
Security Advisory Important: tomcat security update

Advisory: RHSA-2007:0326-12
Type: Security Advisory
Severity: Important
Issued on: 2007-05-21
Last updated on: 2007-05-21
Affected Products: Application Server v2 EL4
CVEs (cve.mitre.org): CVE-2005-2090
CVE-2006-3835
CVE-2006-7195
CVE-2006-7196
CVE-2007-0450
CVE-2007-1358
CVE-2007-1858

Details

Updated tomcat packages that fix multiple security issues are now available
for Red Hat Application Server v2.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Tomcat is a servlet container for Java Servlet and JavaServer Pages
technologies.

Tomcat was found to accept requests carrying multiple Content-Length headers.
When Tomcat sits behind a cache, proxy or web application firewall that
honours a different one of those headers than Tomcat does, the two parsers
disagree on where one request ends and the next begins (HTTP request
smuggling). This could allow attackers to poison a web cache, bypass web
application firewall protection, or conduct cross-site scripting attacks.
(CVE-2005-2090)
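The boundary disagreement behind CVE-2005-2090, shown as an added example that is not Tomcat code or part of the advisory: a minimal HTTP/1.1 request splitter whose handling of duplicate Content-Length headers is selectable, run over a constructed two-request byte stream. The "first" and "last" policies stand in for a front-end and a back-end that resolve the conflict differently; "strict" rejects the message as RFC 7230 section 3.3.3 requires for conflicting values. The request bytes, the /admin path and the function names are all made up for the illustration.

```python
"""Why accepting two Content-Length headers is a request-smuggling primitive.

Added illustration, not Tomcat code. Transfer-Encoding is deliberately
ignored so the example isolates the Content-Length conflict.
"""

# Constructed input: a POST carrying two Content-Length headers, followed by
# 32 bytes that are either the POST body or a second, smuggled request,
# depending on which header the parser honours.
SMUGGLED = b"GET /admin HTTP/1.1\r\nHost: x\r\n\r\n"        # 32 bytes
PIPELINE = (b"POST / HTTP/1.1\r\nHost: x\r\n"
            b"Content-Length: 0\r\n"
            + b"Content-Length: %d\r\n\r\n" % len(SMUGGLED)
            + SMUGGLED)


def _content_length(header_lines, policy):
    """Resolve the body length from the header lines under the given policy."""
    values = []
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            values.append(int(value.strip().decode("ascii")))
    if not values:
        return 0                     # no Content-Length: no body in this model
    if len(values) == 1:
        return values[0]
    if policy == "first":            # one parser honours the first header ...
        return values[0]
    if policy == "last":             # ... the other honours the last one
        return values[-1]
    if policy == "strict":           # RFC 7230 3.3.3: conflicting values are fatal
        raise ValueError("multiple Content-Length headers: %r" % values)
    raise ValueError("unknown policy %r" % policy)


def split_pipeline(raw, policy):
    """Split a byte stream into (request_line, body) pairs under a policy.

    Returns a list; the number of requests found is what the two sides of a
    proxy chain disagree about when duplicate Content-Length is accepted.
    """
    requests = []
    while raw:
        head, sep, rest = raw.partition(b"\r\n\r\n")
        if not sep:
            raise ValueError("incomplete header block")
        lines = head.split(b"\r\n")
        length = _content_length(lines[1:], policy)
        if len(rest) < length:
            raise ValueError("truncated body")
        requests.append((lines[0].decode("ascii"), rest[:length]))
        raw = rest[length:]
    return requests


if __name__ == "__main__":
    for policy in ("first", "last"):
        found = split_pipeline(PIPELINE, policy)
        print(policy, "->", len(found), "request(s):", [r[0] for r in found])
    try:
        split_pipeline(PIPELINE, "strict")
    except ValueError as exc:
        print("strict ->", exc)
```

Under "first" the stream parses as two requests, the second being GET /admin; under "last" the same bytes are one POST whose body happens to contain an HTTP request. A front-end that authorises on the first reading and a back-end that executes on the second is exactly the setup the advisory's cache-poisoning and WAF-bypass consequences describe; rejecting the conflict outright is the only reading that cannot be split.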

Tomcat accepted characters other than "/" as path delimiters, for example a
backslash or a URL-encoded slash. If Tomcat was used behind certain proxies
and configured to only proxy some contexts, an attacker could construct an
HTTP request containing such a sequence to work around the context
restriction and potentially access non-proxied content. (CVE-2007-0450)

Several applications distributed in the JSP examples displayed unfiltered
values. If the JSP examples are accessible, these flaws could allow a
remote attacker to perform cross-site scripting attacks. (CVE-2006-7195,
CVE-2006-7196)

The default Tomcat SSL configuration permitted the use of insecure cipher
suites, including anonymous suites, which perform no server authentication
and therefore give no protection against an active man-in-the-middle.
(CVE-2007-1858)

Directory listings were enabled by default in Tomcat. Anything stored under
the document root without its own access controls was therefore visible to
anyone unless the administrator had explicitly disabled listings.
(CVE-2006-3835)

Users should upgrade to these updated packages, which contain Tomcat version
5.5.23 and resolve these issues. Updated jakarta-commons-modeler packages
are also included; they correct a bug seen when the previous modeler build
is used with Tomcat 5.5.23.


Solution

Note: /etc/tomcat5/web.xml has been updated to disable directory listing by
default. If you have previously modified /etc/tomcat5/web.xml, this change
will not be made automatically and you should manually update the value for
the "listings" parameter to "false".
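Because a locally modified web.xml keeps its old "listings" value, and because the cipher defaults in CVE-2007-1858 are only fixed for connectors that pick up the new defaults, it is worth checking both files after the update. The following is an added audit script, not part of the advisory or of Tomcat: it reports whether the DefaultServlet still has listings enabled (CVE-2006-3835) and which HTTPS connectors in server.xml either rely on the JSSE default suite list or explicitly name an anonymous or NULL-encryption suite (CVE-2007-1858). The XML samples are constructed for the example; the rule that a missing ciphers attribute is a finding is this script's own conservative assumption, and the function names are made up.

```python
"""Post-update configuration audit for two of the advisory's findings.

Added example, not Tomcat's or Red Hat's code. Run the two functions over
/etc/tomcat5/web.xml and the matching server.xml; the embedded XML below is
constructed sample input.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the pre-update default, listings enabled.
WEB_XML_LISTINGS_ON = """<?xml version="1.0" encoding="ISO-8859-1"?>
<web-app xmlns="http://java.sun.com/xml/ns/j2ee" version="2.4">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>listings</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>
"""
# Constructed sample: the value the updated package ships.
WEB_XML_LISTINGS_OFF = WEB_XML_LISTINGS_ON.replace(
    "<param-value>true</param-value>", "<param-value>false</param-value>")

# Constructed sample server.xml: a plain connector, an HTTPS connector with
# no explicit cipher list, and one that names an anonymous DH suite.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" />
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS" />
    <Connector port="8444" scheme="https" secure="true" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA,SSL_DH_anon_WITH_RC4_128_MD5" />
  </Service>
</Server>
"""

# Substrings that mark anonymous or unencrypted JSSE suite names.
WEAK_SUITE_MARKERS = ("_anon_", "_NULL_")


def _local(tag):
    """Drop the namespace prefix so web.xml's default namespace is ignored."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name):
    """Text of the first direct child with the given local name, else None."""
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None


def directory_listings_enabled(web_xml):
    """True/False from the DefaultServlet 'listings' init-param, None if absent.

    None means the parameter is not set at all; check the deployment by hand
    rather than assuming either value.
    """
    for servlet in ET.fromstring(web_xml).iter():
        if _local(servlet.tag) != "servlet":
            continue
        if _child_text(servlet, "servlet-name") != "default":
            continue
        for param in servlet:
            if _local(param.tag) == "init-param" and \
                    _child_text(param, "param-name") == "listings":
                return _child_text(param, "param-value").lower() == "true"
    return None


def tls_connector_findings(server_xml):
    """One finding string per HTTPS connector that does not pin safe ciphers."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("secure") != "true":
            continue                       # plain HTTP connector, nothing to check
        port = conn.get("port")
        ciphers = conn.get("ciphers")
        if ciphers is None:                # assumption: default list is a finding
            findings.append("port %s: no ciphers attribute, JSSE default suites in use" % port)
            continue
        weak = [c.strip() for c in ciphers.split(",")
                if any(m in c for m in WEAK_SUITE_MARKERS)]
        if weak:
            findings.append("port %s: weak suites %s" % (port, ", ".join(weak)))
    return findings


if __name__ == "__main__":
    print("listings (old web.xml):", directory_listings_enabled(WEB_XML_LISTINGS_ON))
    print("listings (new web.xml):", directory_listings_enabled(WEB_XML_LISTINGS_OFF))
    for finding in tls_connector_findings(SERVER_XML):
        print("TLS:", finding)
```

The fix for a reported connector is an explicit ciphers attribute listing only authenticated, encrypting suites; the fix for listings is the manual edit the note above describes. Treating an absent ciphers attribute as a finding is stricter than the advisory itself, which is the point: the default list is what changed, so a connector that pins its own suites is the only one whose behaviour does not depend on which build is running.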

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

Updated packages

Application Server v2 EL4

SRPMS:
jakarta-commons-modeler-2.0-3jpp_2rh.src.rpm     MD5: b3162bbdc2d76355fea5ba90a3f987f7
SHA-256: 3fd12dcb7f441df7893fd9a73ccc331651997cb4864b52543821b8f35a9957b3
tomcat5-5.5.23-0jpp_4rh.3.src.rpm
File outdated by:  RHSA-2010:0582
    MD5: b5e689ee390bc378661aede8bd4def71
 
IA-32:
jakarta-commons-modeler-javadoc-2.0-3jpp_2rh.noarch.rpm     MD5: 6464c3c937b11f2aabe8b5cd67df6d0d
tomcat5-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: a4f0c8dcb53eab2a1f7a2abd4b0f8388
tomcat5-admin-webapps-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 1038694e26ecbd63e22f639e5c47b293
tomcat5-common-lib-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 801d37609d0870fadf068807ea69b5f4
tomcat5-jasper-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: a07efbad621c4dff32d8c7a6bf070b35
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: f6d141890108fad7ceea6d3c565c92f1
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 50f85dad6dfff70b1cdece862c0ea971
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 560bd117cee92b53a5aadbe1fb80d8a3
tomcat5-server-lib-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 326d74348a7f5320380f50d232781d01
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 945a8fb45fe416166412a1b9907131e7
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 361e84d28cd9a2c9f4e68814d6c36863
tomcat5-webapps-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 9b2a4efb1fa46f11923b51acb58afd04
 
IA-64:
jakarta-commons-modeler-javadoc-2.0-3jpp_2rh.noarch.rpm     MD5: 6464c3c937b11f2aabe8b5cd67df6d0d
tomcat5-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: a4f0c8dcb53eab2a1f7a2abd4b0f8388
tomcat5-admin-webapps-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 1038694e26ecbd63e22f639e5c47b293
tomcat5-common-lib-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 801d37609d0870fadf068807ea69b5f4
tomcat5-jasper-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: a07efbad621c4dff32d8c7a6bf070b35
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: f6d141890108fad7ceea6d3c565c92f1
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 50f85dad6dfff70b1cdece862c0ea971
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 560bd117cee92b53a5aadbe1fb80d8a3
tomcat5-server-lib-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 326d74348a7f5320380f50d232781d01
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 945a8fb45fe416166412a1b9907131e7
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 361e84d28cd9a2c9f4e68814d6c36863
tomcat5-webapps-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 9b2a4efb1fa46f11923b51acb58afd04
 
PPC:
jakarta-commons-modeler-javadoc-2.0-3jpp_2rh.noarch.rpm     MD5: 6464c3c937b11f2aabe8b5cd67df6d0d
tomcat5-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: a4f0c8dcb53eab2a1f7a2abd4b0f8388
tomcat5-admin-webapps-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 1038694e26ecbd63e22f639e5c47b293
tomcat5-common-lib-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 801d37609d0870fadf068807ea69b5f4
tomcat5-jasper-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: a07efbad621c4dff32d8c7a6bf070b35
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: f6d141890108fad7ceea6d3c565c92f1
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 50f85dad6dfff70b1cdece862c0ea971
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 560bd117cee92b53a5aadbe1fb80d8a3
tomcat5-server-lib-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 326d74348a7f5320380f50d232781d01
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 945a8fb45fe416166412a1b9907131e7
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 361e84d28cd9a2c9f4e68814d6c36863
tomcat5-webapps-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 9b2a4efb1fa46f11923b51acb58afd04
 
x86_64:
jakarta-commons-modeler-javadoc-2.0-3jpp_2rh.noarch.rpm     MD5: 6464c3c937b11f2aabe8b5cd67df6d0d
tomcat5-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: a4f0c8dcb53eab2a1f7a2abd4b0f8388
tomcat5-admin-webapps-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 1038694e26ecbd63e22f639e5c47b293
tomcat5-common-lib-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 801d37609d0870fadf068807ea69b5f4
tomcat5-jasper-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: a07efbad621c4dff32d8c7a6bf070b35
tomcat5-jasper-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: f6d141890108fad7ceea6d3c565c92f1
tomcat5-jsp-2.0-api-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 50f85dad6dfff70b1cdece862c0ea971
tomcat5-jsp-2.0-api-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 560bd117cee92b53a5aadbe1fb80d8a3
tomcat5-server-lib-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 326d74348a7f5320380f50d232781d01
tomcat5-servlet-2.4-api-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 945a8fb45fe416166412a1b9907131e7
tomcat5-servlet-2.4-api-javadoc-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 361e84d28cd9a2c9f4e68814d6c36863
tomcat5-webapps-5.5.23-0jpp_4rh.3.noarch.rpm
File outdated by:  RHSA-2010:0582
    MD5: 9b2a4efb1fa46f11923b51acb58afd04
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

237086 - CVE-2005-2090 multiple tomcat issues (CVE-2007-0450 CVE-2006-7195 CVE-2006-7196 CVE-2007-1858 CVE-2006-3835)



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/