(RHSA-2016:1648) Important: Red Hat JBoss Web Server 2.1.1 security update on RHEL 7

Red Hat JBoss Web Server is a fully integrated and certified set of
components for hosting Java web applications. It is comprised of the Apache
HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector
(mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat
Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.1.0,
and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.1
Release Notes for information on the most significant of these changes,
available shortly from https://access.redhat.com/site/documentation/

All users of Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 7
are advised to upgrade to Red Hat JBoss Web Server 2.1.1. The JBoss server
process must be restarted for this update to take effect.

Security Fix(es):

• It was discovered that httpd used the value of the Proxy header from HTTP
  requests to initialize the HTTP_PROXY environment variable for CGI scripts,
  which in turn was incorrectly used by certain HTTP client implementations
  to configure the proxy for outgoing HTTP requests. A remote attacker could
  possibly use this flaw to redirect HTTP requests performed by a CGI script
  to an attacker-controlled proxy via a malicious HTTP request.
  (CVE-2016-5387)

• An integer overflow flaw, leading to a buffer overflow, was found in the
  way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of
  input data. A remote attacker could use this flaw to crash an application
  using OpenSSL or, possibly, execute arbitrary code with the permissions of
  the user running that application. (CVE-2016-2105)

• An integer overflow flaw, leading to a buffer overflow, was found in the
  way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts
  of input data. A remote attacker could use this flaw to crash an
  application using OpenSSL or, possibly, execute arbitrary code with the
  permissions of the user running that application. (CVE-2016-2106)

• It was discovered that it is possible to remotely Segfault Apache http
  server with a specially crafted string sent to the mod_cluster via service
  messages (MCMP). (CVE-2016-3110)

Red Hat would like to thank Scott Geary (VendHQ) for reporting
CVE-2016-5387; the OpenSSL project for reporting CVE-2016-2105 and
CVE-2016-2106; and Michal Karm Babacek for reporting CVE-2016-3110.
Upstream acknowledges Guido Vranken as the original reporter of
CVE-2016-2105 and CVE-2016-2106.