Red Hat Product Errata RHSA-2019:2205 - Security Advisory

Issued:: 2019-08-06
Updated:: 2019-08-06

RHSA-2019:2205 - Security Advisory

Overview
Updated Packages

Synopsis

Moderate: tomcat security, bug fix, and enhancement update

Type/Severity

Security Advisory: Moderate

Red Hat Insights patch analysis

Identify and remediate systems affected by this advisory.

View affected systems

Topic

An update for tomcat is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Description

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

Security Fix(es):

tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources (CVE-2018-1304)
tomcat: Late application of security constraints can lead to resource exposure for unauthorised users (CVE-2018-1305)
tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)
tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.7 Release Notes linked from the References section.

Solution

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

Affected Products

Red Hat Enterprise Linux Server 7 x86_64
Red Hat Enterprise Linux Workstation 7 x86_64
Red Hat Enterprise Linux Desktop 7 x86_64
Red Hat Enterprise Linux for IBM z Systems 7 s390x
Red Hat Enterprise Linux for Power, big endian 7 ppc64
Red Hat Enterprise Linux for Scientific Computing 7 x86_64
Red Hat Enterprise Linux for Power, little endian 7 ppc64le

Fixes

BZ - 1472950 - shutdown_wait option is not working for Tomcat
BZ - 1548282 - CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
BZ - 1548289 - CVE-2018-1304 tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
BZ - 1579611 - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
BZ - 1588703 - Backport of Negative maxCookieCount value causes exception for Tomcat
BZ - 1607580 - CVE-2018-8034 tomcat: Host name verification missing in WebSocket client

CVEs

References

Note: More recent versions of these packages may be available. Click a package name for more details.

Red Hat Enterprise Linux Server 7

SRPM
tomcat-7.0.76-9.el7.src.rpm	SHA-256: c4213e3009807a20571e519203885be844b3236e41b19951d90c97a7244f9fb6
x86_64
tomcat-7.0.76-9.el7.noarch.rpm	SHA-256: aee9243be51529e5da130ec183af47ca1811badf002e2c4805d61783d4f523a0
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 07b1041cbfe496309549b8ea826d29da2e0ba6ebd4f4a145e5ceade597804061
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm	SHA-256: 8a1f7241456a932b2640cda57551bb0e23f61d688b8215b00ad7aa8b880a582c
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 2db646e817a899b968f7f28e2ddc5edcf3cc7b91411378a2d02debe312fedaea
tomcat-javadoc-7.0.76-9.el7.noarch.rpm	SHA-256: e927268deba6eef7364fb67b187d04c4ba65d06e6bfac3e91db31e63ba09ffa0
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 5db74cd8f31892f98c74334c7137edf39860a708ebaf605c8bf8a61396ebb622
tomcat-jsvc-7.0.76-9.el7.noarch.rpm	SHA-256: 7a21cb8fefcf44ba014eba0e20349fefc953ee678cb6c5249b169af88b5dc23d
tomcat-lib-7.0.76-9.el7.noarch.rpm	SHA-256: f41d17640f400d1cd973ab8f7539526c19f094573a1ce98b76712909a40aa555
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm	SHA-256: 1433b0cc8c85dbf0c69dbe4c3da7d9ca8a95a565c0c3e7886fc9ceff639e5483
tomcat-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 8529d854dbef7038551a7b7ec55656723505a310091b698269c25b0a9d4505ab

Red Hat Enterprise Linux Workstation 7

SRPM
tomcat-7.0.76-9.el7.src.rpm	SHA-256: c4213e3009807a20571e519203885be844b3236e41b19951d90c97a7244f9fb6
x86_64
tomcat-7.0.76-9.el7.noarch.rpm	SHA-256: aee9243be51529e5da130ec183af47ca1811badf002e2c4805d61783d4f523a0
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 07b1041cbfe496309549b8ea826d29da2e0ba6ebd4f4a145e5ceade597804061
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm	SHA-256: 8a1f7241456a932b2640cda57551bb0e23f61d688b8215b00ad7aa8b880a582c
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 2db646e817a899b968f7f28e2ddc5edcf3cc7b91411378a2d02debe312fedaea
tomcat-javadoc-7.0.76-9.el7.noarch.rpm	SHA-256: e927268deba6eef7364fb67b187d04c4ba65d06e6bfac3e91db31e63ba09ffa0
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 5db74cd8f31892f98c74334c7137edf39860a708ebaf605c8bf8a61396ebb622
tomcat-jsvc-7.0.76-9.el7.noarch.rpm	SHA-256: 7a21cb8fefcf44ba014eba0e20349fefc953ee678cb6c5249b169af88b5dc23d
tomcat-lib-7.0.76-9.el7.noarch.rpm	SHA-256: f41d17640f400d1cd973ab8f7539526c19f094573a1ce98b76712909a40aa555
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm	SHA-256: 1433b0cc8c85dbf0c69dbe4c3da7d9ca8a95a565c0c3e7886fc9ceff639e5483
tomcat-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 8529d854dbef7038551a7b7ec55656723505a310091b698269c25b0a9d4505ab

Red Hat Enterprise Linux Desktop 7

SRPM
tomcat-7.0.76-9.el7.src.rpm	SHA-256: c4213e3009807a20571e519203885be844b3236e41b19951d90c97a7244f9fb6
x86_64
tomcat-7.0.76-9.el7.noarch.rpm	SHA-256: aee9243be51529e5da130ec183af47ca1811badf002e2c4805d61783d4f523a0
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 07b1041cbfe496309549b8ea826d29da2e0ba6ebd4f4a145e5ceade597804061
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm	SHA-256: 8a1f7241456a932b2640cda57551bb0e23f61d688b8215b00ad7aa8b880a582c
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 2db646e817a899b968f7f28e2ddc5edcf3cc7b91411378a2d02debe312fedaea
tomcat-javadoc-7.0.76-9.el7.noarch.rpm	SHA-256: e927268deba6eef7364fb67b187d04c4ba65d06e6bfac3e91db31e63ba09ffa0
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 5db74cd8f31892f98c74334c7137edf39860a708ebaf605c8bf8a61396ebb622
tomcat-jsvc-7.0.76-9.el7.noarch.rpm	SHA-256: 7a21cb8fefcf44ba014eba0e20349fefc953ee678cb6c5249b169af88b5dc23d
tomcat-lib-7.0.76-9.el7.noarch.rpm	SHA-256: f41d17640f400d1cd973ab8f7539526c19f094573a1ce98b76712909a40aa555
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm	SHA-256: 1433b0cc8c85dbf0c69dbe4c3da7d9ca8a95a565c0c3e7886fc9ceff639e5483
tomcat-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 8529d854dbef7038551a7b7ec55656723505a310091b698269c25b0a9d4505ab

Red Hat Enterprise Linux for IBM z Systems 7

SRPM
tomcat-7.0.76-9.el7.src.rpm	SHA-256: c4213e3009807a20571e519203885be844b3236e41b19951d90c97a7244f9fb6
s390x
tomcat-7.0.76-9.el7.noarch.rpm	SHA-256: aee9243be51529e5da130ec183af47ca1811badf002e2c4805d61783d4f523a0
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 07b1041cbfe496309549b8ea826d29da2e0ba6ebd4f4a145e5ceade597804061
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm	SHA-256: 8a1f7241456a932b2640cda57551bb0e23f61d688b8215b00ad7aa8b880a582c
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 2db646e817a899b968f7f28e2ddc5edcf3cc7b91411378a2d02debe312fedaea
tomcat-javadoc-7.0.76-9.el7.noarch.rpm	SHA-256: e927268deba6eef7364fb67b187d04c4ba65d06e6bfac3e91db31e63ba09ffa0
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 5db74cd8f31892f98c74334c7137edf39860a708ebaf605c8bf8a61396ebb622
tomcat-jsvc-7.0.76-9.el7.noarch.rpm	SHA-256: 7a21cb8fefcf44ba014eba0e20349fefc953ee678cb6c5249b169af88b5dc23d
tomcat-lib-7.0.76-9.el7.noarch.rpm	SHA-256: f41d17640f400d1cd973ab8f7539526c19f094573a1ce98b76712909a40aa555
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm	SHA-256: 1433b0cc8c85dbf0c69dbe4c3da7d9ca8a95a565c0c3e7886fc9ceff639e5483
tomcat-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 8529d854dbef7038551a7b7ec55656723505a310091b698269c25b0a9d4505ab

Red Hat Enterprise Linux for Power, big endian 7

SRPM
tomcat-7.0.76-9.el7.src.rpm	SHA-256: c4213e3009807a20571e519203885be844b3236e41b19951d90c97a7244f9fb6
ppc64
tomcat-7.0.76-9.el7.noarch.rpm	SHA-256: aee9243be51529e5da130ec183af47ca1811badf002e2c4805d61783d4f523a0
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 07b1041cbfe496309549b8ea826d29da2e0ba6ebd4f4a145e5ceade597804061
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm	SHA-256: 8a1f7241456a932b2640cda57551bb0e23f61d688b8215b00ad7aa8b880a582c
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 2db646e817a899b968f7f28e2ddc5edcf3cc7b91411378a2d02debe312fedaea
tomcat-javadoc-7.0.76-9.el7.noarch.rpm	SHA-256: e927268deba6eef7364fb67b187d04c4ba65d06e6bfac3e91db31e63ba09ffa0
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 5db74cd8f31892f98c74334c7137edf39860a708ebaf605c8bf8a61396ebb622
tomcat-jsvc-7.0.76-9.el7.noarch.rpm	SHA-256: 7a21cb8fefcf44ba014eba0e20349fefc953ee678cb6c5249b169af88b5dc23d
tomcat-lib-7.0.76-9.el7.noarch.rpm	SHA-256: f41d17640f400d1cd973ab8f7539526c19f094573a1ce98b76712909a40aa555
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm	SHA-256: 1433b0cc8c85dbf0c69dbe4c3da7d9ca8a95a565c0c3e7886fc9ceff639e5483
tomcat-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 8529d854dbef7038551a7b7ec55656723505a310091b698269c25b0a9d4505ab

Red Hat Enterprise Linux for Scientific Computing 7

SRPM
tomcat-7.0.76-9.el7.src.rpm	SHA-256: c4213e3009807a20571e519203885be844b3236e41b19951d90c97a7244f9fb6
x86_64
tomcat-7.0.76-9.el7.noarch.rpm	SHA-256: aee9243be51529e5da130ec183af47ca1811badf002e2c4805d61783d4f523a0
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 07b1041cbfe496309549b8ea826d29da2e0ba6ebd4f4a145e5ceade597804061
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm	SHA-256: 8a1f7241456a932b2640cda57551bb0e23f61d688b8215b00ad7aa8b880a582c
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 2db646e817a899b968f7f28e2ddc5edcf3cc7b91411378a2d02debe312fedaea
tomcat-javadoc-7.0.76-9.el7.noarch.rpm	SHA-256: e927268deba6eef7364fb67b187d04c4ba65d06e6bfac3e91db31e63ba09ffa0
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 5db74cd8f31892f98c74334c7137edf39860a708ebaf605c8bf8a61396ebb622
tomcat-jsvc-7.0.76-9.el7.noarch.rpm	SHA-256: 7a21cb8fefcf44ba014eba0e20349fefc953ee678cb6c5249b169af88b5dc23d
tomcat-lib-7.0.76-9.el7.noarch.rpm	SHA-256: f41d17640f400d1cd973ab8f7539526c19f094573a1ce98b76712909a40aa555
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm	SHA-256: 1433b0cc8c85dbf0c69dbe4c3da7d9ca8a95a565c0c3e7886fc9ceff639e5483
tomcat-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 8529d854dbef7038551a7b7ec55656723505a310091b698269c25b0a9d4505ab

Red Hat Enterprise Linux for Power, little endian 7

SRPM
tomcat-7.0.76-9.el7.src.rpm	SHA-256: c4213e3009807a20571e519203885be844b3236e41b19951d90c97a7244f9fb6
ppc64le
tomcat-7.0.76-9.el7.noarch.rpm	SHA-256: aee9243be51529e5da130ec183af47ca1811badf002e2c4805d61783d4f523a0
tomcat-admin-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 07b1041cbfe496309549b8ea826d29da2e0ba6ebd4f4a145e5ceade597804061
tomcat-docs-webapp-7.0.76-9.el7.noarch.rpm	SHA-256: 8a1f7241456a932b2640cda57551bb0e23f61d688b8215b00ad7aa8b880a582c
tomcat-el-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 2db646e817a899b968f7f28e2ddc5edcf3cc7b91411378a2d02debe312fedaea
tomcat-javadoc-7.0.76-9.el7.noarch.rpm	SHA-256: e927268deba6eef7364fb67b187d04c4ba65d06e6bfac3e91db31e63ba09ffa0
tomcat-jsp-2.2-api-7.0.76-9.el7.noarch.rpm	SHA-256: 5db74cd8f31892f98c74334c7137edf39860a708ebaf605c8bf8a61396ebb622
tomcat-jsvc-7.0.76-9.el7.noarch.rpm	SHA-256: 7a21cb8fefcf44ba014eba0e20349fefc953ee678cb6c5249b169af88b5dc23d
tomcat-lib-7.0.76-9.el7.noarch.rpm	SHA-256: f41d17640f400d1cd973ab8f7539526c19f094573a1ce98b76712909a40aa555
tomcat-servlet-3.0-api-7.0.76-9.el7.noarch.rpm	SHA-256: 1433b0cc8c85dbf0c69dbe4c3da7d9ca8a95a565c0c3e7886fc9ceff639e5483
tomcat-webapps-7.0.76-9.el7.noarch.rpm	SHA-256: 8529d854dbef7038551a7b7ec55656723505a310091b698269c25b0a9d4505ab

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/.

Select Your Language

Infrastructure and Management

Cloud Computing

Storage

Runtimes

Integration and Automation