Security Advisory Important: tomcat6 security update

Advisory: RHSA-2009:1506-1
Type: Security Advisory
Severity: Important
Issued on: 2009-10-14
Last updated on: 2009-10-14
Affected Products: JBoss Enterprise Web Server v1 EL4
JBoss Enterprise Web Server v1 EL5
CVEs (cve.mitre.org): CVE-2008-5515
CVE-2009-0033
CVE-2009-0580
CVE-2009-0783

Details

Updated tomcat6 packages that fix several security issues are now available
for JBoss Enterprise Web Server 1.0.0 for Red Hat Enterprise Linux 4 and 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer
Pages (JSP) technologies.

It was discovered that request dispatchers did not properly normalize user
requests that have trailing query strings, allowing remote attackers to
send specially-crafted requests that would cause an information leak.
(CVE-2008-5515)

A flaw was found in the way the Tomcat AJP (Apache JServ Protocol)
connector processes AJP connections. An attacker could use this flaw to
send specially-crafted requests that would cause a temporary denial of
service. (CVE-2009-0033)

It was discovered that certain authentication classes did not check for
errors sufficiently, allowing remote attackers to enumerate (by brute
force) usernames registered with applications running on Tomcat when
FORM-based authentication was used. (CVE-2009-0580)

It was discovered that web applications containing their own XML parsers
could replace the XML parser Tomcat uses to parse configuration files. A
malicious web application running on a Tomcat instance could read or,
potentially, modify the configuration and XML-based data of other web
applications deployed on the same Tomcat instance. (CVE-2009-0783)
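Before the update lands, an operator will want to know which deployed web applications actually bundle their own JAXP parser implementation, since those are the ones the CVE-2009-0783 description is about. The following inventory script is an added example and is not part of this advisory or of Tomcat; it looks for the standard JAXP provider-configuration entries (META-INF/services/javax.xml.parsers.*) inside each WEB-INF/lib jar. The two sample jars, their file names and the "reports" and "shop" context names are constructed in memory for the demonstration; the Xerces implementation class names are the ones that jar really declares.

```python
"""Inventory web applications that ship their own JAXP parser
(the precondition described for CVE-2009-0783).

Added example, not part of the Red Hat advisory. Sample jars and context
names below are constructed for the demonstration."""
import io
import os
import zipfile

# JAXP resolves its factory through these provider-configuration files on
# the classpath; a jar carrying one offers its own parser implementation.
JAXP_SERVICES = (
    "META-INF/services/javax.xml.parsers.DocumentBuilderFactory",
    "META-INF/services/javax.xml.parsers.SAXParserFactory",
)


def parser_providers(jar_bytes):
    """Return (service, implementation class) pairs declared in one jar.
    Non-zip or damaged jars are reported as declaring nothing."""
    found = []
    try:
        zf = zipfile.ZipFile(io.BytesIO(jar_bytes))
    except zipfile.BadZipFile:
        return found
    with zf:
        names = set(zf.namelist())
        for svc in JAXP_SERVICES:
            if svc not in names:
                continue
            text = zf.read(svc).decode("utf-8", "replace")
            for line in text.splitlines():
                impl = line.split("#", 1)[0].strip()  # '#' starts a comment
                if impl:
                    found.append((svc.rsplit("/", 1)[1], impl))
    return found


def scan_webapps(webapps):
    """webapps maps context name -> {jar file name: jar bytes} (WEB-INF/lib).
    Returns only the contexts that declare a parser, with what they declare."""
    report = {}
    for ctx, jars in webapps.items():
        hits = [(jar, svc, impl)
                for jar, data in jars.items()
                for svc, impl in parser_providers(data)]
        if hits:
            report[ctx] = hits
    return report


def scan_webapps_dir(root):
    """Read <root>/<context>/WEB-INF/lib/*.jar from disk (for example the
    Tomcat webapps directory) and hand the result to scan_webapps()."""
    webapps = {}
    for ctx in sorted(os.listdir(root)):
        lib = os.path.join(root, ctx, "WEB-INF", "lib")
        if not os.path.isdir(lib):
            continue
        webapps[ctx] = {}
        for jar in sorted(os.listdir(lib)):
            if jar.endswith(".jar"):
                with open(os.path.join(lib, jar), "rb") as fh:
                    webapps[ctx][jar] = fh.read()
    return scan_webapps(webapps)


def make_jar(entries):
    """Build a minimal jar (zip) in memory from {entry name: text}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, text in entries.items():
            zf.writestr(name, text)
    return buf.getvalue()


# Constructed sample: "reports" bundles Xerces, "shop" does not.
SAMPLE_WEBAPPS = {
    "reports": {
        "xercesImpl.jar": make_jar({
            "META-INF/services/javax.xml.parsers.DocumentBuilderFactory":
                "org.apache.xerces.jaxp.DocumentBuilderFactoryImpl\n",
            "META-INF/services/javax.xml.parsers.SAXParserFactory":
                "org.apache.xerces.jaxp.SAXParserFactoryImpl\n",
        }),
        "commons-lang.jar": make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
    },
    "shop": {
        "commons-io.jar": make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\n"}),
    },
}

if __name__ == "__main__":
    for ctx, hits in scan_webapps(SAMPLE_WEBAPPS).items():
        for jar, svc, impl in hits:
            print(f"{ctx}: {jar} provides {svc} -> {impl}")
```

A hit is an inventory fact, not proof of compromise: the fix is still the package update below, and a legitimate application that needs its own parser keeps working after it. The scan is useful for deciding which hosts to patch first and for spotting a parser jar nobody remembers adding.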

Users of Tomcat should upgrade to these updated packages, which contain
backported patches to resolve these issues. Tomcat must be restarted for
this update to take effect.


Solution

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/docs/DOC-11259
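Because the fix is backported, the installed package still reports upstream version 6.0.18, and a scanner that only compares against the upstream fixed release (these four CVEs were closed upstream in Apache Tomcat 6.0.20) will keep flagging a patched host. The right comparison is against the build listed in this advisory for the host's dist tag, using RPM's own version-ordering rules. The script below is an added example, not Red Hat tooling; the FIXED table is taken from the package list in this advisory, the rpmvercmp() port follows rpm's algorithm (digit runs compare numerically, letter runs lexically, numeric beats alphabetic, and '~' sorts before everything), and the `rpm -q` output lines in SAMPLE_RPM_Q are constructed for the demonstration.

```python
"""Is the installed tomcat6 at or above the RHSA-2009:1506 build?

Added example, not part of the Red Hat advisory. Feed it the output of
    rpm -q tomcat6 --qf '%{NAME}-%{VERSION}-%{RELEASE}\n'
The sample lines below are constructed, not taken from a real host."""
import re

# Fixed builds from the advisory's package list, keyed by dist tag.
FIXED = {
    "el4": "tomcat6-6.0.18-11.3.ep5.el4",
    "el5": "tomcat6-6.0.18-12.0.ep5.el5",
}


def rpmvercmp(a, b):
    """Port of rpm's rpmvercmp(): -1, 0 or 1 as a <, ==, > b."""
    if a == b:
        return 0
    one, two = a, b
    while one or two:
        # Separators (anything not alphanumeric or '~') are skipped.
        while one and not (one[0].isalnum() or one[0] == "~"):
            one = one[1:]
        while two and not (two[0].isalnum() or two[0] == "~"):
            two = two[1:]
        # '~' sorts lower than anything, including end of string.
        if one.startswith("~") or two.startswith("~"):
            if not one.startswith("~"):
                return 1
            if not two.startswith("~"):
                return -1
            one, two = one[1:], two[1:]
            continue
        if not (one and two):
            break
        # Next run is all digits or all letters, decided by `one`.
        pattern = r"[0-9]+" if one[0].isdigit() else r"[A-Za-z]+"
        isnum = one[0].isdigit()
        seg1 = re.match(pattern, one).group(0)
        m2 = re.match(pattern, two)
        if not m2:
            # Segment types differ: a numeric segment is always newer.
            return 1 if isnum else -1
        seg2 = m2.group(0)
        one, two = one[len(seg1):], two[len(seg2):]
        if isnum:
            seg1, seg2 = seg1.lstrip("0"), seg2.lstrip("0")
            if len(seg1) != len(seg2):
                return 1 if len(seg1) > len(seg2) else -1
        if seg1 != seg2:
            return 1 if seg1 > seg2 else -1
    if not one and not two:
        return 0
    return -1 if not one else 1


def parse_nvr(nvr):
    """Split 'name-[epoch:]version-release' into (name, epoch, version, release)."""
    name, version, release = nvr.rsplit("-", 2)
    epoch = "0"
    if ":" in version:
        epoch, version = version.split(":", 1)
    return name, epoch, version, release


def evr_cmp(installed, fixed):
    """Compare two NVRs the way rpm does: epoch, then version, then release."""
    _, e1, v1, r1 = parse_nvr(installed)
    _, e2, v2, r2 = parse_nvr(fixed)
    for x, y in ((e1, e2), (v1, v2), (r1, r2)):
        c = rpmvercmp(x, y)
        if c:
            return c
    return 0


def is_patched(nvr):
    """True when nvr is at or above this advisory's build for its dist tag.
    Raises for packages the advisory does not cover (wrong name or tag)."""
    name, _, _, release = parse_nvr(nvr)
    m = re.search(r"\.(el\d+)$", release)
    tag = m.group(1) if m else None
    if name != "tomcat6" or tag not in FIXED:
        raise ValueError(f"not covered by RHSA-2009:1506: {nvr}")
    return evr_cmp(nvr, FIXED[tag]) >= 0


def audit(rpm_q_output):
    """Map each NVR line of `rpm -q tomcat6` output to True (patched) or False."""
    return {line: is_patched(line) for line in rpm_q_output.split()}


# Constructed sample output: two pre-fix builds, two fixed builds.
SAMPLE_RPM_Q = """\
tomcat6-6.0.18-11.0.ep5.el4
tomcat6-6.0.18-11.3.ep5.el4
tomcat6-6.0.18-11.3.ep5.el5
tomcat6-6.0.18-12.0.ep5.el5
"""

if __name__ == "__main__":
    for nvr, ok in audit(SAMPLE_RPM_Q).items():
        print(f"{'patched' if ok else 'VULNERABLE':10s} {nvr}")
```

Note the two "11.3" lines: the same release number is the fixed build on EL4 but still short of the EL5 build, which is why the comparison must be keyed by dist tag rather than by release string alone. Builds from the later errata that outdate this one compare higher and are reported as patched, and a version check says nothing about whether Tomcat has been restarted since the RPM went on, so pair it with a check of the running process's start time.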

Updated packages

JBoss Enterprise Web Server v1 EL4

IA-32:
tomcat6-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: bb26e6227e0ba7ad5475b4ee948fa47a
tomcat6-admin-webapps-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 009e923d872005437bf566d8da212fdf
tomcat6-docs-webapp-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: f5af52fcda62d836592d3534dd27b7e4
tomcat6-el-1.0-api-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 65824f349e4d150d98ceaec33e574d08
tomcat6-javadoc-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 652ec62e28fe2e2b772b9f721c06db27
tomcat6-jsp-2.1-api-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 756cf5dbd25285659004ac0d1d7d9f0d
tomcat6-lib-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 19caa4d0fd7171a8b92324ddf917eec4
tomcat6-log4j-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 67b19347c82ed3d44031f4148db300ce
tomcat6-servlet-2.5-api-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 60f35103d70b020cce5b035dc3f53e82
tomcat6-webapps-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: f3a5b23d13b559c6abc0be4dd0f2c9a3
 
x86_64:
tomcat6-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: bb26e6227e0ba7ad5475b4ee948fa47a
tomcat6-admin-webapps-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 009e923d872005437bf566d8da212fdf
tomcat6-docs-webapp-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: f5af52fcda62d836592d3534dd27b7e4
tomcat6-el-1.0-api-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 65824f349e4d150d98ceaec33e574d08
tomcat6-javadoc-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 652ec62e28fe2e2b772b9f721c06db27
tomcat6-jsp-2.1-api-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 756cf5dbd25285659004ac0d1d7d9f0d
tomcat6-lib-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 19caa4d0fd7171a8b92324ddf917eec4
tomcat6-log4j-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 67b19347c82ed3d44031f4148db300ce
tomcat6-servlet-2.5-api-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: 60f35103d70b020cce5b035dc3f53e82
tomcat6-webapps-6.0.18-11.3.ep5.el4.noarch.rpm
File outdated by:  RHSA-2011:0897
    MD5: f3a5b23d13b559c6abc0be4dd0f2c9a3
 
JBoss Enterprise Web Server v1 EL5

SRPMS:
tomcat6-6.0.18-12.0.ep5.el5.src.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4e48e9d5d75d5831e396d74a4a888cbb
 
IA-32:
tomcat6-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4361a58aa317cd701a6d6c2e51ba3da9
tomcat6-admin-webapps-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 87a2af9856068f676f28a237a79a246c
tomcat6-docs-webapp-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 749e96b3a32bf55eff9cc717064e9a3b
tomcat6-el-1.0-api-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 90b198a3b48da7166fe68b2febefd824
tomcat6-javadoc-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: eb0aca92d153326effb6f272ea940b1b
tomcat6-jsp-2.1-api-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 91d1863448defad8c6e0c34d7daab34f
tomcat6-lib-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: c559222f6124c49474a5828bd27bda10
tomcat6-log4j-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: bb68999fe99b1f149e13a550ade54e0e
tomcat6-servlet-2.5-api-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4a27e1038c3955f93c407434e49cc3ff
tomcat6-webapps-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: f5332631c2efb9e6f73897fff80bd825
 
x86_64:
tomcat6-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4361a58aa317cd701a6d6c2e51ba3da9
tomcat6-admin-webapps-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 87a2af9856068f676f28a237a79a246c
tomcat6-docs-webapp-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 749e96b3a32bf55eff9cc717064e9a3b
tomcat6-el-1.0-api-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 90b198a3b48da7166fe68b2febefd824
tomcat6-javadoc-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: eb0aca92d153326effb6f272ea940b1b
tomcat6-jsp-2.1-api-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 91d1863448defad8c6e0c34d7daab34f
tomcat6-lib-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: c559222f6124c49474a5828bd27bda10
tomcat6-log4j-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: bb68999fe99b1f149e13a550ade54e0e
tomcat6-servlet-2.5-api-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4a27e1038c3955f93c407434e49cc3ff
tomcat6-webapps-6.0.18-12.0.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: f5332631c2efb9e6f73897fff80bd825
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

493381 - CVE-2009-0033 tomcat6 Denial-Of-Service with AJP connection
503978 - CVE-2009-0580 tomcat6 Information disclosure in authentication classes
504153 - CVE-2009-0783 tomcat XML parser information disclosure
504753 - CVE-2008-5515 tomcat request dispatcher information disclosure vulnerability



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/