Red Hat Product Errata RHSA-2016:1648 - Security Advisory
Issued:
2016-08-22
Updated:
2016-08-22


Synopsis

Important: Red Hat JBoss Web Server 2.1.1 security update on RHEL 7

Type/Severity

Security Advisory: Important


Topic

An update is now available for Red Hat JBoss Enterprise Web Server 2.1 for
RHEL 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.1.0,
and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.1
Release Notes for information on the most significant of these changes,
available shortly from https://access.redhat.com/site/documentation/

All users of Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 7
are advised to upgrade to Red Hat JBoss Web Server 2.1.1. The JBoss server
process must be restarted for this update to take effect.

Security Fix(es):

  • It was discovered that httpd used the value of the Proxy header from HTTP
    requests to initialize the HTTP_PROXY environment variable for CGI scripts,
    which in turn was incorrectly used by certain HTTP client implementations
    to configure the proxy for outgoing HTTP requests. A remote attacker could
    possibly use this flaw to redirect HTTP requests performed by a CGI script
    to an attacker-controlled proxy via a malicious HTTP request.
    (CVE-2016-5387)

  • An integer overflow flaw, leading to a buffer overflow, was found in the
    way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of
    input data. A remote attacker could use this flaw to crash an application
    using OpenSSL or, possibly, execute arbitrary code with the permissions of
    the user running that application. (CVE-2016-2105)

  • An integer overflow flaw, leading to a buffer overflow, was found in the
    way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts
    of input data. A remote attacker could use this flaw to crash an
    application using OpenSSL or, possibly, execute arbitrary code with the
    permissions of the user running that application. (CVE-2016-2106)

  • It was discovered that it is possible to remotely segfault the Apache HTTP
    server with a specially crafted string sent to mod_cluster via service
    messages (MCMP). (CVE-2016-3110)

Red Hat would like to thank Scott Geary (VendHQ) for reporting
CVE-2016-5387; the OpenSSL project for reporting CVE-2016-2105 and
CVE-2016-2106; and Michal Karm Babacek for reporting CVE-2016-3110.
Upstream acknowledges Guido Vranken as the original reporter of
CVE-2016-2105 and CVE-2016-2106.
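The CVE-2016-5387 item above hinges on the CGI meta-variable rule that turns a request header into an HTTP_* environment variable. The following Python is an added illustration, not code from the advisory or from httpd: it models that mapping, shows the pre-fix behaviour beside the hardened behaviour (drop the Proxy header before exporting), and runs a small log check over constructed sample lines. The header values, log lines and the `%{Proxy}i`-style log layout are assumptions for the example.

```python
"""CVE-2016-5387 (httpoxy) in miniature: header -> CGI environment mapping."""
import re

# Constructed sample request headers; the Proxy value is a placeholder.
SAMPLE_HEADERS = [
    ("Host", "app.example.invalid"),
    ("User-Agent", "curl/7.47.0"),
    ("Proxy", "http://proxy.example.invalid:8080"),
]


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 rule: 'HTTP_' + upper-cased name with '-' replaced by '_'."""
    return "HTTP_" + name.upper().replace("-", "_")


def build_cgi_env_vulnerable(headers):
    """Pre-fix behaviour: every request header is exported to the CGI child.
    A client-sent 'Proxy' header therefore lands in HTTP_PROXY, the variable
    some HTTP client libraries read as their outbound proxy setting."""
    return {header_to_meta_variable(n): v for n, v in headers}


# Header names whose HTTP_* form shadows client configuration.
UNSAFE_HEADER_NAMES = {"proxy"}


def build_cgi_env_hardened(headers):
    """Post-fix behaviour: refuse to export headers that collide with
    configuration variables, so HTTP_PROXY is never attacker-controlled."""
    return {
        header_to_meta_variable(n): v
        for n, v in headers
        if n.lower() not in UNSAFE_HEADER_NAMES
    }


# Detection: if the access LogFormat records the Proxy header (assumed layout
# below: <client> "<request line>" <status> "<Proxy header or ->"), requests
# that carried one can be pulled out of the logs. Sample lines are constructed.
SAMPLE_LOG_LINES = [
    '198.51.100.7 "GET /cgi-bin/status HTTP/1.1" 200 "-"',
    '203.0.113.9 "GET /cgi-bin/status HTTP/1.1" 200 "http://proxy.example.invalid:8080"',
]
_LOG_RE = re.compile(r'^(\S+) "([^"]*)" (\d{3}) "([^"]*)"$')


def find_proxy_header_requests(lines):
    """Return (client, request line) for each request that sent a Proxy header."""
    hits = []
    for line in lines:
        m = _LOG_RE.match(line)
        if m and m.group(4) != "-":
            hits.append((m.group(1), m.group(2)))
    return hits
```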

Solution

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

Note: Do not install Red Hat JBoss Web Server 2 on a host which has Red Hat
JBoss Web Server 1 installed.

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted. After installing the updated
packages, the httpd daemon will be restarted automatically.

Refer to the Red Hat JBoss Enterprise Web Server 2.1.1 Release Notes for a list of non-security-related fixes.

Affected Products

  • JBoss Enterprise Web Server 2 for RHEL 7 x86_64

Fixes

  • BZ - 1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
  • BZ - 1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
  • BZ - 1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
  • BZ - 1337151 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow [jbews-2.1.0]
  • BZ - 1337155 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow [jbews-2.1.0]
  • BZ - 1337397 - EWS 2.1.1 Tracker Bug for EL7
  • BZ - 1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
  • BZ - 1358118 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0]

CVEs

  • CVE-2016-2105
  • CVE-2016-2106
  • CVE-2016-3110
  • CVE-2016-5387

References

  • http://www.redhat.com/security/updates/classification/#normal
Note: More recent versions of these packages may be available. Click a package name for more details.

JBoss Enterprise Web Server 2 for RHEL 7


The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
