Red Hat Product Errata RHSA-2016:1636 - Security Advisory
Issued: 2016-07-22
Updated: 2016-08-18

Synopsis

Important: Red Hat JBoss Web Server 3.0.3 Service Pack 1 security update

Type/Severity

Security Advisory: Important

Topic

Updated packages that provide Red Hat JBoss Web Server 3.0.3 Service Pack 1 and fix two security issues and a bug in the AJP processors are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

This release of Red Hat JBoss Web Server 3.0.3 Service Pack 1 serves as an update for the Red Hat JBoss Web Server 3.0.3 httpd and tomcat packages.

Security Fix(es):

  • It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)
  • It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)

Note: After this update, httpd will no longer pass the value of the Proxy request header to scripts via the HTTP_PROXY environment variable.
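The mechanism behind both CVEs is the CGI meta-variable rule that turns every request header into an HTTP_<NAME> environment variable, so a client-supplied Proxy header lands in HTTP_PROXY, the variable many HTTP client libraries consult for their outbound proxy. The following is an added example, not code from the advisory, httpd or Tomcat: it models the pre-fix mapping beside the post-fix behaviour described in the note above (the Proxy header is no longer exported), plus the script-side scrub an administrator can apply to a CGI environment until the server is updated. The header set and all function names are constructed for the demonstration.

```python
"""CGI header-to-environment mapping and the Proxy header fix.

Added example, not Red Hat's or Apache's code. Models the behaviour the
advisory describes: RFC 3875 section 4.1.18 maps each request header to
HTTP_<UPPER_NAME>, so "Proxy" collides with HTTP_PROXY, which HTTP client
libraries read as their outbound proxy setting. The hardened mapper
reproduces the fix: the Proxy header is never exported to the script.
"""
from typing import Dict, Mapping

# Constructed sample request. "Proxy" is not a standard request header and
# no legitimate browser or client sends it; the value is a placeholder.
SAMPLE_HEADERS = {
    "Host": "app.example.com",
    "User-Agent": "curl/7.29.0",
    "Proxy": "proxy.attacker.example:3128",
}


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 rule: upper-case the name, map '-' to '_', prefix HTTP_."""
    return "HTTP_" + name.upper().replace("-", "_")


def cgi_meta_variables(headers: Mapping[str, str]) -> Dict[str, str]:
    """Pre-fix behaviour: every request header is exported, Proxy included,
    so the resulting environment carries a client-chosen HTTP_PROXY."""
    return {header_to_meta_variable(k): v for k, v in headers.items()}


def cgi_meta_variables_hardened(headers: Mapping[str, str]) -> Dict[str, str]:
    """Post-fix behaviour: the Proxy header is dropped before export, so
    HTTP_PROXY can only originate from the server's own configuration."""
    return {
        header_to_meta_variable(k): v
        for k, v in headers.items()
        if k.lower() != "proxy"
    }


def scrub_cgi_environment(env: Mapping[str, str]) -> Dict[str, str]:
    """Script-side mitigation for a not-yet-updated server. REQUEST_METHOD is
    only set when the script runs under a CGI gateway; in that context an
    HTTP_PROXY value may have been injected by the request, so it is
    discarded and outbound proxy settings must come from the script's own
    configuration instead. Returns a scrubbed copy; the input is untouched."""
    scrubbed = dict(env)
    if "REQUEST_METHOD" in scrubbed:
        scrubbed.pop("HTTP_PROXY", None)
    return scrubbed


if __name__ == "__main__":
    before = cgi_meta_variables(SAMPLE_HEADERS)
    after = cgi_meta_variables_hardened(SAMPLE_HEADERS)
    print("pre-fix  HTTP_PROXY:", before.get("HTTP_PROXY"))
    print("post-fix HTTP_PROXY:", after.get("HTTP_PROXY"))
```

The scrub only acts when REQUEST_METHOD is present, so the same script keeps honouring a real HTTP_PROXY when it is run from a shell or cron job where no request headers are involved.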

Red Hat would like to thank Scott Geary (VendHQ) for reporting these issues.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

After installing the updated packages, the httpd daemon will be restarted automatically.

After installing the updated packages, follow the instructions in this knowledgebase article to configure Tomcat:

https://access.redhat.com/solutions/2435491

Affected Products

  • JBoss Enterprise Web Server 3 for RHEL 6 x86_64
  • JBoss Enterprise Web Server 3 for RHEL 6 i386

Fixes

  • BZ - 1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
  • BZ - 1353809 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header

CVEs

  • CVE-2016-5387
  • CVE-2016-5388

References

  • http://www.redhat.com/security/updates/classification/#normal
Note: More recent versions of these packages may be available.

JBoss Enterprise Web Server 3 for RHEL 6

SRPM
httpd24-2.4.6-62.ep7.el6.src.rpm SHA-256: 1bd4f719b19b887d57a409d0bf542d87a5beb70c637d23f23b5c00936a186754
tomcat7-7.0.59-51_patch_01.ep7.el6.src.rpm SHA-256: 83ea641f623e0fe6b87be39fcb4794649d74e43b3c3e9bd6cff26a0a2f1ab75f
tomcat8-8.0.18-62_patch_01.ep7.el6.src.rpm SHA-256: f7a7fb3f4745a28a3e5074a412f73a20f01525c67f695738eff06ab003eaf94f
x86_64
httpd24-2.4.6-62.ep7.el6.x86_64.rpm SHA-256: 169994ca80f1c3f9cfffff0fe9d924b629cf5ba1d88dfa74af6ffc72affab152
httpd24-debuginfo-2.4.6-62.ep7.el6.x86_64.rpm SHA-256: 4a30187f0be18eda8419a7a92aea090e8039c40a078c41f7963378f5914da3e1
httpd24-devel-2.4.6-62.ep7.el6.x86_64.rpm SHA-256: 3f23f21569f263705e32f5350ab8bb683bd6ade57a1957eb9b41a6891303e600
httpd24-manual-2.4.6-62.ep7.el6.noarch.rpm SHA-256: ea114b9de422e532601741b68a59e7dcf4a4420b2b79c17815adce131c5a9781
httpd24-tools-2.4.6-62.ep7.el6.x86_64.rpm SHA-256: 830b2c11570a4356b98f8818cf294fc19409501129d400f01b9ae345f893cf3f
mod_ldap24-2.4.6-62.ep7.el6.x86_64.rpm SHA-256: 5b50a3e2dd646da52317ce07deb98a9010b73089de51e13996a823bb24ae79be
mod_proxy24_html-2.4.6-62.ep7.el6.x86_64.rpm SHA-256: 154f5e5123ddf3f3c6e4d4f372a41b86d4a12eeb7755d4cf1dffefce42cc36d7
mod_session24-2.4.6-62.ep7.el6.x86_64.rpm SHA-256: 96d517cb4acefa88eae5f8e1d1fc8a5f56800a454b956515e851bf7549a80a8b
mod_ssl24-2.4.6-62.ep7.el6.x86_64.rpm SHA-256: 6ac3f33d41622e185e0d794e4665044ee956cd340cd815749cfb00311a5c4189
tomcat7-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 8c4d5c9106ca5a2319c3fdf3398bc39eefc275edd4418869e33365d71c31fbca
tomcat7-admin-webapps-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: d25531ef5b7798f3946b7c6dbada8c48a7266cf39ba2f6ee74a59754c670e537
tomcat7-docs-webapp-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 8434bdbf2d6b66748560eeddad9d4e0f0663c4681fbf0f938d33471686ad397e
tomcat7-el-2.2-api-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 5ed9dfb162be5788138ff9220c80538bc589a1ef952b3308a3c2be2e86360f9c
tomcat7-javadoc-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 32ebd13b139aba4ba0da54a866718b3364b5aff8e45df91891a03885d1348ca7
tomcat7-jsp-2.2-api-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: f345cce9a3036b5db98d7993eadf23b3b59c63802ffb17a3cdc6ee33330e8c5c
tomcat7-lib-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 92be928909bb20237e28bd3a4fecac435c667549e414e65b2dec597598919644
tomcat7-log4j-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 3cc66e69770688acb8c45f925a9f129203d72e5a3fbfb704e2782aefcc64861b
tomcat7-servlet-3.0-api-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 48f209fedfef07c66f7ac41346d35b47b0a8ab552ad6d08a129f283c23cd94bf
tomcat7-webapps-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 53a8d1e4a561d6cb9c047ab453836e60fd4a7509ad3944df4cdfb3ed5af74248
tomcat8-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: 4aae0b021c49146349960d0f1482a6eca3bbd412320aac18db486546f144d705
tomcat8-admin-webapps-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: 5e5588633d48e710e879856b229b924821bdfb69fe691f1f44fff00db31e28a7
tomcat8-docs-webapp-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: 03a4e0e0bb60f4ce4042d9d3d9ec996c17483fe7f133fa4d64c970066807b307
tomcat8-el-2.2-api-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: 035130a0dfc43415bb18c4dfcd686e7fadd3f0a0d21be60e32ae66f059482f16
tomcat8-javadoc-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: ee54f1c075a614e3c8a85c95c0355782818e3a663b6b6f070952a5da58ae28ac
tomcat8-jsp-2.3-api-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: 6548de5ebc397fe286393783e03e2a9aea27973145a2f45dc1d7ff6cb12795fe
tomcat8-lib-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: c67cb504a97a88ea32e6f92107cd26351e8648b47e05ff738d8b31bd754292a0
tomcat8-log4j-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: e7c420b2bca8d778ab689d5289541d7cb388f9ab5b136ec277ab88d97f51029f
tomcat8-servlet-3.1-api-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: be989e895e7b10d2a6203f868c60637c2b314c85240c30a47a2b57a433ef90eb
tomcat8-webapps-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: f7823ea77cff53976fe8af1c433e06058d5badd6f10aef9ed50aa056cb19ca30
i386
httpd24-2.4.6-62.ep7.el6.i686.rpm SHA-256: b4846039ba31bbc965ae0e96e67f4ff7fa2b61b9f5b96c7f65dde50423015dcb
httpd24-debuginfo-2.4.6-62.ep7.el6.i686.rpm SHA-256: 263358432f82b5cd72e20dce63bd99fc01532af400b8fb072fe919ebe8202b4d
httpd24-devel-2.4.6-62.ep7.el6.i686.rpm SHA-256: 5f3e2fafafce4648a0a8a413d65fdbfa5732d1ba8376400c91bc97f7a48e5246
httpd24-manual-2.4.6-62.ep7.el6.noarch.rpm SHA-256: ea114b9de422e532601741b68a59e7dcf4a4420b2b79c17815adce131c5a9781
httpd24-tools-2.4.6-62.ep7.el6.i686.rpm SHA-256: f7b3024ad26ecadab51694386e59147e1d6f6749a64cafc967f3fa7214a6ca48
mod_ldap24-2.4.6-62.ep7.el6.i686.rpm SHA-256: 8343410257a3659b8bbf37119c516a209429c19e1ab545a2b5f42798975d4cc6
mod_proxy24_html-2.4.6-62.ep7.el6.i686.rpm SHA-256: 2e9e86ee4e9d3311e6e42c7d6e94697fc0c489665b545d60595f2cddd78f57fe
mod_session24-2.4.6-62.ep7.el6.i686.rpm SHA-256: 1fa71f64c1f17f218527f3117859fb0f83cdb342deb33bb9e2c0f29739a5b4d1
mod_ssl24-2.4.6-62.ep7.el6.i686.rpm SHA-256: 3850556930853c183174fdc6d7e34a73cf83583abe30ad071b4bc0cfd77c7f2a
tomcat7-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 8c4d5c9106ca5a2319c3fdf3398bc39eefc275edd4418869e33365d71c31fbca
tomcat7-admin-webapps-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: d25531ef5b7798f3946b7c6dbada8c48a7266cf39ba2f6ee74a59754c670e537
tomcat7-docs-webapp-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 8434bdbf2d6b66748560eeddad9d4e0f0663c4681fbf0f938d33471686ad397e
tomcat7-el-2.2-api-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 5ed9dfb162be5788138ff9220c80538bc589a1ef952b3308a3c2be2e86360f9c
tomcat7-javadoc-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 32ebd13b139aba4ba0da54a866718b3364b5aff8e45df91891a03885d1348ca7
tomcat7-jsp-2.2-api-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: f345cce9a3036b5db98d7993eadf23b3b59c63802ffb17a3cdc6ee33330e8c5c
tomcat7-lib-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 92be928909bb20237e28bd3a4fecac435c667549e414e65b2dec597598919644
tomcat7-log4j-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 3cc66e69770688acb8c45f925a9f129203d72e5a3fbfb704e2782aefcc64861b
tomcat7-servlet-3.0-api-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 48f209fedfef07c66f7ac41346d35b47b0a8ab552ad6d08a129f283c23cd94bf
tomcat7-webapps-7.0.59-51_patch_01.ep7.el6.noarch.rpm SHA-256: 53a8d1e4a561d6cb9c047ab453836e60fd4a7509ad3944df4cdfb3ed5af74248
tomcat8-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: 4aae0b021c49146349960d0f1482a6eca3bbd412320aac18db486546f144d705
tomcat8-admin-webapps-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: 5e5588633d48e710e879856b229b924821bdfb69fe691f1f44fff00db31e28a7
tomcat8-docs-webapp-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: 03a4e0e0bb60f4ce4042d9d3d9ec996c17483fe7f133fa4d64c970066807b307
tomcat8-el-2.2-api-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: 035130a0dfc43415bb18c4dfcd686e7fadd3f0a0d21be60e32ae66f059482f16
tomcat8-javadoc-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: ee54f1c075a614e3c8a85c95c0355782818e3a663b6b6f070952a5da58ae28ac
tomcat8-jsp-2.3-api-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: 6548de5ebc397fe286393783e03e2a9aea27973145a2f45dc1d7ff6cb12795fe
tomcat8-lib-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: c67cb504a97a88ea32e6f92107cd26351e8648b47e05ff738d8b31bd754292a0
tomcat8-log4j-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: e7c420b2bca8d778ab689d5289541d7cb388f9ab5b136ec277ab88d97f51029f
tomcat8-servlet-3.1-api-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: be989e895e7b10d2a6203f868c60637c2b314c85240c30a47a2b57a433ef90eb
tomcat8-webapps-8.0.18-62_patch_01.ep7.el6.noarch.rpm SHA-256: f7823ea77cff53976fe8af1c433e06058d5badd6f10aef9ed50aa056cb19ca30
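Before installing packages obtained outside the normal yum channel, the SHA-256 values listed above are what a practitioner checks them against. The following is an added example, not Red Hat tooling: it parses lines in the exact format the list uses (`<file>.rpm SHA-256: <hex>`), ignoring the architecture headings, and compares every listed file present in a directory with its expected digest. The directory, file names and payloads in the demonstration are constructed; only the line format and the one httpd24 source RPM line used in the self-check come from the advisory.

```python
"""Verify downloaded RPMs against the SHA-256 list of a Red Hat advisory.

Added example, not Red Hat's tooling. Parses the advisory's
"<file>.rpm SHA-256: <hexdigest>" lines and checks the files on disk.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict

# One advisory line: filename ending in .rpm, the literal "SHA-256:", 64 hex digits.
_LINE = re.compile(r"^(?P<name>\S+\.rpm)\s+SHA-256:\s+(?P<digest>[0-9a-fA-F]{64})$")


def parse_advisory_checksums(text: str) -> Dict[str, str]:
    """Return {filename: expected_sha256} for each matching line. Headings
    such as 'SRPM', 'x86_64' or 'i386' do not match and are skipped."""
    expected: Dict[str, str] = {}
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            expected[m.group("name")] = m.group("digest").lower()
    return expected


def sha256_file(path: str) -> str:
    """Stream the file through SHA-256 so large RPMs are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_directory(directory: str, expected: Dict[str, str]) -> Dict[str, str]:
    """Check each listed file under `directory`.
    Per-file result: 'ok', 'MISMATCH' (digest differs) or 'missing'."""
    results: Dict[str, str] = {}
    for name, digest in expected.items():
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            results[name] = "missing"
        elif sha256_file(path) == digest:
            results[name] = "ok"
        else:
            results[name] = "MISMATCH"
    return results


def demo() -> Dict[str, str]:
    """Self-contained run over constructed files: one intact, one altered
    after the list was written, one never downloaded."""
    good = b"constructed rpm payload, stands in for a real package"
    good_digest = hashlib.sha256(good).hexdigest()
    listing = (
        "x86_64\n"
        f"good-1.0-1.el6.x86_64.rpm SHA-256: {good_digest}\n"
        f"bad-1.0-1.el6.x86_64.rpm SHA-256: {good_digest}\n"
        f"absent-1.0-1.el6.x86_64.rpm SHA-256: {'0' * 64}\n"
    )
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "good-1.0-1.el6.x86_64.rpm"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "bad-1.0-1.el6.x86_64.rpm"), "wb") as f:
            f.write(b"tampered payload")
        return verify_directory(d, parse_advisory_checksums(listing))


if __name__ == "__main__":
    for name, status in sorted(demo().items()):
        print(f"{status:9s} {name}")
```

In practice the text of the package list is pasted into a file and passed through `parse_advisory_checksums` before calling `verify_directory` on the download directory; any result other than `ok` means the package should not be installed.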

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
