Gentoo Archives: gentoo-announce

From: Yury German <blueknight@g.o>
To: gentoo-announce@l.g.o
Subject: [gentoo-announce] [ GLSA 201705-09 ] Apache Tomcat: Multiple vulnerabilities
Date: Thu, 18 May 2017 02:01:55
Message-Id: 003eed54-1d18-53bf-3623-18d427c3b24d@gentoo.org
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Gentoo Linux Security Advisory GLSA 201705-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
https://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Severity: High
Title: Apache Tomcat: Multiple vulnerabilities
Date: May 18, 2017
Bugs: #575796, #586966, #595978, #615868
ID: 201705-09

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Synopsis
========

Multiple vulnerabilities have been found in Apache Tomcat, the worst of
which could lead to privilege escalation.

Background
==========

Apache Tomcat is a Servlet-3.0/JSP-2.2 Container.

Affected packages
=================

    -------------------------------------------------------------------
     Package              /     Vulnerable     /            Unaffected
    -------------------------------------------------------------------
  1  www-servers/tomcat            < 8.0.36                >= 7.0.70
                                                           >= 8.0.36

Description
===========

Multiple vulnerabilities have been discovered in Tomcat. Please review
the CVE identifiers referenced below for details.

Impact
======

A remote attacker may be able to cause a Denial of Service condition,
obtain sensitive information, bypass protection mechanisms and
authentication restrictions.

A local attacker who is the tomcat system user, or who belongs to the
tomcat group, could potentially escalate privileges.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All Apache Tomcat users have to manually check their Tomcat runscripts
to make sure that they don't use an old, vulnerable runscript. In
addition:

All Apache Tomcat 7 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-7.0.70:7"

All Apache Tomcat 8 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=www-servers/tomcat-8.0.36:8"

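An added check, not part of this advisory, that applies the "Affected packages" table above: it compares an installed www-servers/tomcat version with the fixed version for its slot (7.0.70 for Tomcat 7, 8.0.36 for Tomcat 8). It assumes the standard Portage package database under /var/db/pkg and handles only plain dotted versions with an optional -rN revision; the function and variable names are my own.

```shell
#!/bin/sh
# Added example, not part of this GLSA: checks an installed
# www-servers/tomcat version against the fixed versions named in the
# "Affected packages" table (slot 7 fixed in 7.0.70, slot 8 in 8.0.36).
# Only plain dotted versions plus an optional Gentoo -rN revision are handled.

# Compare two dotted numeric versions component by component.
# Prints -1, 0 or 1 for a<b, a=b, a>b.
vercmp() {
  a="$1"; b="$2"
  while [ -n "$a" ] || [ -n "$b" ]; do
    x="${a%%.*}"; y="${b%%.*}"
    if [ "$a" = "$x" ]; then a=""; else a="${a#*.}"; fi
    if [ "$b" = "$y" ]; then b=""; else b="${b#*.}"; fi
    x="${x:-0}"; y="${y:-0}"
    if [ "$x" -lt "$y" ]; then echo -1; return 0; fi
    if [ "$x" -gt "$y" ]; then echo 1; return 0; fi
  done
  echo 0
}

# Exit status 0 means the given version is still vulnerable per the table,
# 1 means it is at or above the fix for its slot, 2 means an unknown slot.
tomcat_vulnerable() {
  ver="${1%%-r*}"            # drop a Gentoo revision such as -r1
  case "$ver" in
    7.*) fixed="7.0.70" ;;
    8.*) fixed="8.0.36" ;;
    *)   echo "no fixed version listed for $1" >&2; return 2 ;;
  esac
  [ "$(vercmp "$ver" "$fixed")" -lt 0 ]
}

# Versions recorded in the Portage package database on this host
# (/var/db/pkg, assumed standard); prints nothing when Tomcat is absent.
installed_tomcat_versions() {
  for d in /var/db/pkg/www-servers/tomcat-*; do
    [ -d "$d" ] || continue
    echo "${d##*/tomcat-}"
  done
}

# Stand-alone use: report every installed Tomcat still below its slot's fix.
for v in $(installed_tomcat_versions); do
  if tomcat_vulnerable "$v"; then
    echo "www-servers/tomcat-$v is vulnerable (GLSA 201705-09)"
  fi
done
```

This only checks the package version; the runscript check the advisory asks for still has to be done by hand.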
References
==========

[ 1 ] CVE-2015-5174
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5174
[ 2 ] CVE-2015-5345
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5345
[ 3 ] CVE-2015-5346
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5346
[ 4 ] CVE-2015-5351
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-5351
[ 5 ] CVE-2016-0706
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0706
[ 6 ] CVE-2016-0714
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0714
[ 7 ] CVE-2016-0763
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0763
[ 8 ] CVE-2016-1240
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-1240
[ 9 ] CVE-2016-3092
      http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-3092
[ 10 ] CVE-2016-8745
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-8745
[ 11 ] CVE-2017-5647
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5647
[ 12 ] CVE-2017-5648
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5648
[ 13 ] CVE-2017-5650
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5650
[ 14 ] CVE-2017-5651
       http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-5651

Availability
============

This GLSA and any updates to it are available for viewing at
the Gentoo Security Website:

https://security.gentoo.org/glsa/201705-09

Concerns?
=========

Security is a primary focus of Gentoo Linux and ensuring the
confidentiality and security of our users' machines is of utmost
importance to us. Any security concerns should be addressed to
security@g.o or alternatively, you may file a bug at
https://bugs.gentoo.org.

License
=======

Copyright 2017 Gentoo Foundation, Inc; referenced text
belongs to its owner(s).

The contents of this document are licensed under the
Creative Commons - Attribution / Share Alike license.

http://creativecommons.org/licenses/by-sa/2.5
