From bugzilla at redhat.com Wed Oct 14 16:23:39 2009 From: bugzilla at redhat.com (bugzilla at redhat.com) Date: Wed, 14 Oct 2009 12:23:39 -0400 Subject: [RHSA-2009:1506-01] Important: tomcat6 security update Message-ID: <200910141623.n9EGNeF4029864@int-mx05.intmail.prod.int.phx2.redhat.com> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ===================================================================== Red Hat Security Advisory Synopsis: Important: tomcat6 security update Advisory ID: RHSA-2009:1506-01 Product: JBoss Enterprise Web Server Advisory URL: https://rhn.redhat.com/errata/RHSA-2009-1506.html Issue date: 2009-10-14 CVE Names: CVE-2008-5515 CVE-2009-0033 CVE-2009-0580 CVE-2009-0783 ===================================================================== 1. Summary: Updated tomcat6 packages that fix several security issues are now available for JBoss Enterprise Web Server 1.0.0 for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. 2. Relevant releases/architectures: JBoss Enterprise Web Server 1.0.0 for RHEL 4 AS - noarch JBoss Enterprise Web Server 1.0.0 for RHEL 4 ES - noarch JBoss Enterprise Web Server 1.0.0 for RHEL 5 Server - noarch 3. Description: Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies. It was discovered that request dispatchers did not properly normalize user requests that have trailing query strings, allowing remote attackers to send specially-crafted requests that would cause an information leak. (CVE-2008-5515) A flaw was found in the way the Tomcat AJP (Apache JServ Protocol) connector processes AJP connections. An attacker could use this flaw to send specially-crafted requests that would cause a temporary denial of service. (CVE-2009-0033) It was discovered that the error checking methods of certain authentication classes did not have sufficient error checking, allowing remote attackers to enumerate (via brute force methods) usernames registered with applications running on Tomcat when FORM-based authentication was used. (CVE-2009-0580) It was discovered that web applications containing their own XML parsers could replace the XML parser Tomcat uses to parse configuration files. A malicious web application running on a Tomcat instance could read or, potentially, modify the configuration and XML-based data of other web applications deployed on the same Tomcat instance. (CVE-2009-0783) Users of Tomcat should upgrade to these updated packages, which contain backported patches to resolve these issues. Tomcat must be restarted for this update to take effect. 4. Solution: Before applying this update, make sure that all previously-released errata relevant to your system have been applied. This update is available via Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at http://kbase.redhat.com/faq/docs/DOC-11259 5. Bugs fixed (http://bugzilla.redhat.com/): 493381 - CVE-2009-0033 tomcat6 Denial-Of-Service with AJP connection 503978 - CVE-2009-0580 tomcat6 Information disclosure in authentication classes 504153 - CVE-2009-0783 tomcat XML parser information disclosure 504753 - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability 6. Package List: JBoss Enterprise Web Server 1.0.0 for RHEL 4 AS: noarch: tomcat6-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-admin-webapps-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-docs-webapp-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-el-1.0-api-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-javadoc-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-jsp-2.1-api-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-lib-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-log4j-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-servlet-2.5-api-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-webapps-6.0.18-11.3.ep5.el4.noarch.rpm JBoss Enterprise Web Server 1.0.0 for RHEL 4 ES: noarch: tomcat6-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-admin-webapps-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-docs-webapp-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-el-1.0-api-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-javadoc-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-jsp-2.1-api-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-lib-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-log4j-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-servlet-2.5-api-6.0.18-11.3.ep5.el4.noarch.rpm tomcat6-webapps-6.0.18-11.3.ep5.el4.noarch.rpm JBoss Enterprise Web Server 1.0.0 for RHEL 5 Server: noarch: tomcat6-6.0.18-12.0.ep5.el5.noarch.rpm tomcat6-admin-webapps-6.0.18-12.0.ep5.el5.noarch.rpm tomcat6-docs-webapp-6.0.18-12.0.ep5.el5.noarch.rpm tomcat6-el-1.0-api-6.0.18-12.0.ep5.el5.noarch.rpm tomcat6-javadoc-6.0.18-12.0.ep5.el5.noarch.rpm tomcat6-jsp-2.1-api-6.0.18-12.0.ep5.el5.noarch.rpm tomcat6-lib-6.0.18-12.0.ep5.el5.noarch.rpm tomcat6-log4j-6.0.18-12.0.ep5.el5.noarch.rpm tomcat6-servlet-2.5-api-6.0.18-12.0.ep5.el5.noarch.rpm tomcat6-webapps-6.0.18-12.0.ep5.el5.noarch.rpm These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://www.redhat.com/security/team/key/#package 7. References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783 http://tomcat.apache.org/security-6.html http://www.redhat.com/security/updates/classification/#important 8. Contact: The Red Hat security contact is . More contact details at https://www.redhat.com/security/team/contact/ Copyright 2009 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.4 (GNU/Linux) iD8DBQFK1fr1XlSAg2UNWIIRAkJfAJwI0oJ5nHiPSqSmKk9GOxaQAIvfagCgpCiD EPYj5nggrjovz+Doio9tZfw= =GCvH -----END PGP SIGNATURE-----