Synopsis

Moderate: Red Hat JBoss Web Server 3.0.3 update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes documented linked to in the References.

Security Fix(es):

• A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)
  
• A CSRF flaw was found in Tomcat's the index pages for the Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351)
  
• It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)
  
• A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763)
  
• It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)
  
• It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

• JBoss Enterprise Web Server 3 for RHEL 7 x86_64

Fixes

• BZ - 1311076 - CVE-2015-5351 tomcat: CSRF token leak
• BZ - 1311082 - CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
• BZ - 1311085 - CVE-2015-5346 tomcat: Session fixation
• BZ - 1311087 - CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
• BZ - 1311089 - CVE-2015-5345 tomcat: directory disclosure
• BZ - 1311093 - CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()

CVEs

• CVE-2015-5345
• CVE-2015-5346
• CVE-2015-5351
• CVE-2016-0706
• CVE-2016-0714
• CVE-2016-0763

References

• http://www.redhat.com/security/updates/classification/#normal

JBoss Enterprise Web Server 3 for RHEL 7

SRPM
httpd24-2.4.6-61.ep7.el7.src.rpm	SHA-256: 34231b5b7a168e439304cf28115b508a2f33d54e5fdd297a9aa26e9870ebdb14
mod_security-jws3-2.8.0-7.GA.ep7.el7.src.rpm	SHA-256: 082c009f1357d11014d1b22c7078685062504a2c08e67976b384690c1fd9c290
tomcat7-7.0.59-50_patch_01.ep7.el7.src.rpm	SHA-256: 2ae239e076d1c64cb6e195244172b75e741933957fe872c842cb645dd2ad1afe
tomcat8-8.0.18-61_patch_01.ep7.el7.src.rpm	SHA-256: 40a8970cb24dbfe44734f4edf880b4e4d199869f5a58f44c56022bd535fb945b
x86_64
httpd24-2.4.6-61.ep7.el7.x86_64.rpm	SHA-256: 9b0e6d4673d201b6b5f45565309b6fdb3cee420b9798bc7a07098a19ed82f76b
httpd24-debuginfo-2.4.6-61.ep7.el7.x86_64.rpm	SHA-256: e6ef46aea0f95b06070fc96256851d9d601d64dc7248098882ba25b2bf23311f
httpd24-devel-2.4.6-61.ep7.el7.x86_64.rpm	SHA-256: 6cc0e61202a416c44403be211038596fca0041830e4bb314ad8a5f4347687d2e
httpd24-manual-2.4.6-61.ep7.el7.noarch.rpm	SHA-256: c88f25c60f1e39c872239cb914511510ba7660c8a2e5afe65e7ea7e7ba84ea6a
httpd24-tools-2.4.6-61.ep7.el7.x86_64.rpm	SHA-256: be9d10a7e10c7f4d7494c6039d20518c070a38456348973e4d6287c232346d14
mod_ldap24-2.4.6-61.ep7.el7.x86_64.rpm	SHA-256: c371fb8b171a2cdc633c55006e31fc50884f886dd3d589d0248060530bee07aa
mod_proxy24_html-2.4.6-61.ep7.el7.x86_64.rpm	SHA-256: 20c7628f4e9b132be3baf17e72d42f0759bffdc02ac131fed5862e7820fc1675
mod_security-jws3-2.8.0-7.GA.ep7.el7.x86_64.rpm	SHA-256: 6c4c0c767663571c7807444215c9cc1cbaccaab8d34571235af211a22e3ba2ed
mod_security-jws3-debuginfo-2.8.0-7.GA.ep7.el7.x86_64.rpm	SHA-256: dd04bc71d84df0db688154d1d56dc4c5021208e6f8e1a31570d8c0a90162a9e7
mod_session24-2.4.6-61.ep7.el7.x86_64.rpm	SHA-256: c7957e6b635b9aef14c396f4731c13e07340474f5eb4febeda9ad3b5d7d70015
mod_ssl24-2.4.6-61.ep7.el7.x86_64.rpm	SHA-256: eb751d34a503ba7a7035c5ff82ab1fb8c85a5a002ddd49f95561c104c06989f0
tomcat7-7.0.59-50_patch_01.ep7.el7.noarch.rpm	SHA-256: 742ad5085cf18aa5c7269d1c9ac14a0de510f7d6ffc7ca1be17e6fcc56307f64
tomcat7-admin-webapps-7.0.59-50_patch_01.ep7.el7.noarch.rpm	SHA-256: 511f7ea8b95bc8f1c4c609b5e5f85498894b4e6dd70d37bdafec87ee108215e9
tomcat7-docs-webapp-7.0.59-50_patch_01.ep7.el7.noarch.rpm	SHA-256: 562799e87023a668def0b1119547f1f664bec78ffc754ba222315f17b7039600
tomcat7-el-2.2-api-7.0.59-50_patch_01.ep7.el7.noarch.rpm	SHA-256: 7164af7fe463719b31371f6072d811634a5987e79d961306873c054851b34ef7
tomcat7-javadoc-7.0.59-50_patch_01.ep7.el7.noarch.rpm	SHA-256: 58b75cb2d49cba71da23968b4534f3aa77dbcdbb1ff9342f91e4d9459e3f77de
tomcat7-jsp-2.2-api-7.0.59-50_patch_01.ep7.el7.noarch.rpm	SHA-256: 5cdeea8853766862b0b138c1d0953b93eba3dc2b37196afdfc968cb1c5df6682
tomcat7-lib-7.0.59-50_patch_01.ep7.el7.noarch.rpm	SHA-256: b3acd4907272074552191444a93fe83dc786d1ec46ac7790cb11635984ffcfe1
tomcat7-log4j-7.0.59-50_patch_01.ep7.el7.noarch.rpm	SHA-256: 7956fcefa476b8dd4eba10f9ae1f804ad1ae769d942b9c26873190d6c0cdfa02
tomcat7-servlet-3.0-api-7.0.59-50_patch_01.ep7.el7.noarch.rpm	SHA-256: 6611ab6b5b63586c97ac1d65c5d7919b27204f0d1c4882e773cb32e42d0520cc
tomcat7-webapps-7.0.59-50_patch_01.ep7.el7.noarch.rpm	SHA-256: 0ee66b6380c9428dcc902e7d38c8c21d4e06812dd5d709efce52dc0f0c0887fc
tomcat8-8.0.18-61_patch_01.ep7.el7.noarch.rpm	SHA-256: e2d092b90c455ce4def111cf9009a57726b08ba452beb8b0e2441a90454bfff4
tomcat8-admin-webapps-8.0.18-61_patch_01.ep7.el7.noarch.rpm	SHA-256: d12eca18999df40197249c3a4e29acdb0f5dcb006bc20e28961350bc0b90eac6
tomcat8-docs-webapp-8.0.18-61_patch_01.ep7.el7.noarch.rpm	SHA-256: 04ebd5725c260e7778e5e7b82b0f5dca38ebe284b75af4fa72cfc48139d44764
tomcat8-el-2.2-api-8.0.18-61_patch_01.ep7.el7.noarch.rpm	SHA-256: 48fe0d33ea2bfd8b7eb6b2f0c36bba52183352bcb2544b5fd3c1b3541abef85f
tomcat8-javadoc-8.0.18-61_patch_01.ep7.el7.noarch.rpm	SHA-256: 08a6f0988856cb39b1bca29e23f094f3ec6818fc1cbd425e7a3a8eed229ef92f
tomcat8-jsp-2.3-api-8.0.18-61_patch_01.ep7.el7.noarch.rpm	SHA-256: 9d17eb869b1a11401ad4719df44ed9693f01c6dcf8086045c1d9e1938ef92509
tomcat8-lib-8.0.18-61_patch_01.ep7.el7.noarch.rpm	SHA-256: 228a1ea9d96531dbad96e0847a0200f070324ea358746c57dd0996791590fcee
tomcat8-log4j-8.0.18-61_patch_01.ep7.el7.noarch.rpm	SHA-256: a01df127051db93db6e99ca22f18d78a20b69f0e43e202f5168b6981be1004c0
tomcat8-servlet-3.1-api-8.0.18-61_patch_01.ep7.el7.noarch.rpm	SHA-256: df5793fe7c1e1ac34e85a7a69bdd548e71351cf1ec6104e861588421b9e504cd
tomcat8-webapps-8.0.18-61_patch_01.ep7.el7.noarch.rpm	SHA-256: b2211bad713197be9d91c3c08a35a0b3a5de428dbba324de5fce0bd3b16175ee