Red Hat Customer Portal
Red Hat Product Errata RHSA-2016:1088 - Security Advisory

Issued: 2016-05-17
Updated: 2016-05-17


Synopsis

Moderate: Red Hat JBoss Web Server 3.0.3 update

Type/Severity

Security Advisory: Moderate

Topic

Red Hat JBoss Web Server 3.0.3 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It consists of the Apache HTTP Server, the Apache Tomcat Servlet container, the Apache Tomcat Connector (mod_jk), the JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.0.3 serves as a replacement for Red Hat JBoss Web Server 3.0.2, and includes bug fixes and enhancements, which are documented in the Release Notes linked to in the References section.

Security Fix(es):

  • A session fixation flaw was found in the way Tomcat recycled the requestedSessionSSL field. If at least one web application was configured to use the SSL session ID as the HTTP session ID, an attacker could reuse a previously used session ID for further requests. (CVE-2015-5346)
  • A CSRF flaw was found in the index pages of Tomcat's Manager and Host Manager applications. These applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to perform a CSRF attack. (CVE-2015-5351)
  • It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)
  • A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. (CVE-2016-0763)
  • It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)
  • It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)
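The directory-disclosure issue (CVE-2015-5345) is an ordering problem: the container answered "does this directory exist, redirect to add the slash" before it asked "is this caller allowed here". The following toy model, added here as an example and not taken from Tomcat's source or Red Hat's packages, reproduces the oracle in a few lines and then shows the corrected ordering. The sample directories, the `/private/*` constraint and the exact status codes (302 versus 401) are constructed for the illustration; Tomcat's own responses differ in detail, but the distinguishing-versus-indistinguishable behaviour is the point.

```python
"""Toy model of the directory-disclosure oracle described for CVE-2015-5345.

Illustrative code written for this page; it is not Tomcat source. It models a
container that protects everything under a URL prefix with a security
constraint and shows why the order of "redirect to add the trailing slash"
versus "enforce the constraint" matters. Status codes are the toy's own.
"""

# Constructed sample deployment (assumption, not taken from any real app).
EXISTING_DIRS = {"/public/docs", "/private/reports"}
PROTECTED_PREFIXES = ("/private/",)   # stands in for <url-pattern>/private/*</url-pattern>


def _is_protected(path: str) -> bool:
    """Cover both '/private' and '/private/...'; a constraint that matched only
    the slash-terminated form would leave the bare directory name unprotected."""
    return any(path == p.rstrip("/") or path.startswith(p) for p in PROTECTED_PREFIXES)


def _redirect_if_directory(path: str):
    """302 when the path names an existing directory but lacks a trailing slash."""
    if not path.endswith("/") and path in EXISTING_DIRS:
        return 302
    return None


def _serve(path: str) -> int:
    return 200 if path.rstrip("/") in EXISTING_DIRS else 404


def handle_vulnerable(path: str, authenticated: bool) -> int:
    """Redirect decided before authentication: the answer for an unauthenticated
    probe depends on whether the protected directory exists."""
    status = _redirect_if_directory(path)
    if status is not None:
        return status
    if _is_protected(path) and not authenticated:
        return 401
    return _serve(path)


def handle_fixed(path: str, authenticated: bool) -> int:
    """Constraint enforced first: unauthenticated probes get one answer whether
    or not the directory exists, so existence is no longer observable."""
    if _is_protected(path) and not authenticated:
        return 401
    status = _redirect_if_directory(path)
    if status is not None:
        return status
    return _serve(path)


def existence_oracle(handler, probe: str, control: str) -> bool:
    """True when an unauthenticated caller can tell an existing protected
    directory (probe) from a non-existing one (control) by status code alone."""
    return handler(probe, False) != handler(control, False)


if __name__ == "__main__":
    for name, h in (("vulnerable", handle_vulnerable), ("fixed", handle_fixed)):
        leak = existence_oracle(h, "/private/reports", "/private/nothing")
        print(f"{name}: /private/reports -> {h('/private/reports', False)}, "
              f"/private/nothing -> {h('/private/nothing', False)}, leaks={leak}")
```

The general lesson carries beyond Tomcat: any convenience behaviour that depends on filesystem state (trailing-slash redirects, case-insensitive path matching, "did you mean" suggestions) must run after authorization, or it becomes an existence oracle for protected resources.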

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

Affected Products

  • JBoss Enterprise Web Server 3 for RHEL 7 x86_64

Fixes

  • BZ - 1311076 - CVE-2015-5351 tomcat: CSRF token leak
  • BZ - 1311082 - CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms
  • BZ - 1311085 - CVE-2015-5346 tomcat: Session fixation
  • BZ - 1311087 - CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
  • BZ - 1311089 - CVE-2015-5345 tomcat: directory disclosure
  • BZ - 1311093 - CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()

CVEs

  • CVE-2015-5345
  • CVE-2015-5346
  • CVE-2015-5351
  • CVE-2016-0706
  • CVE-2016-0714
  • CVE-2016-0763

References

  • http://www.redhat.com/security/updates/classification/#normal
Updated Packages

Note: More recent versions of these packages may be available.

    JBoss Enterprise Web Server 3 for RHEL 7

    SRPM
    httpd24-2.4.6-61.ep7.el7.src.rpm SHA-256: 34231b5b7a168e439304cf28115b508a2f33d54e5fdd297a9aa26e9870ebdb14
    mod_security-jws3-2.8.0-7.GA.ep7.el7.src.rpm SHA-256: 082c009f1357d11014d1b22c7078685062504a2c08e67976b384690c1fd9c290
    tomcat7-7.0.59-50_patch_01.ep7.el7.src.rpm SHA-256: 2ae239e076d1c64cb6e195244172b75e741933957fe872c842cb645dd2ad1afe
    tomcat8-8.0.18-61_patch_01.ep7.el7.src.rpm SHA-256: 40a8970cb24dbfe44734f4edf880b4e4d199869f5a58f44c56022bd535fb945b
    x86_64
    httpd24-2.4.6-61.ep7.el7.x86_64.rpm SHA-256: 9b0e6d4673d201b6b5f45565309b6fdb3cee420b9798bc7a07098a19ed82f76b
    httpd24-debuginfo-2.4.6-61.ep7.el7.x86_64.rpm SHA-256: e6ef46aea0f95b06070fc96256851d9d601d64dc7248098882ba25b2bf23311f
    httpd24-devel-2.4.6-61.ep7.el7.x86_64.rpm SHA-256: 6cc0e61202a416c44403be211038596fca0041830e4bb314ad8a5f4347687d2e
    httpd24-manual-2.4.6-61.ep7.el7.noarch.rpm SHA-256: c88f25c60f1e39c872239cb914511510ba7660c8a2e5afe65e7ea7e7ba84ea6a
    httpd24-tools-2.4.6-61.ep7.el7.x86_64.rpm SHA-256: be9d10a7e10c7f4d7494c6039d20518c070a38456348973e4d6287c232346d14
    mod_ldap24-2.4.6-61.ep7.el7.x86_64.rpm SHA-256: c371fb8b171a2cdc633c55006e31fc50884f886dd3d589d0248060530bee07aa
    mod_proxy24_html-2.4.6-61.ep7.el7.x86_64.rpm SHA-256: 20c7628f4e9b132be3baf17e72d42f0759bffdc02ac131fed5862e7820fc1675
    mod_security-jws3-2.8.0-7.GA.ep7.el7.x86_64.rpm SHA-256: 6c4c0c767663571c7807444215c9cc1cbaccaab8d34571235af211a22e3ba2ed
    mod_security-jws3-debuginfo-2.8.0-7.GA.ep7.el7.x86_64.rpm SHA-256: dd04bc71d84df0db688154d1d56dc4c5021208e6f8e1a31570d8c0a90162a9e7
    mod_session24-2.4.6-61.ep7.el7.x86_64.rpm SHA-256: c7957e6b635b9aef14c396f4731c13e07340474f5eb4febeda9ad3b5d7d70015
    mod_ssl24-2.4.6-61.ep7.el7.x86_64.rpm SHA-256: eb751d34a503ba7a7035c5ff82ab1fb8c85a5a002ddd49f95561c104c06989f0
    tomcat7-7.0.59-50_patch_01.ep7.el7.noarch.rpm SHA-256: 742ad5085cf18aa5c7269d1c9ac14a0de510f7d6ffc7ca1be17e6fcc56307f64
    tomcat7-admin-webapps-7.0.59-50_patch_01.ep7.el7.noarch.rpm SHA-256: 511f7ea8b95bc8f1c4c609b5e5f85498894b4e6dd70d37bdafec87ee108215e9
    tomcat7-docs-webapp-7.0.59-50_patch_01.ep7.el7.noarch.rpm SHA-256: 562799e87023a668def0b1119547f1f664bec78ffc754ba222315f17b7039600
    tomcat7-el-2.2-api-7.0.59-50_patch_01.ep7.el7.noarch.rpm SHA-256: 7164af7fe463719b31371f6072d811634a5987e79d961306873c054851b34ef7
    tomcat7-javadoc-7.0.59-50_patch_01.ep7.el7.noarch.rpm SHA-256: 58b75cb2d49cba71da23968b4534f3aa77dbcdbb1ff9342f91e4d9459e3f77de
    tomcat7-jsp-2.2-api-7.0.59-50_patch_01.ep7.el7.noarch.rpm SHA-256: 5cdeea8853766862b0b138c1d0953b93eba3dc2b37196afdfc968cb1c5df6682
    tomcat7-lib-7.0.59-50_patch_01.ep7.el7.noarch.rpm SHA-256: b3acd4907272074552191444a93fe83dc786d1ec46ac7790cb11635984ffcfe1
    tomcat7-log4j-7.0.59-50_patch_01.ep7.el7.noarch.rpm SHA-256: 7956fcefa476b8dd4eba10f9ae1f804ad1ae769d942b9c26873190d6c0cdfa02
    tomcat7-servlet-3.0-api-7.0.59-50_patch_01.ep7.el7.noarch.rpm SHA-256: 6611ab6b5b63586c97ac1d65c5d7919b27204f0d1c4882e773cb32e42d0520cc
    tomcat7-webapps-7.0.59-50_patch_01.ep7.el7.noarch.rpm SHA-256: 0ee66b6380c9428dcc902e7d38c8c21d4e06812dd5d709efce52dc0f0c0887fc
    tomcat8-8.0.18-61_patch_01.ep7.el7.noarch.rpm SHA-256: e2d092b90c455ce4def111cf9009a57726b08ba452beb8b0e2441a90454bfff4
    tomcat8-admin-webapps-8.0.18-61_patch_01.ep7.el7.noarch.rpm SHA-256: d12eca18999df40197249c3a4e29acdb0f5dcb006bc20e28961350bc0b90eac6
    tomcat8-docs-webapp-8.0.18-61_patch_01.ep7.el7.noarch.rpm SHA-256: 04ebd5725c260e7778e5e7b82b0f5dca38ebe284b75af4fa72cfc48139d44764
    tomcat8-el-2.2-api-8.0.18-61_patch_01.ep7.el7.noarch.rpm SHA-256: 48fe0d33ea2bfd8b7eb6b2f0c36bba52183352bcb2544b5fd3c1b3541abef85f
    tomcat8-javadoc-8.0.18-61_patch_01.ep7.el7.noarch.rpm SHA-256: 08a6f0988856cb39b1bca29e23f094f3ec6818fc1cbd425e7a3a8eed229ef92f
    tomcat8-jsp-2.3-api-8.0.18-61_patch_01.ep7.el7.noarch.rpm SHA-256: 9d17eb869b1a11401ad4719df44ed9693f01c6dcf8086045c1d9e1938ef92509
    tomcat8-lib-8.0.18-61_patch_01.ep7.el7.noarch.rpm SHA-256: 228a1ea9d96531dbad96e0847a0200f070324ea358746c57dd0996791590fcee
    tomcat8-log4j-8.0.18-61_patch_01.ep7.el7.noarch.rpm SHA-256: a01df127051db93db6e99ca22f18d78a20b69f0e43e202f5168b6981be1004c0
    tomcat8-servlet-3.1-api-8.0.18-61_patch_01.ep7.el7.noarch.rpm SHA-256: df5793fe7c1e1ac34e85a7a69bdd548e71351cf1ec6104e861588421b9e504cd
    tomcat8-webapps-8.0.18-61_patch_01.ep7.el7.noarch.rpm SHA-256: b2211bad713197be9d91c3c08a35a0b3a5de428dbba324de5fce0bd3b16175ee
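    The package table above is what a practitioner actually checks against: is the installed build at or above the fixed build, and does a downloaded RPM match the published SHA-256. The script below is an added example written for this page, not Red Hat tooling. It parses three lines copied from the table, compares installed package strings (as printed by `rpm -q`) with the fixed versions using rpm's segment-based version comparison, and verifies a download against the manifest. Assumptions: no epoch (the advisory lists none), no `~`/`^` handling in the comparison, and the "installed" package strings are constructed for the demonstration.

```python
"""Check a JBoss Web Server host against this advisory's package list.

Written for this page as an added example; it is not Red Hat tooling. It
(1) compares installed NVRAs with the fixed NVRAs using RPM-style version
comparison and (2) verifies downloaded RPMs against the published SHA-256
sums. Simplifications (assumptions): no epoch (the advisory lists none) and
no '~' / '^' handling in the version comparison.
"""
import hashlib
import re

# Excerpt of the advisory's x86_64 table, copied from the page above.
ADVISORY_PACKAGES = """
httpd24-2.4.6-61.ep7.el7.x86_64.rpm SHA-256: 9b0e6d4673d201b6b5f45565309b6fdb3cee420b9798bc7a07098a19ed82f76b
tomcat7-7.0.59-50_patch_01.ep7.el7.noarch.rpm SHA-256: 742ad5085cf18aa5c7269d1c9ac14a0de510f7d6ffc7ca1be17e6fcc56307f64
tomcat8-8.0.18-61_patch_01.ep7.el7.noarch.rpm SHA-256: e2d092b90c455ce4def111cf9009a57726b08ba452beb8b0e2441a90454bfff4
"""

_LINE = re.compile(r"^(?P<file>\S+\.rpm)\s+SHA-256:\s*(?P<sha>[0-9a-f]{64})$")
_SEG = re.compile(r"\d+|[A-Za-z]+")


def parse_manifest(text: str) -> dict:
    """Map RPM filename -> expected SHA-256 hex digest."""
    manifest = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            manifest[m["file"]] = m["sha"]
    return manifest


def split_nvra(pkg: str):
    """'tomcat7-admin-webapps-7.0.59-50_patch_01.ep7.el7.noarch[.rpm]'
    -> ('tomcat7-admin-webapps', '7.0.59', '50_patch_01.ep7.el7', 'noarch').
    Splits from the right because package names may contain hyphens."""
    stem = pkg[:-4] if pkg.endswith(".rpm") else pkg
    stem, arch = stem.rsplit(".", 1)
    name, version, release = stem.rsplit("-", 2)
    return name, version, release, arch


def rpmvercmp(a: str, b: str) -> int:
    """-1/0/1 as a is older than/equal to/newer than b, following rpm's
    segment rules: separators are ignored, numeric segments compare as
    integers, a numeric segment beats an alphabetic one, and when all shared
    segments tie the string with segments left over is newer."""
    sa, sb = _SEG.findall(a), _SEG.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif x.isdigit() or y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_installed(installed: str, fixed: str) -> int:
    """Compare two NVRA strings of the same package by version, then release."""
    _, iv, ir, _ = split_nvra(installed)
    _, fv, fr, _ = split_nvra(fixed)
    return rpmvercmp(iv, fv) or rpmvercmp(ir, fr)


def is_patched(installed: str, manifest: dict) -> bool:
    """True when the installed build is at or above the advisory's build for
    the same package name; raises KeyError for packages the advisory lacks."""
    name = split_nvra(installed)[0]
    for fixed in manifest:
        if split_nvra(fixed)[0] == name:
            return compare_installed(installed, fixed) >= 0
    raise KeyError(f"{name} is not covered by this advisory")


def verify_download(filename: str, data: bytes, manifest: dict) -> bool:
    """Compare a downloaded RPM's SHA-256 with the advisory's published value."""
    expected = manifest.get(filename)
    return expected is not None and hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    manifest = parse_manifest(ADVISORY_PACKAGES)
    # Constructed 'rpm -q' style output for a host that still runs an older tomcat7 build.
    installed = ["tomcat7-7.0.59-44.ep7.el7.noarch", "httpd24-2.4.6-61.ep7.el7.x86_64"]
    for pkg in installed:
        print(pkg, "patched" if is_patched(pkg, manifest) else "VULNERABLE")
```

    On a real host the installed strings come from `rpm -q --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\n' tomcat7 tomcat8 httpd24`; the manifest should be the full table above rather than the three-line excerpt, and the digest check belongs on every RPM before it is handed to `yum`, since a matching SHA-256 ties the file to this advisory independently of the download channel.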

    The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

    Copyright © 2021 Red Hat, Inc.