Security update for tomcat SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:3069-1 Final 1 1 2017-11-23T17:31:48Z current 2017-11-23T17:31:48Z 2017-11-23T17:31:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat fixes the following issues: Security issues fixed: - CVE-2017-5664: A problem in handling error pages was fixed, to avoid potential file overwrites during error page handling. (bsc#1042910). - CVE-2017-7674: A CORS Filter issue could lead to client and server side cache poisoning (bsc#1053352) - CVE-2017-12617: A remote code execution possibility via JSP Upload was fixed (bsc#1059554) Non security bugs fixed: - Fix tomcat-digest classpath error (bsc#977410) - Fix packaged /etc/alternatives symlinks for api libs that caused rpm -V to report link mismatch (bsc#1019016) This update was imported from the SUSE:SLE-12-SP2:Update update project. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00033.html E-Mail link for openSUSE-SU-2017:3069-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.2 openSUSE Leap 42.3 tomcat-8.0.43-9.1 tomcat-admin-webapps-8.0.43-9.1 tomcat-docs-webapp-8.0.43-9.1 tomcat-el-3_0-api-8.0.43-9.1 tomcat-embed-8.0.43-9.1 tomcat-javadoc-8.0.43-9.1 tomcat-jsp-2_3-api-8.0.43-9.1 tomcat-jsvc-8.0.43-9.1 tomcat-lib-8.0.43-9.1 tomcat-servlet-3_1-api-8.0.43-9.1 tomcat-webapps-8.0.43-9.1 tomcat-8.0.43-9.1 as a component of openSUSE Leap 42.2 tomcat-admin-webapps-8.0.43-9.1 as a component of openSUSE Leap 42.2 tomcat-docs-webapp-8.0.43-9.1 as a component of openSUSE Leap 42.2 tomcat-el-3_0-api-8.0.43-9.1 as a component of openSUSE Leap 42.2 tomcat-embed-8.0.43-9.1 as a component of openSUSE Leap 42.2 tomcat-javadoc-8.0.43-9.1 as a component of openSUSE Leap 42.2 tomcat-jsp-2_3-api-8.0.43-9.1 as a component of openSUSE Leap 42.2 tomcat-jsvc-8.0.43-9.1 as a component of openSUSE Leap 42.2 tomcat-lib-8.0.43-9.1 as a component of openSUSE Leap 42.2 tomcat-servlet-3_1-api-8.0.43-9.1 as a component of openSUSE Leap 42.2 tomcat-webapps-8.0.43-9.1 as a component of openSUSE Leap 42.2 tomcat-8.0.43-9.1 as a component of openSUSE Leap 42.3 tomcat-admin-webapps-8.0.43-9.1 as a component of openSUSE Leap 42.3 tomcat-docs-webapp-8.0.43-9.1 as a component of openSUSE Leap 42.3 tomcat-el-3_0-api-8.0.43-9.1 as a component of openSUSE Leap 42.3 tomcat-embed-8.0.43-9.1 as a component of openSUSE Leap 42.3 tomcat-javadoc-8.0.43-9.1 as a component of openSUSE Leap 42.3 tomcat-jsp-2_3-api-8.0.43-9.1 as a component of openSUSE Leap 42.3 tomcat-jsvc-8.0.43-9.1 as a component of openSUSE Leap 42.3 tomcat-lib-8.0.43-9.1 as a component of openSUSE Leap 42.3 tomcat-servlet-3_1-api-8.0.43-9.1 as a component of openSUSE Leap 42.3 tomcat-webapps-8.0.43-9.1 as a component of openSUSE Leap 42.3 When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server. CVE-2017-12617 openSUSE Leap 42.2:tomcat-8.0.43-9.1 openSUSE Leap 42.2:tomcat-admin-webapps-8.0.43-9.1 openSUSE Leap 42.2:tomcat-docs-webapp-8.0.43-9.1 openSUSE Leap 42.2:tomcat-el-3_0-api-8.0.43-9.1 openSUSE Leap 42.2:tomcat-embed-8.0.43-9.1 openSUSE Leap 42.2:tomcat-javadoc-8.0.43-9.1 openSUSE Leap 42.2:tomcat-jsp-2_3-api-8.0.43-9.1 openSUSE Leap 42.2:tomcat-jsvc-8.0.43-9.1 openSUSE Leap 42.2:tomcat-lib-8.0.43-9.1 openSUSE Leap 42.2:tomcat-servlet-3_1-api-8.0.43-9.1 openSUSE Leap 42.2:tomcat-webapps-8.0.43-9.1 openSUSE Leap 42.3:tomcat-8.0.43-9.1 openSUSE Leap 42.3:tomcat-admin-webapps-8.0.43-9.1 openSUSE Leap 42.3:tomcat-docs-webapp-8.0.43-9.1 openSUSE Leap 42.3:tomcat-el-3_0-api-8.0.43-9.1 openSUSE Leap 42.3:tomcat-embed-8.0.43-9.1 openSUSE Leap 42.3:tomcat-javadoc-8.0.43-9.1 openSUSE Leap 42.3:tomcat-jsp-2_3-api-8.0.43-9.1 openSUSE Leap 42.3:tomcat-jsvc-8.0.43-9.1 openSUSE Leap 42.3:tomcat-lib-8.0.43-9.1 openSUSE Leap 42.3:tomcat-servlet-3_1-api-8.0.43-9.1 openSUSE Leap 42.3:tomcat-webapps-8.0.43-9.1 moderate 9.3 AV:N/AC:M/Au:N/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00033.html https://www.suse.com/security/cve/CVE-2017-12617.html CVE-2017-12617 https://bugzilla.suse.com/1059554 SUSE Bug 1059554 https://bugzilla.suse.com/1180947 SUSE Bug 1180947 The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. CVE-2017-5664 openSUSE Leap 42.2:tomcat-8.0.43-9.1 openSUSE Leap 42.2:tomcat-admin-webapps-8.0.43-9.1 openSUSE Leap 42.2:tomcat-docs-webapp-8.0.43-9.1 openSUSE Leap 42.2:tomcat-el-3_0-api-8.0.43-9.1 openSUSE Leap 42.2:tomcat-embed-8.0.43-9.1 openSUSE Leap 42.2:tomcat-javadoc-8.0.43-9.1 openSUSE Leap 42.2:tomcat-jsp-2_3-api-8.0.43-9.1 openSUSE Leap 42.2:tomcat-jsvc-8.0.43-9.1 openSUSE Leap 42.2:tomcat-lib-8.0.43-9.1 openSUSE Leap 42.2:tomcat-servlet-3_1-api-8.0.43-9.1 openSUSE Leap 42.2:tomcat-webapps-8.0.43-9.1 openSUSE Leap 42.3:tomcat-8.0.43-9.1 openSUSE Leap 42.3:tomcat-admin-webapps-8.0.43-9.1 openSUSE Leap 42.3:tomcat-docs-webapp-8.0.43-9.1 openSUSE Leap 42.3:tomcat-el-3_0-api-8.0.43-9.1 openSUSE Leap 42.3:tomcat-embed-8.0.43-9.1 openSUSE Leap 42.3:tomcat-javadoc-8.0.43-9.1 openSUSE Leap 42.3:tomcat-jsp-2_3-api-8.0.43-9.1 openSUSE Leap 42.3:tomcat-jsvc-8.0.43-9.1 openSUSE Leap 42.3:tomcat-lib-8.0.43-9.1 openSUSE Leap 42.3:tomcat-servlet-3_1-api-8.0.43-9.1 openSUSE Leap 42.3:tomcat-webapps-8.0.43-9.1 moderate 5 AV:N/AC:L/Au:N/C:N/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00033.html https://www.suse.com/security/cve/CVE-2017-5664.html CVE-2017-5664 https://bugzilla.suse.com/1042910 SUSE Bug 1042910 The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances. CVE-2017-7674 openSUSE Leap 42.2:tomcat-8.0.43-9.1 openSUSE Leap 42.2:tomcat-admin-webapps-8.0.43-9.1 openSUSE Leap 42.2:tomcat-docs-webapp-8.0.43-9.1 openSUSE Leap 42.2:tomcat-el-3_0-api-8.0.43-9.1 openSUSE Leap 42.2:tomcat-embed-8.0.43-9.1 openSUSE Leap 42.2:tomcat-javadoc-8.0.43-9.1 openSUSE Leap 42.2:tomcat-jsp-2_3-api-8.0.43-9.1 openSUSE Leap 42.2:tomcat-jsvc-8.0.43-9.1 openSUSE Leap 42.2:tomcat-lib-8.0.43-9.1 openSUSE Leap 42.2:tomcat-servlet-3_1-api-8.0.43-9.1 openSUSE Leap 42.2:tomcat-webapps-8.0.43-9.1 openSUSE Leap 42.3:tomcat-8.0.43-9.1 openSUSE Leap 42.3:tomcat-admin-webapps-8.0.43-9.1 openSUSE Leap 42.3:tomcat-docs-webapp-8.0.43-9.1 openSUSE Leap 42.3:tomcat-el-3_0-api-8.0.43-9.1 openSUSE Leap 42.3:tomcat-embed-8.0.43-9.1 openSUSE Leap 42.3:tomcat-javadoc-8.0.43-9.1 openSUSE Leap 42.3:tomcat-jsp-2_3-api-8.0.43-9.1 openSUSE Leap 42.3:tomcat-jsvc-8.0.43-9.1 openSUSE Leap 42.3:tomcat-lib-8.0.43-9.1 openSUSE Leap 42.3:tomcat-servlet-3_1-api-8.0.43-9.1 openSUSE Leap 42.3:tomcat-webapps-8.0.43-9.1 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-11/msg00033.html https://www.suse.com/security/cve/CVE-2017-7674.html CVE-2017-7674 https://bugzilla.suse.com/1053352 SUSE Bug 1053352