Basic search

K
amazonAmazonALAS-2016-764
HistoryNov 10, 2016 - 6:00 p.m.

Important: tomcat6, tomcat7, tomcat8

2016-11-1018:00:00
alas.aws.amazon.com
18

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.002 Low

EPSS

Percentile

53.6%

Issue Overview:

It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)

A malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)

The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. (CVE-2016-0762)

When a SecurityManager is configured, a web application’s ability to read system properties should be controlled by the SecurityManager. Tomcat’s system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)

A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)

The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not. (CVE-2016-6797)

Affected Packages:

tomcat6, tomcat7, tomcat8

Issue Correction:
Run yum update tomcat6 to update your system.
Run yum update tomcat7 to update your system.
Run yum update tomcat8 to update your system.

New Packages:

noarch:  
    tomcat6-webapps-6.0.47-1.7.amzn1.noarch  
    tomcat6-servlet-2.5-api-6.0.47-1.7.amzn1.noarch  
    tomcat6-jsp-2.1-api-6.0.47-1.7.amzn1.noarch  
    tomcat6-javadoc-6.0.47-1.7.amzn1.noarch  
    tomcat6-docs-webapp-6.0.47-1.7.amzn1.noarch  
    tomcat6-el-2.1-api-6.0.47-1.7.amzn1.noarch  
    tomcat6-6.0.47-1.7.amzn1.noarch  
    tomcat6-admin-webapps-6.0.47-1.7.amzn1.noarch  
    tomcat6-lib-6.0.47-1.7.amzn1.noarch  
    tomcat7-el-2.2-api-7.0.72-1.21.amzn1.noarch  
    tomcat7-7.0.72-1.21.amzn1.noarch  
    tomcat7-admin-webapps-7.0.72-1.21.amzn1.noarch  
    tomcat7-log4j-7.0.72-1.21.amzn1.noarch  
    tomcat7-javadoc-7.0.72-1.21.amzn1.noarch  
    tomcat7-docs-webapp-7.0.72-1.21.amzn1.noarch  
    tomcat7-jsp-2.2-api-7.0.72-1.21.amzn1.noarch  
    tomcat7-lib-7.0.72-1.21.amzn1.noarch  
    tomcat7-webapps-7.0.72-1.21.amzn1.noarch  
    tomcat7-servlet-3.0-api-7.0.72-1.21.amzn1.noarch  
    tomcat8-el-3.0-api-8.0.38-1.65.amzn1.noarch  
    tomcat8-admin-webapps-8.0.38-1.65.amzn1.noarch  
    tomcat8-log4j-8.0.38-1.65.amzn1.noarch  
    tomcat8-lib-8.0.38-1.65.amzn1.noarch  
    tomcat8-8.0.38-1.65.amzn1.noarch  
    tomcat8-servlet-3.1-api-8.0.38-1.65.amzn1.noarch  
    tomcat8-jsp-2.3-api-8.0.38-1.65.amzn1.noarch  
    tomcat8-docs-webapp-8.0.38-1.65.amzn1.noarch  
    tomcat8-webapps-8.0.38-1.65.amzn1.noarch  
    tomcat8-javadoc-8.0.38-1.65.amzn1.noarch  
  
src:  
    tomcat6-6.0.47-1.7.amzn1.src  
    tomcat7-7.0.72-1.21.amzn1.src  
    tomcat8-8.0.38-1.65.amzn1.src  

Additional References

Red Hat: CVE-2016-0762, CVE-2016-5018, CVE-2016-6325, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797

Mitre: CVE-2016-0762, CVE-2016-5018, CVE-2016-6325, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797

9.1 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

7.2 High

CVSS2

Access Vector

LOCAL

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:L/AC:L/Au:N/C:C/I:C/A:C

0.002 Low

EPSS

Percentile

53.6%