Advisories ยป MGASA-2016-0090

Updated tomcat packages fix security vulnerabilities

Publication date: 02 Mar 2016
Type: security
Affected Mageia releases : 5
CVE: CVE-2015-5174 , CVE-2015-5345 , CVE-2015-5346 , CVE-2015-5351 , CVE-2016-0706 , CVE-2016-0714 , CVE-2016-0763

Description

Updated tomcat packages fix security vulnerabilities:

Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 7.x
before 7.0.65 allows remote authenticated users to bypass intended
SecurityManager restrictions and list a parent directory via a /.. (slash dot
dot) in a pathname used by a web application in a getResource,
getResourceAsStream, or getResourcePaths call, as demonstrated by the
$CATALINA_BASE/webapps directory (CVE-2015-5174).

The Mapper component in 7.x before 7.0.67 processes redirects before
considering security constraints and Filters, which allows remote attackers
to determine the existence of a directory via a URL that lacks a trailing /
(slash) character (CVE-2015-5345).

Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, when
different session settings are used for deployments of multiple versions of
the same web application, might allow remote attackers to hijack web sessions
by leveraging use of a requestedSessionSSL field for an unintended request,
related to CoyoteAdapter.java and Request.java (CVE-2015-5346).

The Manager and Host Manager applications in Apache Tomcat 7.x before 7.0.68
establish sessions and send CSRF tokens for arbitrary new requests, which
allows remote attackers to bypass a CSRF protection mechanism by using a
token (CVE-2015-5351).

Apache Tomcat 7.x before 7.0.68 does not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/RestrictedServlets.properties list, which allows
remote authenticated users to bypass intended SecurityManager restrictions
and read arbitrary HTTP requests, and consequently discover session ID
values, via a crafted web application (CVE-2016-0706).

The session-persistence implementation in Apache Tomcat 7.x before 7.0.68
mishandles session attributes, which allows remote authenticated users to
bypass intended SecurityManager restrictions and execute arbitrary code in a
privileged context via a web application that places a crafted object in a
session (CVE-2016-0714).

The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x
before 7.0.68 does not consider whether ResourceLinkFactory.setGlobalContext
callers are authorized, which allows remote authenticated users to bypass
intended SecurityManager restrictions and read or write to arbitrary
application data, or cause a denial of service (application disruption), via
a web application that sets a crafted global context (CVE-2016-0763).

The tomcat package has been updated to version 7.0.68 to fix these issues.
The tomcat-native package has also been updated to version 1.1.34 for
compatibility with the updated tomcat.
                

References

SRPMS

5/core