ID

VAR-201703-0328


CVE

CVE-2016-6816


TITLE

Apache Tomcat Updates for multiple vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2016-007656

DESCRIPTION

The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.

The Apache Software Foundation has released Apache Tomcat updates that address the following vulnerabilities:

* HTTP response falsification (CVE-2016-6816)
* Service operation interruption (DoS) (CVE-2016-6817)
* Arbitrary code execution (CVE-2016-8735)

The expected impact varies by vulnerability, but may include information leakage, service operation interruption (DoS), and arbitrary code execution.

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: tomcat6 security update
Advisory ID: RHSA-2017:0527-01
Product: Red Hat Enterprise Linux
Advisory URL: https://rhn.redhat.com/errata/RHSA-2017-0527.html
Issue date: 2017-03-15
CVE Names: CVE-2016-6816 CVE-2016-8745
=====================================================================

1. Summary:

An update for tomcat6 is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop Optional (v. 6) - noarch
Red Hat Enterprise Linux HPC Node Optional (v. 6) - noarch
Red Hat Enterprise Linux Server (v. 6) - noarch
Red Hat Enterprise Linux Server Optional (v. 6) - noarch
Red Hat Enterprise Linux Workstation (v. 6) - noarch
Red Hat Enterprise Linux Workstation Optional (v. 6) - noarch

3. Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

The newly introduced system property tomcat.util.http.parser.HttpParser.requestTargetAllow can be used to configure Tomcat to accept curly braces ({ and }) and the pipe symbol (|) in not encoded form, as these are often used in URLs without being properly encoded.

* A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body. (CVE-2016-8745)

4. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Package List:

Red Hat Enterprise Linux Desktop Optional (v. 6):

Source:
tomcat6-6.0.24-105.el6_8.src.rpm

noarch:
tomcat6-6.0.24-105.el6_8.noarch.rpm
tomcat6-admin-webapps-6.0.24-105.el6_8.noarch.rpm
tomcat6-docs-webapp-6.0.24-105.el6_8.noarch.rpm
tomcat6-el-2.1-api-6.0.24-105.el6_8.noarch.rpm
tomcat6-javadoc-6.0.24-105.el6_8.noarch.rpm
tomcat6-jsp-2.1-api-6.0.24-105.el6_8.noarch.rpm
tomcat6-lib-6.0.24-105.el6_8.noarch.rpm
tomcat6-servlet-2.5-api-6.0.24-105.el6_8.noarch.rpm
tomcat6-webapps-6.0.24-105.el6_8.noarch.rpm

Red Hat Enterprise Linux HPC Node Optional (v. 6):

Source:
tomcat6-6.0.24-105.el6_8.src.rpm

noarch:
tomcat6-6.0.24-105.el6_8.noarch.rpm
tomcat6-admin-webapps-6.0.24-105.el6_8.noarch.rpm
tomcat6-docs-webapp-6.0.24-105.el6_8.noarch.rpm
tomcat6-el-2.1-api-6.0.24-105.el6_8.noarch.rpm
tomcat6-javadoc-6.0.24-105.el6_8.noarch.rpm
tomcat6-jsp-2.1-api-6.0.24-105.el6_8.noarch.rpm
tomcat6-lib-6.0.24-105.el6_8.noarch.rpm
tomcat6-servlet-2.5-api-6.0.24-105.el6_8.noarch.rpm
tomcat6-webapps-6.0.24-105.el6_8.noarch.rpm

Red Hat Enterprise Linux Server (v. 6):

Source:
tomcat6-6.0.24-105.el6_8.src.rpm

noarch:
tomcat6-6.0.24-105.el6_8.noarch.rpm
tomcat6-el-2.1-api-6.0.24-105.el6_8.noarch.rpm
tomcat6-jsp-2.1-api-6.0.24-105.el6_8.noarch.rpm
tomcat6-lib-6.0.24-105.el6_8.noarch.rpm
tomcat6-servlet-2.5-api-6.0.24-105.el6_8.noarch.rpm

Red Hat Enterprise Linux Server Optional (v. 6):

Source:
tomcat6-6.0.24-105.el6_8.src.rpm

noarch:
tomcat6-admin-webapps-6.0.24-105.el6_8.noarch.rpm
tomcat6-docs-webapp-6.0.24-105.el6_8.noarch.rpm
tomcat6-javadoc-6.0.24-105.el6_8.noarch.rpm
tomcat6-webapps-6.0.24-105.el6_8.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 6):

Source:
tomcat6-6.0.24-105.el6_8.src.rpm

noarch:
tomcat6-6.0.24-105.el6_8.noarch.rpm
tomcat6-el-2.1-api-6.0.24-105.el6_8.noarch.rpm
tomcat6-jsp-2.1-api-6.0.24-105.el6_8.noarch.rpm
tomcat6-lib-6.0.24-105.el6_8.noarch.rpm
tomcat6-servlet-2.5-api-6.0.24-105.el6_8.noarch.rpm

Red Hat Enterprise Linux Workstation Optional (v. 6):

Source:
tomcat6-6.0.24-105.el6_8.src.rpm

noarch:
tomcat6-admin-webapps-6.0.24-105.el6_8.noarch.rpm
tomcat6-docs-webapp-6.0.24-105.el6_8.noarch.rpm
tomcat6-javadoc-6.0.24-105.el6_8.noarch.rpm
tomcat6-webapps-6.0.24-105.el6_8.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2016-6816
https://access.redhat.com/security/cve/CVE-2016-8745
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2017 Red Hat, Inc.

=====================================================================
Note: the current version of the following document is available here: https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/KM03302206

SUPPORT COMMUNICATION - SECURITY BULLETIN

Document ID: KM03302206
Version: 1

MFSBGN03837 rev.1 - Network Node Manager i, Multiple Vulnerabilities

NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.

Release Date: 2018-12-12
Last Updated: 2018-12-12

Potential Security Impact: Remote: Cross-Site Scripting (XSS), Disclosure of Information

Source: Micro Focus, Product Security Response Team

VULNERABILITY SUMMARY

A vulnerability in Apache Tomcat was addressed by Micro Focus Network Node Manager i. The vulnerability could be exploited to allow Remote Cross-Site Scripting (XSS) and Remote Disclosure of Information.

References:

- PSRT110650
- CVE-2016-6816
- CVE-2017-5664

SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
- HPE Network Node Manager I (NNMi) Software 9.2x, 10.0x, 10.00 Patch 1, 10.00 Patch 2, 10.00 Patch 3, 10.00 Patch 4, 10.00 Patch 5, 10.1x, 10.10 Patch 1, 10.10 Patch 2, 10.10 Patch 3, 10.10 Patch 4, 10.2x, 10.20 Patch 1, 10.20 Patch 2, 10.20 Patch 3, 10.30, 10.30 Patch 1

RESOLUTION

Micro Focus has made the following software updates and mitigation information to resolve the vulnerability in Micro Focus Network Node Manager i:

Customers using v9.X must upgrade to v10.x and then install the patch below.

Patches are available to address the vulnerabilities:

For v10.0x: Network Node Manager i 10.00 Patch 8
Linux: https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03139745
Windows: https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03139763

For v10.1x: Network Node Manager i 10.10 Patch 7
Linux: https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03139729
Windows: https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03139781

For v10.2x: Network Node Manager i 10.20 Patch 6
Linux: https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03139701
Windows: https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03139715

For v10.3x: Network Node Manager i 10.30 Patch 2
Linux: https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03139685
Windows: https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/-/facetsearch/document/KM03139693

HISTORY

Version:1 (rev.1) - 12 December 2018 Initial release

=====================================================================
Description:

The jboss-ec2-eap package provides scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services (AWS) Elastic Compute Cloud (EC2).

Security Fix(es):

* It was discovered that the jboss init script performed unsafe file handling which could result in local privilege escalation. (CVE-2016-6816)

* An EAP feature to download server log files allows logs to be available via GET requests making them vulnerable to cross-origin attacks. An attacker could trigger the user's browser to request the log files consuming enough resources that normal server functioning could be impaired. (CVE-2016-8627)

* It was discovered that when configuring RBAC and marking information as sensitive, users with a Monitor role are able to view the sensitive information.

===========================================================================
Ubuntu Security Notice USN-3177-2
February 02, 2017

tomcat6, tomcat7 regression
===========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 14.04 LTS
- Ubuntu 12.04 LTS

Summary:

USN-3177-1 introduced a regression in Tomcat. The update introduced a regression in environments where Tomcat is started with a security manager. This update fixes the problem.

We apologize for the inconvenience.
Original advisory details:

It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn't exist. A remote attacker could possibly use this issue to enumerate usernames. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-0762)

Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5018)

It was discovered that Tomcat did not protect applications from untrusted data in the HTTP_PROXY environment variable. A remote attacker could possibly use this issue to redirect outbound traffic to an arbitrary proxy server. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5388)

It was discovered that Tomcat incorrectly controlled reading system properties. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6794)

It was discovered that Tomcat incorrectly controlled certain configuration parameters. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6796)

It was discovered that Tomcat incorrectly limited access to global JNDI resources. A malicious application could use this to access any global JNDI resource without an explicit ResourceLink. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6816)

Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener did not implement a recommended fix. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2016-8745)

Paul Szabo discovered that the Tomcat package incorrectly handled upgrades and removals. A local attacker could possibly use this issue to obtain root privileges. (CVE-2016-9774, CVE-2016-9775)

Update instructions:

The problem can be corrected by updating your system to the following package versions:

Ubuntu 14.04 LTS:
  libtomcat7-java 7.0.52-1ubuntu0.9
  tomcat7 7.0.52-1ubuntu0.9

Ubuntu 12.04 LTS:
  libtomcat6-java 6.0.35-1ubuntu3.10
  tomcat6 6.0.35-1ubuntu3.10

In general, a standard system update will make all the necessary changes.

The References section of this erratum contains a download link (you must log in to download the update)

Trust: 2.34

sources: NVD: CVE-2016-6816 // JVNDB: JVNDB-2016-007656 // VULMON: CVE-2016-6816 // PACKETSTORM: 140692 // PACKETSTORM: 141637 // PACKETSTORM: 150775 // PACKETSTORM: 140918 // PACKETSTORM: 159413 // PACKETSTORM: 140905 // PACKETSTORM: 140915

AFFECTED PRODUCTS

vendor | model | scope | version | Trust
apache | tomcat | eq | 9.0.0 | 1.6
apache | tomcat | eq | 6.0.18 | 1.0
apache | tomcat | eq | 6.0.12 | 1.0
apache | tomcat | eq | 8.0.8 | 1.0
apache | tomcat | eq | 8.0.10 | 1.0
apache | tomcat | eq | 8.5.2 | 1.0
apache | tomcat | eq | 6.0.28 | 1.0
apache | tomcat | eq | 6.0.39 | 1.0
apache | tomcat | eq | 7.0.68 | 1.0
apache | tomcat | eq | 8.0.18 | 1.0
apache | tomcat | eq | 6.0.20 | 1.0
apache | tomcat | eq | 6.0.42 | 1.0
apache | tomcat | eq | 8.0.34 | 1.0
apache | tomcat | eq | 8.5.1 | 1.0
apache | tomcat | eq | 8.5.3 | 1.0
apache | tomcat | eq | 7.0.60 | 1.0
apache | tomcat | eq | 7.0.70 | 1.0
apache | tomcat | eq | 6.0.10 | 1.0
apache | tomcat | eq | 7.0.30 | 1.0
apache | tomcat | eq | 8.0.6 | 1.0
apache | tomcat | eq | 7.0.2 | 1.0
apache | tomcat | eq | 7.0.67 | 1.0
apache | tomcat | eq | 8.0.14 | 1.0
apache | tomcat | eq | 6.0.33 | 1.0
apache | tomcat | eq | 6.0.19 | 1.0
apache | tomcat | eq | 6.0.47 | 1.0
apache | tomcat | eq | 7.0.64 | 1.0
apache | tomcat | eq | 7.0.66 | 1.0
apache | tomcat | eq | 8.0.1 | 1.0
apache | tomcat | eq | 7.0.56 | 1.0
apache | tomcat | eq | 7.0.69 | 1.0
apache | tomcat | eq | 8.0.5 | 1.0
apache | tomcat | eq | 7.0.54 | 1.0
apache | tomcat | eq | 7.0.61 | 1.0
apache | tomcat | eq | 8.0.27 | 1.0
apache | tomcat | eq | 6.0.4 | 1.0
apache | tomcat | eq | 6.0.17 | 1.0
apache | tomcat | eq | 6.0.7 | 1.0
apache | tomcat | eq | 8.0.3 | 1.0
apache | tomcat | eq | 7.0.72 | 1.0
apache | tomcat | eq | 8.0.29 | 1.0
apache | tomcat | eq | 7.0.5 | 1.0
apache | tomcat | eq | 8.0.33 | 1.0
apache | tomcat | eq | 8.0.37 | 1.0
apache | tomcat | eq | 8.0.17 | 1.0
apache | tomcat | eq | 7.0.41 | 1.0
apache | tomcat | eq | 6.0.37 | 1.0
apache | tomcat | eq | 8.0.26 | 1.0
apache | tomcat | eq | 8.0.21 | 1.0
apache | tomcat | eq | 8.0.9 | 1.0
apache | tomcat | eq | 7.0.53 | 1.0
apache | tomcat | eq | 7.0.63 | 1.0
apache | tomcat | eq | 7.0.62 | 1.0
apache | tomcat | eq | 6.0.38 | 1.0
apache | tomcat | eq | 7.0.15 | 1.0
apache | tomcat | eq | 7.0.20 | 1.0
apache | tomcat | eq | 7.0.27 | 1.0
apache | tomcat | eq | 6.0.3 | 1.0
apache | tomcat | eq | 7.0.45 | 1.0
apache | tomcat | eq | 7.0.19 | 1.0
apache | tomcat | eq | 6.0.16 | 1.0
apache | tomcat | eq | 8.0.16 | 1.0
apache | tomcat | eq | 7.0.71 | 1.0
apache | tomcat | eq | 6.0.29 | 1.0
apache | tomcat | eq | 6.0.9 | 1.0
apache | tomcat | eq | 7.0.29 | 1.0
apache | tomcat | eq | 8.0.28 | 1.0
apache | tomcat | eq | 7.0.65 | 1.0
apache | tomcat | eq | 7.0.17 | 1.0
apache | tomcat | eq | 6.0.15 | 1.0
apache | tomcat | eq | 8.0.19 | 1.0
apache | tomcat | eq | 6.0.2 | 1.0
apache | tomcat | eq | 6.0.11 | 1.0
apache | tomcat | eq | 7.0.16 | 1.0
apache | tomcat | eq | 7.0.18 | 1.0
apache | tomcat | eq | 8.0.22 | 1.0
apache | tomcat | eq | 7.0.38 | 1.0
apache | tomcat | eq | 6.0.0 | 1.0
apache | tomcat | eq | 6.0.8 | 1.0
apache | tomcat | eq | 7.0.25 | 1.0
apache | tomcat | eq | 7.0.49 | 1.0
apache | tomcat | eq | 6.0.22 | 1.0
apache | tomcat | eq | 6.0.14 | 1.0
apache | tomcat | eq | 6.0.27 | 1.0
apache | tomcat | eq | 7.0.50 | 1.0
apache | tomcat | eq | 8.0.32 | 1.0
apache | tomcat | eq | 8.5.5 | 1.0
apache | tomcat | eq | 6.0.23 | 1.0
apache | tomcat | eq | 8.0.0 | 1.0
apache | tomcat | eq | 7.0.3 | 1.0
apache | tomcat | eq | 8.0.30 | 1.0
apache | tomcat | eq | 7.0.10 | 1.0
apache | tomcat | eq | 6.0.1 | 1.0
apache | tomcat | eq | 8.0.13 | 1.0
apache | tomcat | eq | 7.0.26 | 1.0
apache | tomcat | eq | 7.0.55 | 1.0
apache | tomcat | eq | 7.0.21 | 1.0
apache | tomcat | eq | 6.0.43 | 1.0
apache | tomcat | eq | 7.0.11 | 1.0
apache | tomcat | eq | 7.0.22 | 1.0
apache | tomcat | eq | 8.0.2 | 1.0
apache | tomcat | eq | 6.0.13 | 1.0
apache | tomcat | eq | 6.0.36 | 1.0
apache | tomcat | eq | 6.0.44 | 1.0
apache | tomcat | eq | 6.0.24 | 1.0
apache | tomcat | eq | 8.0.36 | 1.0
apache | tomcat | eq | 6.0.6 | 1.0
apache | tomcat | eq | 6.0.30 | 1.0
apache | tomcat | eq | 8.0.20 | 1.0
apache | tomcat | eq | 7.0.7 | 1.0
apache | tomcat | eq | 7.0.43 | 1.0
apache | tomcat | eq | 7.0.57 | 1.0
apache | tomcat | eq | 6.0.5 | 1.0
apache | tomcat | eq | 8.0.24 | 1.0
apache | tomcat | eq | 7.0.58 | 1.0
apache | tomcat | eq | 7.0.13 | 1.0
apache | tomcat | eq | 8.0.35 | 1.0
apache | tomcat | eq | 6.0.40 | 1.0
apache | tomcat | eq | 7.0.0 | 1.0
apache | tomcat | eq | 8.0.25 | 1.0
apache | tomcat | eq | 6.0.35 | 1.0
apache | tomcat | eq | 7.0.8 | 1.0
apache | tomcat | eq | 8.0.38 | 1.0
apache | tomcat | eq | 8.0.7 | 1.0
apache | tomcat | eq | 8.0.12 | 1.0
apache | tomcat | eq | 7.0.34 | 1.0
apache | tomcat | eq | 7.0.23 | 1.0
apache | tomcat | eq | 7.0.40 | 1.0
apache | tomcat | eq | 7.0.28 | 1.0
apache | tomcat | eq | 7.0.48 | 1.0
apache | tomcat | eq | 8.5.6 | 1.0
apache | tomcat | eq | 6.0.46 | 1.0
apache | tomcat | eq | 7.0.39 | 1.0
apache | tomcat | eq | 6.0.25 | 1.0
apache | tomcat | eq | 7.0.1 | 1.0
apache | tomcat | eq | 6.0.26 | 1.0
apache | tomcat | eq | 8.0.31 | 1.0
apache | tomcat | eq | 8.0.4 | 1.0
apache | tomcat | eq | 7.0.14 | 1.0
apache | tomcat | eq | 7.0.47 | 1.0
apache | tomcat | eq | 6.0.21 | 1.0
apache | tomcat | eq | 7.0.32 | 1.0
apache | tomcat | eq | 8.5.0 | 1.0
apache | tomcat | eq | 7.0.31 | 1.0
apache | tomcat | eq | 7.0.42 | 1.0
apache | tomcat | eq | 8.0.11 | 1.0
apache | tomcat | eq | 6.0.41 | 1.0
apache | tomcat | eq | 6.0.34 | 1.0
apache | tomcat | eq | 7.0.44 | 1.0
apache | tomcat | eq | 7.0.46 | 1.0
apache | tomcat | eq | 8.0.15 | 1.0
apache | tomcat | eq | 7.0.37 | 1.0
apache | tomcat | eq | 8.5.4 | 1.0
apache | tomcat | eq | 8.0.23 | 1.0
apache | tomcat | eq | 7.0.6 | 1.0
apache | tomcat | eq | 6.0.31 | 1.0
apache | tomcat | eq | 7.0.51 | 1.0
apache | tomcat | eq | 7.0.52 | 1.0
apache | tomcat | eq | 7.0.59 | 1.0
apache | tomcat | eq | 7.0.33 | 1.0
apache | tomcat | eq | 6.0.32 | 1.0
apache | tomcat | eq | 7.0.4 | 1.0
apache | tomcat | eq | 7.0.9 | 1.0
apache | tomcat | eq | 6.0.45 | 1.0
apache | tomcat | eq | 7.0.35 | 1.0
apache | tomcat | eq | 7.0.36 | 1.0
apache | tomcat | eq | 7.0.12 | 1.0
apache | tomcat | eq | 7.0.24 | 1.0
apache | tomcat | lte | 6.0.0 from 6.0.47 | 0.8
apache | tomcat | lte | 7.0.0 from 7.0.72 | 0.8
apache | tomcat | lte | 8.0.0.rc1 from 8.0.38 | 0.8
apache | tomcat | lte | 8.5.0 from 8.5.6 | 0.8
apache | tomcat | lte | 9.0.0.m1 from 9.0.0.m11 | 0.8
nec | mailshooter | eq | - | 0.8
nec | simpwright | eq | v6 | 0.8
nec | simpwright | eq | v7 | 0.8
nec | spoolserver series | eq | reportfiling ver5.2 to 6.2 | 0.8
hitachi | cosminexus application server enterprise | eq | version 6 | 0.8
hitachi | cosminexus application server standard | eq | version 6 | 0.8
hitachi | cosminexus application server version 5 | - | - | 0.8
hitachi | cosminexus component container | - | - | 0.8
hitachi | cosminexus developer light version 6 | - | - | 0.8
hitachi | cosminexus developer professional version 6 | - | - | 0.8
hitachi | cosminexus developer standard version 6 | - | - | 0.8
hitachi | cosminexus developer version 5 | - | - | 0.8
hitachi | cosminexus primary server | eq | base version 5 | 0.8
hitachi | cosminexus primary server | eq | base version 6 | 0.8
hitachi | cosminexus primary server | eq | version 6 | 0.8
hitachi | cosminexus studio | eq | light version | 0.8
hitachi | embedded cosminexus server | eq | version 5 | 0.8
hitachi | jp1/cm2/network node manager | - | - | 0.8
hitachi | jp1/network node manager | - | - | 0.8
hitachi | ucosminexus application server | eq | none | 0.8
hitachi | ucosminexus application server | eq | (64) | 0.8
hitachi | ucosminexus application server | eq | -r | 0.8
hitachi | ucosminexus application server | eq | express | 0.8
hitachi | ucosminexus application server | eq | light | 0.8
hitachi | ucosminexus application server | eq | standard-r | 0.8
hitachi | ucosminexus application server enterprise | - | - | 0.8
hitachi | ucosminexus application server smart edition | - | - | 0.8
hitachi | ucosminexus application server standard | - | - | 0.8
hitachi | ucosminexus developer | eq | none | 0.8
hitachi | ucosminexus developer | eq | 01 | 0.8
hitachi | ucosminexus developer | eq | professional | 0.8
hitachi | ucosminexus developer | eq | professional for atm | 0.8
hitachi | ucosminexus developer | eq | professional for plug-in | 0.8
hitachi | ucosminexus developer light | - | - | 0.8
hitachi | ucosminexus developer standard | - | - | 0.8
hitachi | ucosminexus primary server | eq | base | 0.8
hitachi | ucosminexus primary server | eq | base(64) | 0.8
hitachi | ucosminexus service architect | - | - | 0.8
hitachi | ucosminexus service platform | eq | none | 0.8
hitachi | ucosminexus service platform | eq | (64) | 0.8
hitachi | ucosminexus service platform | eq | - messaging | 0.8
hitachi | programming environment for java | - | - | 0.8

sources: CNNVD: CNNVD-201611-610 // JVNDB: JVNDB-2016-007656 // NVD: CVE-2016-6816

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2016-6816
value: HIGH

Trust: 1.0

CNNVD: CNNVD-201611-610
value: HIGH

Trust: 0.6

VULMON: CVE-2016-6816
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2016-6816
severity: MEDIUM
baseScore: 6.8
vectorString: AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector: NETWORK
accessComplexity: MEDIUM
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: PARTIAL
exploitabilityScore: 8.6
impactScore: 6.4
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.1

nvd@nist.gov: CVE-2016-6816
baseSeverity: HIGH
baseScore: 7.1
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: REQUIRED
scope: CHANGED
confidentialityImpact: LOW
integrityImpact: LOW
availabilityImpact: LOW
exploitabilityScore: 2.8
impactScore: 3.7
version: 3.0

Trust: 1.0

sources: VULMON: CVE-2016-6816 // CNNVD: CNNVD-201611-610 // NVD: CVE-2016-6816

PROBLEMTYPE DATA

problemtype:CWE-20

Trust: 1.0

sources: NVD: CVE-2016-6816

THREAT TYPE

remote

Trust: 1.0

sources: PACKETSTORM: 140692 // PACKETSTORM: 150775 // PACKETSTORM: 159413 // PACKETSTORM: 140905 // CNNVD: CNNVD-201611-610

TYPE

input validation error

Trust: 0.6

sources: CNNVD: CNNVD-201611-610

CONFIGURATIONS

sources: JVNDB: JVNDB-2016-007656

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2016-6816

PATCH

title:Fixed in Apache Tomcat 8.0.39url:https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.39

Trust: 0.8

title:Fixed in Apache Tomcat 7.0.73url:https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.73

Trust: 0.8

title:Fixed in Apache Tomcat 6.0.48url:https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48

Trust: 0.8

title:Fixed in Apache Tomcat 9.0.0.M13url:https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.0.M13

Trust: 0.8

title:Fixed in Apache Tomcat 8.5.8url:https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.8

Trust: 0.8

title:hitachi-sec-2017-107url:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2017-107/index.html

Trust: 0.8

title:hitachi-sec-2019-107url:http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-107/index.html

Trust: 0.8

title:NV17-002url:http://jpn.nec.com/security-info/secinfo/nv17-002.html

Trust: 0.8

title:hitachi-sec-2017-107url:http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2017-107/index.html

Trust: 0.8

title:hitachi-sec-2019-107url:http://www.hitachi.co.jp/Prod/comp/soft1/security/info/vuls/hitachi-sec-2019-107/index.html

Trust: 0.8

title:Apache Tomcat Repair measures for security bypass vulnerabilitiesurl:http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=66051

Trust: 0.6

title:Red Hat: Moderate: tomcat6 security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20170527 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: tomcat security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20170935 - Security Advisory

Trust: 0.1

title:Red Hat: Moderate: Red Hat JBoss Enterprise Application Platform security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20170247 - Security Advisory

Trust: 0.1

title:Red Hat: Important: Red Hat JBoss Enterprise Application Platform security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20170245 - Security Advisory

Trust: 0.1

title:Red Hat: Important: jboss-ec2-eap security, bug fix, and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20170250 - Security Advisory

Trust: 0.1

title:Red Hat: Important: Red Hat JBoss Enterprise Application Platform security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20170244 - Security Advisory

Trust: 0.1

title:Red Hat: Important: Red Hat JBoss Enterprise Application Platform security updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20170246 - Security Advisory

Trust: 0.1

title:Red Hat: CVE-2016-6816url:https://vulmon.com/vendoradvisory?qidtp=red_hat_cve_database&qid=CVE-2016-6816

Trust: 0.1

title:Red Hat: Important: Red Hat JBoss Web Server security and enhancement updateurl:https://vulmon.com/vendoradvisory?qidtp=red_hat_security_advisories&qid=RHSA-20170457 - Security Advisory

Trust: 0.1

title:Amazon Linux AMI: ALAS-2017-810url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2017-810

Trust: 0.1

title:Amazon Linux AMI: ALAS-2016-777url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2016-777

Trust: 0.1

title:Amazon Linux AMI: ALAS-2016-778url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2016-778

Trust: 0.1

title:Amazon Linux AMI: ALAS-2016-776url:https://vulmon.com/vendoradvisory?qidtp=amazon_linux_ami&qid=ALAS-2016-776

Trust: 0.1

title:Debian Security Advisories: DSA-3738-1 tomcat7 -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=8828b9876ebd1ef3e89b0ed4e9499abe

Trust: 0.1

title:Debian Security Advisories: DSA-3739-1 tomcat8 -- security updateurl:https://vulmon.com/vendoradvisory?qidtp=debian_security_advisories&qid=98ef9e44fdad2be0b98f03550515e81a

Trust: 0.1

title:Arch Linux Advisories: [ASA-201611-22] tomcat6: multiple issuesurl:https://vulmon.com/vendoradvisory?qidtp=arch_linux_advisories&qid=ASA-201611-22

Trust: 0.1

title:Hitachi Security Advisories: Multiple Vulnerabilities in JP1/Network Node Manager iurl:https://vulmon.com/vendoradvisory?qidtp=hitachi_security_advisories&qid=hitachi-sec-2019-107

Trust: 0.1

title:Ubuntu Security Notice: tomcat6, tomcat7 regressionurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3177-2

Trust: 0.1

title:Debian CVElist Bug Report Logs: CVE-2016-9774: privilege escalation via upgradeurl:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=8cd48a33e8df530a4a18a79eb337a877

Trust: 0.1

title:Debian CVElist Bug Report Logs: CVE-2016-9775: privilege escalation via removalurl:https://vulmon.com/vendoradvisory?qidtp=debian_cvelist_bugreportlogs&qid=e3359df45e6e8201a268a6c465717fa5

Trust: 0.1

title:Ubuntu Security Notice: tomcat6, tomcat7, tomcat8 vulnerabilitiesurl:https://vulmon.com/vendoradvisory?qidtp=ubuntu_security_notice&qid=USN-3177-1

Trust: 0.1

title:Oracle Solaris Third Party Bulletins: Oracle Solaris Third Party Bulletin - January 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_solaris_third_party_bulletins&qid=a2bac27fb002bed513645d4775c7275b

Trust: 0.1

title:Oracle Linux Bulletins: Oracle Linux Bulletin - January 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=ecbe5f193404d1e9c62e8323118ae6cf

Trust: 0.1

title:Oracle Linux Bulletins: Oracle Linux Bulletin - April 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_linux_bulletins&qid=d78b3379ca364568964f30138964c7e7

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - April 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=143b3fb255063c81571469eaa3cf0a87

Trust: 0.1

title:Oracle: Oracle Critical Patch Update Advisory - October 2017url:https://vulmon.com/vendoradvisory?qidtp=oracle_advisories&qid=523d3f220a64ff01dd95e064bd37566a

Trust: 0.1

title:penetration tools Donation Thanks tourl:https://github.com/touchmycrazyredhat/myhktools

Trust: 0.1

title:penetration tools Donation Donation Thanks to The Xianzhi forum recommended this project "2.1.3 Web Framework" myhktoolsurl:https://github.com/hktalent/myhktools

Trust: 0.1

title:A2:2017 Broken Authentication A5:2017 Broken Access Control A3:2017 Sensitive Data Exposure A6:2017 Security Misconfiguration A9:2017 Using Components with Known Vulnerabilities A10:2017 Insufficient Logging & Monitoringurl:https://github.com/ilmari666/cybsec

Trust: 0.1

title:veracode-container-security-finding-parserurl:https://github.com/vincent-deng/veracode-container-security-finding-parser

Trust: 0.1

sources: VULMON: CVE-2016-6816 // CNNVD: CNNVD-201611-610 // JVNDB: JVNDB-2016-007656

EXTERNAL IDS

db:NVDid:CVE-2016-6816

Trust: 3.2

db:BIDid:94461

Trust: 1.7

db:SECTRACKid:1037332

Trust: 1.7

db:EXPLOIT-DBid:41783

Trust: 1.7

db:JVNid:JVNVU92250735

Trust: 0.8

db:JVNDBid:JVNDB-2016-007656

Trust: 0.8

db:PACKETSTORMid:159413

Trust: 0.7

db:AUSCERTid:ESB-2020.3415

Trust: 0.6

db:AUSCERTid:ESB-2019.1276

Trust: 0.6

db:CNNVDid:CNNVD-201611-610

Trust: 0.6

db:VULMONid:CVE-2016-6816

Trust: 0.1

db:PACKETSTORMid:140692

Trust: 0.1

db:PACKETSTORMid:141637

Trust: 0.1

db:PACKETSTORMid:150775

Trust: 0.1

db:PACKETSTORMid:140918

Trust: 0.1

db:PACKETSTORMid:140905

Trust: 0.1

db:PACKETSTORMid:140915

Trust: 0.1

sources: VULMON: CVE-2016-6816 // PACKETSTORM: 140692 // PACKETSTORM: 141637 // PACKETSTORM: 150775 // PACKETSTORM: 140918 // PACKETSTORM: 159413 // PACKETSTORM: 140905 // PACKETSTORM: 140915 // CNNVD: CNNVD-201611-610 // JVNDB: JVNDB-2016-007656 // NVD: CVE-2016-6816

REFERENCES

url:http://www.securityfocus.com/bid/94461

Trust: 2.4

url:http://www.debian.org/security/2016/dsa-3738

Trust: 2.3

url:https://www.exploit-db.com/exploits/41783/

Trust: 1.8

url:http://rhn.redhat.com/errata/rhsa-2017-0527.html

Trust: 1.8

url:http://rhn.redhat.com/errata/rhsa-2017-0250.html

Trust: 1.8

url:http://rhn.redhat.com/errata/rhsa-2017-0247.html

Trust: 1.8

url:https://tomcat.apache.org/security-9.html#fixed_in_apache_tomcat_9.0.0.m13

Trust: 1.7

url:https://tomcat.apache.org/security-8.html#fixed_in_apache_tomcat_8.5.8

Trust: 1.7

url:https://tomcat.apache.org/security-8.html#fixed_in_apache_tomcat_8.0.39

Trust: 1.7

url:https://tomcat.apache.org/security-7.html#fixed_in_apache_tomcat_7.0.73

Trust: 1.7

url:https://tomcat.apache.org/security-6.html#fixed_in_apache_tomcat_6.0.48

Trust: 1.7

url:http://www.securitytracker.com/id/1037332

Trust: 1.7

url:http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

Trust: 1.7

url:https://access.redhat.com/errata/rhsa-2017:0935

Trust: 1.7

url:https://access.redhat.com/errata/rhsa-2017:0456

Trust: 1.7

url:https://access.redhat.com/errata/rhsa-2017:0455

Trust: 1.7

url:http://rhn.redhat.com/errata/rhsa-2017-0457.html

Trust: 1.7

url:http://rhn.redhat.com/errata/rhsa-2017-0246.html

Trust: 1.7

url:http://rhn.redhat.com/errata/rhsa-2017-0245.html

Trust: 1.7

url:http://rhn.redhat.com/errata/rhsa-2017-0244.html

Trust: 1.7

url:https://security.netapp.com/advisory/ntap-20180607-0001/

Trust: 1.7

url:https://usn.ubuntu.com/4557-1/

Trust: 1.7

url:https://nvd.nist.gov/vuln/detail/cve-2016-6816

Trust: 1.5

url:https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3cdev.tomcat.apache.org%3e

Trust: 1.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-8735

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6816

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-6817

Trust: 0.8

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2016-8735

Trust: 0.8

url:http://jvn.jp/vu/jvnvu92250735/index.html

Trust: 0.8

url:https://nvd.nist.gov/vuln/detail/cve-2016-6817

Trust: 0.8

url:https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:https://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3cdev.tomcat.apache.org%3e

Trust: 0.6

url:http://www.hitachi.co.jp/prod/comp/soft1/global/security/info/vuls/hitachi-sec-2019-107/index.html

Trust: 0.6

url:https://www.auscert.org.au/bulletins/79014

Trust: 0.6

url:https://www.auscert.org.au/bulletins/esb-2020.3415/

Trust: 0.6

url:https://packetstormsecurity.com/files/159413/ubuntu-security-notice-usn-4557-1.html

Trust: 0.6

url:https://access.redhat.com/security/cve/cve-2016-6816

Trust: 0.4

url:https://nvd.nist.gov/vuln/detail/cve-2016-6797

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-6794

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-6796

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-5018

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-0762

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2016-8745

Trust: 0.3

url:https://www.redhat.com/mailman/listinfo/rhsa-announce

Trust: 0.3

url:https://bugzilla.redhat.com/

Trust: 0.3

url:https://access.redhat.com/security/team/contact/

Trust: 0.3

url:http://www.ubuntu.com/usn/usn-3177-1

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-5388

Trust: 0.2

url:https://access.redhat.com/security/team/key/

Trust: 0.2

url:https://access.redhat.com/articles/11258

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-8627

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2016-7061

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2016-8656

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-8656

Trust: 0.2

url:https://nvd.nist.gov/vuln/detail/cve-2016-7061

Trust: 0.2

url:https://access.redhat.com/security/cve/cve-2016-8627

Trust: 0.2

url:https://access.redhat.com/security/updates/classification/#important

Trust: 0.2

url:https://cwe.mitre.org/data/definitions/20.html

Trust: 0.1

url:https://access.redhat.com/errata/rhsa-2017:0527

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:https://usn.ubuntu.com/3177-2/

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/tomcat6/6.0.35-1ubuntu3.9

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/tomcat8/8.0.37-1ubuntu0.1

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-9775

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/tomcat8/8.0.32-1ubuntu1.3

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/tomcat7/7.0.52-1ubuntu0.8

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2016-9774

Trust: 0.1

url:https://access.redhat.com/security/cve/cve-2016-8745

Trust: 0.1

url:https://access.redhat.com/security/updates/classification/#moderate

Trust: 0.1

url:https://softwaresupport.softwaregrp.com/group/softwaresupport/search-result/

Trust: 0.1

url:https://cf.passport.softwaregrp.com/hppcf/createuser.do

Trust: 0.1

url:https://softwaresupport.softwaregrp.com/psrt

Trust: 0.1

url:https://softwaresupport.softwaregrp.com/group/softwaresupport/email-notification/-/subscriptions/registerdocumentnotification

Trust: 0.1

url:https://softwaresupport.softwaregrp.com/gro

Trust: 0.1

url:https://softwaresupport.softwaregrp.com/security-vulnerability

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2017-5664

Trust: 0.1

url:https://softwaresupport.softwaregrp.com/document/-/facetsearch/document/km03302206

Trust: 0.1

url:https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/tomcat6/6.0.45+dfsg-1ubuntu0.1

Trust: 0.1

url:https://usn.ubuntu.com/4557-1

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/tomcat7/7.0.52-1ubuntu0.9

Trust: 0.1

url:http://www.ubuntu.com/usn/usn-3177-2

Trust: 0.1

url:https://launchpad.net/ubuntu/+source/tomcat6/6.0.35-1ubuntu3.10

Trust: 0.1

url:https://launchpad.net/bugs/1659589

Trust: 0.1

url:https://access.redhat.com/documentation/en/jboss-enterprise-application-platform/

Trust: 0.1

url:https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=appplatform&downloadtype=securitypatches&version=6.4

Trust: 0.1

sources: VULMON: CVE-2016-6816 // PACKETSTORM: 140692 // PACKETSTORM: 141637 // PACKETSTORM: 150775 // PACKETSTORM: 140918 // PACKETSTORM: 159413 // PACKETSTORM: 140905 // PACKETSTORM: 140915 // CNNVD: CNNVD-201611-610 // JVNDB: JVNDB-2016-007656 // NVD: CVE-2016-6816

CREDITS

Ubuntu

Trust: 0.9

sources: PACKETSTORM: 140692 // PACKETSTORM: 159413 // PACKETSTORM: 140905 // CNNVD: CNNVD-201611-610

SOURCES

db:VULMONid:CVE-2016-6816
db:PACKETSTORMid:140692
db:PACKETSTORMid:141637
db:PACKETSTORMid:150775
db:PACKETSTORMid:140918
db:PACKETSTORMid:159413
db:PACKETSTORMid:140905
db:PACKETSTORMid:140915
db:CNNVDid:CNNVD-201611-610
db:JVNDBid:JVNDB-2016-007656
db:NVDid:CVE-2016-6816

LAST UPDATE DATE

2026-06-18T18:49:33.806000+00:00


SOURCES UPDATE DATE

db:VULMONid:CVE-2016-6816date:2023-12-08T00:00:00
db:CNNVDid:CNNVD-201611-610date:2020-10-22T00:00:00
db:JVNDBid:JVNDB-2016-007656date:2019-04-12T00:00:00
db:NVDid:CVE-2016-6816date:2026-05-13T00:24:29.033

SOURCES RELEASE DATE

db:VULMONid:CVE-2016-6816date:2017-03-20T00:00:00
db:PACKETSTORMid:140692date:2017-01-24T01:06:55
db:PACKETSTORMid:141637date:2017-03-15T15:22:10
db:PACKETSTORMid:150775date:2018-12-13T18:21:43
db:PACKETSTORMid:140918date:2017-02-03T15:54:27
db:PACKETSTORMid:159413date:2020-09-30T15:53:50
db:PACKETSTORMid:140905date:2017-02-03T15:51:19
db:PACKETSTORMid:140915date:2017-02-03T15:54:03
db:CNNVDid:CNNVD-201611-610date:2016-11-22T00:00:00
db:JVNDBid:JVNDB-2016-007656date:2017-03-09T00:00:00
db:NVDid:CVE-2016-6816date:2017-03-20T18:59:00.173