Red Hat Product Errata RHSA-2017:1801 - Security Advisory
Issued:
2017-07-25
Updated:
2017-07-25

RHSA-2017:1801 - Security Advisory

Synopsis

Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update

Type/Severity

Security Advisory: Important

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Security Fix(es):

  • It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application. (CVE-2017-5645)
  • A vulnerability was discovered in tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)
  • A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)
  • A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. (CVE-2017-5648)

Solution

Before applying the update, back up your existing Red Hat JBoss Web Server installation (including all applications and configuration files).

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

  • JBoss Enterprise Web Server 3 for RHEL 7 x86_64
  • JBoss Enterprise Web Server 3 for RHEL 6 x86_64
  • JBoss Enterprise Web Server 3 for RHEL 6 i386

Fixes

  • BZ - 1441205 - CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used
  • BZ - 1441223 - CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object
  • BZ - 1443635 - CVE-2017-5645 log4j: Socket receiver deserialization vulnerability
  • BZ - 1459158 - CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism

JBoss Enterprise Web Server 3 for RHEL 7

SRPM
log4j-eap6-1.2.16-12.redhat_3.1.ep6.el7.src.rpm SHA-256: e3bfb9fb8def81c71f1540b646eb181ddef6662e7fdcc465a2c86fdd0b3989e6
tomcat-native-1.2.8-10.redhat_10.ep7.el7.src.rpm SHA-256: f79fc134ef839e68b99ec64f03d3e65c496cf1611f65bcb4937fcffcb981dda3
tomcat7-7.0.70-22.ep7.el7.src.rpm SHA-256: e1bf3992e4974fc41c93a10050c59bba9a06fc6e423485affbfa3c3883186360
tomcat8-8.0.36-24.ep7.el7.src.rpm SHA-256: ad4d340dbfd976b146e8e3dd63952120e2ecc649ba8b17a15882a90ad1d3face
x86_64
log4j-eap6-1.2.16-12.redhat_3.1.ep6.el7.noarch.rpm SHA-256: 1bc40fdc3d28ba368f8425077eec0375d62553bb6e677b717ea8ff55831b6842
tomcat-native-1.2.8-10.redhat_10.ep7.el7.x86_64.rpm SHA-256: 4cf66fd3541e55620f745a193e313397d9d15d3eaaa30440b957a195a0559dac
tomcat-native-debuginfo-1.2.8-10.redhat_10.ep7.el7.x86_64.rpm SHA-256: 8507ea73bbfd9995ae8350a236b4d3636c01e95a00acfbb0fad4af3166974346
tomcat7-7.0.70-22.ep7.el7.noarch.rpm SHA-256: 49736696cd29d57daeb185faef7fe1917cc7b9bb2b8ada4bb7ba558f9be30d9e
tomcat7-admin-webapps-7.0.70-22.ep7.el7.noarch.rpm SHA-256: 03c2a0d4d58cbd644d466e9966615317ac09d92f2eb60c341a243c6f4ed89c52
tomcat7-docs-webapp-7.0.70-22.ep7.el7.noarch.rpm SHA-256: fb3d8bb31f1c419746c7b147d111ed138e59e8a8e362f87d7444c8c2cc16fe7c
tomcat7-el-2.2-api-7.0.70-22.ep7.el7.noarch.rpm SHA-256: 1e2983184b91f93fa07c0b666f64d4a207708db006c959708f23630c2af038e4
tomcat7-javadoc-7.0.70-22.ep7.el7.noarch.rpm SHA-256: d6e904cd5dd610e71d4a4dc097dc351e0ba2e91cf07d0dca08e203ce82f2d940
tomcat7-jsp-2.2-api-7.0.70-22.ep7.el7.noarch.rpm SHA-256: 6cb72800a3d9f6fa7c61ec304e5c49e739bb68edff3e23d5a4947cccff8387dc
tomcat7-jsvc-7.0.70-22.ep7.el7.noarch.rpm SHA-256: f4fa7f31be8f004542d40f06752b835b91a1882e01574efbcc988e1ca5e702c1
tomcat7-lib-7.0.70-22.ep7.el7.noarch.rpm SHA-256: 545ba54b95f5d2ae0796bccead315640854cfeabc1ccd6451c51aca30a52c5a8
tomcat7-log4j-7.0.70-22.ep7.el7.noarch.rpm SHA-256: c6e52f7813b7073877ff9370ff138551b071bddfcc28c9d32cc8dc6fb2df4050
tomcat7-selinux-7.0.70-22.ep7.el7.noarch.rpm SHA-256: bb67f8a8550dbee6bb136f17a2cdcfca738b4aac45c1badf60039f905af173c4
tomcat7-servlet-3.0-api-7.0.70-22.ep7.el7.noarch.rpm SHA-256: 8dbd3f56046107f5ae0de4bbf634f5d1c491e2ffd5ee8eb44c6a1ce67e6dfa2f
tomcat7-webapps-7.0.70-22.ep7.el7.noarch.rpm SHA-256: 64356489d7cd95b3725ceff76d14dc1092f186340ec3d8a293e6cbf91236aa88
tomcat8-8.0.36-24.ep7.el7.noarch.rpm SHA-256: 538073b7e2dab28b2b20fdb9abc994f99eddf217c04150bb41b5519abad79489
tomcat8-admin-webapps-8.0.36-24.ep7.el7.noarch.rpm SHA-256: 9e5c807e6a0971657eafbec48b8361cdb7e3c3e96b9f84481ea34e6b27dd9514
tomcat8-docs-webapp-8.0.36-24.ep7.el7.noarch.rpm SHA-256: 7ba85962ca57970d6f283ca1b2b654b8e82115469eb3e0d17410420f039fa550
tomcat8-el-2.2-api-8.0.36-24.ep7.el7.noarch.rpm SHA-256: d583978bc6e19552f9a2e62b117f6e74f1de4d5e7e4bac3b27defe60326ada96
tomcat8-javadoc-8.0.36-24.ep7.el7.noarch.rpm SHA-256: d60e2579ce5b6fd8ed7ae3c2ca6a109b544583e7186477318a8059268b70acfe
tomcat8-jsp-2.3-api-8.0.36-24.ep7.el7.noarch.rpm SHA-256: e1db3959e56dcafab78cb94a860cb60b1eafbf5009facff4743e2e641ce4fc47
tomcat8-jsvc-8.0.36-24.ep7.el7.noarch.rpm SHA-256: 8d688cfb69276b78b9a58503ef8f4fd8fd4d991971a7098ab77b904098a0f485
tomcat8-lib-8.0.36-24.ep7.el7.noarch.rpm SHA-256: cf0133c7cb7b89f8e33c4b3adc3171634f0aa4deb29f1e454baed3830ee8e0a6
tomcat8-log4j-8.0.36-24.ep7.el7.noarch.rpm SHA-256: fa26f1036ce8d60937119955161f4eaf2b0d4c123fea6de549084943fa641cbe
tomcat8-selinux-8.0.36-24.ep7.el7.noarch.rpm SHA-256: bda94d961513290cc0c4512a6a196f258316f2937557f08159bdb52232e63a65
tomcat8-servlet-3.1-api-8.0.36-24.ep7.el7.noarch.rpm SHA-256: da6814475a56631830400eb6970003a1d8f727bfd01537f8218c1cbc306d2c3e
tomcat8-webapps-8.0.36-24.ep7.el7.noarch.rpm SHA-256: 0d4693a39b2921d836dedcad974a0c8757ee10fd47828cd88aa6d98f15d97a1e

JBoss Enterprise Web Server 3 for RHEL 6

SRPM
log4j-eap6-1.2.16-12.redhat_3.1.ep6.el6.src.rpm SHA-256: 3b766ad81abfc30b8320185dc174b80f1aacfaa157e1e716e06d5cade1144e75
tomcat-native-1.2.8-10.redhat_10.ep7.el6.src.rpm SHA-256: c066d740d2c239afeb6bb329e211b5a451144d813f81f44987b45560d547d893
tomcat7-7.0.70-22.ep7.el6.src.rpm SHA-256: 2284c9ee1d157df6beb278f5b440a85bc63eb803da3c44a723f975e3c491f11b
tomcat8-8.0.36-24.ep7.el6.src.rpm SHA-256: 83c8a0a5e9607d2fda7722f2f6c4c6c545634bb2fe2a167d6dcea229ef7de484
x86_64
log4j-eap6-1.2.16-12.redhat_3.1.ep6.el6.noarch.rpm SHA-256: 5dff2cd8b71d00b0c77c10dbf542f7af5a931dcfaad202d041a07d9648d82653
tomcat-native-1.2.8-10.redhat_10.ep7.el6.x86_64.rpm SHA-256: a51cedebf29564139aad17e4734b6414810ddcbd79e2e931c8bd35fcd71bf35b
tomcat-native-debuginfo-1.2.8-10.redhat_10.ep7.el6.x86_64.rpm SHA-256: 51aa1a65fc52254a13a1fea23360724597eb6796fb2f79517277aa81d78af7ab
tomcat7-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 05882be986c326b238be0a697d15354ca738420caaf57a723361b2396dcb9675
tomcat7-admin-webapps-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 35a07ec53659c32be6a9c4c7d7af1d229ce34fafd5c62931bc0a9db43a09675a
tomcat7-docs-webapp-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 054c610e2396b46d3bc8a78be52a43e7f9b35af46376a6b7daea4c4dd74d4b7b
tomcat7-el-2.2-api-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 3b5a8c154dcc8831cb70698c28b42b0718ab06222ae6f9e65356db9d906b4910
tomcat7-javadoc-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 394af56e44928398c09c287c37ad61e2d2583b822b98e716089a2c465053d49e
tomcat7-jsp-2.2-api-7.0.70-22.ep7.el6.noarch.rpm SHA-256: b8bad8f6478eaff697f9181f12140e58f01f50995501e8e6d562e3c204dcc1ea
tomcat7-jsvc-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 34a7f199c746b9a16a9926895a5075613d2f2c4d392b25a6af47b9df11d0e31d
tomcat7-lib-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 5a4ae7fc9c15327dbf8b6d4e45d1963e67c8e33660bd8fa2a91043feba45c793
tomcat7-log4j-7.0.70-22.ep7.el6.noarch.rpm SHA-256: f3283af232b3600307f9681cc07243d379265d6c32db6e9a96d8185dc1b30070
tomcat7-selinux-7.0.70-22.ep7.el6.noarch.rpm SHA-256: b68ddc20253e6f0e87b87300c55bdaa33edfca5bfd359d848bd62b35d4ad4ed3
tomcat7-servlet-3.0-api-7.0.70-22.ep7.el6.noarch.rpm SHA-256: ae687340ad4a7582388d437721755771e213d233a57d1ff119ed7adff5670eaf
tomcat7-webapps-7.0.70-22.ep7.el6.noarch.rpm SHA-256: b78646cc3639ebbd728b75ad8dc3daa310fc647aa97cb9e4dc377c770a5ec28a
tomcat8-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 1f2b6ed15ddc9f3f9de264e1e140710c3191d3d9808cce1a6675a13a6cbb7ca2
tomcat8-admin-webapps-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 9c1725bc43797838d34268798019cd85dfbc48087a61479d211217b707333df2
tomcat8-docs-webapp-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 9e98bb7e0b2e3287698ace78cad17b07484ac069f4d4d2775263032f382ca783
tomcat8-el-2.2-api-8.0.36-24.ep7.el6.noarch.rpm SHA-256: e62de1555e025cc0891fdb2137759cdd89eac8eeb6abdb0c4b0c3499bf03680f
tomcat8-javadoc-8.0.36-24.ep7.el6.noarch.rpm SHA-256: e133639683f546fdc43030022238b4bdc76d46a1e321ed88dbf52e681d9165ad
tomcat8-jsp-2.3-api-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 71d6e08920ce9f488edc239cf4cea27885827647078cd14dff94b850d31e1ec0
tomcat8-jsvc-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 71d83a3610f4e968c0037320845b23035a73c80e24eb8d4c89af49161e47e171
tomcat8-lib-8.0.36-24.ep7.el6.noarch.rpm SHA-256: d23a047bc93587b08f240cbdbc914c9fb2b4c967370e4c8fbbe24061efbdd35f
tomcat8-log4j-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 2769efeb0dfa560146d93ebb5eada53a8705d435f52f0f31aeb7e2f3d427c2b6
tomcat8-selinux-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 133d5508c39c4b943ad650265eb05c763a6463b90017393552538aae9fb9dca5
tomcat8-servlet-3.1-api-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 00a485deac61e99236e0c9ab1d8d833296baea57b8e6673cb4e2d70bc80bc2dc
tomcat8-webapps-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 43917ef745f159fc0ff633205becbea36b6a1078eb5e28e489c71a6ba5438470
i386
log4j-eap6-1.2.16-12.redhat_3.1.ep6.el6.noarch.rpm SHA-256: 5dff2cd8b71d00b0c77c10dbf542f7af5a931dcfaad202d041a07d9648d82653
tomcat-native-1.2.8-10.redhat_10.ep7.el6.i686.rpm SHA-256: 7b8574768c39a238e198ab95e843ffd9972c771562ece713dce938befe0bd5e2
tomcat-native-debuginfo-1.2.8-10.redhat_10.ep7.el6.i686.rpm SHA-256: 9ae3381af04c3ad7df7972736289d6b7ba48708c633dab0f3e9686c9191c3eb5
tomcat7-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 05882be986c326b238be0a697d15354ca738420caaf57a723361b2396dcb9675
tomcat7-admin-webapps-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 35a07ec53659c32be6a9c4c7d7af1d229ce34fafd5c62931bc0a9db43a09675a
tomcat7-docs-webapp-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 054c610e2396b46d3bc8a78be52a43e7f9b35af46376a6b7daea4c4dd74d4b7b
tomcat7-el-2.2-api-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 3b5a8c154dcc8831cb70698c28b42b0718ab06222ae6f9e65356db9d906b4910
tomcat7-javadoc-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 394af56e44928398c09c287c37ad61e2d2583b822b98e716089a2c465053d49e
tomcat7-jsp-2.2-api-7.0.70-22.ep7.el6.noarch.rpm SHA-256: b8bad8f6478eaff697f9181f12140e58f01f50995501e8e6d562e3c204dcc1ea
tomcat7-jsvc-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 34a7f199c746b9a16a9926895a5075613d2f2c4d392b25a6af47b9df11d0e31d
tomcat7-lib-7.0.70-22.ep7.el6.noarch.rpm SHA-256: 5a4ae7fc9c15327dbf8b6d4e45d1963e67c8e33660bd8fa2a91043feba45c793
tomcat7-log4j-7.0.70-22.ep7.el6.noarch.rpm SHA-256: f3283af232b3600307f9681cc07243d379265d6c32db6e9a96d8185dc1b30070
tomcat7-selinux-7.0.70-22.ep7.el6.noarch.rpm SHA-256: b68ddc20253e6f0e87b87300c55bdaa33edfca5bfd359d848bd62b35d4ad4ed3
tomcat7-servlet-3.0-api-7.0.70-22.ep7.el6.noarch.rpm SHA-256: ae687340ad4a7582388d437721755771e213d233a57d1ff119ed7adff5670eaf
tomcat7-webapps-7.0.70-22.ep7.el6.noarch.rpm SHA-256: b78646cc3639ebbd728b75ad8dc3daa310fc647aa97cb9e4dc377c770a5ec28a
tomcat8-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 1f2b6ed15ddc9f3f9de264e1e140710c3191d3d9808cce1a6675a13a6cbb7ca2
tomcat8-admin-webapps-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 9c1725bc43797838d34268798019cd85dfbc48087a61479d211217b707333df2
tomcat8-docs-webapp-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 9e98bb7e0b2e3287698ace78cad17b07484ac069f4d4d2775263032f382ca783
tomcat8-el-2.2-api-8.0.36-24.ep7.el6.noarch.rpm SHA-256: e62de1555e025cc0891fdb2137759cdd89eac8eeb6abdb0c4b0c3499bf03680f
tomcat8-javadoc-8.0.36-24.ep7.el6.noarch.rpm SHA-256: e133639683f546fdc43030022238b4bdc76d46a1e321ed88dbf52e681d9165ad
tomcat8-jsp-2.3-api-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 71d6e08920ce9f488edc239cf4cea27885827647078cd14dff94b850d31e1ec0
tomcat8-jsvc-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 71d83a3610f4e968c0037320845b23035a73c80e24eb8d4c89af49161e47e171
tomcat8-lib-8.0.36-24.ep7.el6.noarch.rpm SHA-256: d23a047bc93587b08f240cbdbc914c9fb2b4c967370e4c8fbbe24061efbdd35f
tomcat8-log4j-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 2769efeb0dfa560146d93ebb5eada53a8705d435f52f0f31aeb7e2f3d427c2b6
tomcat8-selinux-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 133d5508c39c4b943ad650265eb05c763a6463b90017393552538aae9fb9dca5
tomcat8-servlet-3.1-api-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 00a485deac61e99236e0c9ab1d8d833296baea57b8e6673cb4e2d70bc80bc2dc
tomcat8-webapps-8.0.36-24.ep7.el6.noarch.rpm SHA-256: 43917ef745f159fc0ff633205becbea36b6a1078eb5e28e489c71a6ba5438470

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.