Red Hat Product Errata RHSA-2015:2660 - Security Advisory
Issued: 2015-12-16
Updated: 2015-12-16

Synopsis

Moderate: Red Hat JBoss Web Server 3.0.2 security update

Type/Severity

Security Advisory: Moderate

Topic

Updated Red Hat JBoss Web Server 3.0.2 packages are now available for Red
Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It comprises the
Apache HTTP Server, the Apache Tomcat Servlet container, Apache
Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster),
Hibernate, and the Tomcat Native library.

It was found that Tomcat would keep connections open after processing
requests with a large enough request body. A remote attacker could
potentially use this flaw to exhaust the pool of available connections
and prevent further, legitimate connections to the Tomcat server.
(CVE-2014-0230)

A flaw was found in the way httpd handled HTTP Trailer headers when
processing requests using chunked encoding. A malicious client could
use Trailer headers to set additional HTTP headers after header
processing was performed by other modules. This could, for example,
lead to a bypass of header restrictions defined with mod_headers.
(CVE-2013-5704)

Multiple flaws were found in the way httpd parsed HTTP requests and
responses using chunked transfer encoding. A remote attacker could
use these flaws to create a specially crafted request, which httpd
would decode differently from an HTTP proxy software in front of it,
possibly leading to HTTP request smuggling attacks. (CVE-2015-3183)
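
The two httpd flaws above both concern chunked request bodies. The following added example (not Red Hat or httpd code) shows a deliberately strict chunked-body decoder that rejects ambiguous input instead of repairing it and keeps trailer fields apart from the headers that policy code sees. The strictness rules, the `mergeable` allow-list and the sample bytes are assumptions of this example.

```python
import re

# Assumed strict policy for this example: a chunk-size line is 1-8 hex digits
# and nothing else (no padding, sign, "0x" prefix or chunk extension).
CHUNK_SIZE = re.compile(rb"[0-9A-Fa-f]{1,8}")
FIELD_NAME = re.compile(rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]+")  # RFC 7230 token

class ChunkedError(ValueError):
    """The message is ambiguous and is rejected rather than repaired."""

def _line(raw, pos):
    end = raw.find(b"\r\n", pos)
    if end < 0:
        raise ChunkedError("line not terminated by CRLF")
    return raw[pos:end], end + 2

def decode_chunked(raw):
    """Decode a chunked body; return (body, trailers, unread_bytes)."""
    pos, body = 0, bytearray()
    while True:
        size_line, pos = _line(raw, pos)
        if not CHUNK_SIZE.fullmatch(size_line):
            raise ChunkedError("bad chunk-size line: %r" % size_line)
        size = int(size_line, 16)
        if size == 0:
            break
        if raw[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk data not followed by CRLF")
        body += raw[pos:pos + size]
        pos += size + 2
    trailers = []
    while True:
        field, pos = _line(raw, pos)
        if not field:  # empty line ends the trailer section
            break
        name, sep, value = field.partition(b":")
        if not sep or not FIELD_NAME.fullmatch(name):
            raise ChunkedError("bad trailer field: %r" % field)
        trailers.append((name.decode().lower(), value.strip().decode("latin-1")))
    return bytes(body), trailers, raw[pos:]

def request_headers(headers, trailers, mergeable=()):
    """Headers that policy code sees: a trailer is merged only if allow-listed."""
    merged = dict(headers)
    merged.update((n, v) for n, v in trailers if n in mergeable)
    return merged

# Constructed sample: a 5-byte body followed by one trailer field.
SAMPLE = b"5\r\nhello\r\n0\r\nX-Example-Trailer: 1\r\n\r\n"
```
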

  • This enhancement update adds the Red Hat JBoss Web Server 3.0.2
    packages to Red Hat Enterprise Linux 7. These packages provide a
    number of enhancements over the previous version of Red Hat JBoss Web
    Server. (JIRA#JWS-229)

Users of Red Hat JBoss Web Server are advised to upgrade to these
updated packages, which add this enhancement.

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:
https://access.redhat.com/articles/11258
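
One way to confirm the update landed is to compare installed builds against the builds in this advisory's package list. This is an added example, not Red Hat tooling: the comparison is a simplified form of RPM's version ordering (no epoch, `~` or `^` handling), only three packages are tracked, and the installed-package lines are constructed sample data.

```python
import re

# Fixed builds copied from this advisory's package list (name -> version, release).
FIXED = {
    "httpd24": ("2.4.6", "59.ep7.el7"),
    "tomcat7": ("7.0.59", "42_patch_01.ep7.el7"),
    "tomcat8": ("8.0.18", "52_patch_01.ep7.el7"),
}


def rpmvercmp(a, b):
    """Simplified RPM version comparison: -1, 0 or 1 (no epoch, '~' or '^')."""
    sa = re.findall(r"[0-9]+|[A-Za-z]+", a)
    sb = re.findall(r"[0-9]+|[A-Za-z]+", b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():      # a numeric segment beats an alphabetic one
            return 1 if x.isdigit() else -1
        if x.isdigit():
            x, y = int(x), int(y)           # numeric segments compare as integers
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # extra segments mean newer


def outdated(installed_lines):
    """Return (name, installed, fixed) for tracked packages older than the fix."""
    findings = []
    for line in installed_lines:
        parts = line.strip().rsplit("-", 2)  # NAME-VERSION-RELEASE
        if len(parts) != 3 or parts[0] not in FIXED:
            continue
        name, version, release = parts
        fixed_v, fixed_r = FIXED[name]
        order = rpmvercmp(version, fixed_v) or rpmvercmp(release, fixed_r)
        if order < 0:
            findings.append((name, f"{version}-{release}", f"{fixed_v}-{fixed_r}"))
    return findings


# Constructed sample of: rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
SAMPLE = """\
httpd24-2.4.6-40.ep7.el7
tomcat7-7.0.59-42_patch_01.ep7.el7
tomcat8-8.0.18-50.ep7.el7
bash-4.2.46-19.el7
""".splitlines()

if __name__ == "__main__":
    for name, have, need in outdated(SAMPLE):
        print(f"{name}: installed {have}, advisory build {need}")
```
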

Affected Products

  • JBoss Enterprise Web Server 3 for RHEL 7 x86_64

Fixes

  • BZ - 1082903 - CVE-2013-5704 httpd: bypass of mod_headers rules via chunked requests
  • BZ - 1191200 - CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload
  • BZ - 1243887 - CVE-2015-3183 httpd: HTTP request smuggling attack against chunked request parser
  • BZ - 1263884 - JWS3.0.2 tracker for RHEL7

CVEs

  • CVE-2013-5704
  • CVE-2014-0230
  • CVE-2014-3581
  • CVE-2015-3183
  • CVE-2015-5174

References

  • http://www.redhat.com/security/updates/classification/#normal

Note: More recent versions of these packages may be available.

JBoss Enterprise Web Server 3 for RHEL 7

SRPM

  • apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el7.src.rpm
  • httpd24-2.4.6-59.ep7.el7.src.rpm
  • mod_bmx-0.9.5-7.GA.ep7.el7.src.rpm
  • mod_cluster-native-1.3.1-6.Final_redhat_2.ep7.el7.src.rpm
  • tomcat-vault-1.0.8-4.Final_redhat_4.1.ep7.el7.src.rpm
  • tomcat7-7.0.59-42_patch_01.ep7.el7.src.rpm
  • tomcat8-8.0.18-52_patch_01.ep7.el7.src.rpm

x86_64

  • apache-commons-collections-eap6-3.2.1-18.redhat_7.1.ep6.el7.noarch.rpm
  • apache-commons-collections-tomcat-eap6-3.2.1-18.redhat_7.1.ep6.el7.noarch.rpm
  • httpd24-2.4.6-59.ep7.el7.x86_64.rpm
  • httpd24-debuginfo-2.4.6-59.ep7.el7.x86_64.rpm
  • httpd24-devel-2.4.6-59.ep7.el7.x86_64.rpm
  • httpd24-manual-2.4.6-59.ep7.el7.noarch.rpm
  • httpd24-tools-2.4.6-59.ep7.el7.x86_64.rpm
  • mod_bmx-0.9.5-7.GA.ep7.el7.x86_64.rpm
  • mod_bmx-debuginfo-0.9.5-7.GA.ep7.el7.x86_64.rpm
  • mod_cluster-native-1.3.1-6.Final_redhat_2.ep7.el7.x86_64.rpm
  • mod_cluster-native-debuginfo-1.3.1-6.Final_redhat_2.ep7.el7.x86_64.rpm
  • mod_ldap24-2.4.6-59.ep7.el7.x86_64.rpm
  • mod_proxy24_html-2.4.6-59.ep7.el7.x86_64.rpm
  • mod_session24-2.4.6-59.ep7.el7.x86_64.rpm
  • mod_ssl24-2.4.6-59.ep7.el7.x86_64.rpm
  • tomcat-vault-1.0.8-4.Final_redhat_4.1.ep7.el7.noarch.rpm
  • tomcat7-7.0.59-42_patch_01.ep7.el7.noarch.rpm
  • tomcat7-admin-webapps-7.0.59-42_patch_01.ep7.el7.noarch.rpm
  • tomcat7-docs-webapp-7.0.59-42_patch_01.ep7.el7.noarch.rpm
  • tomcat7-el-2.2-api-7.0.59-42_patch_01.ep7.el7.noarch.rpm
  • tomcat7-javadoc-7.0.59-42_patch_01.ep7.el7.noarch.rpm
  • tomcat7-jsp-2.2-api-7.0.59-42_patch_01.ep7.el7.noarch.rpm
  • tomcat7-lib-7.0.59-42_patch_01.ep7.el7.noarch.rpm
  • tomcat7-log4j-7.0.59-42_patch_01.ep7.el7.noarch.rpm
  • tomcat7-servlet-3.0-api-7.0.59-42_patch_01.ep7.el7.noarch.rpm
  • tomcat7-webapps-7.0.59-42_patch_01.ep7.el7.noarch.rpm
  • tomcat8-8.0.18-52_patch_01.ep7.el7.noarch.rpm
  • tomcat8-admin-webapps-8.0.18-52_patch_01.ep7.el7.noarch.rpm
  • tomcat8-docs-webapp-8.0.18-52_patch_01.ep7.el7.noarch.rpm
  • tomcat8-el-2.2-api-8.0.18-52_patch_01.ep7.el7.noarch.rpm
  • tomcat8-javadoc-8.0.18-52_patch_01.ep7.el7.noarch.rpm
  • tomcat8-jsp-2.3-api-8.0.18-52_patch_01.ep7.el7.noarch.rpm
  • tomcat8-lib-8.0.18-52_patch_01.ep7.el7.noarch.rpm
  • tomcat8-log4j-8.0.18-52_patch_01.ep7.el7.noarch.rpm
  • tomcat8-servlet-3.1-api-8.0.18-52_patch_01.ep7.el7.noarch.rpm
  • tomcat8-webapps-8.0.18-52_patch_01.ep7.el7.noarch.rpm

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
