tomcat-7.0.76-3.el7

Errata ID: AXSA:2017-2389:05

Release date: Wednesday, November 1, 2017 - 17:35
Subject: tomcat-7.0.76-3.el7
Affected Channels: Asianux Server 7 for x86_64
Severity: High
Description: 

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

* A vulnerability was discovered in Tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)

* Two vulnerabilities were discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution. (CVE-2017-12615, CVE-2017-12617)

* A vulnerability was discovered in Tomcat where the CORS Filter did not send a "Vary: Origin" HTTP header. This potentially allowed sensitive data to be leaked to other visitors through both client-side and server-side caches. (CVE-2017-7674)

CVE-2017-12615
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs
enabled (e.g. via setting the readonly initialisation parameter of the
Default to false) it was possible to upload a JSP file to the server
via a specially crafted request. This JSP could then be requested and
any code it contained would be executed by the server.
CVE-2017-12617
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to
8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled
(e.g. via setting the readonly initialisation parameter of the Default
servlet to false) it was possible to upload a JSP file to the server
via a specially crafted request. This JSP could then be requested and
any code it contained would be executed by the server.
CVE-2017-5647
A bug in the handling of the pipelined requests in Apache Tomcat
9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to
7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the
pipelined request being lost when send file processing of the previous
request completed. This could result in responses appearing to be sent
for the wrong request. For example, a user agent that sent requests A,
B and C could see the correct response for request A, the response for
request C for request B and no response for request C.
CVE-2017-7674
The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to
8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP
Vary header indicating that the response varies depending on Origin.
This permitted client and server side cache poisoning in some
circumstances.
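The CORS Filter issue is about cache semantics: a response whose Access-Control-Allow-Origin echoes the request's Origin is a different variant per origin, and a cache that is not told so via Vary will hand one origin's variant to the next requester. The toy model below is an added example, not part of this advisory or of Tomcat: cors_filter mimics the filter with and without the Vary header, SharedCache selects stored variants by the headers named in Vary as an HTTP cache must, and vary_covers_origin is the response-header check a defender can run against a patched server. The origins, URL and header values are constructed.

```python
# Added example (not part of the advisory or of Tomcat): a toy shared-cache
# model showing why a CORS response that echoes the request Origin must carry
# "Vary: Origin" (CVE-2017-7674). Origins, URL and headers are constructed.
ALLOWED_ORIGINS = {"https://app.example", "https://partner.example"}


def cors_filter(request_headers, send_vary):
    """Model of Tomcat's CORS Filter echoing an allowed Origin.

    send_vary=False models the affected versions: the response depends on
    Origin, but no Vary header tells caches so.
    """
    headers = {"Content-Type": "application/json"}
    origin = request_headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    if send_vary:
        headers["Vary"] = "Origin"
    return headers


def vary_covers_origin(response_headers):
    """Defender check: does a per-Origin CORS response declare Vary: Origin?"""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None or acao == "*":
        return True  # response is not origin-specific; Vary not needed
    vary = [v.strip().lower() for v in response_headers.get("Vary", "").split(",")]
    return "origin" in vary or "*" in vary


class SharedCache:
    """Cache keyed by URL plus the request-header values named in Vary,
    which is how an HTTP cache selects a stored variant."""

    def __init__(self):
        self.entries = []  # (url, ((header, value), ...), response)

    def fetch(self, url, request_headers, origin_server):
        for u, varied, resp in self.entries:
            if u == url and all(request_headers.get(h) == v for h, v in varied):
                return resp, True  # served from cache
        resp = origin_server(request_headers)
        names = [v.strip() for v in resp.get("Vary", "").split(",") if v.strip()]
        varied = tuple((h, request_headers.get(h)) for h in names)
        self.entries.append((url, varied, resp))
        return resp, False  # fetched from the origin server


def second_client_sees(send_vary):
    """Two clients from different origins fetch one URL through one shared
    cache. Return the Access-Control-Allow-Origin value the second client
    receives and whether it came from the cache."""
    cache = SharedCache()
    server = lambda h: cors_filter(h, send_vary)
    cache.fetch("/api/data", {"Origin": "https://partner.example"}, server)
    resp, hit = cache.fetch("/api/data", {"Origin": "https://app.example"}, server)
    return resp.get("Access-Control-Allow-Origin"), hit


if __name__ == "__main__":
    print("without Vary: Origin ->", second_client_sees(False))
    print("with    Vary: Origin ->", second_client_sees(True))
```

Without the header the second client is served the variant generated for the first origin; with it the cache misses and fetches a fresh per-origin response. After updating, vary_covers_origin applied to the real response headers of a CORS-enabled resource is the quick confirmation that the fix is in effect.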

Solution: 

Update packages.

Additional Info: 

N/A

Download: 

SRPMS
  1. tomcat-7.0.76-3.el7.src.rpm
    MD5: 7719489a7bde216578e8c94cc174389e
    SHA-256: 51cc143d36f5bcb9b739e30eb9b287950f918ba3f0c14b9cd94917766aaaffbb
    Size: 4.58 MB

Asianux Server 7 for x86_64
  1. tomcat-7.0.76-3.el7.noarch.rpm
    MD5: 92c6e9d9bc3ede01f10f445d18aa4c97
    SHA-256: c53c87c863335b81a174eaaeaa182103fb835defad35ca7eaf38e0bad7ea9e7e
    Size: 89.05 kB
  2. tomcat-admin-webapps-7.0.76-3.el7.noarch.rpm
    MD5: 54a167654361bbbe208af6ad3a2e919f
    SHA-256: bf986689561ac8d869b04393ddd87b794685c119f7304bf8530981b2d729050c
    Size: 37.49 kB
  3. tomcat-el-2.2-api-7.0.76-3.el7.noarch.rpm
    MD5: b5176fcc300e8239bce8a9e3089185c7
    SHA-256: a0ec6d88c2a3226ef0583b5ac611d46ac160bda9c24cdb6285dbbe7b4486c311
    Size: 78.75 kB
  4. tomcat-jsp-2.2-api-7.0.76-3.el7.noarch.rpm
    MD5: 551956d4d0df23a5a32d1dfa3d44191d
    SHA-256: 68af529d09c9082408eea16ffce11bcd997dade79b4f69c37d6050292863863b
    Size: 92.46 kB
  5. tomcat-lib-7.0.76-3.el7.noarch.rpm
    MD5: 57329451e0742a211f23a68be3a2725e
    SHA-256: 0c772f492e7f3d388c7dd311de75b6ae5da735f47bc97a80d47de96643b1a6c0
    Size: 3.85 MB
  6. tomcat-servlet-3.0-api-7.0.76-3.el7.noarch.rpm
    MD5: 0820ae904ab0a0d6e9df196cd9350cdd
    SHA-256: a85a660808ffa5edaeac8f5b2207a4e995599f2b00e87aa64befa142321642ad
    Size: 209.83 kB
  7. tomcat-webapps-7.0.76-3.el7.noarch.rpm
    MD5: b6770e53bb2eac88aa864db6046b0d25
    SHA-256: 98da9bbacecc646a08be3cfd64423ff36d2fd21604ca2cb391ea4426ecd4f05b
    Size: 338.36 kB