats: [ { category: "impact", date: "2017-11-23T16:16:52Z", details: "moderate", }, ], title: "CVE-2017-12617", }, { cve: "CVE-2017-5664", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-5664", }, ], notes: [ { category: "general", text: "The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-5664", url: "https://www.suse.com/security/cve/CVE-2017-5664", }, { category: "external", summary: "SUSE Bug 1042910 for CVE-2017-5664", url: "https://bugzilla.suse.com/1042910", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 7.5, baseSeverity: "HIGH", vectorString: "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", version: "3.0", }, products: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, ], threats: [ { category: "impact", date: "2017-11-23T16:16:52Z", details: "important", }, ], title: "CVE-2017-5664", }, { cve: "CVE-2017-7674", ids: [ { system_name: "SUSE CVE Page", text: "https://www.suse.com/security/cve/CVE-2017-7674", }, ], notes: [ { category: "general", text: "The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.", title: "CVE description", }, ], product_status: { recommended: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, references: [ { category: "external", summary: "CVE-2017-7674", url: "https://www.suse.com/security/cve/CVE-2017-7674", }, { category: "external", summary: "SUSE Bug 1053352 for CVE-2017-7674", url: "https://bugzilla.suse.com/1053352", }, ], remediations: [ { category: "vendor_fix", details: "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n", product_ids: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, ], scores: [ { cvss_v3: { baseScore: 5.6, baseSeverity: "MEDIUM", vectorString: "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L", version: "3.0", }, products: [ "SUSE Linux Enterprise Server 12-LTSS:tomcat-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-admin-webapps-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-docs-webapp-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-el-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-javadoc-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-jsp-2_2-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-lib-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-servlet-3_0-api-7.0.82-7.16.1.noarch", "SUSE Linux Enterprise Server 12-LTSS:tomcat-webapps-7.0.82-7.16.1.noarch", ], }, ], threats: [ { category: "impact", date: "2017-11-23T16:16:52Z", details: "moderate", }, ], title: "CVE-2017-7674", }, ], }
Log in or create an account to share your comment.
Security Advisory comment format.
This schema specifies the format of a comment related to a security advisory.
Title of the comment
Description of the comment
Loading…
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.