tomcat-7.0.69-12.el7
Errata ID: AXSA:2017-1748:02
Release date:
2017/07/27 Thursday - 12:54
Title:
tomcat-7.0.69-12.el7
Affected channels:
Asianux Server 7 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Apache Tomcat did not use the appropriate facade object for some calls to
application listeners. When an untrusted application is run under a
SecurityManager, that application could retain a reference to the request or
response object and thereby access or modify information belonging to another
web application. (CVE-2017-5648)
- The error page mechanism of the Java Servlet Specification forwards the
original request and response, including the original HTTP method, to the
error page when an error occurs and an error page is configured for it.
Tomcat's DefaultServlet did not serve a static error page as a GET regardless
of that method, so if the DefaultServlet is configured to permit writes
(readonly=false), a crafted HTTP request (for example PUT or DELETE) could
replace or remove the custom error page. (CVE-2017-5664)
Some of the CVE descriptions are quoted from JVN.
http://jvndb.jvn.jp/
Solution:
Update the packages.
CVE:
CVE-2017-5648
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
CVE-2017-5664
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve the content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
Additional information:
N/A
Download:
SRPMS
- tomcat-7.0.69-12.el7.src.rpm
MD5: dcd7806def3081302d680dc6f5d1c2c4
SHA-256: 949056c260cc04dd6c0b16026e4dba4dba49b3a69b6e149802954c143d4a933a
Size: 4.57 MB
Asianux Server 7 for x86_64
- tomcat-7.0.69-12.el7.noarch.rpm
MD5: a5843a3114e3085f0971797398acba02
SHA-256: d32609c38fb5caaa34ed1d3fc9feb6c25c26a6839dd08c344af90916b2c3519d
Size: 88.33 kB
- tomcat-admin-webapps-7.0.69-12.el7.noarch.rpm
MD5: 6bbd23656d0b66f2498b50aab3a97796
SHA-256: 1db6a8b60e482542123ff6357c216554000578b95af8ea574b5c1f30cfa536d7
Size: 40.51 kB
- tomcat-el-2.2-api-7.0.69-12.el7.noarch.rpm
MD5: c804d558d1d684a87420f493f2ea7bb5
SHA-256: ecb08b9461cc563df4f6b5a8544f6d392fed7721dfa545d21fe0d2191ac004cc
Size: 78.75 kB
- tomcat-jsp-2.2-api-7.0.69-12.el7.noarch.rpm
MD5: 304c3017a545044aac041a37f7704f82
SHA-256: 6a1782b5e66e4e230047bc02e6fdc3925edf592f9d38d457a5cae865b9b6f07e
Size: 92.47 kB
- tomcat-lib-7.0.69-12.el7.noarch.rpm
MD5: c9bd344620069df5223b98e90f291413
SHA-256: 3c6528e5873d524773057f32b430f4c85d6ec0cc605e6b58368aa605dd2eaf02
Size: 3.83 MB
- tomcat-servlet-3.0-api-7.0.69-12.el7.noarch.rpm
MD5: 0b8ed4de6be85d233e389eb376c2cfa7
SHA-256: e768b4209d5c164823a8d38233f9cd7f0c8c2da5657d382e98388f6956169619
Size: 209.85 kB
- tomcat-webapps-7.0.69-12.el7.noarch.rpm
MD5: e46c433cb7b195025d33dc168d603e27
SHA-256: b8073b75a98a20a122662df1f2a5d72ce868064e74cf8090d93174df84de3cdd
Size: 356.18 kB