Red Hat Security Advisory 2015-1622-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made.
13aec45125ba2969c607d511dc60176807f4dd755f549de21a54c10c4a03756c-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=====================================================================
Red Hat Security Advisory
Synopsis: Moderate: Red Hat JBoss Web Server 2.1.0 tomcat security update
Advisory ID: RHSA-2015:1622-01
Product: Red Hat JBoss Web Server
Advisory URL: https://rhn.redhat.com/errata/RHSA-2015-1622.html
Issue date: 2015-08-13
CVE Names: CVE-2014-0230 CVE-2014-7810
=====================================================================
1. Summary:
Updated tomcat6 and tomcat7 packages that fix two security issues are now
available for Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 5,
6, and 7.
Red Hat Product Security has rated this update as having Moderate security
impact. Common Vulnerability Scoring System (CVSS) base scores, which give
detailed severity ratings, are available for each vulnerability from the
CVE links in the References section.
2. Relevant releases/architectures:
Red Hat JBoss Web Server 2 for RHEL 5 Server - noarch
Red Hat JBoss Web Server 2 for RHEL 6 Server - noarch
Red Hat JBoss Web Server 2 for RHEL 7 Server - noarch
3. Description:
Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.
It was found that the expression language resolver evaluated expressions
within a privileged code section. A malicious web application could use
this flaw to bypass security manager protections. (CVE-2014-7810)
It was found that Tomcat would keep connections open after processing
requests with a large enough request body. A remote attacker could
potentially use this flaw to exhaust the pool of available connections and
preventing further, legitimate connections to the Tomcat server to be made.
(CVE-2014-0230)
All users of Red Hat JBoss Web Server 2.1.0 as provided from the Red Hat
Customer Portal are advised to apply this update. The Red Hat JBoss Web
Server process must be restarted for the update to take effect.
4. Solution:
Before applying this update, make sure all previously released errata
relevant to your system have been applied, and back up your existing Red
Hat JBoss Web Server installation (including all applications and
configuration files).
This update is available via the Red Hat Network. Details on how to use the
Red Hat Network to apply this update are available at
https://access.redhat.com/articles/11258
5. Bugs fixed (https://bugzilla.redhat.com/):
1191200 - CVE-2014-0230 tomcat: non-persistent DoS attack by feeding data by aborting an upload
1222573 - CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions
6. Package List:
Red Hat JBoss Web Server 2 for RHEL 5 Server:
Source:
tomcat6-6.0.41-15_patch_04.ep6.el5.src.rpm
tomcat7-7.0.54-19_patch_04.ep6.el5.src.rpm
noarch:
tomcat6-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-admin-webapps-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-docs-webapp-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-el-2.1-api-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-javadoc-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-jsp-2.1-api-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-lib-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-log4j-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-maven-devel-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-servlet-2.5-api-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat6-webapps-6.0.41-15_patch_04.ep6.el5.noarch.rpm
tomcat7-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-admin-webapps-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-docs-webapp-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-el-2.2-api-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-javadoc-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-lib-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-log4j-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-maven-devel-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-19_patch_04.ep6.el5.noarch.rpm
tomcat7-webapps-7.0.54-19_patch_04.ep6.el5.noarch.rpm
Red Hat JBoss Web Server 2 for RHEL 6 Server:
Source:
tomcat6-6.0.41-15_patch_04.ep6.el6.src.rpm
tomcat7-7.0.54-19_patch_04.ep6.el6.src.rpm
noarch:
tomcat6-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-admin-webapps-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-docs-webapp-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-el-2.1-api-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-javadoc-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-jsp-2.1-api-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-lib-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-log4j-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-maven-devel-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-servlet-2.5-api-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat6-webapps-6.0.41-15_patch_04.ep6.el6.noarch.rpm
tomcat7-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-admin-webapps-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-docs-webapp-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-el-2.2-api-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-javadoc-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-lib-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-log4j-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-maven-devel-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-19_patch_04.ep6.el6.noarch.rpm
tomcat7-webapps-7.0.54-19_patch_04.ep6.el6.noarch.rpm
Red Hat JBoss Web Server 2 for RHEL 7 Server:
Source:
tomcat6-6.0.41-15_patch_04.ep6.el7.src.rpm
tomcat7-7.0.54-20_patch_04.ep6.el7.src.rpm
noarch:
tomcat6-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-admin-webapps-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-docs-webapp-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-el-2.1-api-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-javadoc-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-jsp-2.1-api-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-lib-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-log4j-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-maven-devel-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-servlet-2.5-api-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat6-webapps-6.0.41-15_patch_04.ep6.el7.noarch.rpm
tomcat7-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-admin-webapps-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-docs-webapp-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-el-2.2-api-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-javadoc-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-jsp-2.2-api-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-lib-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-log4j-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-maven-devel-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-servlet-3.0-api-7.0.54-20_patch_04.ep6.el7.noarch.rpm
tomcat7-webapps-7.0.54-20_patch_04.ep6.el7.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/
7. References:
https://access.redhat.com/security/cve/CVE-2014-0230
https://access.redhat.com/security/cve/CVE-2014-7810
https://access.redhat.com/security/updates/classification/#moderate
8. Contact:
The Red Hat security contact is <secalert@redhat.com>. More contact
details at https://access.redhat.com/security/team/contact/
Copyright 2015 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
iD8DBQFVzLpBXlSAg2UNWIIRAp1DAKC3+LI5g5mPk1KDc0HGtqYVviYcnACfSsPx
cOyulHGWld/awnIrle9SO1o=
=uB70
-----END PGP SIGNATURE-----
--
RHSA-announce mailing list
RHSA-announce@redhat.com
https://www.redhat.com/mailman/listinfo/rhsa-announce
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed