Security Advisory Important: tomcat6 security update

Advisory: RHSA-2013:0158-1
Type: Security Advisory
Severity: Important
Issued on: 2013-01-14
Last updated on: 2013-01-14
Affected Products: JBoss Enterprise Web Server v1 EL5
JBoss Enterprise Web Server v1 EL6
CVEs (cve.mitre.org): CVE-2012-3546

Details

Updated tomcat6 packages that fix one security issue are now available for
JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Apache Tomcat is a servlet container.

It was found that when an application used FORM authentication along with
another component that called request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was
possible to bypass the security constraint checks in the FORM authenticator
by appending "/j_security_check" to the end of a URL. A remote attacker
with an authenticated session on an affected application could use this
flaw to circumvent authorization controls, and thereby access resources not
permitted by the roles associated with their authenticated session.
(CVE-2012-3546)
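As an added example that is not part of the advisory, the following Python script scans Tomcat access-log lines (AccessLogValve "common" pattern) for requests whose URI ends in /j_security_check but was not sent to a deployed login form's action URI, which is the request shape described above. The sample log lines, the login page path /app/login.jsp and the assumption that each login form submits to the default relative action (its own directory plus /j_security_check) are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Tomcat AccessLogValve "common" pattern: %h %l %u %t "%r" %s %b
_LOG = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)
FORM_ACTION = "/j_security_check"

# Constructed sample log (not from any real deployment): a normal login,
# then an already authenticated user requesting a protected page with
# "/j_security_check" appended, the pattern the advisory describes.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Jan/2013:10:15:02 +0000] "GET /app/login.jsp HTTP/1.1" 200 1240',
    '10.0.0.5 - - [14/Jan/2013:10:15:09 +0000] "POST /app/j_security_check;jsessionid=1A2B HTTP/1.1" 302 -',
    '10.0.0.5 - alice [14/Jan/2013:10:15:10 +0000] "GET /app/home HTTP/1.1" 200 5120',
    '10.0.0.5 - alice [14/Jan/2013:10:16:41 +0000] "GET /app/admin/reports/j_security_check HTTP/1.1" 200 8831',
    '10.0.0.5 - alice [14/Jan/2013:10:16:42 +0000] "GET /app/admin/reports HTTP/1.1" 403 -',
]

def login_action_paths(login_pages):
    """The URIs a FORM login legitimately submits to: the directory of each
    deployed login page plus /j_security_check (the default relative action).
    login_pages is an assumption about the deployment, e.g. {'/app/login.jsp'}."""
    return {page.rsplit("/", 1)[0] + FORM_ACTION for page in login_pages}

def find_suspicious(lines, login_pages):
    """Return requests that end in /j_security_check but were not sent to a
    known login action URI, i.e. the suffix was appended to some other URL."""
    allowed = login_action_paths(login_pages)
    hits = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue  # not in the expected pattern; skip rather than guess
        # drop the query string and the ;jsessionid=... path parameter that
        # Tomcat appends under URL rewriting, then decode %XX escapes
        path = unquote(urlsplit(m["target"]).path.split(";", 1)[0])
        if path.endswith(FORM_ACTION) and path not in allowed:
            hits.append({"host": m["host"], "user": m["user"],
                         "method": m["method"], "path": path,
                         "status": int(m["status"])})
    return hits

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, {"/app/login.jsp"}):
        print(hit)
```

A hit whose user field is populated and whose status is 200 rather than the 302 a real login submission produces is the case worth following up on the affected version.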

Warning: Before applying the update, back up your existing JBoss Enterprise
Web Server installation (including all applications and configuration
files).

Users of Tomcat should upgrade to these updated packages, which resolve
this issue. Tomcat must be restarted for this update to take effect.


Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Web Server v1 EL5

SRPMS:
tomcat6-6.0.32-28_patch_08.ep5.el5.src.rpm

IA-32 and x86_64 (noarch packages, identical for both architectures):
tomcat6-6.0.32-28_patch_08.ep5.el5.noarch.rpm
tomcat6-admin-webapps-6.0.32-28_patch_08.ep5.el5.noarch.rpm
tomcat6-docs-webapp-6.0.32-28_patch_08.ep5.el5.noarch.rpm
tomcat6-el-1.0-api-6.0.32-28_patch_08.ep5.el5.noarch.rpm
tomcat6-javadoc-6.0.32-28_patch_08.ep5.el5.noarch.rpm
tomcat6-jsp-2.1-api-6.0.32-28_patch_08.ep5.el5.noarch.rpm
tomcat6-lib-6.0.32-28_patch_08.ep5.el5.noarch.rpm
tomcat6-log4j-6.0.32-28_patch_08.ep5.el5.noarch.rpm
tomcat6-servlet-2.5-api-6.0.32-28_patch_08.ep5.el5.noarch.rpm
tomcat6-webapps-6.0.32-28_patch_08.ep5.el5.noarch.rpm

JBoss Enterprise Web Server v1 EL6

SRPMS:
tomcat6-6.0.32-31_patch_08.ep5.el6.src.rpm

IA-32 and x86_64 (noarch packages, identical for both architectures):
tomcat6-6.0.32-31_patch_08.ep5.el6.noarch.rpm
tomcat6-admin-webapps-6.0.32-31_patch_08.ep5.el6.noarch.rpm
tomcat6-docs-webapp-6.0.32-31_patch_08.ep5.el6.noarch.rpm
tomcat6-el-1.0-api-6.0.32-31_patch_08.ep5.el6.noarch.rpm
tomcat6-javadoc-6.0.32-31_patch_08.ep5.el6.noarch.rpm
tomcat6-jsp-2.1-api-6.0.32-31_patch_08.ep5.el6.noarch.rpm
tomcat6-lib-6.0.32-31_patch_08.ep5.el6.noarch.rpm
tomcat6-log4j-6.0.32-31_patch_08.ep5.el6.noarch.rpm
tomcat6-servlet-2.5-api-6.0.32-31_patch_08.ep5.el6.noarch.rpm
tomcat6-webapps-6.0.32-31_patch_08.ep5.el6.noarch.rpm

All files listed above have since been outdated by: RHSA-2013:0872

(The unlinked packages above are only available from the Red Hat Network)
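As an added example that is not part of the advisory, this Python snippet implements the RPM version-comparison rules so that an installed tomcat6 package name, as reported by `rpm -q tomcat6`, can be checked against the fixed builds listed above. It assumes the host's product line can be read from the ep5.el5 / ep5.el6 dist tag in the release; running `rpm` itself is left to the operator.

```python
import re

# Fixed tomcat6 builds shipped by RHSA-2013:0158 (from the package list above).
FIXED_VERSION = "6.0.32"
FIXED_RELEASE = {"el5": "28_patch_08.ep5.el5", "el6": "31_patch_08.ep5.el6"}

_DIGITS = re.compile(r"[0-9]+")
_ALPHA = re.compile(r"[A-Za-z]+")

def rpmvercmp(a, b):
    """Compare two RPM version/release strings the way librpm's rpmvercmp does:
    split into alternating numeric and alphabetic segments; numbers compare
    numerically, letters lexically, and a numeric segment beats an alphabetic
    one. Returns -1, 0 or 1. The '~' and '^' markers are not handled here."""
    i = j = 0
    while i < len(a) or j < len(b):
        while i < len(a) and not a[i].isalnum():
            i += 1  # separators ('.', '_', '-') are skipped
        while j < len(b) and not b[j].isalnum():
            j += 1
        if i >= len(a) or j >= len(b):
            break
        pat = _DIGITS if a[i].isdigit() else _ALPHA
        ma, mb = pat.match(a, i), pat.match(b, j)
        sa, i = ma.group(), ma.end()
        if mb is None:  # segment types differ: numeric wins
            return 1 if pat is _DIGITS else -1
        sb, j = mb.group(), mb.end()
        if pat is _DIGITS:
            sa, sb = sa.lstrip("0"), sb.lstrip("0")
            if len(sa) != len(sb):
                return 1 if len(sa) > len(sb) else -1
        if sa != sb:
            return 1 if sa > sb else -1
    if i >= len(a) and j >= len(b):
        return 0
    return 1 if i < len(a) else -1  # leftover segments win

# 'tomcat6-<version>-<release>' as printed by `rpm -q`, with optional arch/.rpm
_NVR = re.compile(r"^tomcat6-(?P<ver>[^-]+)-(?P<rel>[^-]+?)(?:\.(?:noarch|src))?(?:\.rpm)?$")

def is_fixed(nvr):
    """True if the installed tomcat6 package is at or above this advisory's build."""
    m = _NVR.match(nvr)
    if not m:
        raise ValueError("not a tomcat6 package name: " + nvr)
    dist = m["rel"].rsplit(".", 1)[-1]  # 'el5' or 'el6'; KeyError otherwise
    c = rpmvercmp(m["ver"], FIXED_VERSION)
    return c > 0 if c else rpmvercmp(m["rel"], FIXED_RELEASE[dist]) >= 0
```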

Bugs fixed (see bugzilla for more information)

883634 - CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/