Red Hat Product Errata RHSA-2016:1649 - Security Advisory

Issued: 2016-08-22
Updated: 2016-08-22

Synopsis

Important: Red Hat JBoss Web Server 2.1.1 security update on RHEL 6

Type/Severity

Security Advisory: Important


Topic

An update is now available for Red Hat JBoss Enterprise Web Server 2.1 for
RHEL 6.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.1.0 and
includes the security fixes listed below as well as several bug fixes. Refer
to the Red Hat JBoss Web Server 2.1.1 Release Notes, linked to in the
References section, for information on the most significant of these changes.

All users of Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 6
are advised to upgrade to Red Hat JBoss Web Server 2.1.1. The JBoss server
process must be restarted for this update to take effect.

Security Fix(es):

  • It was discovered that httpd used the value of the Proxy header from HTTP
    requests to initialize the HTTP_PROXY environment variable for CGI scripts,
    which in turn was incorrectly used by certain HTTP client implementations
    to configure the proxy for outgoing HTTP requests. A remote attacker could
    possibly use this flaw to redirect HTTP requests performed by a CGI script
    to an attacker-controlled proxy via a malicious HTTP request.
    (CVE-2016-5387)

  • An integer overflow flaw, leading to a buffer overflow, was found in the
    way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts
    of input data. A remote attacker could use this flaw to crash an
    application using OpenSSL or, possibly, execute arbitrary code with the
    permissions of the user running that application. (CVE-2016-2105)

  • An integer overflow flaw, leading to a buffer overflow, was found in the
    way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts
    of input data. A remote attacker could use this flaw to crash an
    application using OpenSSL or, possibly, execute arbitrary code with the
    permissions of the user running that application. (CVE-2016-2106)

  • It was discovered that a specially crafted string sent to mod_cluster in
    an MCMP service message could remotely crash the Apache HTTP Server with a
    segmentation fault, a denial of service. (CVE-2016-3110)
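As an added illustration of the first fix (this is not part of the advisory and not httpd or OpenSSL code), the following Python reproduces the header-to-environment mapping that CGI defines and shows why a client-supplied Proxy header matters: before the fix it becomes HTTP_PROXY, which an HTTP client running inside the script treats as its proxy setting; after the fix, or with the `RequestHeader unset Proxy early` mitigation from the httpoxy reference listed below, the header is discarded. The request headers are constructed, `app.example.com` and `attacker.example` are placeholders, and the client-library emulation is an assumption about how the affected clients read HTTP_PROXY rather than a reproduction of any specific library.

```python
# Constructed request, not a capture: the Proxy header is attacker-supplied and
# is not defined by any HTTP specification, so a server loses nothing by dropping it.
ATTACKER_REQUEST_HEADERS = {
    "Host": "app.example.com",                 # placeholder vhost
    "User-Agent": "curl/7.47.0",
    "Content-Type": "text/plain",
    "Proxy": "http://attacker.example:8080",   # placeholder attacker-controlled proxy
}


def cgi_meta_variables(headers, drop_proxy_header):
    """Build the meta-variables a CGI script inherits from the request.

    RFC 3875 maps Content-Type/Content-Length to CONTENT_* and every other
    header to HTTP_<NAME> (upper-cased, '-' replaced by '_'). With
    drop_proxy_header=False this reproduces the behaviour fixed by
    CVE-2016-5387: a client-supplied 'Proxy' header lands in HTTP_PROXY.
    With drop_proxy_header=True the header is discarded, which is what the
    fixed httpd does and what 'RequestHeader unset Proxy early' achieves on
    a server that cannot be patched yet.
    """
    env = {}
    for name, value in headers.items():
        key = name.upper().replace("-", "_")
        if key in ("CONTENT_TYPE", "CONTENT_LENGTH"):
            env[key] = value
        elif drop_proxy_header and key == "PROXY":
            continue
        else:
            env["HTTP_" + key] = value
    return env


def proxy_for_outgoing_request(env):
    """Emulate an HTTP client library that takes its proxy from the
    conventional HTTP_PROXY / http_proxy environment variables (assumption:
    this is the behaviour the advisory attributes to the affected clients;
    no specific library is reproduced)."""
    return env.get("HTTP_PROXY") or env.get("http_proxy")


def httpoxy_exposure(headers):
    """Return (proxy used before the fix, proxy used after the fix) for one request."""
    before = proxy_for_outgoing_request(cgi_meta_variables(headers, drop_proxy_header=False))
    after = proxy_for_outgoing_request(cgi_meta_variables(headers, drop_proxy_header=True))
    return before, after


def has_proxy_header(raw_request):
    """Detection for a log or WAF pipeline: True when a raw HTTP/1.x request
    carries a Proxy header (header-name match only, case-insensitive; legitimate
    Proxy-* headers such as Proxy-Authorization do not match)."""
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:        # skip the request line
        name, sep, _value = line.partition(b":")
        if sep and name.strip().lower() == b"proxy":
            return True
    return False


if __name__ == "__main__":
    print(httpoxy_exposure(ATTACKER_REQUEST_HEADERS))  # ('http://attacker.example:8080', None)
```

The hardened path does not try to validate the proxy value; it removes the header altogether, because no legitimate client sends one. That is also why unsetting it at the server is safe on an unpatched installation.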

Red Hat would like to thank Scott Geary (VendHQ) for reporting
CVE-2016-5387; the OpenSSL project for reporting CVE-2016-2105 and
CVE-2016-2106; and Michal Karm Babacek for reporting CVE-2016-3110.
Upstream acknowledges Guido Vranken as the original reporter of
CVE-2016-2105 and CVE-2016-2106.
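The two OpenSSL fixes are the same class of bug: a length held in a C int is allowed to wrap when the input is very large, and the output buffer is then sized from the wrapped value, so the integer overflow turns into a buffer overflow. The following Python is an added example, not OpenSSL's code: the sizing arithmetic is a generic base64 formula rather than the exact expression in EVP_EncodeUpdate(), 32-bit C int wrap-around is emulated explicitly (Python integers do not overflow), the unchecked sizing is shown going negative near INT_MAX, and it is paired with the bounds check a hardened implementation applies before doing any arithmetic. The streaming encoder at the end applies that check to every chunk, which is the shape of the EncodeUpdate/EncodeFinal API the advisory names.

```python
import base64

INT_MAX = 2**31 - 1


def c_int(x):
    """Emulate a 32-bit two's-complement C 'int'. Python integers never
    overflow, so the wrap-around is applied explicitly to expose the bug."""
    return ((x + 2**31) % 2**32) - 2**31


def b64_output_size_unchecked(inl):
    """Vulnerable sizing (generic base64 formula, not OpenSSL's exact
    expression): output bytes needed for 'inl' input bytes, computed in C int
    arithmetic with no range check. Near INT_MAX the (inl/3)*4 product wraps
    negative, so a caller that allocates from this value gets a buffer far
    smaller than what the encoder later writes into it."""
    groups = c_int(inl // 3 * 4)   # four output bytes per three input bytes
    return c_int(groups + 4 + 1)   # one padded group for the tail, plus a NUL


MAX_SAFE_INPUT = (INT_MAX - 5) // 4 * 3   # largest inl for which the formula cannot wrap


def b64_output_size_checked(inl):
    """Hardened sizing: bound-check the input before any arithmetic happens."""
    if inl < 0 or inl > MAX_SAFE_INPUT:
        raise OverflowError(f"input length {inl} exceeds {MAX_SAFE_INPUT}")
    return inl // 3 * 4 + 4 + 1


def sizing_rejects(inl):
    """True if the hardened sizing refuses this input length."""
    try:
        b64_output_size_checked(inl)
    except OverflowError:
        return True
    return False


class StreamingEncoder:
    """Incremental base64 in the style of an EncodeUpdate/EncodeFinal pair:
    update() accepts arbitrary chunk sizes, buffers the partial 3-byte group,
    and applies the bound check to every chunk so the running output length
    stays consistent with what was actually written."""

    def __init__(self):
        self.pending = b""
        self.out = bytearray()

    def update(self, data):
        b64_output_size_checked(len(data))   # reject an absurd chunk before touching it
        buf = self.pending + data
        whole = len(buf) // 3 * 3            # encode only complete groups now
        self.out += base64.b64encode(buf[:whole])
        self.pending = buf[whole:]
        return len(self.out)

    def final(self):
        if self.pending:                     # pad and flush the last partial group
            self.out += base64.b64encode(self.pending)
            self.pending = b""
        return bytes(self.out)


def encode_in_chunks(chunks):
    """Encode an iterable of byte chunks with the streaming encoder."""
    enc = StreamingEncoder()
    for chunk in chunks:
        enc.update(chunk)
    return enc.final()
```

The check is deliberately placed on the input length rather than on the computed result: once a signed int has wrapped, comparing it against anything is undefined behaviour in C, so the only reliable test is the one made before the multiplication.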

Solution

Before applying the update, back up your existing Red Hat JBoss Web Server
installation (including all applications and configuration files).

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

For the update to take effect, all services linked to the OpenSSL library
must be restarted, or the system rebooted. After installing the updated
packages, the httpd daemon will be restarted automatically.

Refer to the Red Hat JBoss Enterprise Web Server 2.1.1 Release Notes for a
list of non security related fixes.
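The instruction to restart every service linked to the OpenSSL library is easy to get wrong when the library does not live in the default system path, as is the case for the jbcs-httpd24-openssl packages shipped here (BZ 1366541 above concerns exactly that path), and the automatic httpd restart does not cover a JBoss server process whose Tomcat Native connector loaded the old library. On Linux the kernel marks a mapping whose file has been replaced on disk as "(deleted)" in /proc/<pid>/maps, so a process still running the old libssl or libcrypto can be found without guessing service names. The following Python is an added example, not Red Hat tooling; the sample maps excerpt is constructed and the install path in it is hypothetical.

```python
import os
import re

# Constructed excerpt of /proc/<pid>/maps for a process that still has the
# pre-update libssl mapped. The /opt/rh/... install path is hypothetical.
SAMPLE_MAPS = """\
7f1a2c000000-7f1a2c1f0000 r-xp 00000000 fd:01 131 /opt/rh/jbcs-httpd24/root/usr/lib64/libssl.so.1.0.2h (deleted)
7f1a2c1f0000-7f1a2c3f0000 ---p 001f0000 fd:01 131 /opt/rh/jbcs-httpd24/root/usr/lib64/libssl.so.1.0.2h (deleted)
7f1a2c400000-7f1a2c5f0000 r-xp 00000000 fd:01 132 /lib64/libc-2.12.so
7f1a2c600000-7f1a2c700000 r-xp 00000000 fd:01 133 /opt/rh/jbcs-httpd24/root/usr/lib64/libcrypto.so.1.0.2h
"""

# maps line: address perms offset dev inode pathname [(deleted)]
STALE_RE = re.compile(
    r"\S+\s+\S+\s+\S+\s+\S+\s+\S+\s+"
    r"(?P<path>/\S*lib(ssl|crypto)\S*\.so\S*)\s+\(deleted\)$"
)


def stale_ssl_libs(maps_text):
    """Return the sorted list of OpenSSL shared objects that a process has
    mapped but which were replaced or removed on disk after it started."""
    found = set()
    for line in maps_text.splitlines():
        m = STALE_RE.match(line.strip())
        if m:
            found.add(m.group("path"))
    return sorted(found)


def processes_needing_restart(proc_root="/proc"):
    """Scan every readable /proc/<pid>/maps and report {pid: [stale libs]}.
    Other users' processes need root to read; unreadable entries are skipped,
    and a system without /proc yields an empty result rather than an error."""
    hits = {}
    try:
        entries = os.listdir(proc_root)
    except OSError:
        return hits
    for entry in entries:
        if not entry.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, entry, "maps")) as fh:
                stale = stale_ssl_libs(fh.read())
        except OSError:
            continue
        if stale:
            hits[int(entry)] = stale
    return hits


if __name__ == "__main__":
    for pid, libs in sorted(processes_needing_restart().items()):
        print(pid, " ".join(libs))
```

Run it as root after the update and before declaring the host remediated: an empty result means no process still holds the old OpenSSL code, a non-empty one lists exactly what still has to be restarted. A reboot makes the check moot, which is why the advisory offers it as the alternative.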

Affected Products

  • JBoss Enterprise Web Server 2 for RHEL 6 x86_64
  • JBoss Enterprise Web Server 2 for RHEL 6 i386

Fixes

  • BZ - 1326320 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
  • BZ - 1331441 - CVE-2016-2105 openssl: EVP_EncodeUpdate overflow
  • BZ - 1331536 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow
  • BZ - 1337155 - CVE-2016-2106 openssl: EVP_EncryptUpdate overflow [jbews-2.1.0]
  • BZ - 1337396 - EWS 2.1.1 Tracker Bug for EL6
  • BZ - 1338646 - CVE-2016-3110 mod_cluster: remotely Segfault Apache http server
  • BZ - 1353755 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header
  • BZ - 1358118 - CVE-2016-5387 Apache HTTPD: sets environmental variable based on user supplied Proxy request header [jbews-2.1.0]
  • BZ - 1366541 - RPM: RHEL6: httpd service is not starting, LD_LIBRARY_PATH needs to be set

CVEs

  • CVE-2016-2105
  • CVE-2016-2106
  • CVE-2016-3110
  • CVE-2016-5387

References

  • https://access.redhat.com/security/updates/classification/#important
  • https://access.redhat.com/documentation/en-US/Red_Hat_JBoss_Web_Server/2.1/html/2.1.1_Release_Notes/index.html
  • https://access.redhat.com/site/documentation/
  • https://access.redhat.com/site/documentation/en-US/JBoss_Enterprise_Web_Server/2/html-single/Installation_Guide/index.html
  • https://access.redhat.com/security/vulnerabilities/httpoxy
Updated Packages

Note: More recent versions of these packages may be available.

JBoss Enterprise Web Server 2 for RHEL 6

SRPM
httpd-2.2.26-54.ep6.el6.src.rpm SHA-256: 500e2f71d7ec5bfdc3a06bc409c1c153295dc9ac19d3cb94b104dd4636492110
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.src.rpm SHA-256: ac5b23430a44667cd0792bb73c6f3c366d4450d6239e7025095bcc72fb165513
mod_cluster-1.2.13-1.Final_redhat_1.1.ep6.el6.src.rpm SHA-256: 3a72fb0b75092e961a40017f108538ac289199dfef358bf50597f22f64f9d505
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.src.rpm SHA-256: 13f719c9842b1ff8c1bf8a216599ca2e53cb412fec11035cc83ae20e3fe9ade8
mod_jk-1.2.41-2.redhat_3.ep6.el6.src.rpm SHA-256: 071f674b58df13281c7c39dde9a2b14b99272795373a5ce7d628d704d191df01
tomcat-native-1.1.34-5.redhat_1.ep6.el6.src.rpm SHA-256: f36bf2dafa5e715c97cf1a516f944bb4c6f2b98be1199f15b7508191d100b8ad
x86_64
httpd-2.2.26-54.ep6.el6.x86_64.rpm SHA-256: 65a1e179b6e455b73a9aa23929f65fda99c2283cf33e0f6cb96f362efd9b2197
httpd-debuginfo-2.2.26-54.ep6.el6.x86_64.rpm SHA-256: 3da3fb3876f9510dee88118fd1ba82bd3d53af3434a4737dccb74017ab20837f
httpd-devel-2.2.26-54.ep6.el6.x86_64.rpm SHA-256: 4e5e0e62a3e47307ca75d23e9fb8a97a117163a46d11911e7f926210a86a5a43
httpd-manual-2.2.26-54.ep6.el6.x86_64.rpm SHA-256: 8b0470615c47fafc22b9b08eecde0eca9f88371822869e76bbc2935a178a17fa
httpd-tools-2.2.26-54.ep6.el6.x86_64.rpm SHA-256: 4aeb4ecadcca0e06707fd6ef87a629067f353061dd4016c2bbe2115e51f00774
jbcs-httpd24-1-3.jbcs.el6.noarch.rpm SHA-256: 4ad48d853b5aa9b54e724c78e144bbde6deeb7a04ae023cf99e7bb04f079f6ff
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.x86_64.rpm SHA-256: 86225769181a6677c8ec92ac74db4281b41e73f0a782cb426867a50b6a0289ac
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el6.x86_64.rpm SHA-256: 68ff1e8cb25690fdc66d3c326f689ec4fb7de56d7e4606dd9304daa3f8470c8f
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.x86_64.rpm SHA-256: 2f558d2b55fa44f8df23471b4d6e2bb67dbf6b05348d2fbe9d414248a93e687d
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.x86_64.rpm SHA-256: 62186db1184d1a37129d44771eeab73630109c5e3fa54f7d2e38e35ad1a98712
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.x86_64.rpm SHA-256: 588505e83e4e8d4e75d54b7faa1d4e727159d0a98f83b2dad73b6aa2026bb379
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.x86_64.rpm SHA-256: 744051dbab7f5ad2d3157fdfa904452f51974219f1d66ca4976012e5142a5719
jbcs-httpd24-runtime-1-3.jbcs.el6.noarch.rpm SHA-256: 8ac86a3df21bd84036eaeedcf6a780bc81d36b74924fc05a308cbb3fc0241865
mod_cluster-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm SHA-256: fb69cc69b1ddbf4253f0b8232c9ee8191b4e1c1c9baa27eb0dd247ed0a654151
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.x86_64.rpm SHA-256: e67be895b7a3e8f2eec5211052d2dccb6dfd3323ad9884d4abe520b7c881c537
mod_cluster-native-debuginfo-1.2.13-3.Final_redhat_2.ep6.el6.x86_64.rpm SHA-256: 38e7de568c91b68ee8a1342d091311bb2497cc35d4270357c509926d6e59866e
mod_cluster-tomcat6-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm SHA-256: fe6253a930f33cf98a8eae8be88440559edabc13dbdb409a99517e9017fb6c4a
mod_cluster-tomcat7-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm SHA-256: dde11443657f40051c1b698086ad5bab49663bab081636d1a8b4571fe0aa2dc6
mod_jk-ap22-1.2.41-2.redhat_3.ep6.el6.x86_64.rpm SHA-256: dd7dd5f7bd57c078160587a45c225ed97e6f713f5ede61468611d3e69f63d9a5
mod_jk-debuginfo-1.2.41-2.redhat_3.ep6.el6.x86_64.rpm SHA-256: 34b1388be67bf179ff6ee98d8846fcba90a7ee25e6c7319295d7a560a8c15655
mod_jk-manual-1.2.41-2.redhat_3.ep6.el6.x86_64.rpm SHA-256: 11ecf9a96e1d788bb4f16492e9688d91ab564f1ec684834f599e9964258c50d1
mod_ssl-2.2.26-54.ep6.el6.x86_64.rpm SHA-256: e345df4f891e8278366a86e5db014d660c8306877aaa3357e9bb6e3af5cab6f4
tomcat-native-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm SHA-256: c66e650acf0a08d8088bec04e59c683358a115185820b1801ca677b7d612f71b
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el6.x86_64.rpm SHA-256: 455595542fd516d940594e0fec5577b74b40d4b4217204a5c36fc50c42c60673
i386
httpd-2.2.26-54.ep6.el6.i386.rpm SHA-256: 2ef8cdddf64eee31651657bad31abec8e607dc46b7f4c698351d74a261462d61
httpd-debuginfo-2.2.26-54.ep6.el6.i386.rpm SHA-256: 43d35837e635dbdf030317c601a8f8678c4a4f331a4c17fe87188c2967eaae62
httpd-devel-2.2.26-54.ep6.el6.i386.rpm SHA-256: 04722287bb04ab20e50386340906e15279f5acc197ec64adf1ebbc406586e335
httpd-manual-2.2.26-54.ep6.el6.i386.rpm SHA-256: 953df274cb9193c9cab480f8ecd8af48dda6e2d63de6bd4a3dd39e2c0499cd9a
httpd-tools-2.2.26-54.ep6.el6.i386.rpm SHA-256: ea1765628eb3e4d08020227c0506b5b3adfa021b31e774f8879af06921b3ecff
jbcs-httpd24-1-3.jbcs.el6.noarch.rpm SHA-256: 4ad48d853b5aa9b54e724c78e144bbde6deeb7a04ae023cf99e7bb04f079f6ff
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.i686.rpm SHA-256: 45b0aad95e6c5e6031e26e36865970c1948cf1a881b0c4e5680468e1a06c49d7
jbcs-httpd24-openssl-debuginfo-1.0.2h-4.jbcs.el6.i686.rpm SHA-256: 6f8c0fb615c0a1e7915246031f4828dc3cc534fe1f95ab63f5151210d941e2c5
jbcs-httpd24-openssl-devel-1.0.2h-4.jbcs.el6.i686.rpm SHA-256: f5ddc2a4bc86f5ec40f932aceeaf4d87eb1c012a300b4e2ffd11bfd2fecd7ba8
jbcs-httpd24-openssl-libs-1.0.2h-4.jbcs.el6.i686.rpm SHA-256: ec9f2c353d7f1b3ebbe453ff5eb170304839f6ba4b98d903b1008100e98faa60
jbcs-httpd24-openssl-perl-1.0.2h-4.jbcs.el6.i686.rpm SHA-256: e093d1532b16a8ad66a36413fcbfcd0e2b190d555c40308ca70f984cfa35d22d
jbcs-httpd24-openssl-static-1.0.2h-4.jbcs.el6.i686.rpm SHA-256: 4e06824b17e7bfe3a69c968517b2573bb38977b93ed1cc6ec3bd9616ab3c4101
jbcs-httpd24-runtime-1-3.jbcs.el6.noarch.rpm SHA-256: 8ac86a3df21bd84036eaeedcf6a780bc81d36b74924fc05a308cbb3fc0241865
mod_cluster-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm SHA-256: fb69cc69b1ddbf4253f0b8232c9ee8191b4e1c1c9baa27eb0dd247ed0a654151
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.i386.rpm SHA-256: ed043fcb58bce264b360afbd457eddfd9039dab8ff491d8f46ccdf567c6e6caf
mod_cluster-native-debuginfo-1.2.13-3.Final_redhat_2.ep6.el6.i386.rpm SHA-256: a06b33e6dfcd78d7ff1963e0ca9fb88741a4edb554aaaaa177f1a9136711fc3f
mod_cluster-tomcat6-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm SHA-256: fe6253a930f33cf98a8eae8be88440559edabc13dbdb409a99517e9017fb6c4a
mod_cluster-tomcat7-1.2.13-1.Final_redhat_1.1.ep6.el6.noarch.rpm SHA-256: dde11443657f40051c1b698086ad5bab49663bab081636d1a8b4571fe0aa2dc6
mod_jk-ap22-1.2.41-2.redhat_3.ep6.el6.i386.rpm SHA-256: a8038e44ab60da75b612201793949a5079c6863f0337536589166885649d85c5
mod_jk-debuginfo-1.2.41-2.redhat_3.ep6.el6.i386.rpm SHA-256: 98ad935948ca7819fce791fe988e1d4b12ce197e5c7454dd1fa65599e4c30995
mod_jk-manual-1.2.41-2.redhat_3.ep6.el6.i386.rpm SHA-256: bb2f5b6bb3907d866e3fea62aea319730aa06a55f13f716ce2cecfc418f8d334
mod_ssl-2.2.26-54.ep6.el6.i386.rpm SHA-256: 2a5fd27067edc19626604ef553a5490f8a7eba49da369c3043d7a4a7c306779e
tomcat-native-1.1.34-5.redhat_1.ep6.el6.i386.rpm SHA-256: d6e7500e9781ff94436a46aec1b0facc37d61429f80bcc9d4696ecfafe7aaac4
tomcat-native-debuginfo-1.1.34-5.redhat_1.ep6.el6.i386.rpm SHA-256: a2bb8ecb48861a5815d360970464530e3b6feacd008240b3812847f6c771715a
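To confirm that a host actually carries the fixed builds, compare the installed version-release string against the list above rather than the upstream version alone: for httpd the fix is in the release field (54.ep6.el6), not in the 2.2.26 version number. The following Python is an added example, not Red Hat tooling. It parses lines in the format used above, implements a simplified rpm version comparison (digit runs compare numerically, alpha runs lexically, a digit run beats an alpha run, and the string with segments left over is newer; no tilde or caret handling), and checks downloaded RPM files against the listed SHA-256 digests. The manifest excerpt is copied from the list above; the file bytes used in the test are a constructed placeholder and are therefore expected to fail the digest check.

```python
import hashlib
import re

# Four lines copied from the package list above, in the advisory's own format.
ADVISORY_EXCERPT = """\
httpd-2.2.26-54.ep6.el6.src.rpm SHA-256: 500e2f71d7ec5bfdc3a06bc409c1c153295dc9ac19d3cb94b104dd4636492110
jbcs-httpd24-openssl-1.0.2h-4.jbcs.el6.x86_64.rpm SHA-256: 86225769181a6677c8ec92ac74db4281b41e73f0a782cb426867a50b6a0289ac
mod_cluster-native-1.2.13-3.Final_redhat_2.ep6.el6.x86_64.rpm SHA-256: e67be895b7a3e8f2eec5211052d2dccb6dfd3323ad9884d4abe520b7c881c537
mod_jk-ap22-1.2.41-2.redhat_3.ep6.el6.x86_64.rpm SHA-256: dd7dd5f7bd57c078160587a45c225ed97e6f713f5ede61468611d3e69f63d9a5
"""

LINE_RE = re.compile(r"^(?P<nevra>\S+)\.rpm SHA-256: (?P<sha>[0-9a-f]{64})$")
SEG_RE = re.compile(r"\d+|[a-zA-Z]+")


def parse_manifest(text):
    """Return {filename: sha256hex} for every advisory package line."""
    out = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out[m.group("nevra") + ".rpm"] = m.group("sha")
    return out


def split_nevra(filename):
    """'httpd-2.2.26-54.ep6.el6.x86_64.rpm' -> ('httpd', '2.2.26', '54.ep6.el6', 'x86_64')."""
    nevra = filename[:-len(".rpm")] if filename.endswith(".rpm") else filename
    nevr, arch = nevra.rsplit(".", 1)
    name, version, release = nevr.rsplit("-", 2)   # name may itself contain '-'
    return name, version, release, arch


def rpmvercmp(a, b):
    """Simplified rpm version/release comparison: -1, 0 or 1."""
    sa, sb = SEG_RE.findall(a), SEG_RE.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1      # numeric segment is newer than alpha
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def fixed_versions(manifest):
    """Map package name -> (version, release) shipped by the advisory."""
    fixed = {}
    for filename in manifest:
        name, version, release, _arch = split_nevra(filename)
        fixed[name] = (version, release)
    return fixed


def is_fixed(installed_nevr, fixed):
    """True if an installed name-version-release (as printed by rpm -q) is at
    or above the advisory's version-release for that package name."""
    name, version, release = installed_nevr.rsplit("-", 2)
    if name not in fixed:
        raise KeyError(f"{name} is not shipped by this advisory")
    fixed_version, fixed_release = fixed[name]
    c = rpmvercmp(version, fixed_version)
    if c == 0:
        c = rpmvercmp(release, fixed_release)
    return c >= 0


def verify_downloads(manifest, files):
    """files: {filename: bytes}. Return filenames whose SHA-256 does not match
    the advisory; a file absent from the manifest also counts as a mismatch."""
    bad = []
    for filename, data in files.items():
        expected = manifest.get(filename)
        if expected is None or hashlib.sha256(data).hexdigest() != expected:
            bad.append(filename)
    return bad


ADVISORY_MANIFEST = parse_manifest(ADVISORY_EXCERPT)
FIXED = fixed_versions(ADVISORY_MANIFEST)
```

On the host itself, `rpm -q httpd --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'` prints the installed string in the form is_fixed() expects, and `rpm -K <file>.rpm` verifies the Red Hat signature on a downloaded package, which is the authoritative check; the SHA-256 comparison here is a convenience for files staged outside of rpm.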

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.
