openSUSE Security Update : tomcat (openSUSE-2016-384)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

This update for tomcat fixes the following issues :

Tomcat 8 was updated from 8.0.23 to 8.0.32, to fix bugs and security
issues.

Fixed security issues :

- CVE-2015-5174: Directory traversal vulnerability in
RequestUtil.java in Apache Tomcat allowed remote
authenticated users to bypass intended SecurityManager
restrictions and list a parent directory via a /..
(slash dot dot) in a pathname used by a web application
in a getResource, getResourceAsStream, or
getResourcePaths call, as demonstrated by the
$CATALINA_BASE/webapps directory. (bsc#967967)

- CVE-2015-5346: Session fixation vulnerability in Apache
Tomcat when different session settings are used for
deployments of multiple versions of the same web
application, might have allowed remote attackers to
hijack web sessions by leveraging use of a
requestedSessionSSL field for an unintended request,
related to CoyoteAdapter.java and Request.java.
(bsc#967814)

- CVE-2015-5345: The Mapper component in Apache Tomcat
processes redirects before considering security
constraints and Filters, which allowed remote attackers
to determine the existence of a directory via a URL that
lacks a trailing / (slash) character. (bsc#967965)

- CVE-2015-5351: The (1) Manager and (2) Host Manager
applications in Apache Tomcat established sessions and
send CSRF tokens for arbitrary new requests, which
allowed remote attackers to bypass a CSRF protection
mechanism by using a token. (bsc#967812)

- CVE-2016-0706: Apache Tomcat did not place
org.apache.catalina.manager.StatusManagerServlet on the
org/apache/catalina/core/RestrictedServlets.properties
list, which allowed remote authenticated users to bypass
intended SecurityManager restrictions and read arbitrary
HTTP requests, and consequently discover session ID
values, via a crafted web application. (bsc#967815)

- CVE-2016-0714: The session-persistence implementation in
Apache Tomcat mishandled session attributes, which
allowed remote authenticated users to bypass intended
SecurityManager restrictions and execute arbitrary code
in a privileged context via a web application that
places a crafted object in a session. (bsc#967964)

- CVE-2016-0763: The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in
Apache Tomcat did not consider whether
ResourceLinkFactory.setGlobalContext callers are
authorized, which allowed remote authenticated users to
bypass intended SecurityManager restrictions and read or
write to arbitrary application data, or cause a denial
of service (application disruption), via a web
application that sets a crafted global context.
(bsc#967966)

The full changes can be read on:
http://tomcat.apache.org/tomcat-8.0-doc/changelog.html

This update was imported from the SUSE:SLE-12-SP1:Update update
project.

See also :

http://tomcat.apache.org/tomcat-8.0-doc/changelog.html
https://bugzilla.opensuse.org/show_bug.cgi?id=967812
https://bugzilla.opensuse.org/show_bug.cgi?id=967814
https://bugzilla.opensuse.org/show_bug.cgi?id=967815
https://bugzilla.opensuse.org/show_bug.cgi?id=967964
https://bugzilla.opensuse.org/show_bug.cgi?id=967965
https://bugzilla.opensuse.org/show_bug.cgi?id=967966
https://bugzilla.opensuse.org/show_bug.cgi?id=967967

Solution :

Update the affected tomcat packages.

Risk factor :

Medium / CVSS Base Score : 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)

Family: SuSE Local Security Checks

Nessus Plugin ID: 90136 ()

Bugtraq ID:

CVE ID: CVE-2015-5174
CVE-2015-5345
CVE-2015-5346
CVE-2015-5351
CVE-2016-0706
CVE-2016-0714
CVE-2016-0763

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now