Red Hat Product Errata RHSA-2017:3080 - Security Advisory

Issued:: 2017-10-29
Updated:: 2017-10-29

RHSA-2017:3080 - Security Advisory

Overview
Updated Packages

Synopsis

Important: tomcat6 security update

Type/Severity

Security Advisory: Important

Topic

An update for tomcat6 is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

A vulnerability was discovered in Tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)
A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)
Two vulnerabilities were discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution. (CVE-2017-12615, CVE-2017-12617)

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server 6 x86_64
Red Hat Enterprise Linux Server 6 i386
Red Hat Enterprise Linux Workstation 6 x86_64
Red Hat Enterprise Linux Workstation 6 i386
Red Hat Enterprise Linux Desktop 6 x86_64
Red Hat Enterprise Linux Desktop 6 i386
Red Hat Enterprise Linux for IBM z Systems 6 s390x
Red Hat Enterprise Linux for Power, big endian 6 ppc64
Red Hat Enterprise Linux for Scientific Computing 6 x86_64

Fixes

BZ - 1441205 - CVE-2017-5647 tomcat: Incorrect handling of pipelined requests when send file was used
BZ - 1459158 - CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
BZ - 1461851 - The tomcat6 build is incompatible with the ECJ update
BZ - 1493220 - CVE-2017-12615 tomcat: Remote Code Execution via JSP Upload
BZ - 1494283 - CVE-2017-12617 tomcat: Remote Code Execution bypass for CVE-2017-12615

CVEs

References

https://access.redhat.com/security/updates/classification/#important

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 6

SRPM
tomcat6-6.0.24-111.el6_9.src.rpm	SHA-256: 294eaf38a3c902952be5afc09f1c7b8be68983019d93575b1c2ea6be2c32f8ca
x86_64
tomcat6-6.0.24-111.el6_9.noarch.rpm	SHA-256: 0fc701d317c0abf8721a43678af147a6bb1fcf2608976500ac994fce22dd5f1d
tomcat6-admin-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 39434c01329dc10ebc61f5559d5de28acdeeb353b39e09ed695d37696dfd0540
tomcat6-docs-webapp-6.0.24-111.el6_9.noarch.rpm	SHA-256: 990dab10e0c94bcbf58ffa666615e8dd6368bd8c6f82dd8263e8d76f13909295
tomcat6-el-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 7ed32a9ef31cfba4d2d7e29a00a5dac8049dc623e5cc242f98a5ba42bb413de5
tomcat6-javadoc-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1ca31f208a0a07a65ee303a8692d856ccfe3d414a54780b7ba6c7cb2e16c68b5
tomcat6-jsp-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1c76b28f3a3dbd1863ced4532563914fa669ae1cea8eff08412eefb319039bc1
tomcat6-lib-6.0.24-111.el6_9.noarch.rpm	SHA-256: 951de3e08c8b86ab330911e058c2b3c5869e917abba4660da3b90ddaf636dabb
tomcat6-servlet-2.5-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 22ae1ba25bf46d6f4fe03e42ec5b30caeaacaa7a3494d28ee08a3f36af4d12c3
tomcat6-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1a93e65e5c84f43ff6f611a5333abd2d9d35b940953f34e9b13c529039b6059a
i386
tomcat6-6.0.24-111.el6_9.noarch.rpm	SHA-256: 0fc701d317c0abf8721a43678af147a6bb1fcf2608976500ac994fce22dd5f1d
tomcat6-admin-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 39434c01329dc10ebc61f5559d5de28acdeeb353b39e09ed695d37696dfd0540
tomcat6-docs-webapp-6.0.24-111.el6_9.noarch.rpm	SHA-256: 990dab10e0c94bcbf58ffa666615e8dd6368bd8c6f82dd8263e8d76f13909295
tomcat6-el-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 7ed32a9ef31cfba4d2d7e29a00a5dac8049dc623e5cc242f98a5ba42bb413de5
tomcat6-javadoc-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1ca31f208a0a07a65ee303a8692d856ccfe3d414a54780b7ba6c7cb2e16c68b5
tomcat6-jsp-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1c76b28f3a3dbd1863ced4532563914fa669ae1cea8eff08412eefb319039bc1
tomcat6-lib-6.0.24-111.el6_9.noarch.rpm	SHA-256: 951de3e08c8b86ab330911e058c2b3c5869e917abba4660da3b90ddaf636dabb
tomcat6-servlet-2.5-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 22ae1ba25bf46d6f4fe03e42ec5b30caeaacaa7a3494d28ee08a3f36af4d12c3
tomcat6-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1a93e65e5c84f43ff6f611a5333abd2d9d35b940953f34e9b13c529039b6059a

Red Hat Enterprise Linux Workstation 6

SRPM
tomcat6-6.0.24-111.el6_9.src.rpm	SHA-256: 294eaf38a3c902952be5afc09f1c7b8be68983019d93575b1c2ea6be2c32f8ca
x86_64
tomcat6-6.0.24-111.el6_9.noarch.rpm	SHA-256: 0fc701d317c0abf8721a43678af147a6bb1fcf2608976500ac994fce22dd5f1d
tomcat6-admin-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 39434c01329dc10ebc61f5559d5de28acdeeb353b39e09ed695d37696dfd0540
tomcat6-docs-webapp-6.0.24-111.el6_9.noarch.rpm	SHA-256: 990dab10e0c94bcbf58ffa666615e8dd6368bd8c6f82dd8263e8d76f13909295
tomcat6-el-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 7ed32a9ef31cfba4d2d7e29a00a5dac8049dc623e5cc242f98a5ba42bb413de5
tomcat6-javadoc-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1ca31f208a0a07a65ee303a8692d856ccfe3d414a54780b7ba6c7cb2e16c68b5
tomcat6-jsp-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1c76b28f3a3dbd1863ced4532563914fa669ae1cea8eff08412eefb319039bc1
tomcat6-lib-6.0.24-111.el6_9.noarch.rpm	SHA-256: 951de3e08c8b86ab330911e058c2b3c5869e917abba4660da3b90ddaf636dabb
tomcat6-servlet-2.5-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 22ae1ba25bf46d6f4fe03e42ec5b30caeaacaa7a3494d28ee08a3f36af4d12c3
tomcat6-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1a93e65e5c84f43ff6f611a5333abd2d9d35b940953f34e9b13c529039b6059a
i386
tomcat6-6.0.24-111.el6_9.noarch.rpm	SHA-256: 0fc701d317c0abf8721a43678af147a6bb1fcf2608976500ac994fce22dd5f1d
tomcat6-admin-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 39434c01329dc10ebc61f5559d5de28acdeeb353b39e09ed695d37696dfd0540
tomcat6-docs-webapp-6.0.24-111.el6_9.noarch.rpm	SHA-256: 990dab10e0c94bcbf58ffa666615e8dd6368bd8c6f82dd8263e8d76f13909295
tomcat6-el-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 7ed32a9ef31cfba4d2d7e29a00a5dac8049dc623e5cc242f98a5ba42bb413de5
tomcat6-javadoc-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1ca31f208a0a07a65ee303a8692d856ccfe3d414a54780b7ba6c7cb2e16c68b5
tomcat6-jsp-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1c76b28f3a3dbd1863ced4532563914fa669ae1cea8eff08412eefb319039bc1
tomcat6-lib-6.0.24-111.el6_9.noarch.rpm	SHA-256: 951de3e08c8b86ab330911e058c2b3c5869e917abba4660da3b90ddaf636dabb
tomcat6-servlet-2.5-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 22ae1ba25bf46d6f4fe03e42ec5b30caeaacaa7a3494d28ee08a3f36af4d12c3
tomcat6-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1a93e65e5c84f43ff6f611a5333abd2d9d35b940953f34e9b13c529039b6059a

Red Hat Enterprise Linux Desktop 6

SRPM
tomcat6-6.0.24-111.el6_9.src.rpm	SHA-256: 294eaf38a3c902952be5afc09f1c7b8be68983019d93575b1c2ea6be2c32f8ca
x86_64
tomcat6-6.0.24-111.el6_9.noarch.rpm	SHA-256: 0fc701d317c0abf8721a43678af147a6bb1fcf2608976500ac994fce22dd5f1d
tomcat6-admin-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 39434c01329dc10ebc61f5559d5de28acdeeb353b39e09ed695d37696dfd0540
tomcat6-docs-webapp-6.0.24-111.el6_9.noarch.rpm	SHA-256: 990dab10e0c94bcbf58ffa666615e8dd6368bd8c6f82dd8263e8d76f13909295
tomcat6-el-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 7ed32a9ef31cfba4d2d7e29a00a5dac8049dc623e5cc242f98a5ba42bb413de5
tomcat6-javadoc-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1ca31f208a0a07a65ee303a8692d856ccfe3d414a54780b7ba6c7cb2e16c68b5
tomcat6-jsp-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1c76b28f3a3dbd1863ced4532563914fa669ae1cea8eff08412eefb319039bc1
tomcat6-lib-6.0.24-111.el6_9.noarch.rpm	SHA-256: 951de3e08c8b86ab330911e058c2b3c5869e917abba4660da3b90ddaf636dabb
tomcat6-servlet-2.5-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 22ae1ba25bf46d6f4fe03e42ec5b30caeaacaa7a3494d28ee08a3f36af4d12c3
tomcat6-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1a93e65e5c84f43ff6f611a5333abd2d9d35b940953f34e9b13c529039b6059a
i386
tomcat6-6.0.24-111.el6_9.noarch.rpm	SHA-256: 0fc701d317c0abf8721a43678af147a6bb1fcf2608976500ac994fce22dd5f1d
tomcat6-admin-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 39434c01329dc10ebc61f5559d5de28acdeeb353b39e09ed695d37696dfd0540
tomcat6-docs-webapp-6.0.24-111.el6_9.noarch.rpm	SHA-256: 990dab10e0c94bcbf58ffa666615e8dd6368bd8c6f82dd8263e8d76f13909295
tomcat6-el-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 7ed32a9ef31cfba4d2d7e29a00a5dac8049dc623e5cc242f98a5ba42bb413de5
tomcat6-javadoc-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1ca31f208a0a07a65ee303a8692d856ccfe3d414a54780b7ba6c7cb2e16c68b5
tomcat6-jsp-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1c76b28f3a3dbd1863ced4532563914fa669ae1cea8eff08412eefb319039bc1
tomcat6-lib-6.0.24-111.el6_9.noarch.rpm	SHA-256: 951de3e08c8b86ab330911e058c2b3c5869e917abba4660da3b90ddaf636dabb
tomcat6-servlet-2.5-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 22ae1ba25bf46d6f4fe03e42ec5b30caeaacaa7a3494d28ee08a3f36af4d12c3
tomcat6-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1a93e65e5c84f43ff6f611a5333abd2d9d35b940953f34e9b13c529039b6059a

Red Hat Enterprise Linux for IBM z Systems 6

SRPM
tomcat6-6.0.24-111.el6_9.src.rpm	SHA-256: 294eaf38a3c902952be5afc09f1c7b8be68983019d93575b1c2ea6be2c32f8ca
s390x
tomcat6-6.0.24-111.el6_9.noarch.rpm	SHA-256: 0fc701d317c0abf8721a43678af147a6bb1fcf2608976500ac994fce22dd5f1d
tomcat6-admin-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 39434c01329dc10ebc61f5559d5de28acdeeb353b39e09ed695d37696dfd0540
tomcat6-docs-webapp-6.0.24-111.el6_9.noarch.rpm	SHA-256: 990dab10e0c94bcbf58ffa666615e8dd6368bd8c6f82dd8263e8d76f13909295
tomcat6-el-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 7ed32a9ef31cfba4d2d7e29a00a5dac8049dc623e5cc242f98a5ba42bb413de5
tomcat6-javadoc-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1ca31f208a0a07a65ee303a8692d856ccfe3d414a54780b7ba6c7cb2e16c68b5
tomcat6-jsp-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1c76b28f3a3dbd1863ced4532563914fa669ae1cea8eff08412eefb319039bc1
tomcat6-lib-6.0.24-111.el6_9.noarch.rpm	SHA-256: 951de3e08c8b86ab330911e058c2b3c5869e917abba4660da3b90ddaf636dabb
tomcat6-servlet-2.5-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 22ae1ba25bf46d6f4fe03e42ec5b30caeaacaa7a3494d28ee08a3f36af4d12c3
tomcat6-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1a93e65e5c84f43ff6f611a5333abd2d9d35b940953f34e9b13c529039b6059a

Red Hat Enterprise Linux for Power, big endian 6

SRPM
tomcat6-6.0.24-111.el6_9.src.rpm	SHA-256: 294eaf38a3c902952be5afc09f1c7b8be68983019d93575b1c2ea6be2c32f8ca
ppc64
tomcat6-6.0.24-111.el6_9.noarch.rpm	SHA-256: 0fc701d317c0abf8721a43678af147a6bb1fcf2608976500ac994fce22dd5f1d
tomcat6-admin-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 39434c01329dc10ebc61f5559d5de28acdeeb353b39e09ed695d37696dfd0540
tomcat6-docs-webapp-6.0.24-111.el6_9.noarch.rpm	SHA-256: 990dab10e0c94bcbf58ffa666615e8dd6368bd8c6f82dd8263e8d76f13909295
tomcat6-el-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 7ed32a9ef31cfba4d2d7e29a00a5dac8049dc623e5cc242f98a5ba42bb413de5
tomcat6-javadoc-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1ca31f208a0a07a65ee303a8692d856ccfe3d414a54780b7ba6c7cb2e16c68b5
tomcat6-jsp-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1c76b28f3a3dbd1863ced4532563914fa669ae1cea8eff08412eefb319039bc1
tomcat6-lib-6.0.24-111.el6_9.noarch.rpm	SHA-256: 951de3e08c8b86ab330911e058c2b3c5869e917abba4660da3b90ddaf636dabb
tomcat6-servlet-2.5-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 22ae1ba25bf46d6f4fe03e42ec5b30caeaacaa7a3494d28ee08a3f36af4d12c3
tomcat6-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1a93e65e5c84f43ff6f611a5333abd2d9d35b940953f34e9b13c529039b6059a

Red Hat Enterprise Linux for Scientific Computing 6

SRPM
tomcat6-6.0.24-111.el6_9.src.rpm	SHA-256: 294eaf38a3c902952be5afc09f1c7b8be68983019d93575b1c2ea6be2c32f8ca
x86_64
tomcat6-6.0.24-111.el6_9.noarch.rpm	SHA-256: 0fc701d317c0abf8721a43678af147a6bb1fcf2608976500ac994fce22dd5f1d
tomcat6-admin-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 39434c01329dc10ebc61f5559d5de28acdeeb353b39e09ed695d37696dfd0540
tomcat6-docs-webapp-6.0.24-111.el6_9.noarch.rpm	SHA-256: 990dab10e0c94bcbf58ffa666615e8dd6368bd8c6f82dd8263e8d76f13909295
tomcat6-el-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 7ed32a9ef31cfba4d2d7e29a00a5dac8049dc623e5cc242f98a5ba42bb413de5
tomcat6-javadoc-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1ca31f208a0a07a65ee303a8692d856ccfe3d414a54780b7ba6c7cb2e16c68b5
tomcat6-jsp-2.1-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1c76b28f3a3dbd1863ced4532563914fa669ae1cea8eff08412eefb319039bc1
tomcat6-lib-6.0.24-111.el6_9.noarch.rpm	SHA-256: 951de3e08c8b86ab330911e058c2b3c5869e917abba4660da3b90ddaf636dabb
tomcat6-servlet-2.5-api-6.0.24-111.el6_9.noarch.rpm	SHA-256: 22ae1ba25bf46d6f4fe03e42ec5b30caeaacaa7a3494d28ee08a3f36af4d12c3
tomcat6-webapps-6.0.24-111.el6_9.noarch.rpm	SHA-256: 1a93e65e5c84f43ff6f611a5333abd2d9d35b940953f34e9b13c529039b6059a

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Log in to Your Red Hat Account

Red Hat Account

Customer Portal

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

JBoss Development and Management

JBoss Integration and Automation

Mobile

Services

Red Hat Customer Portal Labs

Additional Tools

Red Hat Insights

Red Hat Product Security Center

Security Updates

Resources

Customer Portal Community

Customer Events

Stories