tomcat-7.0.76-9.el7

Errata ID: AXSA:2019-4053:02

Release date: Monday, August 19, 2019 - 17:21
Subject: tomcat-7.0.76-9.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: Moderate
Description:

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

* tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)

* tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305)

* tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)

* tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2018-1304
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
CVE-2018-1305
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
CVE-2018-8014
The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
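As an added example (not part of this advisory or of Tomcat's own code), the following check parses a web.xml and flags a CorsFilter whose effective configuration allows credentials for any origin, which is what the pre-fix defaults described under CVE-2018-8014 amount to. The init-param names are Tomcat's real CorsFilter parameters; the sample web.xml fragments and the origin in them are constructed.

```python
import xml.etree.ElementTree as ET

# Added example (not advisory or Tomcat code). Sample web.xml fragments are
# constructed: the first relies on the filter's defaults, the second pins origins.
CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
</web-app>"""

HARDENED_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://app.example.com</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>true</param-value>
    </init-param>
  </filter>
</web-app>"""

def _local(tag: str) -> str:
    """Strip the XML namespace so web.xml with or without xmlns is handled."""
    return tag.rsplit("}", 1)[-1]

def _child_text(el, name: str) -> str:
    """Text of the first direct child element named `name`, or '' if absent."""
    return next(((c.text or "").strip() for c in el if _local(c.tag) == name), "")

def cors_filter_findings(web_xml: str, fixed_default: bool = False) -> list:
    """One finding per CorsFilter allowing credentials for a wildcard origin.
    fixed_default=False models the pre-fix default of true (CVE-2018-8014)."""
    findings = []
    for f in (e for e in ET.fromstring(web_xml).iter() if _local(e.tag) == "filter"):
        if _child_text(f, "filter-class") != CORS_FILTER_CLASS:
            continue
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in f if _local(p.tag) == "init-param"}
        origins = {o.strip() for o in params.get("cors.allowed.origins", "*").split(",")}
        creds = params.get("cors.support.credentials", "false" if fixed_default else "true")
        if creds.lower() == "true" and "*" in origins:
            findings.append(f"{_child_text(f, 'filter-name')}: credentials allowed for any origin")
    return findings
```

Running the check against the same deployment descriptor with `fixed_default=True` shows why the patched default matters: a filter with no init-params is flagged before the fix and clean after it, while an explicit origin list is clean either way.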

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. tomcat-7.0.76-9.el7.src.rpm
    MD5: 7f74e7c4a415c615fcdeb9371cfd0c6f
    SHA-256: e2fa2b0dc2e5a083eeca151a9b00c1314a2ecdeececce2bec0ff6a54c4e3b40d
    Size: 4.60 MB

Asianux Server 7 for x86_64
  1. tomcat-7.0.76-9.el7.noarch.rpm
    MD5: 000526f8345b92a772468c543fe1cd21
    SHA-256: 9543b13dddb60ca317220e007fbc266087d1b2317c97f1d915d24bad617ee896
    Size: 90.78 kB
  2. tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
    MD5: c79341bcbcd8a1f929f3c6d7c1d57039
    SHA-256: 11d00a45bc729273adc47749096937e7e6a77adbf790ef0a5e9f1724489ecb39
    Size: 38.98 kB
  3. tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
    MD5: 00f96029d52212726b4e631e15e5a7f3
    SHA-256: 5d76903a1f67c52da210ea0f28831c70872294426a8a24baa669b0d22b17ba02
    Size: 80.24 kB
  4. tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
    MD5: 584b3875959f1658a6050fdc446282a3
    SHA-256: 4e572d6deb82dd411bae5a119d4daf13300bc03e6a65d2d5ae800f7f8b9356a4
    Size: 93.95 kB
  5. tomcat-lib-7.0.76-9.el7.noarch.rpm
    MD5: 7f3f90ee3825542b9738cab5da8585c7
    SHA-256: 3f76ba5d3b7039983e905470b209da84dc68fa9fa55bbbf206e546e78341db9f
    Size: 3.86 MB
  6. tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
    MD5: 4fe5b3d7589599f7b092afa90ba65e13
    SHA-256: b6a51a60df8b5c6b24d3a0cc9ec175c51a067bea6d8d08f8a77341c24fe7714e
    Size: 211.32 kB
  7. tomcat-webapps-7.0.76-9.el7.noarch.rpm
    MD5: 506e9da9bbecc3c5a493be793b1e65c1
    SHA-256: 1f05ba13cf92a6c71d9e55174ae2fef04c71783a19bcdfe7066a1156872e0d83
    Size: 339.85 kB