【CEBA-2016:2045】An update for tomcat6 is now available for Red Hat Enterprise Linux 6


An update for tomcat6 is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages
(JSP) technologies.

Security Fix(es):

* It was discovered that the Tomcat packages installed certain configuration
files read by the Tomcat initialization script as writeable to the tomcat group.
A member of the group or a malicious web application deployed on Tomcat could
use this flaw to escalate their privileges. (CVE-2016-6325)
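
The condition behind CVE-2016-6325 is an ordinary permission check that an administrator can repeat on an installed system. The script below is an added example, not part of this advisory or of the tomcat6 packages: it lists regular files under a directory that carry the group-write bit, and its demo function builds a constructed temporary tree (the file names are made up) so the check can be exercised without a Tomcat installation. Which directory holds the files read by the initialization script on a given host is left as an assumption to be supplied by the administrator.

```shell
#!/bin/sh
# Added example, not from the advisory or the tomcat6 packages.
# Report regular files below a directory that are group-writable, the
# condition described for CVE-2016-6325. Which directory holds the files
# read by the init script is an assumption; pass it as $1.

# Print, sorted, every regular file under $1 whose group-write bit is set.
find_group_writable() {
    find "$1" -type f -perm -g+w -print | sort
}

# Constructed demo tree so the check runs offline: one file is made
# group-writable on purpose so the report has something to show.
# The file names are made up for the demo.
demo_group_writable() {
    tmp=$(mktemp -d) || return 1
    printf 'JAVA_OPTS=""\n' > "$tmp/tomcat6.conf"
    printf '<Server/>\n' > "$tmp/server.xml"
    chmod 0664 "$tmp/tomcat6.conf"   # group-writable: should be flagged
    chmod 0640 "$tmp/server.xml"     # group read-only: should not
    find_group_writable "$tmp" | sed "s|^$tmp/||"
    rm -rf "$tmp"
}

# Usage on a real host (directory path is a placeholder):
#   find_group_writable /path/to/tomcat-config
```

On a patched system the report for the configuration directory should be empty; any file it lists is one that a member of the tomcat group could alter before the init script reads it.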

* It was found that several Tomcat session persistence mechanisms could allow a
remote, authenticated user to bypass intended SecurityManager restrictions and
execute arbitrary code in a privileged context via a web application that placed
a crafted object in a session. (CVE-2016-0714)

* It was discovered that Tomcat used the value of the Proxy header from HTTP
requests to initialize the HTTP_PROXY environment variable for CGI scripts,
which in turn was incorrectly used by certain HTTP client implementations to
configure the proxy for outgoing HTTP requests. A remote attacker could possibly
use this flaw to redirect HTTP requests performed by a CGI script to an
attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)
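
Under the CGI specification the server exposes request headers to the script as HTTP_* environment variables, which is how a client-supplied Proxy header ends up as HTTP_PROXY. Besides applying the update, a CGI script that makes outgoing HTTP requests can refuse to honour that variable when it was set by the request. The following prelude is an added example, not code from the advisory or from Tomcat: it uses GATEWAY_INTERFACE, which the server sets for every CGI invocation, to tell a request-supplied HTTP_PROXY from one an administrator set in the service environment, and the demo function constructs a fake CGI environment (the proxy URL is made up) to show the effect.

```shell
#!/bin/sh
# Added example, not from the advisory or from Tomcat.
# Defensive prelude for a CGI script: drop HTTP_PROXY when it can only
# have come from the request's Proxy header (CVE-2016-5388), so that no
# HTTP client started by this script picks it up as its proxy setting.

# Returns 0 after unsetting HTTP_PROXY when running under CGI (the server
# sets GATEWAY_INTERFACE for every CGI invocation). Outside CGI the value
# may be a legitimate administrator setting, so it is left alone and the
# function returns 1.
drop_request_supplied_proxy() {
    if [ -n "${GATEWAY_INTERFACE:-}" ] && [ -n "${HTTP_PROXY:-}" ]; then
        unset HTTP_PROXY
        return 0
    fi
    return 1
}

# Constructed check: simulate a CGI invocation whose request carried a
# Proxy header. Prints "<return status>|<HTTP_PROXY or 'unset'>".
demo_cgi_request() {
    GATEWAY_INTERFACE="CGI/1.1"; export GATEWAY_INTERFACE
    HTTP_PROXY="http://proxy.example:8080"; export HTTP_PROXY   # made-up value
    drop_request_supplied_proxy
    status=$?
    printf '%s|%s\n' "$status" "${HTTP_PROXY:-unset}"
}

# In a real CGI script, call it before any curl/wget/etc. invocation:
#   drop_request_supplied_proxy || :
```

The `|| :` in the usage line keeps a script that runs with `set -e` from aborting when the function reports that nothing needed to be dropped.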

* A directory traversal flaw was found in Tomcat’s RequestUtil.java. A remote,
authenticated user could use this flaw to bypass intended SecurityManager
restrictions and list a parent directory via a ‘/..’ in a pathname used by a web
application in a getResource, getResourceAsStream, or getResourcePaths call, as
demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)

* It was found that Tomcat could reveal the presence of a directory even when
that directory was protected by a security constraint. A user could make a
request to a directory via a URL not ending with a slash and, depending on
whether Tomcat redirected that request, could confirm whether that directory
existed. (CVE-2015-5345)

* It was found that Tomcat allowed the StatusManagerServlet to be loaded by a
web application when a security manager was configured. This allowed a web
application to list all deployed web applications and expose sensitive
information such as session IDs. (CVE-2016-0706)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388.
The CVE-2016-6325 issue was discovered by Red Hat Product Security.

Bug Fix(es):

* Due to a bug in the tomcat6 spec file, the catalina.out file’s md5sum, size,
and mtime attributes were compared to the file’s attributes at installation
time. Because these attributes change after the service is started, the “rpm -V”
command previously failed. With this update, the attributes mentioned above are
ignored in the RPM verification and the catalina.out file now passes the
verification check. (BZ#1357123)
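
The attributes named above correspond to columns of the `rpm -V` output: S for size, 5 for the digest and T for mtime, with a dot where the attribute is unchanged. The script below is an added example, not from the advisory or the package: it decodes those columns and applies an ignore list in the spirit of the fix, so that differences that are expected for a file (the three attributes of catalina.out) are dropped while differences on other files are still reported. The sample output lines are constructed to resemble the symptom; the paths other than catalina.out are placeholders, not real package contents.

```shell
#!/bin/sh
# Added example, not from the advisory or the tomcat6 package.
# Decode "rpm -V" lines: a nine-column attribute field (S size, M mode,
# 5 digest, D device, L link, U user, G group, T mtime, P capabilities;
# "." = unchanged), an optional file-type tag (c config, d doc, g ghost,
# l license, r readme), then the path.

# Constructed sample in "rpm -V" format; not captured from a real host.
# Only the catalina.out path comes from the advisory.
SAMPLE_RPM_V='S.5....T.    /var/log/tomcat6/catalina.out
S.5....T.  c /etc/example/app.conf
..5......    /usr/bin/example-daemon'

# Attributes that are expected to differ for a path ("path attr ..."),
# mirroring what the fix does for the log file.
IGNORE_LIST='/var/log/tomcat6/catalina.out size digest mtime'

# Map an attribute field such as "S.5....T." to attribute names.
attr_names() {
    s=$1; names=""; i=1
    while [ -n "$s" ]; do
        c=${s%"${s#?}"}   # first character of the remaining field
        s=${s#?}
        case "$i$c" in
            1S) names="$names size" ;;
            2M) names="$names mode" ;;
            35) names="$names digest" ;;
            4D) names="$names device" ;;
            5L) names="$names link" ;;
            6U) names="$names user" ;;
            7G) names="$names group" ;;
            8T) names="$names mtime" ;;
            9P) names="$names caps" ;;
        esac
        i=$((i + 1))
    done
    printf '%s' "${names# }"
}

# Read "rpm -V" lines on stdin and print "path: attr ..." for each
# difference that the ignore list does not explain away.
report_rpm_v() {
    while read -r attrs rest; do
        path=${rest##* }          # "rest" is "path" or "<tag> path"
        failed=$(attr_names "$attrs")
        ignored=$(printf '%s\n' "$IGNORE_LIST" |
            awk -v p="$path" '$1 == p { $1 = ""; print substr($0, 2) }')
        out=""
        for a in $failed; do
            case " $ignored " in
                *" $a "*) ;;          # expected to differ for this path
                *) out="$out $a" ;;
            esac
        done
        if [ -n "$out" ]; then printf '%s:%s\n' "$path" "$out"; fi
    done
}

# Run the report over the constructed sample.
demo_report() {
    printf '%s\n' "$SAMPLE_RPM_V" | report_rpm_v
}

# Real use: rpm -V tomcat6 | report_rpm_v
```

With the sample input, the catalina.out line is silenced because all three of its differences are on the ignore list, while the placeholder config file and binary are still reported; a digest change on a binary is the kind of difference that `rpm -V` exists to surface.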

Bugs Fixed

1265698 – CVE-2015-5174 tomcat: URL Normalization issue
1311082 – CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
1311087 – CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
1311089 – CVE-2015-5345 tomcat: directory disclosure
1353809 – CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
1357123 – rpm -V tomcat6 fails due on /var/log/tomcat6/catalina.out [rhel-6.8.z]
1367447 – CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
