Security update for tomcat SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2017:1292-1 Final 1 1 2017-05-15T13:25:25Z current 2017-05-15T13:25:25Z 2017-05-15T13:25:25Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update for tomcat fixes the following issues: - CVE-2017-5647 Pipelined requests could lead to information disclosure (bsc#1033448) - CVE-2017-5648 Untrusted application could retain listener leading to information disclosure (bsc#1033447) - CVE-2016-8745 shared Processor on Connector code could lead to information disclosure (bsc#1015119) This update was imported from the SUSE:SLE-12-SP1:Update and SUSE:SLE-12-SP2:Update update projects. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2017-05/msg00037.html E-Mail link for openSUSE-SU-2017:1292-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings openSUSE Leap 42.1 openSUSE Leap 42.2 tomcat-8.0.43-6.7.1 tomcat-admin-webapps-8.0.43-6.7.1 tomcat-docs-webapp-8.0.43-6.7.1 tomcat-el-3_0-api-8.0.43-6.7.1 tomcat-embed-8.0.43-6.7.1 tomcat-javadoc-8.0.43-6.7.1 tomcat-jsp-2_3-api-8.0.43-6.7.1 tomcat-jsvc-8.0.43-6.7.1 tomcat-lib-8.0.43-6.7.1 tomcat-servlet-3_1-api-8.0.43-6.7.1 tomcat-webapps-8.0.43-6.7.1 tomcat-8.0.43-6.7.1 as a component of openSUSE Leap 42.1 tomcat-admin-webapps-8.0.43-6.7.1 as a component of openSUSE Leap 42.1 tomcat-docs-webapp-8.0.43-6.7.1 as a component of openSUSE Leap 42.1 tomcat-el-3_0-api-8.0.43-6.7.1 as a component of openSUSE Leap 42.1 tomcat-embed-8.0.43-6.7.1 as a component of openSUSE Leap 42.1 tomcat-javadoc-8.0.43-6.7.1 as a component of openSUSE Leap 42.1 tomcat-jsp-2_3-api-8.0.43-6.7.1 as a component of openSUSE Leap 42.1 tomcat-jsvc-8.0.43-6.7.1 as a component of openSUSE Leap 42.1 tomcat-lib-8.0.43-6.7.1 as a component of openSUSE Leap 42.1 tomcat-servlet-3_1-api-8.0.43-6.7.1 as a component of openSUSE Leap 42.1 tomcat-webapps-8.0.43-6.7.1 as a component of openSUSE Leap 42.1 tomcat-8.0.43-6.7.1 as a component of openSUSE Leap 42.2 tomcat-admin-webapps-8.0.43-6.7.1 as a component of openSUSE Leap 42.2 tomcat-docs-webapp-8.0.43-6.7.1 as a component of openSUSE Leap 42.2 tomcat-el-3_0-api-8.0.43-6.7.1 as a component of openSUSE Leap 42.2 tomcat-embed-8.0.43-6.7.1 as a component of openSUSE Leap 42.2 tomcat-javadoc-8.0.43-6.7.1 as a component of openSUSE Leap 42.2 tomcat-jsp-2_3-api-8.0.43-6.7.1 as a component of openSUSE Leap 42.2 tomcat-jsvc-8.0.43-6.7.1 as a component of openSUSE Leap 42.2 tomcat-lib-8.0.43-6.7.1 as a component of openSUSE Leap 42.2 tomcat-servlet-3_1-api-8.0.43-6.7.1 as a component of openSUSE Leap 42.2 tomcat-webapps-8.0.43-6.7.1 as a component of openSUSE Leap 42.2 A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions. CVE-2016-8745 openSUSE Leap 42.1:tomcat-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-admin-webapps-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-docs-webapp-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-el-3_0-api-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-embed-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-javadoc-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-jsp-2_3-api-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-jsvc-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-lib-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-servlet-3_1-api-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-webapps-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-admin-webapps-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-docs-webapp-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-el-3_0-api-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-embed-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-javadoc-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-jsp-2_3-api-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-jsvc-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-lib-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-servlet-3_1-api-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-webapps-8.0.43-6.7.1 moderate 2.6 AV:N/AC:H/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-05/msg00037.html https://www.suse.com/security/cve/CVE-2016-8745.html CVE-2016-8745 https://bugzilla.suse.com/1015119 SUSE Bug 1015119 A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C. CVE-2017-5647 openSUSE Leap 42.1:tomcat-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-admin-webapps-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-docs-webapp-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-el-3_0-api-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-embed-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-javadoc-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-jsp-2_3-api-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-jsvc-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-lib-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-servlet-3_1-api-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-webapps-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-admin-webapps-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-docs-webapp-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-el-3_0-api-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-embed-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-javadoc-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-jsp-2_3-api-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-jsvc-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-lib-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-servlet-3_1-api-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-webapps-8.0.43-6.7.1 moderate 4.9 AV:N/AC:M/Au:S/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-05/msg00037.html https://www.suse.com/security/cve/CVE-2017-5647.html CVE-2017-5647 https://bugzilla.suse.com/1033448 SUSE Bug 1033448 https://bugzilla.suse.com/1036642 SUSE Bug 1036642 While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. CVE-2017-5648 openSUSE Leap 42.1:tomcat-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-admin-webapps-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-docs-webapp-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-el-3_0-api-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-embed-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-javadoc-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-jsp-2_3-api-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-jsvc-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-lib-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-servlet-3_1-api-8.0.43-6.7.1 openSUSE Leap 42.1:tomcat-webapps-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-admin-webapps-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-docs-webapp-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-el-3_0-api-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-embed-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-javadoc-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-jsp-2_3-api-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-jsvc-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-lib-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-servlet-3_1-api-8.0.43-6.7.1 openSUSE Leap 42.2:tomcat-webapps-8.0.43-6.7.1 low 1.5 AV:L/AC:M/Au:S/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2017-05/msg00037.html https://www.suse.com/security/cve/CVE-2017-5648.html CVE-2017-5648 https://bugzilla.suse.com/1033447 SUSE Bug 1033447