Skip to navigation

Security Advisory Important: tomcat5 security update

Advisory: RHSA-2013:0641-1
Type: Security Advisory
Severity: Important
Issued on: 2013-03-12
Last updated on: 2013-03-12
Affected Products: JBoss Enterprise Web Server v1 EL5
JBoss Enterprise Web Server v1 EL6
CVEs (cve.mitre.org): CVE-2012-3546

Details

Updated tomcat5 packages that fix one security issue are now available for
JBoss Enterprise Web Server 1.0.2 for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having
important security impact. A Common Vulnerability Scoring System (CVSS)
base score, which gives a detailed severity rating, is available from the
CVE link in the References section.

Apache Tomcat is a servlet container.

It was found that when an application used FORM authentication, along with
another component that calls request.setUserPrincipal() before the call to
FormAuthenticator#authenticate() (such as the Single-Sign-On valve), it was
possible to bypass the security constraint checks in the FORM authenticator
by appending "/j_security_check" to the end of a URL. A remote attacker
with an authenticated session on an affected application could use this
flaw to circumvent authorization controls, and thereby access resources not
permitted by the roles associated with their authenticated session.
(CVE-2012-3546)

Warning: Before applying the update, back up your existing JBoss Enterprise
Web Server installation (including all applications and configuration
files).

Users of Tomcat should upgrade to these updated packages, which resolve
this issue. Tomcat must be restarted for this update to take effect.


Solution

Before applying this update, make sure all previously-released errata
relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to
use the Red Hat Network to apply this update are available at
https://access.redhat.com/knowledge/articles/11258

Updated packages

JBoss Enterprise Web Server v1 EL5

SRPMS:
tomcat5-5.5.33-31_patch_08.ep5.el5.src.rpm
File outdated by:  RHSA-2013:0872
    MD5: b4cfc29638d81ac81e4cb00f6474aee6
SHA-256: e2912d4b5363b4933c24551b712347ffb59c104d8d80704879e00fa2dfedef99
 
IA-32:
tomcat5-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 20d5736ccbcbd59f5682e28e4faf93ba
SHA-256: c2be5d4dfa4eb93d6d35260e707feaae8f1b07a4ce3a6eeb0955ff5493b526e6
tomcat5-admin-webapps-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: f9bc998a2f4fa34f2b12b9b255304039
SHA-256: aab9f75477da64f03594fcdda223ef6f1da15d7fa9e9e5f9f548917f4326274f
tomcat5-common-lib-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 16d151480fdbf1ae93e61445b64be565
SHA-256: 7ff2235089fdf1a711fbda88cd8019c8317fcecff8e9818429f46e3b0b2b5f22
tomcat5-jasper-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: e86b84c28c38c471dca9b73192563f3c
SHA-256: 0a232c52d1e19b24411d6749a25a8c847f4fc0073f847a0131e28f4f742707cd
tomcat5-jasper-eclipse-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4889901af4be6c4fa1f1c968c8ce19f5
SHA-256: eb4c90e0ad9c95481d541a7b8ba0eb2658b1091508fef8f2874a7b7a9e5fcc3b
tomcat5-jasper-javadoc-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 93ac8f698527c96e55ff45ff94ea129d
SHA-256: c857d6322bd70c0225ebe8c1f16c220c300c66eee08bfd5ccb3f7056c5f70d8c
tomcat5-jsp-2.0-api-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 96942381cff721b5f637d5a88e5cabac
SHA-256: ae5e5534eb5753a168cf718e8c93d60709deb29b68901538bb97c4455e1573fc
tomcat5-jsp-2.0-api-javadoc-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: c288e655c6934fb162b28b1674558ca0
SHA-256: eff6923ab379cccc9fc09d27fcd42059fef8e809f8d5e0c875328456a7db4fe7
tomcat5-parent-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: bce12599e4c01101a8b491fab42ca0f9
SHA-256: 54d5044c3588639d42fde4c3e805320fa09df79595bbedc1dc89355fb221314b
tomcat5-server-lib-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 406c479905fb1e8f56037a0e05b8a131
SHA-256: 32f695ff69d7825b47bcc3f7bba692e8fd14ee3415da58a3925dc336a099e35a
tomcat5-servlet-2.4-api-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 3367129be96c034fe3959f1cb5849755
SHA-256: be8e1c5d7ab70b37d24df8d7c4ae92754c2f7105d2b470300effafa6f94315d2
tomcat5-servlet-2.4-api-javadoc-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: ab742afd79a5a19e5eced7a2feccd6f4
SHA-256: 314a8e27181c6edb4ebdd9561586868533764a1b607b40b6b53cdd0ed465b019
tomcat5-webapps-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: b40fddb86f9c6bfe0198e7c812e9d8b4
SHA-256: e5307209fbdcb93b56499bc6a1194c3e03e95e9a485d0ee7e5d6cb4d0a4f5747
 
x86_64:
tomcat5-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 20d5736ccbcbd59f5682e28e4faf93ba
SHA-256: c2be5d4dfa4eb93d6d35260e707feaae8f1b07a4ce3a6eeb0955ff5493b526e6
tomcat5-admin-webapps-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: f9bc998a2f4fa34f2b12b9b255304039
SHA-256: aab9f75477da64f03594fcdda223ef6f1da15d7fa9e9e5f9f548917f4326274f
tomcat5-common-lib-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 16d151480fdbf1ae93e61445b64be565
SHA-256: 7ff2235089fdf1a711fbda88cd8019c8317fcecff8e9818429f46e3b0b2b5f22
tomcat5-jasper-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: e86b84c28c38c471dca9b73192563f3c
SHA-256: 0a232c52d1e19b24411d6749a25a8c847f4fc0073f847a0131e28f4f742707cd
tomcat5-jasper-eclipse-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4889901af4be6c4fa1f1c968c8ce19f5
SHA-256: eb4c90e0ad9c95481d541a7b8ba0eb2658b1091508fef8f2874a7b7a9e5fcc3b
tomcat5-jasper-javadoc-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 93ac8f698527c96e55ff45ff94ea129d
SHA-256: c857d6322bd70c0225ebe8c1f16c220c300c66eee08bfd5ccb3f7056c5f70d8c
tomcat5-jsp-2.0-api-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 96942381cff721b5f637d5a88e5cabac
SHA-256: ae5e5534eb5753a168cf718e8c93d60709deb29b68901538bb97c4455e1573fc
tomcat5-jsp-2.0-api-javadoc-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: c288e655c6934fb162b28b1674558ca0
SHA-256: eff6923ab379cccc9fc09d27fcd42059fef8e809f8d5e0c875328456a7db4fe7
tomcat5-parent-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: bce12599e4c01101a8b491fab42ca0f9
SHA-256: 54d5044c3588639d42fde4c3e805320fa09df79595bbedc1dc89355fb221314b
tomcat5-server-lib-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 406c479905fb1e8f56037a0e05b8a131
SHA-256: 32f695ff69d7825b47bcc3f7bba692e8fd14ee3415da58a3925dc336a099e35a
tomcat5-servlet-2.4-api-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 3367129be96c034fe3959f1cb5849755
SHA-256: be8e1c5d7ab70b37d24df8d7c4ae92754c2f7105d2b470300effafa6f94315d2
tomcat5-servlet-2.4-api-javadoc-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: ab742afd79a5a19e5eced7a2feccd6f4
SHA-256: 314a8e27181c6edb4ebdd9561586868533764a1b607b40b6b53cdd0ed465b019
tomcat5-webapps-5.5.33-31_patch_08.ep5.el5.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: b40fddb86f9c6bfe0198e7c812e9d8b4
SHA-256: e5307209fbdcb93b56499bc6a1194c3e03e95e9a485d0ee7e5d6cb4d0a4f5747
 
JBoss Enterprise Web Server v1 EL6

SRPMS:
tomcat5-5.5.33-34_patch_08.ep5.el6.src.rpm
File outdated by:  RHSA-2013:0872
    MD5: 91453a09e97c9704e4f9684f1f2e7dfd
SHA-256: a9520340296278ad8cd60d4cfac88eb9a3af9fe3896b81fc3e9fb34eed2eb0cf
 
IA-32:
tomcat5-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 52d3a714846bef6c64ac2cc260785a37
SHA-256: 58ad68f660d51b6e52a55fde342914232c6b21b4718e20abd1ec45235959dc3a
tomcat5-admin-webapps-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 88186cf6daa165228823cdca9ba7b1e3
SHA-256: ef457d2a14343aa85e5917bd2c48059fbf69c537d507eee06c37ab0d3eaf9274
tomcat5-common-lib-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: c15300a9c202d543b7f3318a300082de
SHA-256: c3711609cf325e0b9c73057c3695a14ecf2b045660c50d6ee7837436be9d55b6
tomcat5-jasper-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 62bf0019b862b84baf5a1d4eb936a5da
SHA-256: 0f08bd86903a4dd3682581b9f9a8c87e647340d54a37c4fd7d4974da3e19fb0a
tomcat5-jasper-eclipse-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: e98731b8df4cac3a88b071365b69dcaf
SHA-256: fa536f2b4ed6244184cfbecd3a8704d65436bce95a6d59b7fe49f74c85508475
tomcat5-jasper-javadoc-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: d925d87e61cd50b8d396d4176c01dec5
SHA-256: 7e6b9e512b480fb1d06e2c25b991a4984fc64066dda91e637aa422ce7386fa48
tomcat5-jsp-2.0-api-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 84fe66bbd6ca4ddd83b16911b6a55bf9
SHA-256: 579dfd95e36e19ecb4c4a20792db8e224c52b23176bcc7134048fc3f77dc9e1e
tomcat5-jsp-2.0-api-javadoc-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: e5869e6880dc4af936d8787de67dc7f7
SHA-256: 3f296559d553497f5a4c17c4811cd040db2779e7f9c1467013d0fc64ffa0a57a
tomcat5-parent-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4bfd698ce6250a2b39284a5aa809559b
SHA-256: 67973a4e739e2fe578dda0519e42049136190f7fd64ada0d318019962dabd7d6
tomcat5-server-lib-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: a08d92e761377ec30d73ac715fd20ac2
SHA-256: 25d7d0403801a41d0ebb61aae77187504c8bb663572fd126a64efdd52dbcb6dc
tomcat5-servlet-2.4-api-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 7f0f7c7c9b3c7300a307995397ff7867
SHA-256: 682467a643f058a63334a461b783463096fc886063232b9920872b92327cf1d6
tomcat5-servlet-2.4-api-javadoc-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 3af4f3cea46b867defd6577a7d24d7dc
SHA-256: 9859c02ea6a90f1254976c5b4d303f9d9f738a28cf5e231d5ac14158a1e073f9
tomcat5-webapps-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: c5f554fafa3293e9146a39a2966acb8b
SHA-256: 8a9aeefb4122bd08921d6e7105eb00f2be1a79f64a7a32f3b4d118bfd27c747c
 
x86_64:
tomcat5-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 52d3a714846bef6c64ac2cc260785a37
SHA-256: 58ad68f660d51b6e52a55fde342914232c6b21b4718e20abd1ec45235959dc3a
tomcat5-admin-webapps-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 88186cf6daa165228823cdca9ba7b1e3
SHA-256: ef457d2a14343aa85e5917bd2c48059fbf69c537d507eee06c37ab0d3eaf9274
tomcat5-common-lib-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: c15300a9c202d543b7f3318a300082de
SHA-256: c3711609cf325e0b9c73057c3695a14ecf2b045660c50d6ee7837436be9d55b6
tomcat5-jasper-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 62bf0019b862b84baf5a1d4eb936a5da
SHA-256: 0f08bd86903a4dd3682581b9f9a8c87e647340d54a37c4fd7d4974da3e19fb0a
tomcat5-jasper-eclipse-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: e98731b8df4cac3a88b071365b69dcaf
SHA-256: fa536f2b4ed6244184cfbecd3a8704d65436bce95a6d59b7fe49f74c85508475
tomcat5-jasper-javadoc-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: d925d87e61cd50b8d396d4176c01dec5
SHA-256: 7e6b9e512b480fb1d06e2c25b991a4984fc64066dda91e637aa422ce7386fa48
tomcat5-jsp-2.0-api-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 84fe66bbd6ca4ddd83b16911b6a55bf9
SHA-256: 579dfd95e36e19ecb4c4a20792db8e224c52b23176bcc7134048fc3f77dc9e1e
tomcat5-jsp-2.0-api-javadoc-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: e5869e6880dc4af936d8787de67dc7f7
SHA-256: 3f296559d553497f5a4c17c4811cd040db2779e7f9c1467013d0fc64ffa0a57a
tomcat5-parent-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 4bfd698ce6250a2b39284a5aa809559b
SHA-256: 67973a4e739e2fe578dda0519e42049136190f7fd64ada0d318019962dabd7d6
tomcat5-server-lib-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: a08d92e761377ec30d73ac715fd20ac2
SHA-256: 25d7d0403801a41d0ebb61aae77187504c8bb663572fd126a64efdd52dbcb6dc
tomcat5-servlet-2.4-api-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 7f0f7c7c9b3c7300a307995397ff7867
SHA-256: 682467a643f058a63334a461b783463096fc886063232b9920872b92327cf1d6
tomcat5-servlet-2.4-api-javadoc-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: 3af4f3cea46b867defd6577a7d24d7dc
SHA-256: 9859c02ea6a90f1254976c5b4d303f9d9f738a28cf5e231d5ac14158a1e073f9
tomcat5-webapps-5.5.33-34_patch_08.ep5.el6.noarch.rpm
File outdated by:  RHSA-2013:0872
    MD5: c5f554fafa3293e9146a39a2966acb8b
SHA-256: 8a9aeefb4122bd08921d6e7105eb00f2be1a79f64a7a32f3b4d118bfd27c747c
 
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

883634 - CVE-2012-3546 Tomcat/JBoss Web: Bypass of security constraints


References



These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/