tomcat-7.0.76-15.el7
Errata ID: AXSA:2020-627:03
Release date:
2020/10/08 Thursday - 00:26
Title:
tomcat-7.0.76-15.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Tomcat has a vulnerability that allows an attacker to carry out a session fixation attack during FORM authentication. (CVE-2019-17563)
- Tomcat does not correctly validate the payload length of WebSocket frames, allowing an attacker to cause a denial of service via multiple requests with invalid payload lengths. (CVE-2020-13935)
Solution:
Update the packages.
CVE:
CVE-2019-17563
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
CVE-2020-13935
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
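As an added illustration of the validation CVE-2020-13935 concerns (not code from the advisory or from Tomcat): a minimal RFC 6455 frame-header parser that rejects invalid payload lengths (MSB set on the 64-bit field, non-minimal encodings, truncated headers) before any read loop depends on the value. MAX_PAYLOAD and the sample frames are constructed assumptions.

```python
import struct

class FrameError(ValueError):
    """Header must be rejected (WebSocket close code 1002, protocol error)."""

MAX_PAYLOAD = 1 << 20  # assumed per-endpoint policy limit, not a Tomcat setting

def parse_frame_header(data: bytes) -> dict:
    """Parse an RFC 6455 frame header, validating the payload length before use."""
    try:
        b0, b1 = data[0], data[1]
        fin, opcode = bool(b0 & 0x80), b0 & 0x0F
        masked, length = bool(b1 & 0x80), b1 & 0x7F
        pos = 2
        if length == 126:                       # 16-bit extended length follows
            (length,) = struct.unpack_from("!H", data, pos)
            pos += 2
            if length < 126:
                raise FrameError("non-minimal 16-bit length encoding")
        elif length == 127:                     # 64-bit extended length follows
            (length,) = struct.unpack_from("!Q", data, pos)
            pos += 8
            # RFC 6455 5.2: the MSB of the 64-bit length MUST be 0. A parser
            # holding it in a signed 64-bit type sees a negative length here.
            if length >> 63:
                raise FrameError("64-bit length has MSB set")
            if length < 0x10000:
                raise FrameError("non-minimal 64-bit length encoding")
        mask_key = None
        if masked:
            mask_key = bytes(data[pos:pos + 4])
            pos += 4
            if len(mask_key) != 4:
                raise struct.error
    except (IndexError, struct.error):
        raise FrameError("truncated frame header") from None
    if opcode >= 0x8 and (length > 125 or not fin):
        raise FrameError("control frame too long or fragmented")
    if length > MAX_PAYLOAD:
        raise FrameError("payload exceeds policy limit")
    return {"fin": fin, "opcode": opcode, "masked": masked,
            "length": length, "mask_key": mask_key, "header_len": pos}

# Constructed sample frames (not captured traffic).
GOOD_TEXT = bytes([0x81, 0x85, 0x37, 0xFA, 0x21, 0x3D])          # FIN text, masked, len 5
GOOD_LONG = bytes([0x82, 0x7E]) + struct.pack("!H", 300)           # binary, unmasked, len 300
BAD_MSB = bytes([0x82, 0x7F]) + struct.pack("!Q", (1 << 63) | 16)  # length with MSB set
```

A conforming endpoint closes the connection with code 1002 on FrameError rather than attempting to read the announced number of bytes.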
Additional information:
N/A
Download:
SRPMS
- tomcat-7.0.76-15.el7.src.rpm
  MD5: d88214e87aa6c5b6d62da21baf565395
  SHA-256: 59fac5d7a9fbe26d36f5a5c2ca269b1789f8a25cb372a4a8ae21f43d3940418f
  Size: 4.61 MB
Asianux Server 7 for x86_64
- tomcat-7.0.76-15.el7.noarch.rpm
  MD5: bc1e2ffd9b26217fb294eb40a5555062
  SHA-256: 6b21741113867ba997e536a921b50e09c1a9fc4bb0d24c565576ad4f1e2d0261
  Size: 92.17 kB
- tomcat-admin-webapps-7.0.76-15.el7.noarch.rpm
  MD5: 71e9e2bbacf987c79df43cf5c54854ed
  SHA-256: d66b2e792053c2358e164540f953156aeb7bc9bd6d8cd360cf4462932284bc4c
  Size: 40.31 kB
- tomcat-el-2.2-api-7.0.76-15.el7.noarch.rpm
  MD5: 1f8f5c0b2f7bd958290c882b8aab20a3
  SHA-256: cd9197d13f2af6c40f4a65caac666e6c0cb98cc5f93d058a624c3d30acbfd9c2
  Size: 81.55 kB
- tomcat-jsp-2.2-api-7.0.76-15.el7.noarch.rpm
  MD5: 44fb3a18373641fffdc020bcb3f6b594
  SHA-256: ab64047dbcdbf105e5a4972acc529c35508ce92c04ac8bb82ec364cd0b003df6
  Size: 95.27 kB
- tomcat-lib-7.0.76-15.el7.noarch.rpm
  MD5: 67514a4f6533efc4d3fbaeddb0b4f72c
  SHA-256: 179a35338257d91f5f5d9555563c803caa452ff670bde44bf181d09a42702957
  Size: 3.86 MB
- tomcat-servlet-3.0-api-7.0.76-15.el7.noarch.rpm
  MD5: f763f5deb5dcee9c511f6676b5e7f82f
  SHA-256: bd3aa1388fa058b30cc63dd89676a8a6860de23da039713c883370e346e892b9
  Size: 212.64 kB
- tomcat-webapps-7.0.76-15.el7.noarch.rpm
  MD5: 702081adaed6823cc4f0cd7955e32eec
  SHA-256: c5884990a91ab43bdca24dee367a3217de9bd3fd550061c903066975e2eb82f1
  Size: 341.06 kB