Security update for tomcat SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:0865-1 Final 1 1 2016-03-23T14:03:37Z current 2016-03-23T14:03:37Z 2016-03-23T14:03:37Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat fixes the following issues: Tomcat 8 was updated from 8.0.23 to 8.0.32, to fix bugs and security issues. Fixed security issues: * CVE-2015-5174: Directory traversal vulnerability in RequestUtil.java in Apache Tomcat allowed remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (bsc#967967) * CVE-2015-5346: Session fixation vulnerability in Apache Tomcat when different session settings are used for deployments of multiple versions of the same web application, might have allowed remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. (bsc#967814) * CVE-2015-5345: The Mapper component in Apache Tomcat processes redirects before considering security constraints and Filters, which allowed remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. (bsc#967965) * CVE-2015-5351: The (1) Manager and (2) Host Manager applications in Apache Tomcat established sessions and send CSRF tokens for arbitrary new requests, which allowed remote attackers to bypass a CSRF protection mechanism by using a token. (bsc#967812) * CVE-2016-0706: Apache Tomcat did not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allowed remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. (bsc#967815) * CVE-2016-0714: The session-persistence implementation in Apache Tomcat mishandled session attributes, which allowed remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. (bsc#967964) * CVE-2016-0763: The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat did not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allowed remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. (bsc#967966) The full changes can be read on: http://tomcat.apache.org/tomcat-8.0-doc/changelog.html This update was imported from the SUSE:SLE-12-SP1:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html E-Mail link for openSUSE-SU-2016:0865-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 tomcat-8.0.32-5.1 tomcat-admin-webapps-8.0.32-5.1 tomcat-docs-webapp-8.0.32-5.1 tomcat-el-3_0-api-8.0.32-5.1 tomcat-embed-8.0.32-5.1 tomcat-javadoc-8.0.32-5.1 tomcat-jsp-2_3-api-8.0.32-5.1 tomcat-jsvc-8.0.32-5.1 tomcat-lib-8.0.32-5.1 tomcat-servlet-3_1-api-8.0.32-5.1 tomcat-webapps-8.0.32-5.1 tomcat-8.0.32-5.1 as a component of openSUSE Leap 42.1 tomcat-admin-webapps-8.0.32-5.1 as a component of openSUSE Leap 42.1 tomcat-docs-webapp-8.0.32-5.1 as a component of openSUSE Leap 42.1 tomcat-el-3_0-api-8.0.32-5.1 as a component of openSUSE Leap 42.1 tomcat-embed-8.0.32-5.1 as a component of openSUSE Leap 42.1 tomcat-javadoc-8.0.32-5.1 as a component of openSUSE Leap 42.1 tomcat-jsp-2_3-api-8.0.32-5.1 as a component of openSUSE Leap 42.1 tomcat-jsvc-8.0.32-5.1 as a component of openSUSE Leap 42.1 tomcat-lib-8.0.32-5.1 as a component of openSUSE Leap 42.1 tomcat-servlet-3_1-api-8.0.32-5.1 as a component of openSUSE Leap 42.1 tomcat-webapps-8.0.32-5.1 as a component of openSUSE Leap 42.1 Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. CVE-2015-5174 openSUSE Leap 42.1:tomcat-8.0.32-5.1 openSUSE Leap 42.1:tomcat-admin-webapps-8.0.32-5.1 openSUSE Leap 42.1:tomcat-docs-webapp-8.0.32-5.1 openSUSE Leap 42.1:tomcat-el-3_0-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-embed-8.0.32-5.1 openSUSE Leap 42.1:tomcat-javadoc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsp-2_3-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsvc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-lib-8.0.32-5.1 openSUSE Leap 42.1:tomcat-servlet-3_1-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-webapps-8.0.32-5.1 moderate 4.3 AV:A/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html https://www.suse.com/security/cve/CVE-2015-5174.html CVE-2015-5174 https://bugzilla.suse.com/967967 SUSE Bug 967967 The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. CVE-2015-5345 openSUSE Leap 42.1:tomcat-8.0.32-5.1 openSUSE Leap 42.1:tomcat-admin-webapps-8.0.32-5.1 openSUSE Leap 42.1:tomcat-docs-webapp-8.0.32-5.1 openSUSE Leap 42.1:tomcat-el-3_0-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-embed-8.0.32-5.1 openSUSE Leap 42.1:tomcat-javadoc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsp-2_3-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsvc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-lib-8.0.32-5.1 openSUSE Leap 42.1:tomcat-servlet-3_1-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-webapps-8.0.32-5.1 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html https://www.suse.com/security/cve/CVE-2015-5345.html CVE-2015-5345 https://bugzilla.suse.com/967965 SUSE Bug 967965 Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. CVE-2015-5346 openSUSE Leap 42.1:tomcat-8.0.32-5.1 openSUSE Leap 42.1:tomcat-admin-webapps-8.0.32-5.1 openSUSE Leap 42.1:tomcat-docs-webapp-8.0.32-5.1 openSUSE Leap 42.1:tomcat-el-3_0-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-embed-8.0.32-5.1 openSUSE Leap 42.1:tomcat-javadoc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsp-2_3-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsvc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-lib-8.0.32-5.1 openSUSE Leap 42.1:tomcat-servlet-3_1-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-webapps-8.0.32-5.1 moderate 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html https://www.suse.com/security/cve/CVE-2015-5346.html CVE-2015-5346 https://bugzilla.suse.com/967814 SUSE Bug 967814 The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. CVE-2015-5351 openSUSE Leap 42.1:tomcat-8.0.32-5.1 openSUSE Leap 42.1:tomcat-admin-webapps-8.0.32-5.1 openSUSE Leap 42.1:tomcat-docs-webapp-8.0.32-5.1 openSUSE Leap 42.1:tomcat-el-3_0-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-embed-8.0.32-5.1 openSUSE Leap 42.1:tomcat-javadoc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsp-2_3-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsvc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-lib-8.0.32-5.1 openSUSE Leap 42.1:tomcat-servlet-3_1-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-webapps-8.0.32-5.1 moderate 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html https://www.suse.com/security/cve/CVE-2015-5351.html CVE-2015-5351 https://bugzilla.suse.com/967812 SUSE Bug 967812 Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. CVE-2016-0706 openSUSE Leap 42.1:tomcat-8.0.32-5.1 openSUSE Leap 42.1:tomcat-admin-webapps-8.0.32-5.1 openSUSE Leap 42.1:tomcat-docs-webapp-8.0.32-5.1 openSUSE Leap 42.1:tomcat-el-3_0-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-embed-8.0.32-5.1 openSUSE Leap 42.1:tomcat-javadoc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsp-2_3-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsvc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-lib-8.0.32-5.1 openSUSE Leap 42.1:tomcat-servlet-3_1-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-webapps-8.0.32-5.1 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html https://www.suse.com/security/cve/CVE-2016-0706.html CVE-2016-0706 https://bugzilla.suse.com/967815 SUSE Bug 967815 https://bugzilla.suse.com/988489 SUSE Bug 988489 The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. CVE-2016-0714 openSUSE Leap 42.1:tomcat-8.0.32-5.1 openSUSE Leap 42.1:tomcat-admin-webapps-8.0.32-5.1 openSUSE Leap 42.1:tomcat-docs-webapp-8.0.32-5.1 openSUSE Leap 42.1:tomcat-el-3_0-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-embed-8.0.32-5.1 openSUSE Leap 42.1:tomcat-javadoc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsp-2_3-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsvc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-lib-8.0.32-5.1 openSUSE Leap 42.1:tomcat-servlet-3_1-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-webapps-8.0.32-5.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html https://www.suse.com/security/cve/CVE-2016-0714.html CVE-2016-0714 https://bugzilla.suse.com/967964 SUSE Bug 967964 The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. CVE-2016-0763 openSUSE Leap 42.1:tomcat-8.0.32-5.1 openSUSE Leap 42.1:tomcat-admin-webapps-8.0.32-5.1 openSUSE Leap 42.1:tomcat-docs-webapp-8.0.32-5.1 openSUSE Leap 42.1:tomcat-el-3_0-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-embed-8.0.32-5.1 openSUSE Leap 42.1:tomcat-javadoc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsp-2_3-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-jsvc-8.0.32-5.1 openSUSE Leap 42.1:tomcat-lib-8.0.32-5.1 openSUSE Leap 42.1:tomcat-servlet-3_1-api-8.0.32-5.1 openSUSE Leap 42.1:tomcat-webapps-8.0.32-5.1 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html https://www.suse.com/security/cve/CVE-2016-0763.html CVE-2016-0763 https://bugzilla.suse.com/967966 SUSE Bug 967966