Security Advisory Important: tomcat security update

Advisory: RHSA-2009:1562-1
Type: Security Advisory
Severity: Important
Issued on: 2009-11-09
Last updated on: 2009-11-09
Affected Products: Application Server v2 EL4
OVAL: N/A
CVEs (cve.mitre.org): CVE-2007-5333
CVE-2008-5515
CVE-2009-0033
CVE-2009-0580
CVE-2009-0781
CVE-2009-0783

Details

Updated tomcat packages that fix several security issues are now available
for Red Hat Application Server v2.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

It was discovered that the Red Hat Security Advisory RHSA-2007:0876 did not
address all possible flaws in the way Tomcat handles certain characters and
character sequences in cookie values. A remote attacker could use this flaw
to obtain sensitive information, such as session IDs, and then use this
information for session hijacking attacks. (CVE-2007-5333)

Note: The fix for the CVE-2007-5333 flaw changes the default cookie
processing behavior: With this update, version 0 cookies that contain
values that must be quoted to be valid are automatically changed to version
1 cookies. To reactivate the previous, but insecure behavior, add the
following entry to the "/etc/tomcat5/catalina.properties" file:

org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH=false

It was discovered that request dispatchers did not properly normalize user
requests that have trailing query strings, allowing remote attackers to
send specially-crafted requests that would cause an information leak.
(CVE-2008-5515)

A flaw was found in the way the Tomcat AJP (Apache JServ Protocol)
connector processes AJP connections. An attacker could use this flaw to
send specially-crafted requests that would cause a temporary denial of
service. (CVE-2009-0033)

It was discovered that the error checking methods of certain authentication
classes did not have sufficient error checking, allowing remote attackers
to enumerate (via brute force methods) usernames registered with
applications running on Tomcat when FORM-based authentication was used.
(CVE-2009-0580)

A cross-site scripting (XSS) flaw was found in the examples calendar
application. With some web browsers, remote attackers could use this flaw
to inject arbitrary web script or HTML via the "time" parameter.
(CVE-2009-0781)

It was discovered that web applications containing their own XML parsers
could replace the XML parser Tomcat uses to parse configuration files. A
malicious web application running on a Tomcat instance could read or,
potentially, modify the configuration and XML-based data of other web
applications deployed on the same Tomcat instance. (CVE-2009-0783)

Users of Tomcat should upgrade to these updated packages, which contain
backported patches to resolve these issues. Tomcat must be restarted for
this update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259

Updated packages

Application Server v2 EL4
SRPMS:
tomcat5-5.5.23-0jpp_4rh.16.src.rpm     191e7b1e3480da9933cdc5a5f5bf4480
tomcat5-5.5.23-0jpp_4rh.16.src.rpm     191e7b1e3480da9933cdc5a5f5bf4480
tomcat5-5.5.23-0jpp_4rh.16.src.rpm     191e7b1e3480da9933cdc5a5f5bf4480
 
IA-32:
tomcat5-5.5.23-0jpp_4rh.16.noarch.rpm     ff0085ce1ef6fe95e1784596bad85435
tomcat5-5.5.23-0jpp_4rh.16.noarch.rpm     ff0085ce1ef6fe95e1784596bad85435
tomcat5-5.5.23-0jpp_4rh.16.noarch.rpm     ff0085ce1ef6fe95e1784596bad85435
tomcat5-admin-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     19d568f4fd88788731e877f02f9c4470
tomcat5-admin-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     19d568f4fd88788731e877f02f9c4470
tomcat5-admin-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     19d568f4fd88788731e877f02f9c4470
tomcat5-common-lib-5.5.23-0jpp_4rh.16.noarch.rpm     aa8e4403e83e5922e86611e19dc0faa0
tomcat5-common-lib-5.5.23-0jpp_4rh.16.noarch.rpm     aa8e4403e83e5922e86611e19dc0faa0
tomcat5-common-lib-5.5.23-0jpp_4rh.16.noarch.rpm     aa8e4403e83e5922e86611e19dc0faa0
tomcat5-jasper-5.5.23-0jpp_4rh.16.noarch.rpm     ed4041eb7b295a188b4fd5156a1833a8
tomcat5-jasper-5.5.23-0jpp_4rh.16.noarch.rpm     ed4041eb7b295a188b4fd5156a1833a8
tomcat5-jasper-5.5.23-0jpp_4rh.16.noarch.rpm     ed4041eb7b295a188b4fd5156a1833a8
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     547c2b3ed4d348ddf78c88884ce20469
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     547c2b3ed4d348ddf78c88884ce20469
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     547c2b3ed4d348ddf78c88884ce20469
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.16.noarch.rpm     fd2d8ae35d29098cac01b9f4d3dd3e20
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.16.noarch.rpm     fd2d8ae35d29098cac01b9f4d3dd3e20
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.16.noarch.rpm     fd2d8ae35d29098cac01b9f4d3dd3e20
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     8aad97cc20c75377efa00638f92dd7af
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     8aad97cc20c75377efa00638f92dd7af
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     8aad97cc20c75377efa00638f92dd7af
tomcat5-server-lib-5.5.23-0jpp_4rh.16.noarch.rpm     f9ce0d00f917bebc04e3b3fa67566e4c
tomcat5-server-lib-5.5.23-0jpp_4rh.16.noarch.rpm     f9ce0d00f917bebc04e3b3fa67566e4c
tomcat5-server-lib-5.5.23-0jpp_4rh.16.noarch.rpm     f9ce0d00f917bebc04e3b3fa67566e4c
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.16.noarch.rpm     c79a736556c9a5a7a659d2b018777590
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.16.noarch.rpm     c79a736556c9a5a7a659d2b018777590
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.16.noarch.rpm     c79a736556c9a5a7a659d2b018777590
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     d5164c89200caf24b0c1e4c948632b5a
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     d5164c89200caf24b0c1e4c948632b5a
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     d5164c89200caf24b0c1e4c948632b5a
tomcat5-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     bf330fc7f0d673e090a3f76a26008b88
tomcat5-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     bf330fc7f0d673e090a3f76a26008b88
tomcat5-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     bf330fc7f0d673e090a3f76a26008b88
 
IA-64:
tomcat5-5.5.23-0jpp_4rh.16.noarch.rpm     ff0085ce1ef6fe95e1784596bad85435
tomcat5-5.5.23-0jpp_4rh.16.noarch.rpm     ff0085ce1ef6fe95e1784596bad85435
tomcat5-5.5.23-0jpp_4rh.16.noarch.rpm     ff0085ce1ef6fe95e1784596bad85435
tomcat5-admin-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     19d568f4fd88788731e877f02f9c4470
tomcat5-admin-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     19d568f4fd88788731e877f02f9c4470
tomcat5-admin-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     19d568f4fd88788731e877f02f9c4470
tomcat5-common-lib-5.5.23-0jpp_4rh.16.noarch.rpm     aa8e4403e83e5922e86611e19dc0faa0
tomcat5-common-lib-5.5.23-0jpp_4rh.16.noarch.rpm     aa8e4403e83e5922e86611e19dc0faa0
tomcat5-common-lib-5.5.23-0jpp_4rh.16.noarch.rpm     aa8e4403e83e5922e86611e19dc0faa0
tomcat5-jasper-5.5.23-0jpp_4rh.16.noarch.rpm     ed4041eb7b295a188b4fd5156a1833a8
tomcat5-jasper-5.5.23-0jpp_4rh.16.noarch.rpm     ed4041eb7b295a188b4fd5156a1833a8
tomcat5-jasper-5.5.23-0jpp_4rh.16.noarch.rpm     ed4041eb7b295a188b4fd5156a1833a8
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     547c2b3ed4d348ddf78c88884ce20469
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     547c2b3ed4d348ddf78c88884ce20469
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     547c2b3ed4d348ddf78c88884ce20469
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.16.noarch.rpm     fd2d8ae35d29098cac01b9f4d3dd3e20
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.16.noarch.rpm     fd2d8ae35d29098cac01b9f4d3dd3e20
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.16.noarch.rpm     fd2d8ae35d29098cac01b9f4d3dd3e20
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     8aad97cc20c75377efa00638f92dd7af
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     8aad97cc20c75377efa00638f92dd7af
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     8aad97cc20c75377efa00638f92dd7af
tomcat5-server-lib-5.5.23-0jpp_4rh.16.noarch.rpm     f9ce0d00f917bebc04e3b3fa67566e4c
tomcat5-server-lib-5.5.23-0jpp_4rh.16.noarch.rpm     f9ce0d00f917bebc04e3b3fa67566e4c
tomcat5-server-lib-5.5.23-0jpp_4rh.16.noarch.rpm     f9ce0d00f917bebc04e3b3fa67566e4c
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.16.noarch.rpm     c79a736556c9a5a7a659d2b018777590
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.16.noarch.rpm     c79a736556c9a5a7a659d2b018777590
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.16.noarch.rpm     c79a736556c9a5a7a659d2b018777590
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     d5164c89200caf24b0c1e4c948632b5a
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     d5164c89200caf24b0c1e4c948632b5a
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     d5164c89200caf24b0c1e4c948632b5a
tomcat5-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     bf330fc7f0d673e090a3f76a26008b88
tomcat5-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     bf330fc7f0d673e090a3f76a26008b88
tomcat5-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     bf330fc7f0d673e090a3f76a26008b88
 
PPC:
tomcat5-5.5.23-0jpp_4rh.16.noarch.rpm     ff0085ce1ef6fe95e1784596bad85435
tomcat5-admin-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     19d568f4fd88788731e877f02f9c4470
tomcat5-common-lib-5.5.23-0jpp_4rh.16.noarch.rpm     aa8e4403e83e5922e86611e19dc0faa0
tomcat5-jasper-5.5.23-0jpp_4rh.16.noarch.rpm     ed4041eb7b295a188b4fd5156a1833a8
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     547c2b3ed4d348ddf78c88884ce20469
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.16.noarch.rpm     fd2d8ae35d29098cac01b9f4d3dd3e20
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     8aad97cc20c75377efa00638f92dd7af
tomcat5-server-lib-5.5.23-0jpp_4rh.16.noarch.rpm     f9ce0d00f917bebc04e3b3fa67566e4c
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.16.noarch.rpm     c79a736556c9a5a7a659d2b018777590
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     d5164c89200caf24b0c1e4c948632b5a
tomcat5-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     bf330fc7f0d673e090a3f76a26008b88
 
x86_64:
tomcat5-5.5.23-0jpp_4rh.16.noarch.rpm     ff0085ce1ef6fe95e1784596bad85435
tomcat5-5.5.23-0jpp_4rh.16.noarch.rpm     ff0085ce1ef6fe95e1784596bad85435
tomcat5-5.5.23-0jpp_4rh.16.noarch.rpm     ff0085ce1ef6fe95e1784596bad85435
tomcat5-admin-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     19d568f4fd88788731e877f02f9c4470
tomcat5-admin-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     19d568f4fd88788731e877f02f9c4470
tomcat5-admin-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     19d568f4fd88788731e877f02f9c4470
tomcat5-common-lib-5.5.23-0jpp_4rh.16.noarch.rpm     aa8e4403e83e5922e86611e19dc0faa0
tomcat5-common-lib-5.5.23-0jpp_4rh.16.noarch.rpm     aa8e4403e83e5922e86611e19dc0faa0
tomcat5-common-lib-5.5.23-0jpp_4rh.16.noarch.rpm     aa8e4403e83e5922e86611e19dc0faa0
tomcat5-jasper-5.5.23-0jpp_4rh.16.noarch.rpm     ed4041eb7b295a188b4fd5156a1833a8
tomcat5-jasper-5.5.23-0jpp_4rh.16.noarch.rpm     ed4041eb7b295a188b4fd5156a1833a8
tomcat5-jasper-5.5.23-0jpp_4rh.16.noarch.rpm     ed4041eb7b295a188b4fd5156a1833a8
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     547c2b3ed4d348ddf78c88884ce20469
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     547c2b3ed4d348ddf78c88884ce20469
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     547c2b3ed4d348ddf78c88884ce20469
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.16.noarch.rpm     fd2d8ae35d29098cac01b9f4d3dd3e20
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.16.noarch.rpm     fd2d8ae35d29098cac01b9f4d3dd3e20
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.16.noarch.rpm     fd2d8ae35d29098cac01b9f4d3dd3e20
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     8aad97cc20c75377efa00638f92dd7af
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     8aad97cc20c75377efa00638f92dd7af
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     8aad97cc20c75377efa00638f92dd7af
tomcat5-server-lib-5.5.23-0jpp_4rh.16.noarch.rpm     f9ce0d00f917bebc04e3b3fa67566e4c
tomcat5-server-lib-5.5.23-0jpp_4rh.16.noarch.rpm     f9ce0d00f917bebc04e3b3fa67566e4c
tomcat5-server-lib-5.5.23-0jpp_4rh.16.noarch.rpm     f9ce0d00f917bebc04e3b3fa67566e4c
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.16.noarch.rpm     c79a736556c9a5a7a659d2b018777590
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.16.noarch.rpm     c79a736556c9a5a7a659d2b018777590
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.16.noarch.rpm     c79a736556c9a5a7a659d2b018777590
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     d5164c89200caf24b0c1e4c948632b5a
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     d5164c89200caf24b0c1e4c948632b5a
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.16.noarch.rpm     d5164c89200caf24b0c1e4c948632b5a
tomcat5-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     bf330fc7f0d673e090a3f76a26008b88
tomcat5-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     bf330fc7f0d673e090a3f76a26008b88
tomcat5-webapps-5.5.23-0jpp_4rh.16.noarch.rpm     bf330fc7f0d673e090a3f76a26008b88
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

427766 - CVE-2007-5333 Improve cookie parsing for tomcat5
489028 - CVE-2009-0781 tomcat: XSS in Apache Tomcat calendar application
493381 - CVE-2009-0033 tomcat6 Denial-Of-Service with AJP connection
503978 - CVE-2009-0580 tomcat6 Information disclosure in authentication classes
504153 - CVE-2009-0783 tomcat XML parser information disclosure
504753 - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability


References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5333
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0033
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0580
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0781
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0783
http://tomcat.apache.org/security-5.html
http://www.redhat.com/security/updates/classification/#important

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/