tomcat-7.0.76-9.el7
エラータID: AXSA:2019-4053:02
リリース日:
2019/08/19 Monday - 17:21
題名:
tomcat-7.0.76-9.el7
影響のあるチャネル:
Asianux Server 7 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- tomcat には、セキュリティ制約定義における空文字列のURLパターンが
正しく扱われておらず、コンテキストルートを意味していませんでした。
これにより、制約が無視され、未認証のユーザーが、守られるべきWeb
アプリケーションのリソースへのアクセスを得る可能性があります。
空文字のURLパターンを用いたセキュリティ制約のみが影響を受けます。
(CVE-2018-1304)
- tomcat では、サーブレットを列挙して定義するセキュリティ制約が、
サーブレットがロードされている場合にのみ適用されていました。
このようなセキュリティ制約は URL パターンとその下のあらゆる
URL に適用されるため、一部のセキュリティ制約が、サーブレットの
読み込み順にも依存し、適用されないことがありました。これにより、
本来アクセスを認可されていないユーザーに対して、リソースを暴露
する可能性があります。(CVE-2018-1305)
- tomcat における CORS の既定の設定が、セキュアではなく、全ての
オリジンに対して'supportsCredentials'を有効にしていました。CORS
フィルターのユーザーは、既定のままではなく環境に応じて適切に設定
していることが想定されるため、多くのユーザーは影響を受けないと
期待されます。(CVE-2018-8014)
- WebSocket クライアントとの TLS 接続において、ホスト名の検証が
されない脆弱性があります。(CVE-2018-8034)
一部CVEの翻訳文はJVNからの引用になります。
http://jvndb.jvn.jp/
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2018-1304
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected.
CVE-2018-1305
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
Security constraints defined by annotations of Servlets in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.
CVE-2018-8014
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
追加情報:
N/A
ダウンロード:
SRPMS
- tomcat-7.0.76-9.el7.src.rpm
MD5: 7f74e7c4a415c615fcdeb9371cfd0c6f
SHA-256: e2fa2b0dc2e5a083eeca151a9b00c1314a2ecdeececce2bec0ff6a54c4e3b40d
Size: 4.60 MB
Asianux Server 7 for x86_64
- tomcat-7.0.76-9.el7.noarch.rpm
MD5: 000526f8345b92a772468c543fe1cd21
SHA-256: 9543b13dddb60ca317220e007fbc266087d1b2317c97f1d915d24bad617ee896
Size: 90.78 kB - tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm
MD5: c79341bcbcd8a1f929f3c6d7c1d57039
SHA-256: 11d00a45bc729273adc47749096937e7e6a77adbf790ef0a5e9f1724489ecb39
Size: 38.98 kB - tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm
MD5: 00f96029d52212726b4e631e15e5a7f3
SHA-256: 5d76903a1f67c52da210ea0f28831c70872294426a8a24baa669b0d22b17ba02
Size: 80.24 kB - tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm
MD5: 584b3875959f1658a6050fdc446282a3
SHA-256: 4e572d6deb82dd411bae5a119d4daf13300bc03e6a65d2d5ae800f7f8b9356a4
Size: 93.95 kB - tomcat-lib-7.0.76-9.el7.noarch.rpm
MD5: 7f3f90ee3825542b9738cab5da8585c7
SHA-256: 3f76ba5d3b7039983e905470b209da84dc68fa9fa55bbbf206e546e78341db9f
Size: 3.86 MB - tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm
MD5: 4fe5b3d7589599f7b092afa90ba65e13
SHA-256: b6a51a60df8b5c6b24d3a0cc9ec175c51a067bea6d8d08f8a77341c24fe7714e
Size: 211.32 kB - tomcat-webapps-7.0.76-9.el7.noarch.rpm
MD5: 506e9da9bbecc3c5a493be793b1e65c1
SHA-256: 1f05ba13cf92a6c71d9e55174ae2fef04c71783a19bcdfe7066a1156872e0d83
Size: 339.85 kB
English