Red Hat Product Errata RHSA-2016:1087 - Security Advisory
Issued: 2016-05-17
Updated: 2016-05-17

Synopsis

Moderate: Red Hat JBoss Web Server 3.0.3 update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References section.

Security Fix(es):

  • A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)
  • A CSRF flaw was found in the index pages of Tomcat's Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351)
  • It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)
  • A security manager bypass flaw was found in Tomcat's ResourceLinkFactory.setGlobalContext() method, which did not check whether its caller was authorized. A remote, authenticated user could use a web application that set a crafted global context to read or write arbitrary application data, or to cause a denial of service. (CVE-2016-0763)
  • It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)
  • It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.
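Two post-install checks, added here as an example and not part of the advisory or of Red Hat's tooling. Red Hat backports security fixes, so the upstream version in the package name (tomcat7-7.0.59, tomcat8-8.0.18) does not tell you whether these CVEs are fixed; the package changelog and the advisory's SHA-256 sums do. The script assumes you have saved `rpm -q --changelog <package>` to a file and copied the "<file> SHA-256: <hex>" lines from the advisory into a manifest file; the changelog and manifest used by the demo are constructed inputs, not real package data.

```shell
#!/bin/sh
# Added example for RHSA-2016:1087; not code from the advisory.
# On a real host:
#   rpm -q --changelog tomcat7 > /tmp/tomcat7.changelog
#   missing_cves /tmp/tomcat7.changelog CVE-2015-5345 CVE-2015-5346 \
#       CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763
#   verify_checksums manifest.txt /path/to/downloaded/rpms
#
# Run "sh check_rhsa.sh demo" to exercise both checks on constructed input.

# Print "MISSING <cve>" for every CVE id not mentioned in the changelog file;
# return 1 if any were missing, 0 if all are present.
missing_cves() {
  changelog="$1"; shift
  rc=0
  for cve in "$@"; do
    if ! grep -q -- "$cve" "$changelog"; then
      echo "MISSING $cve"
      rc=1
    fi
  done
  return $rc
}

# Compare each "<file> SHA-256: <hex>" line in MANIFEST against the file of
# that name in DIR. Return 1 on any missing file, malformed line or mismatch.
verify_checksums() {
  manifest="$1"; dir="$2"; rc=0
  while read -r file label expected; do
    [ -n "$file" ] || continue                      # skip blank lines
    if [ "$label" != "SHA-256:" ]; then
      echo "BAD LINE: $file $label $expected"; rc=1; continue
    fi
    path="$dir/$file"
    if [ ! -f "$path" ]; then
      echo "MISSING  $file"; rc=1; continue
    fi
    actual=$(sha256sum "$path" | cut -d ' ' -f 1)
    if [ "$actual" = "$expected" ]; then
      echo "OK       $file"
    else
      echo "MISMATCH $file expected=$expected actual=$actual"; rc=1
    fi
  done < "$manifest"
  return $rc
}

# Constructed demo data (hypothetical changelog and RPM contents).
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/tomcat7.changelog" <<'EOF'
* Tue May 17 2016 Example Packager <nobody@example.invalid> - 7.0.59-50_patch_01
- Resolves: CVE-2015-5346 CVE-2016-0714 CVE-2016-0706
EOF
  printf 'hello\n' > "$tmp/good.rpm"      # sha256 of "hello\n"
  printf 'tampered\n' > "$tmp/bad.rpm"    # listed with the hash of good.rpm
  cat > "$tmp/manifest" <<'EOF'
good.rpm SHA-256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
bad.rpm SHA-256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03
EOF
  echo "== changelog check (expect three MISSING lines) =="
  missing_cves "$tmp/tomcat7.changelog" CVE-2015-5345 CVE-2015-5346 \
      CVE-2015-5351 CVE-2016-0706 CVE-2016-0714 CVE-2016-0763 || true
  echo "== checksum check (expect one OK, one MISMATCH) =="
  verify_checksums "$tmp/manifest" "$tmp" || true
  rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then
  demo
fi
```

The changelog check is only as good as the packager's changelog entries; if a CVE id is absent, confirm with `rpm -q tomcat7 tomcat8 httpd24` that the installed NVRs are at or above the ones listed under Updated Packages before concluding the host is unpatched.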

Affected Products

  • JBoss Enterprise Web Server 3 for RHEL 6 x86_64
  • JBoss Enterprise Web Server 3 for RHEL 6 i386

Fixes

  • BZ - 1311076 - CVE-2015-5351 tomcat: CSRF token leak
  • BZ - 1311082 - CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
  • BZ - 1311085 - CVE-2015-5346 tomcat: Session fixation
  • BZ - 1311087 - CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
  • BZ - 1311089 - CVE-2015-5345 tomcat: directory disclosure
  • BZ - 1311093 - CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()

CVEs

  • CVE-2015-5345
  • CVE-2015-5346
  • CVE-2015-5351
  • CVE-2016-0706
  • CVE-2016-0714
  • CVE-2016-0763

References

  • http://www.redhat.com/security/updates/classification/#normal
Note: More recent versions of these packages may be available.

JBoss Enterprise Web Server 3 for RHEL 6

SRPM
httpd24-2.4.6-61.ep7.el6.src.rpm SHA-256: b863ca67615841199fd3f4f2b79e6ca9e19ff2296c77da96b83f804f32cdf298
mod_security-jws3-2.8.0-7.GA.ep7.el6.src.rpm SHA-256: 8a749ca69cb47e1d0921a0bff180811c5dd0c25b8d32b4e9764a473d07347526
tomcat7-7.0.59-50_patch_01.ep7.el6.src.rpm SHA-256: 65cb4dd28901238d87eec55d69c0907f46ef6cce3a2e4ff6eb2e8b70ed3cbea3
tomcat8-8.0.18-61_patch_01.ep7.el6.src.rpm SHA-256: e3114abbd43126c063b3e933faa3cc3553c0fb7b70b35a99085cc0850277d734
x86_64
httpd24-2.4.6-61.ep7.el6.x86_64.rpm SHA-256: b1c339fa014e71d56a9defe685b9ecfe8b513aee99df8abee21cf02bf98d3c63
httpd24-debuginfo-2.4.6-61.ep7.el6.x86_64.rpm SHA-256: 6b2ad752fc14218a8db50b0c88d292fae1e57fd5b2c322b321791f10f3359dd7
httpd24-devel-2.4.6-61.ep7.el6.x86_64.rpm SHA-256: 658522548b9cbe16625ec5ca6010e502e700437d7d5990773438bd6219a4d9b4
httpd24-manual-2.4.6-61.ep7.el6.noarch.rpm SHA-256: ea206591e0c527a5f0ee830eda064ffe3fca9a1246e3332406f7cd0c5cf26092
httpd24-tools-2.4.6-61.ep7.el6.x86_64.rpm SHA-256: ce510d08a8eb2a0042d939b7cfad337940f252089e84e8976f180652e1c3c614
mod_ldap24-2.4.6-61.ep7.el6.x86_64.rpm SHA-256: 29030d2d4ce2eed046fa08fec78a2e668d405e50612d482bef7de7e4bcd5d169
mod_proxy24_html-2.4.6-61.ep7.el6.x86_64.rpm SHA-256: bed8733dc2422508a2f31ef493c7450a896ef988fbb1841a586f4b4f9adbea84
mod_security-jws3-2.8.0-7.GA.ep7.el6.x86_64.rpm SHA-256: 0274cb8032861c22d13154eb757beb9cad35a1b2478133a15aef67c20a208714
mod_security-jws3-debuginfo-2.8.0-7.GA.ep7.el6.x86_64.rpm SHA-256: bd3960760e45b0d1dd6c5b03d96ebbc03aef000b28d1a0225d1f56b81569427c
mod_session24-2.4.6-61.ep7.el6.x86_64.rpm SHA-256: 9094fe72f2f026a2f50f43d3af08dc2db036a0efe3f6d46bb7e8b229094c7a7c
mod_ssl24-2.4.6-61.ep7.el6.x86_64.rpm SHA-256: 1cd73df8ab7b3bbc1f39768ab318c8058ce434fd7453ce6a6f4412c82e49e140
tomcat7-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: ace6cc717b36d8addc2068c8d6d2a15bea4ceebf2e54569497ae6d72325568bd
tomcat7-admin-webapps-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: c29809effcbfc1c2f2d20324c0b96a4e8803da20e1f18419028f4ae5ad996986
tomcat7-docs-webapp-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 4c37fc0be06172a71c8cd15f6b5e7866fa35414fb58edee698df15409a676e82
tomcat7-el-2.2-api-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 77c3cf8bf586f4e5b9d5404c9be5694b015ddeab183d575bdc716c9113cec6ac
tomcat7-javadoc-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 5f7ec2a463626afd095cb352c4668128e75ee588d94b45da57d5f47723f88e13
tomcat7-jsp-2.2-api-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 07e4d0de68901c6b0a0f4961dd30cf16122491bb483879f14877f1ee6d34303c
tomcat7-lib-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 34a963193d735a125938e2b0f2e38419e313b4cb638b05637e825de40209c8f5
tomcat7-log4j-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 20530e5f3a7b85e70ae58057597d6419c868e630f8ec8e20fcae17adf714e103
tomcat7-servlet-3.0-api-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 213e2e03910143b3b2b67ac2a13e08af603fe79f9a9e014a7a79d8f95dcfaa9a
tomcat7-webapps-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 4c4e452f2b2dbe734752ac1db150f785e78dda95de74c86929aa90abe6cb9ef2
tomcat8-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: b70997dca935b3002c984b5a2143f0ed5cd9798e1170a8931b4abb2da863fdca
tomcat8-admin-webapps-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: dbeff11c5e775c4731b61cde391fb48b4304c6d441ca7594237af424ca7b5a2f
tomcat8-docs-webapp-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: c3e6aecf0d18d3994a55caddba92c4a1868e44671ae6200547cd901e482045c4
tomcat8-el-2.2-api-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: 25899b0c10d77e99999e1b154a82aabb59f90b42249050231152a22658244202
tomcat8-javadoc-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: 8c0f6034721b0d3c1f4bf9f58175642ff76bf33996043f7df7cb19018086879d
tomcat8-jsp-2.3-api-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: 04aae0b4cae2ce616ebbad55dd099a3a2668a140059a9c8e90cdd4f2b34ff40a
tomcat8-lib-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: 3b6be728fd2010ffb205e89faa185df297ccf84a1a32d3e3d9d4f3856728b887
tomcat8-log4j-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: ff622c623722d4d01aa4a6ca3d91fa8d3eb49aa3077e193e736652b357e98aac
tomcat8-servlet-3.1-api-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: 75c2b7b946a0343bbf355af364a9f3b66572d741d5d9a528f4be14baf30922c4
tomcat8-webapps-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: f65af2dcde3b7c071146bb839b2395d106f406752d6d21ca39177521e74d8f80
i386
httpd24-2.4.6-61.ep7.el6.i686.rpm SHA-256: a2777a78a4d32668abff1647fa5150addaa4b2645bffb380116d75c1dd5076da
httpd24-debuginfo-2.4.6-61.ep7.el6.i686.rpm SHA-256: 4b205817ea70f0e8e92e7bdf1bc2cc46444f8e6fac154229b4faba4ba0f9b772
httpd24-devel-2.4.6-61.ep7.el6.i686.rpm SHA-256: e2643c9d1e7230e6f980534031d9c295fd4e2bd0e235b99a3e8f0c484e27c4b2
httpd24-manual-2.4.6-61.ep7.el6.noarch.rpm SHA-256: ea206591e0c527a5f0ee830eda064ffe3fca9a1246e3332406f7cd0c5cf26092
httpd24-tools-2.4.6-61.ep7.el6.i686.rpm SHA-256: 5980374afc70dcdfcc91f81382437d3f7f345c13caec2f7dcc01d4beb57e0cd0
mod_ldap24-2.4.6-61.ep7.el6.i686.rpm SHA-256: 5d45a6fa3508fe25faeac7c022d7b19e2933bb54b02c70276e5a1c904f3adb55
mod_proxy24_html-2.4.6-61.ep7.el6.i686.rpm SHA-256: 435d83611f95ed3500da6f10b1061c719c70a621e6c2607cf4662b6f8a943228
mod_security-jws3-2.8.0-7.GA.ep7.el6.i686.rpm SHA-256: 8a29ad93e9032be11bedc9b56d321358259d43e7773e3541b595cd6214fc75b5
mod_security-jws3-debuginfo-2.8.0-7.GA.ep7.el6.i686.rpm SHA-256: 49d1eae177fe8e096562832dc8de2d3b2203548e2434832663cc70797637cc2b
mod_session24-2.4.6-61.ep7.el6.i686.rpm SHA-256: 7c8c857dcfbbdb52d1d544016a904f869d7d0f30349bd0c3af1521a6a171f0e8
mod_ssl24-2.4.6-61.ep7.el6.i686.rpm SHA-256: 7d33bec21658d24f5d6ec674c19170c35f41983d2b1c8be639efb7acce59c0ba
tomcat7-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: ace6cc717b36d8addc2068c8d6d2a15bea4ceebf2e54569497ae6d72325568bd
tomcat7-admin-webapps-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: c29809effcbfc1c2f2d20324c0b96a4e8803da20e1f18419028f4ae5ad996986
tomcat7-docs-webapp-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 4c37fc0be06172a71c8cd15f6b5e7866fa35414fb58edee698df15409a676e82
tomcat7-el-2.2-api-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 77c3cf8bf586f4e5b9d5404c9be5694b015ddeab183d575bdc716c9113cec6ac
tomcat7-javadoc-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 5f7ec2a463626afd095cb352c4668128e75ee588d94b45da57d5f47723f88e13
tomcat7-jsp-2.2-api-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 07e4d0de68901c6b0a0f4961dd30cf16122491bb483879f14877f1ee6d34303c
tomcat7-lib-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 34a963193d735a125938e2b0f2e38419e313b4cb638b05637e825de40209c8f5
tomcat7-log4j-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 20530e5f3a7b85e70ae58057597d6419c868e630f8ec8e20fcae17adf714e103
tomcat7-servlet-3.0-api-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 213e2e03910143b3b2b67ac2a13e08af603fe79f9a9e014a7a79d8f95dcfaa9a
tomcat7-webapps-7.0.59-50_patch_01.ep7.el6.noarch.rpm SHA-256: 4c4e452f2b2dbe734752ac1db150f785e78dda95de74c86929aa90abe6cb9ef2
tomcat8-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: b70997dca935b3002c984b5a2143f0ed5cd9798e1170a8931b4abb2da863fdca
tomcat8-admin-webapps-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: dbeff11c5e775c4731b61cde391fb48b4304c6d441ca7594237af424ca7b5a2f
tomcat8-docs-webapp-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: c3e6aecf0d18d3994a55caddba92c4a1868e44671ae6200547cd901e482045c4
tomcat8-el-2.2-api-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: 25899b0c10d77e99999e1b154a82aabb59f90b42249050231152a22658244202
tomcat8-javadoc-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: 8c0f6034721b0d3c1f4bf9f58175642ff76bf33996043f7df7cb19018086879d
tomcat8-jsp-2.3-api-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: 04aae0b4cae2ce616ebbad55dd099a3a2668a140059a9c8e90cdd4f2b34ff40a
tomcat8-lib-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: 3b6be728fd2010ffb205e89faa185df297ccf84a1a32d3e3d9d4f3856728b887
tomcat8-log4j-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: ff622c623722d4d01aa4a6ca3d91fa8d3eb49aa3077e193e736652b357e98aac
tomcat8-servlet-3.1-api-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: 75c2b7b946a0343bbf355af364a9f3b66572d741d5d9a528f4be14baf30922c4
tomcat8-webapps-8.0.18-61_patch_01.ep7.el6.noarch.rpm SHA-256: f65af2dcde3b7c071146bb839b2395d106f406752d6d21ca39177521e74d8f80

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
