- On Red Hat Enterprise Linux, Apache Tomcat initscripts should be located in the /etc/rc.d/init.d directory. However, the comman initscript was previously located in the /etc/init.d directory due to a mistake in the package specs file. With this update, the specs file has been updated and the conman script is located in the /etc/rc.d/init.d directory along with other initscripts as expected.
- When a web application used its own class loader, a deadlock in Tomcat WebappClassLoader could occur when compiling JSPs due to a synchronization bug. This update fixes the synchronization bug and external class loaders no longer interfere with WebappClassLoader.
- The service status returned an incorrect tomcat6 status when TOMCAT_USER in the /etc/tomcat6/tomcat6.conf file was changed to a user whose UID differed from the user GID due to incorrect logic in retrieving the process details. With this update, the code has been modified and the correct service status is now returned in this scenario.
- A flaw was found in the way the tomcat6 init script handled the tomcat6-initd.log log file. A malicious web application deployed on Tomcat could use this flaw to perform a symbolic link attack to change the ownership of an arbitrary system file to that of the tomcat user, allowing them to escalate their privileges to root.
- Note: With this update, tomcat6-initd.log has been moved from /var/log/tomcat6/ to the /var/log/ directory.It was found that the RHSA-2013:0623 update did not correctly fix CVE-2012-5887, a weakness in the Tomcat DIGEST authentication implementation. A remote attacker could use this flaw to perform replay attacks in some circumstances. Additionally, this problem also prevented users from being able to authenticate using DIGEST authentication.
- It was found that when an application used FORM authentication, along with another component that calls request.setUserPrincipal() before the call to FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was possible to bypass the security constraint checks in the FORM authenticator by appending "/j_security_check" to the end of a URL. A remote attacker with an authenticated session on an affected application could use this flaw to circumvent authorization controls, and thereby access resources not permitted by the roles associated with their authenticated session.
- A flaw was found in the way Tomcat handled sendfile operations when using the HTTP NIO (Non-Blocking I/O) connector and HTTPS. A remote attacker could use this flaw to cause a denial of service (infinite loop). The HTTP blocking IO (BIO) connector, which is not vulnerable to this issue, is used by default in Red Hat Enterprise Linux 6.
- CVE-2012-5885, CVE-2012-5886, CVE-2012-5887
- Multiple weaknesses were found in the Tomcat DIGEST authentication implementation, effectively reducing the security normally provided by DIGEST authentication. A remote attacker could use these flaws to perform replay attacks in some circumstances.