what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New
Showing 1 - 13 of 13 RSS Feed

CVE-2017-5664

Status Candidate

Overview

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

Related Files

Micro Focus Security Bulletin MFSBGN03837 1
Posted Dec 13, 2018
Authored by Micro Focus | Site microfocus.com

Micro Focus Security Bulletin MFSBGN03837 1 - A vulnerabilities in Apache Tomcat was addressed by Micro Focus Network Node Manager i. The vulnerability could be exploited Remote Cross-Site Scripting (XSS) and Remote Disclosure of Information. Revision 1 of this advisory.

tags | advisory, remote, vulnerability, xss
advisories | CVE-2016-6816, CVE-2017-5664
SHA-256 | 69bad3da3d6d506035ef6a4b85f35bec78121f1787146f7b5587ba63b5f9d04d
Ubuntu Security Notice USN-3519-1
Posted Jan 9, 2018
Authored by Ubuntu | Site security.ubuntu.com

Ubuntu Security Notice 3519-1 - It was discovered that Tomcat incorrectly handled certain pipelined requests when sendfile was used. A remote attacker could use this issue to obtain wrong responses possibly containing sensitive information. It was discovered that Tomcat incorrectly used the appropriate facade object. A malicious application could possibly use this to bypass Security Manager restrictions. Various other issues were also addressed.

tags | advisory, remote
systems | linux, ubuntu
advisories | CVE-2017-5647, CVE-2017-5648, CVE-2017-5664, CVE-2017-7674
SHA-256 | 38382610e11f924ba68fd9e1ac30126f36e4138680f20e49f3193dccf7392465
Red Hat Security Advisory 2017-3080-01
Posted Oct 30, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-3080-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: A vulnerability was discovered in Tomcat's handling of pipelined requests when "Sendfile" was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.

tags | advisory, java, web, info disclosure
systems | linux, redhat
advisories | CVE-2017-12615, CVE-2017-12617, CVE-2017-5647, CVE-2017-5664
SHA-256 | 72e971421dc578d94992998ea2583fa3d26096b02f8d1943c478536a76eccf76
Red Hat Security Advisory 2017-2638-01
Posted Sep 6, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2638-01 - The jboss-ec2-eap packages provide scripts for Red Hat JBoss Enterprise Application Platform running on the Amazon Web Services Elastic Compute Cloud. With this update, the jboss-ec2-eap package has been updated to ensure compatibility with Red Hat JBoss Enterprise Application Platform 6.4.17. Security Fix: It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.

tags | advisory, remote, web, arbitrary, udp, tcp
systems | linux, redhat
advisories | CVE-2017-5645, CVE-2017-5664, CVE-2017-7525
SHA-256 | 148f1b5b157bb85b98e7fc15fbd63bb479cc20446692ce26b0423ee096234e56
Red Hat Security Advisory 2017-2637-01
Posted Sep 6, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2637-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.

tags | advisory, java, remote, arbitrary, udp, tcp
systems | linux, redhat
advisories | CVE-2017-5645, CVE-2017-5664, CVE-2017-7525
SHA-256 | 34b7987ca7a0081dd32bf5d091ad597a3a30a88a1adc46d70b82c05b55ec0b73
Red Hat Security Advisory 2017-2635-01
Posted Sep 6, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2635-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.

tags | advisory, java, remote, arbitrary, udp, tcp
systems | linux, redhat
advisories | CVE-2017-5645, CVE-2017-5664, CVE-2017-7525
SHA-256 | 98a346cb549f75e737c9f822095d637e791aba17b8c506b7ef6f23549bc4bcd1
Red Hat Security Advisory 2017-2636-01
Posted Sep 5, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2636-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.

tags | advisory, java, remote, arbitrary, udp, tcp
systems | linux, redhat
advisories | CVE-2017-5645, CVE-2017-5664, CVE-2017-7525
SHA-256 | 663a2493f3c4baf7ce5bce2b9d8739a6d8a826cda959588e5ca84f3b72ef6ffb
Red Hat Security Advisory 2017-2633-01
Posted Sep 5, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2633-01 - Red Hat JBoss Enterprise Application Platform is a platform for Java applications based on the JBoss Application Server. This release of Red Hat JBoss Enterprise Application Platform 6.4.17 serves as a replacement for Red Hat JBoss Enterprise Application Platform 6.4.16, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Security Fix: It was found that when using remote logging with log4j socket server the log4j server would deserialize any log event received via TCP or UDP. An attacker could use this flaw to send a specially crafted log event that, during deserialization, would execute arbitrary code in the context of the logger application.

tags | advisory, java, remote, arbitrary, udp, tcp
systems | linux, redhat
advisories | CVE-2017-5645, CVE-2017-5664, CVE-2017-7525
SHA-256 | 4d514d885da4ae600f33a47db39df855d9250c6c94bd6ec0c6bcf7ec8f75d657
Red Hat Security Advisory 2017-2493-01
Posted Aug 22, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2493-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. This release provides an update to OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2.1.2.

tags | advisory, java, web, protocol
systems | linux, redhat
advisories | CVE-2016-6304, CVE-2016-8610, CVE-2017-5647, CVE-2017-5664
SHA-256 | 433eb5a4ba8c2a4ffb2b9fdb5aae2ede9d17adb9eef7d9ad9f509286e86517e5
Red Hat Security Advisory 2017-2494-01
Posted Aug 22, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-2494-01 - OpenSSL is a toolkit that implements the Secure Sockets Layer and Transport Layer Security protocols, as well as a full-strength general-purpose cryptography library. Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. This release provides an update to OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2.1.2.

tags | advisory, java, web, protocol
systems | linux, redhat
advisories | CVE-2016-6304, CVE-2016-8610, CVE-2017-5647, CVE-2017-5664
SHA-256 | 5df0cde009ea76fc4d097ec8af7d6914e065e0eb2e8b377de3486c9be15a06b4
Red Hat Security Advisory 2017-1809-01
Posted Jul 27, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-1809-01 - Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages technologies. Security Fix: A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. A vulnerability was discovered in Tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2017-5648, CVE-2017-5664
SHA-256 | 8bf0dc615683dd9ae21de05c218282d759e0e15d7ddc2f5c8b59f7b6184aed68
Red Hat Security Advisory 2017-1802-01
Posted Jul 25, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-1802-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2017-5645, CVE-2017-5647, CVE-2017-5648, CVE-2017-5664
SHA-256 | 1602567b2941f8a71630e044ec64baa8da301c97999fda6d0db02fe7640f5043
Red Hat Security Advisory 2017-1801-01
Posted Jul 25, 2017
Authored by Red Hat | Site access.redhat.com

Red Hat Security Advisory 2017-1801-01 - Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector, JBoss HTTP Connector, Hibernate, and the Tomcat Native library. This release of Red Hat JBoss Web Server 3.1 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 3.1, and includes bug fixes.

tags | advisory, java, web
systems | linux, redhat
advisories | CVE-2017-5645, CVE-2017-5647, CVE-2017-5648, CVE-2017-5664
SHA-256 | 4845740ebc70babce611a556483d39dc408012eba864ad9958098ff60f729ef5
Page 1 of 1
Back1Next

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    0 Files
  • 14
    Nov 14th
    0 Files
  • 15
    Nov 15th
    0 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close