Security update for tomcat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2017:1229-1 Final 1 1 2017-05-10T12:37:48Z current 2017-05-10T12:37:48Z 2017-05-10T12:37:48Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat fixes the following issues: - CVE-2017-5647 Pipelined requests could lead to information disclosure (bsc#1033448) - CVE-2017-5648 Untrusted application could retain listener leading to information disclosure (bsc#1033447) - CVE-2016-8745 shared Processor on Connector code could lead to information disclosure (bsc#1015119) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-RPI-12-SP2-2017-733,SUSE-SLE-SERVER-12-SP2-2017-733 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2017/suse-su-20171229-1/ Link for SUSE-SU-2017:1229-1 https://lists.suse.com/pipermail/sle-security-updates/2017-May/002852.html E-Mail link for SUSE-SU-2017:1229-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1015119 SUSE Bug 1015119 https://bugzilla.suse.com/1033447 SUSE Bug 1033447 https://bugzilla.suse.com/1033448 SUSE Bug 1033448 https://www.suse.com/security/cve/CVE-2016-8745/ SUSE CVE CVE-2016-8745 page https://www.suse.com/security/cve/CVE-2017-5647/ SUSE CVE CVE-2017-5647 page https://www.suse.com/security/cve/CVE-2017-5648/ SUSE CVE CVE-2017-5648 page SUSE Linux Enterprise Server 12 SP2 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 SUSE Linux Enterprise Server for SAP Applications 12 SP2 tomcat-8.0.43-23.1 tomcat-admin-webapps-8.0.43-23.1 tomcat-docs-webapp-8.0.43-23.1 tomcat-el-3_0-api-8.0.43-23.1 tomcat-javadoc-8.0.43-23.1 tomcat-jsp-2_3-api-8.0.43-23.1 tomcat-lib-8.0.43-23.1 tomcat-servlet-3_1-api-8.0.43-23.1 tomcat-webapps-8.0.43-23.1 tomcat-8.0.43-23.1 as a component of SUSE Linux Enterprise Server 12 SP2 tomcat-admin-webapps-8.0.43-23.1 as a component of SUSE Linux Enterprise Server 12 SP2 tomcat-docs-webapp-8.0.43-23.1 as a component of SUSE Linux Enterprise Server 12 SP2 tomcat-el-3_0-api-8.0.43-23.1 as a component of SUSE Linux Enterprise Server 12 SP2 tomcat-javadoc-8.0.43-23.1 as a component of SUSE Linux Enterprise Server 12 SP2 tomcat-jsp-2_3-api-8.0.43-23.1 as a component of SUSE Linux Enterprise Server 12 SP2 tomcat-lib-8.0.43-23.1 as a component of SUSE Linux Enterprise Server 12 SP2 tomcat-servlet-3_1-api-8.0.43-23.1 as a component of SUSE Linux Enterprise Server 12 SP2 tomcat-webapps-8.0.43-23.1 as a component of SUSE Linux Enterprise Server 12 SP2 tomcat-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 tomcat-admin-webapps-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 tomcat-docs-webapp-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 tomcat-el-3_0-api-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 tomcat-javadoc-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 tomcat-jsp-2_3-api-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 tomcat-lib-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 tomcat-servlet-3_1-api-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 tomcat-webapps-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for Raspberry Pi 12 SP2 tomcat-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 tomcat-admin-webapps-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 tomcat-docs-webapp-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 tomcat-el-3_0-api-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 tomcat-javadoc-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 tomcat-jsp-2_3-api-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 tomcat-lib-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 tomcat-servlet-3_1-api-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 tomcat-webapps-8.0.43-23.1 as a component of SUSE Linux Enterprise Server for SAP Applications 12 SP2 A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions. CVE-2016-8745 SUSE Linux Enterprise Server 12 SP2:tomcat-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-admin-webapps-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-docs-webapp-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-el-3_0-api-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-javadoc-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-jsp-2_3-api-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-lib-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-servlet-3_1-api-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-admin-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-docs-webapp-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-el-3_0-api-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-javadoc-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-jsp-2_3-api-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-lib-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-servlet-3_1-api-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-admin-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-docs-webapp-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-el-3_0-api-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-javadoc-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-jsp-2_3-api-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-lib-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-servlet-3_1-api-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-webapps-8.0.43-23.1 important 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171229-1/ https://www.suse.com/security/cve/CVE-2016-8745.html CVE-2016-8745 https://bugzilla.suse.com/1015119 SUSE Bug 1015119 A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. CVE-2017-5647 SUSE Linux Enterprise Server 12 SP2:tomcat-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-admin-webapps-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-docs-webapp-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-el-3_0-api-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-javadoc-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-jsp-2_3-api-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-lib-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-servlet-3_1-api-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-admin-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-docs-webapp-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-el-3_0-api-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-javadoc-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-jsp-2_3-api-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-lib-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-servlet-3_1-api-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-admin-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-docs-webapp-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-el-3_0-api-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-javadoc-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-jsp-2_3-api-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-lib-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-servlet-3_1-api-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-webapps-8.0.43-23.1 important 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171229-1/ https://www.suse.com/security/cve/CVE-2017-5647.html CVE-2017-5647 https://bugzilla.suse.com/1033448 SUSE Bug 1033448 While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. CVE-2017-5648 SUSE Linux Enterprise Server 12 SP2:tomcat-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-admin-webapps-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-docs-webapp-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-el-3_0-api-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-javadoc-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-jsp-2_3-api-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-lib-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-servlet-3_1-api-8.0.43-23.1 SUSE Linux Enterprise Server 12 SP2:tomcat-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-admin-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-docs-webapp-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-el-3_0-api-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-javadoc-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-jsp-2_3-api-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-lib-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-servlet-3_1-api-8.0.43-23.1 SUSE Linux Enterprise Server for Raspberry Pi 12 SP2:tomcat-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-admin-webapps-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-docs-webapp-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-el-3_0-api-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-javadoc-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-jsp-2_3-api-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-lib-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-servlet-3_1-api-8.0.43-23.1 SUSE Linux Enterprise Server for SAP Applications 12 SP2:tomcat-webapps-8.0.43-23.1 important 1.5 AV:L/AC:M/Au:S/C:P/I:N/A:N 6.4 AV:N/AC:L/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2017/suse-su-20171229-1/ https://www.suse.com/security/cve/CVE-2017-5648.html CVE-2017-5648 https://bugzilla.suse.com/1033447 SUSE Bug 1033447