Red Hat Product Errata RHSA-2016:1635 - Security Advisory

Issued:: 2016-07-22
Updated:: 2016-08-18

RHSA-2016:1635 - Security Advisory

Overview
Updated Packages

Synopsis

Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update

Type/Severity

Security Advisory: Important

Topic

Updated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1 and fixes two security issues and a bug with ajp processors are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as a update for Red Hat JBoss Web Server 3.0.3 httpd and tomcat.

Security Fix(es):

It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)
It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)

Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable.

Red Hat would like to thank Scott Geary (VendHQ) for reporting these issues.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

After installing the updated packages, follow the instructions in this
knowledgebase article to configure Tomcat:

https://access.redhat.com/solutions/2435491

Affected Products

JBoss Enterprise Web Server 3 for RHEL 7 x86_64

Fixes

BZ - 1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
BZ - 1353809 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header

CVEs

References

http://www.redhat.com/security/updates/classification/#normal

Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Web Server 3 for RHEL 7

SRPM
httpd24-2.4.6-62.ep7.el7.src.rpm	SHA-256: 0c228df1d6abed66d87f76096790cd05c3b63564d512f385b1575c7a7690e77f
tomcat7-7.0.59-51_patch_01.ep7.el7.src.rpm	SHA-256: 57bce28fb7293218fa2bfb0bf9e77b5f3188ab6ef95b289c4e822cbe0551c8f6
tomcat8-8.0.18-62_patch_01.ep7.el7.src.rpm	SHA-256: 35f112dc03afd8ecda822b406256f7bc01f08a5da623a3b2377fb2d4362454c2
x86_64
httpd24-2.4.6-62.ep7.el7.x86_64.rpm	SHA-256: c4ba5053aa7d53ac7f4a20ef3ff994a550ed87328a341c8d0a517470a8c3ce38
httpd24-debuginfo-2.4.6-62.ep7.el7.x86_64.rpm	SHA-256: b09a773b0b1266575b88b284824d45353347e4ca515499ad28c035155fca83f9
httpd24-devel-2.4.6-62.ep7.el7.x86_64.rpm	SHA-256: 56d10ab35ba1da5e84a0403c59da9b589c18628a8736ea2b9850958d5e573c3b
httpd24-manual-2.4.6-62.ep7.el7.noarch.rpm	SHA-256: 21477fc0be8233c7a42d2f014fa02471cd8953531e8345441b0c212240143e84
httpd24-tools-2.4.6-62.ep7.el7.x86_64.rpm	SHA-256: 137696662abe397a311712a4d65a9c91ddaf0aecbc49728ae2032f2eaf381bca
mod_ldap24-2.4.6-62.ep7.el7.x86_64.rpm	SHA-256: 9b26a512aaa9dfd788dc3530fcaa3d30baeaa6008930ea568c96ce99956a0e9f
mod_proxy24_html-2.4.6-62.ep7.el7.x86_64.rpm	SHA-256: 20f807890b529ec0a7288f9cf378ac36b3eee41013ef5f3de64bdf869743b67b
mod_session24-2.4.6-62.ep7.el7.x86_64.rpm	SHA-256: a50b4205ec5ddf07cb03b0b66b027605c78e7f87512c4cb9489b69e01847a742
mod_ssl24-2.4.6-62.ep7.el7.x86_64.rpm	SHA-256: 3c44df54acf132aee51f1530b830c28eda5b805d93335acdfa48091764205d16
tomcat7-7.0.59-51_patch_01.ep7.el7.noarch.rpm	SHA-256: 26e60b173d71e3e9dc8f65bf2ebf54507bbf90a4b2da86c338b16aee77385f9e
tomcat7-admin-webapps-7.0.59-51_patch_01.ep7.el7.noarch.rpm	SHA-256: 4cc3c4c8b5684943658810e537afa62bab1235cb5703339deac7aae5c48b20c2
tomcat7-docs-webapp-7.0.59-51_patch_01.ep7.el7.noarch.rpm	SHA-256: 0b634f239b1cfd4c0a34f2331b293d03675b59d265ec74765879167a204f4279
tomcat7-el-2.2-api-7.0.59-51_patch_01.ep7.el7.noarch.rpm	SHA-256: 9446ca67f0f952fbecec6bccb61c1f770cd83471c9948863d71e5149b6119a6d
tomcat7-javadoc-7.0.59-51_patch_01.ep7.el7.noarch.rpm	SHA-256: a1ca39ee354af507b09f76b7753ed929b705530003ad003090714a163a915741
tomcat7-jsp-2.2-api-7.0.59-51_patch_01.ep7.el7.noarch.rpm	SHA-256: bb72be2420868aaecc2b5cd3279f52fbab8eee9c79c4e64209658c16057991de
tomcat7-lib-7.0.59-51_patch_01.ep7.el7.noarch.rpm	SHA-256: 33d016f3a7c059431058ba81ae40d2c877eaf89dac4ed7c54a6ee0a342e5b02e
tomcat7-log4j-7.0.59-51_patch_01.ep7.el7.noarch.rpm	SHA-256: 9ed755e3f655e0a916bf8ec1c0fa522a298817c096cfe0b47d11e601e07efa0d
tomcat7-servlet-3.0-api-7.0.59-51_patch_01.ep7.el7.noarch.rpm	SHA-256: 636e21984bfffdf7bef06fbda4eb790fc6fd3b5b525b926099507333aeba6a4e
tomcat7-webapps-7.0.59-51_patch_01.ep7.el7.noarch.rpm	SHA-256: 4d2b12bd4d853fb0aab7200dd954605d3b3146b5f1bd095929a773f3a210420a
tomcat8-8.0.18-62_patch_01.ep7.el7.noarch.rpm	SHA-256: 4fa624d87c7e0f2c70d00a06db473ce6b0952f279cfa071f20c06201f0526992
tomcat8-admin-webapps-8.0.18-62_patch_01.ep7.el7.noarch.rpm	SHA-256: 3be878131edc5361f96c64dd48790046dd6d29a5aab706ae00ede552483b04ce
tomcat8-docs-webapp-8.0.18-62_patch_01.ep7.el7.noarch.rpm	SHA-256: 375a4eea482e466fc7af8aa26e2e253a18cd72c325da4279f6b8f9dd9203811c
tomcat8-el-2.2-api-8.0.18-62_patch_01.ep7.el7.noarch.rpm	SHA-256: 4318df927e5da083fe9f46bbc13c936159ad38fc6208b8225d81b7126e2069c1
tomcat8-javadoc-8.0.18-62_patch_01.ep7.el7.noarch.rpm	SHA-256: d5972773ca1c6f0ddeecd1bc6c9c1eb3ef0312f0010d15a686c3acbe96c966ac
tomcat8-jsp-2.3-api-8.0.18-62_patch_01.ep7.el7.noarch.rpm	SHA-256: 2ea451c6f553e523a8f6f6f6530217c2937e778f730d6eb80cf10ae5b066ef96
tomcat8-lib-8.0.18-62_patch_01.ep7.el7.noarch.rpm	SHA-256: eecb7d5edf8da20d2b6bf21fdf8e272432c32be78e8b51e0f630d8f4bbfb72d9
tomcat8-log4j-8.0.18-62_patch_01.ep7.el7.noarch.rpm	SHA-256: 74f97f3fb1c3d0be654bd564fd38773c5fdefef7e43e9f97dffd7e96da223495
tomcat8-servlet-3.1-api-8.0.18-62_patch_01.ep7.el7.noarch.rpm	SHA-256: 9176e836df815ab2f957c6836cd4448f2bb1ce5779ffb6544832ca9cea6b5160
tomcat8-webapps-8.0.18-62_patch_01.ep7.el7.noarch.rpm	SHA-256: 309e20c4af7f52b039273a88ef5095c6b8e33f29a1a788d9ebb4b84b104a4540

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation

Services

Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories