
Security Advisory Important: tomcat6 security update

Advisory: RHSA-2013:0005-1
Type: Security Advisory
Severity: Important
Issued on: 2013-01-03
Last updated on: 2013-01-03
Affected Products: JBoss Enterprise Web Server v2 EL5
JBoss Enterprise Web Server v2 EL6
CVEs (cve.mitre.org): CVE-2012-3546

Details

Updated tomcat6 packages that fix one security issue are now available for
JBoss Enterprise Web Server 2.0.0 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Apache Tomcat is a servlet container.

It was found that when an application used FORM authentication, along with
another component that calls request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was
possible to bypass the security constraint checks in the FORM authenticator
by appending "/j_security_check" to the end of a URL. A remote attacker
with an authenticated session on an affected application could use this
flaw to circumvent authorization controls, and thereby access resources not
permitted by the roles associated with their authenticated session.
(CVE-2012-3546)
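One defender-side check suggested by the description above, written here as an added example that is not part of the advisory or of Tomcat: a small Python filter over Tomcat access-log lines (the AccessLogValve "common" pattern) that flags requests ending in /j_security_check which do not look like the ordinary FORM login POST, in particular requests that arrive from a session that already has a remote user. The log lines are constructed, and the login-page directory (/app/) is an assumption.

```python
import re
from typing import List, Optional, Tuple

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Constructed sample log, not taken from any real server: a normal FORM login,
# a 403 on an admin page, then the same page re-requested with
# "/j_security_check" appended from the already-authenticated session.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Jan/2013:10:00:01 +0000] "GET /app/login.jsp HTTP/1.1" 200 812
10.0.0.5 - - [03/Jan/2013:10:00:05 +0000] "POST /app/j_security_check HTTP/1.1" 302 -
10.0.0.5 - alice [03/Jan/2013:10:00:06 +0000] "GET /app/user/home.jsp HTTP/1.1" 200 2048
10.0.0.5 - alice [03/Jan/2013:10:01:12 +0000] "GET /app/admin/users.jsp HTTP/1.1" 403 -
10.0.0.5 - alice [03/Jan/2013:10:01:20 +0000] "GET /app/admin/users.jsp/j_security_check HTTP/1.1" 200 5120
"""


def parse_line(line: str) -> Optional[dict]:
    """Return the named fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_bypass_attempt(rec: dict, login_dir: str = "/app/") -> bool:
    """Heuristic: any /j_security_check request that is not the ordinary login POST.
    The ordinary FORM login is a POST, arrives before a user is set (%u is "-") and
    targets j_security_check in the login page's directory (assumed to be /app/)."""
    uri = rec["uri"].split("?", 1)[0]
    if not uri.endswith("/j_security_check"):
        return False
    ordinary_login = (rec["method"] == "POST" and rec["user"] == "-"
                      and uri == login_dir + "j_security_check")
    return not ordinary_login


def find_bypass_attempts(log_text: str, login_dir: str = "/app/") -> List[Tuple[str, str, str, str]]:
    """Return (host, user, uri, status) for every line matching the heuristic."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_bypass_attempt(rec, login_dir):
            hits.append((rec["host"], rec["user"], rec["uri"], rec["status"]))
    return hits
```

On the sample above only the final line is reported; a 403 on a protected page followed by a 200 on the same path with /j_security_check appended is the sequence worth alerting on.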

Warning: Before applying the update, back up your existing JBoss Enterprise
Web Server installation (including all applications and configuration
files).

Users of Tomcat should upgrade to these updated packages, which resolve
this issue. Tomcat must be restarted for this update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Web Server v2 EL5

SRPMS:
tomcat6-6.0.35-6_patch_02.ep6.el5.src.rpm
File outdated by:  RHSA-2013:1011

IA-32 and x86_64 (noarch packages, identical for both architectures):
tomcat6-6.0.35-6_patch_02.ep6.el5.noarch.rpm
tomcat6-admin-webapps-6.0.35-6_patch_02.ep6.el5.noarch.rpm
tomcat6-docs-webapp-6.0.35-6_patch_02.ep6.el5.noarch.rpm
tomcat6-el-1.0-api-6.0.35-6_patch_02.ep6.el5.noarch.rpm
tomcat6-javadoc-6.0.35-6_patch_02.ep6.el5.noarch.rpm
tomcat6-jsp-2.1-api-6.0.35-6_patch_02.ep6.el5.noarch.rpm
tomcat6-lib-6.0.35-6_patch_02.ep6.el5.noarch.rpm
tomcat6-log4j-6.0.35-6_patch_02.ep6.el5.noarch.rpm
tomcat6-servlet-2.5-api-6.0.35-6_patch_02.ep6.el5.noarch.rpm
tomcat6-webapps-6.0.35-6_patch_02.ep6.el5.noarch.rpm
All of the above files are outdated by:  RHSA-2013:1011
 
JBoss Enterprise Web Server v2 EL6

SRPMS:
tomcat6-6.0.35-25_patch_01.ep6.el6.src.rpm
File outdated by:  RHSA-2013:1012

IA-32 and x86_64 (noarch packages, identical for both architectures):
tomcat6-6.0.35-25_patch_01.ep6.el6.noarch.rpm
tomcat6-admin-webapps-6.0.35-25_patch_01.ep6.el6.noarch.rpm
tomcat6-docs-webapp-6.0.35-25_patch_01.ep6.el6.noarch.rpm
tomcat6-el-1.0-api-6.0.35-25_patch_01.ep6.el6.noarch.rpm
tomcat6-javadoc-6.0.35-25_patch_01.ep6.el6.noarch.rpm
tomcat6-jsp-2.1-api-6.0.35-25_patch_01.ep6.el6.noarch.rpm
tomcat6-lib-6.0.35-25_patch_01.ep6.el6.noarch.rpm
tomcat6-log4j-6.0.35-25_patch_01.ep6.el6.noarch.rpm
tomcat6-servlet-2.5-api-6.0.35-25_patch_01.ep6.el6.noarch.rpm
tomcat6-webapps-6.0.35-25_patch_01.ep6.el6.noarch.rpm
All of the above files are outdated by:  RHSA-2013:1012
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

883634 - CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/