tomcat-7.0.76-11.el7

Errata ID: AXSA:2020-4508:01

Release date: 
2020/03/22 Sunday - 06:50
Title: 
tomcat-7.0.76-11.el7
Affected channels: 
Asianux Server 7 for x86_64
Severity: 
High
Description: 

The following items have been addressed.

[Security Fix]
- Apache Tomcat has a vulnerability that, when untrusted users can reach the AJP (Apache JServ Protocol)
port, allows a remote attacker to access arbitrary web application files and to have
arbitrary files processed and executed as JSP code. (CVE-2020-1938)

Some of the CVE translations are quoted from JVN.
http://jvndb.jvn.jp/

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

* tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability (CVE-2020-1938)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-1938
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising. In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:
- returning arbitrary files from anywhere in the web application
- processing any file in the web application as a JSP
Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible. It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
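The exposure described above comes down to whether an AJP Connector is enabled in server.xml and what it is bound to. The following audit script is an added example (not part of this errata or of the Tomcat project) that parses a server.xml and reports each enabled AJP Connector that lacks a loopback `address` or a shared secret; the sample server.xml is constructed, and `address`, `secret` (fixed releases) and `requiredSecret` (older name) are standard Tomcat Connector attributes.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from the advisory): the pre-fix default
# shape, with an AJP connector on 8009 that is bound to all configured addresses.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding per enabled AJP Connector in the given server.xml text.

    Connectors that are commented out are skipped automatically, because
    ElementTree drops XML comments while parsing. Each finding lists the
    hardening gaps relevant to CVE-2020-1938 exposure.
    """
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        # A Connector without "protocol" defaults to HTTP/1.1; AJP is selected either
        # by "AJP/1.3" or by a fully qualified org.apache.coyote.ajp.* class name.
        if "AJP" not in conn.get("protocol", "HTTP/1.1").upper():
            continue
        address = conn.get("address")
        secret = conn.get("secret") or conn.get("requiredSecret")
        issues = []
        if address is None or address not in LOOPBACK_ADDRESSES:
            issues.append("AJP connector listens on all configured IP addresses "
                          "(no loopback 'address'); restrict it or disable the connector")
        if not secret:
            issues.append("no AJP shared secret configured ('secret' / 'requiredSecret')")
        findings.append({"port": conn.get("port"), "address": address, "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit_ajp_connectors(SAMPLE_SERVER_XML):
        print(f"AJP connector on port {finding['port']} (address={finding['address']}):")
        for issue in finding["issues"]:
            print(f"  - {issue}")
```

Point the script at a real server.xml by reading the file into a string; an empty result means no enabled AJP Connector was found.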

Solution: 

Update the packages.

Additional information: 

N/A

Downloads: 

SRPMS
  1. tomcat-7.0.76-11.el7.src.rpm
    MD5: 4b7474f46ad9b4720c9936042483c5e6
    SHA-256: 358f3e33e92cb9dfd880f1e4102b05821357d3c1e652839b58d69cb243c947ad
    Size: 4.60 MB

Asianux Server 7 for x86_64
  1. tomcat-7.0.76-11.el7.noarch.rpm
    MD5: b2b28bdbae2c638be1404999871ad1b9
    SHA-256: 5727a601d8e8bc4688a4b743fc1b45bbf6a5540740569b49cad2a4e5c71684ee
    Size: 91.04 kB
  2. tomcat-admin-webapps-7.0.76-11.el7.noarch.rpm
    MD5: 007a8c236e23be5bec51611acac05f0a
    SHA-256: 40e944cd4c91ac176db2ad1a264d6d774fbcd2730d2aac82dc1b38c84f39da60
    Size: 39.25 kB
  3. tomcat-el-2.2-api-7.0.76-11.el7.noarch.rpm
    MD5: 4af414fcfe1db6799ef44a293b10bb54
    SHA-256: 3df1e73b2d56cf7384701ad0fe5308be92b32489d48d5f07ae809d80c1b99c3c
    Size: 80.50 kB
  4. tomcat-jsp-2.2-api-7.0.76-11.el7.noarch.rpm
    MD5: 5c7d0302c55409d3992fe3a169bda539
    SHA-256: d1515456b722ab33a21efff4737cbcf058e6c7c0bd211d6a1c4251466898c4b7
    Size: 94.22 kB
  5. tomcat-lib-7.0.76-11.el7.noarch.rpm
    MD5: 4534dc3b10d065b2f472fd06e90710b2
    SHA-256: 8f4f7ea7deeab808b46bee0fafe1f56c2046f67907f2b9a75a2559130a33f1e9
    Size: 3.86 MB
  6. tomcat-servlet-3.0-api-7.0.76-11.el7.noarch.rpm
    MD5: 430d576f01ca775f09ada3a430377831
    SHA-256: e9bdaf66cb8d0607a8d54436b19d778c526a1fe62cad565253b5e01460ba6f36
    Size: 211.57 kB
  7. tomcat-webapps-7.0.76-11.el7.noarch.rpm
    MD5: 7769086e85514fb3f1b32bb0991f385b
    SHA-256: 7261bce2146ddfc7129a38508bff32592dd3263891532c074cbb054e5a67bf3f
    Size: 339.99 kB