AXSA:2020-4523:01

Release date:
2020/03/23 Monday - 07:53
Title:
tomcat6-6.0.24-114.AXS4
Affected channels:
Asianux Server 4 for x86
Asianux Server 4 for x86_64
Severity: 
High
Description: 

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

* tomcat: Apache Tomcat AJP File Read/Inclusion Vulnerability (CVE-2020-1938)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

CVE-2020-1938
When using the Apache JServ Protocol (AJP), care must be taken when trusting incoming connections to Apache Tomcat. Tomcat treats AJP connections as having higher trust than, for example, a similar HTTP connection. If such connections are available to an attacker, they can be exploited in ways that may be surprising.

In Apache Tomcat 9.0.0.M1 to 9.0.0.30, 8.5.0 to 8.5.50 and 7.0.0 to 7.0.99, Tomcat shipped with an AJP Connector enabled by default that listened on all configured IP addresses. It was expected (and recommended in the security guide) that this Connector would be disabled if not required. This vulnerability report identified a mechanism that allowed:

* returning arbitrary files from anywhere in the web application
* processing any file in the web application as a JSP

Further, if the web application allowed file upload and stored those files within the web application (or the attacker was able to control the content of the web application by some other means) then this, along with the ability to process a file as a JSP, made remote code execution possible.

It is important to note that mitigation is only required if an AJP port is accessible to untrusted users. Users wishing to take a defence-in-depth approach and block the vector that permits returning arbitrary files and execution as JSP may upgrade to Apache Tomcat 9.0.31, 8.5.51 or 7.0.100 or later. A number of changes were made to the default AJP Connector configuration in 9.0.31 to harden the default configuration. It is likely that users upgrading to 9.0.31, 8.5.51 or 7.0.100 or later will need to make small changes to their configurations.
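The condition the advisory describes (an AJP Connector enabled and listening on all addresses, reachable by clients that should not be trusted) can be audited from Tomcat's server.xml before and after updating. The script below is an added example, not Asianux's or Tomcat's own code; the `address`, `secret` and `requiredSecret` attribute names come from Tomcat's AJP Connector documentation rather than this advisory, and the server.xml content is constructed for the demonstration.

```python
"""Audit a Tomcat server.xml for AJP connectors reachable beyond loopback.

Added example (not Asianux's or Tomcat's code). Commented-out connectors are
skipped by the XML parser, which matches the advisory: a disabled AJP
connector is not exposed.
"""
import xml.etree.ElementTree as ET

LOOPBACK = {"127.0.0.1", "::1", "localhost"}

# Constructed sample: one pre-9.0.31 style AJP connector, one hardened one.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- Old default: AJP enabled, no address (all interfaces), no secret -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <!-- Hardened: loopback only, shared secret with the reverse proxy -->
    <Connector port="8010" protocol="AJP/1.3" address="127.0.0.1"
               secret="example-shared-secret" />
    <!-- Disabled connector: inside a comment, so never parsed
    <Connector port="8011" protocol="AJP/1.3" />
    -->
  </Service>
</Server>
"""


def audit_ajp_connectors(server_xml: str) -> list:
    """Return one finding dict per enabled AJP connector, in document order."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        # Tomcat defaults a Connector without 'protocol' to HTTP/1.1.
        if not conn.get("protocol", "HTTP/1.1").upper().startswith("AJP"):
            continue
        address = conn.get("address")  # absent => bound to all interfaces
        # 'secret' is the 9.0.31/8.5.51/7.0.100+ attribute name; 'requiredSecret'
        # the older one (assumption: the deployment supports one of them).
        has_secret = bool(conn.get("secret") or conn.get("requiredSecret"))
        loopback_only = address in LOOPBACK
        findings.append({
            "port": conn.get("port"),
            "address": address,
            "loopback_only": loopback_only,
            "has_secret": has_secret,
            # Needs attention: reachable by non-local clients and no secret set.
            "exposed_without_secret": not loopback_only and not has_secret,
        })
    return findings


if __name__ == "__main__":
    for f in audit_ajp_connectors(SAMPLE_SERVER_XML):
        state = "EXPOSED" if f["exposed_without_secret"] else "ok"
        print(f"AJP port {f['port']} address={f['address']}: {state}")
```

Run it against a real `conf/server.xml` by passing the file contents to `audit_ajp_connectors`; any finding with `exposed_without_secret` set is the configuration the advisory says needs either disabling, a loopback binding, or a shared secret.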

Solution:

Update packages.

Additional information:

N/A

Downloads:

SRPMS
  1. tomcat6-6.0.24-114.AXS4.src.rpm
    MD5: be9c09d4aad596417a9c02f2630f02f6
    SHA-256: d292c4fff768948c69170d0a0aafb39501b908af545b1d39dced329d3268623c
    Size: 3.66 MB

Asianux Server 4 for x86
  1. tomcat6-6.0.24-114.AXS4.noarch.rpm
    MD5: 38d5ed4c125822ae3b5d53a40137f6ad
    SHA-256: 94d0009f01e4804aeea12d5c6ab064b173e41c917f04990e533bb3d63b0ea209
    Size: 96.08 kB
  2. tomcat6-el-2.1-api-6.0.24-114.AXS4.noarch.rpm
    MD5: 5a6cbf97d3b01759962f4a57740ee3a8
    SHA-256: 156530b8c0d4ce1dbb26d14c23580412c1b49a79d7eb0acad2b8af477f278700
    Size: 51.87 kB
  3. tomcat6-jsp-2.1-api-6.0.24-114.AXS4.noarch.rpm
    MD5: 68ebd93cbd2c23f5ba009a028ba884dc
    SHA-256: 8d0e86224b71b21858d244fbb62b4dd77632996240f53d71117d791904394a11
    Size: 88.32 kB
  4. tomcat6-lib-6.0.24-114.AXS4.noarch.rpm
    MD5: 3cfddbbb6cfb5b952a666a2a7af987c1
    SHA-256: 0ac6eed6636883996c231f9b820b998a4c12b9be01cb5da81e324ee21007b27a
    Size: 2.92 MB
  5. tomcat6-servlet-2.5-api-6.0.24-114.AXS4.noarch.rpm
    MD5: e272ef604d84265bec8d90e6c0bcd74a
    SHA-256: 5f770b56b3bae6338c7a8257ab8619a553b2e6af5ca4e307da8a9369ae340493
    Size: 122.35 kB

Asianux Server 4 for x86_64
  1. tomcat6-6.0.24-114.AXS4.noarch.rpm
    MD5: 22c7c97dba9a99cc51237780707f98cd
    SHA-256: c09b0a7cfcda33a316f2be164ea359828a2e711e884923c5df1fddc2ceaa0478
    Size: 95.64 kB
  2. tomcat6-el-2.1-api-6.0.24-114.AXS4.noarch.rpm
    MD5: 7760a3e63927032aaf569a787a2580a3
    SHA-256: 4cd56c3218c252a3acf3c95330da13a8ccc446adcf47946cd57c11add42bad15
    Size: 51.41 kB
  3. tomcat6-jsp-2.1-api-6.0.24-114.AXS4.noarch.rpm
    MD5: ecad5593a249942610f57a54275aed01
    SHA-256: dc89d4ed56abae1c5c74b30fbd00610f2f567d30e6c250e82d4ad8a43a96384d
    Size: 87.87 kB
  4. tomcat6-lib-6.0.24-114.AXS4.noarch.rpm
    MD5: 55d0cde452adb0b94950b3a5f21f9e2d
    SHA-256: fbcdd379ffc6179b8587033cd368695d4efb46c0321082fcab6a95134bca2b3d
    Size: 2.92 MB
  5. tomcat6-servlet-2.5-api-6.0.24-114.AXS4.noarch.rpm
    MD5: 94e70ec18078106573d4c58cbde96009
    SHA-256: 4f70d2587140acf9c67e1bbbc5e76bdb22a16348d1d83bafc44dcfabca3bec49
    Size: 121.90 kB
Copyright © 2007-2015 Asianux. All rights reserved.