Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
redhatRedHatRHSA-2017:2494
HistoryAug 21, 2017 - 3:21 p.m.

(RHSA-2017:2494) Important: Red Hat JBoss Web Server 2 security update

2017-08-2115:21:48
access.redhat.com
82

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.458 Medium

EPSS

Percentile

97.4%

JSON

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

This release provides an update to OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2.1.2. The updates are documented in the Release Notes document linked to in the References.

Users of Red Hat JBoss Web Server 2.1.2 should upgrade to these updated packages, which resolve several security issues.

Security Fix(es):

  • A memory leak flaw was found in the way OpenSSL handled TLS status request extension data during session renegotiation. A remote attacker could cause a TLS server using OpenSSL to consume an excessive amount of memory and, possibly, exit unexpectedly after exhausting all available memory, if it enabled OCSP stapling support. (CVE-2016-6304)

  • A vulnerability was discovered in tomcat’s handling of pipelined requests when “Sendfile” was used. If sendfile processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could lead to invalid responses or information disclosure. (CVE-2017-5647)

  • A vulnerability was discovered in the error page mechanism in Tomcat’s DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664)

  • A denial of service flaw was found in the way the TLS/SSL protocol defined processing of ALERT packets during a connection handshake. A remote attacker could use this flaw to make a TLS/SSL server consume an excessive amount of CPU and fail to accept connections from other clients. (CVE-2016-8610)

Red Hat would like to thank the OpenSSL project for reporting CVE-2016-6304 and Shi Lei (Gear Team of Qihoo 360 Inc.) for reporting CVE-2016-8610. Upstream acknowledges Shi Lei (Gear Team of Qihoo 360 Inc.) as the original reporter of CVE-2016-6304.

Related

nessus 38
redhat 8
oraclelinux 2
ibm 40
openvas 28
ubuntu 1
centos 3
debian 8
tomcat 7
cve 4
ubuntucve 4
redhatcve 2
mageia 1
amazon 4
debiancve 4
osv 10
fedora 3
myhack58 3
veracode 7
archlinux 2
prion 4
f5 6
github 2
paloalto 1
freebsd_advisory 1
freebsd 1
zdt 1
hackerone 1
alpinelinux 1
checkpoint_advisories 1
openssl 1
nessus
nessus
RHEL 6 / 7 : JBoss Web Server (RHSA-2017:2493)
2017-08-23 00:00:00
Symantec Content Analysis < 2.3.5.1 affected by Multiple Vulnerabilities (SYMSA1419)
2019-05-31 00:00:00
RHEL 6 / 7 : Red Hat JBoss Web Server 3.1.0 Service Pack 1 (RHSA-2017:1801)
2018-08-29 00:00:00
redhat
redhat
(RHSA-2017:2493) Important: Red Hat JBoss Web Server 2 security update
2017-08-21 15:21:19
(RHSA-2017:1801) Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update
2017-07-25 16:31:15
(RHSA-2017:1802) Important: Red Hat JBoss Web Server Service Pack 1 security update
2017-07-25 17:45:08
oraclelinux
oraclelinux
tomcat security update
2017-07-27 00:00:00
tomcat6 security update
2017-10-29 00:00:00
ibm
ibm
Security Bulletin: Security vulnerabilities have been identified in Jazz Team Server shipped with Jazz Reporting Service
2018-06-17 05:22:45
Security Bulletin: Security vulnerabilities have been identified in Jazz Reporting Service shipped with Rational Reporting for Development Intelligence
2018-06-17 05:22:45
Security Bulletin: Rational Build Forge Security Advisory (CVE-2016-8610, CVE-2017-6056, CVE-2017-5647, CVE-2017-5648)
2018-06-17 05:21:06
openvas
openvas
RedHat Update for tomcat6 RHSA-2017:3080-01
2017-10-30 00:00:00
Ubuntu Update for tomcat8 USN-3519-1
2018-01-09 00:00:00
CentOS Update for tomcat6 CESA-2017:3080 centos6
2017-11-02 00:00:00
ubuntu
ubuntu
Tomcat vulnerabilities
2018-01-08 00:00:00
centos
centos
tomcat6 security update
2017-10-30 11:27:14
tomcat security update
2017-07-27 15:49:22
openssl security update
2017-02-21 11:44:42
debian
debian
[SECURITY] [DLA 924-2] tomcat7 regression update
2017-05-10 20:08:15
[SECURITY] [DLA 996-1] tomcat7 security update
2017-06-20 21:34:44
[SECURITY] [DSA 3891-1] tomcat8 security update
2017-06-22 08:05:13
tomcat
tomcat
Fixed in Apache Tomcat 7.0.77
2017-04-02 00:00:00
Fixed in Apache Tomcat 8.5.15
2017-05-10 00:00:00
Fixed in Apache Tomcat 8.0.44
2017-05-16 00:00:00
cve
cve
CVE-2017-5647
2017-04-17 16:59:00
CVE-2017-5664
2017-06-06 14:29:00
CVE-2016-8610
2017-11-13 22:29:00
ubuntucve
ubuntucve
CVE-2017-5647
2017-04-17 00:00:00
CVE-2017-5664
2017-06-06 00:00:00
CVE-2016-8610
2016-10-24 00:00:00
redhatcve
redhatcve
CVE-2017-5664
2021-02-07 15:15:32
CVE-2017-5647
2017-04-11 12:48:12
mageia
mageia
Updated tomcat packages fix security vulnerability
2017-06-30 00:40:57
amazon
amazon
Important: tomcat8
2017-07-06 17:25:00
Important: tomcat7
2017-07-06 17:24:00
Important: tomcat6
2017-04-20 06:17:00
debiancve
debiancve
CVE-2017-5664
2017-06-06 14:29:00
CVE-2017-5647
2017-04-17 16:59:00
CVE-2016-8610
2017-11-13 22:29:00
osv
osv
tomcat7 - security update
2017-06-20 00:00:00
tomcat8 - security update
2017-06-22 00:00:00
tomcat7 - security update
2017-06-22 00:00:00
fedora
fedora
[SECURITY] Fedora 24 Update: tomcat-8.0.44-1.fc24
2017-06-29 23:50:43
[SECURITY] Fedora 25 Update: tomcat-8.0.44-1.fc25
2017-06-30 00:50:27
[SECURITY] Fedora 26 Update: tomcat-8.0.44-1.fc26
2017-07-07 23:13:38
myhack58
myhack58
Tomcat Security Constraint Bypass CVE-2017-5664 analysis-vulnerability warning-the black bar safety net
2017-07-27 00:00:00
Upgrade the openssl version to fix high-risk vulnerabilities--“the OpenSSL Red Alert”vulnerability-vulnerability warning-the black bar safety net
2016-10-29 00:00:00
Apache Tomcat security restrictions bypass Vulnerability, CVE-2017-5664-a vulnerability warning-the black bar safety net
2017-06-12 00:00:00
veracode
veracode
Security Constraint Bypass
2017-06-07 02:00:46
Denial Of Service (DoS) In SSL Alert Handling
2019-01-15 09:15:53
Information Disclosure
2017-04-11 05:42:07
archlinux
archlinux
[ASA-201706-7] tomcat8: access restriction bypass
2017-06-06 00:00:00
[ASA-201706-6] tomcat7: access restriction bypass
2017-06-06 00:00:00
prion
prion
Design/Logic Flaw
2017-06-06 14:29:00
Server side request forgery (ssrf)
2017-04-17 16:59:00
Code injection
2017-11-13 22:29:00
f5
f5
K49000195 : Apache Tomcat vulnerability CVE-2017-5647
2017-05-05 00:00:00
K11307303 : OpenSSL vulnerability CVE-2016-8610
2016-11-21 00:00:00
K01225001 : Apache Tomcat vulnerability CVE-2017-5664
2017-06-23 00:00:00
github
github
Improper Handling of Exceptional Conditions in Apache Tomcat
2022-05-13 01:46:15
Exposure of Sensitive Information to an Unauthorized Actor in Apache Tomcat
2022-05-14 01:10:16
paloalto
paloalto
OpenSSL Vulnerability
2017-06-07 00:25:00
freebsd_advisory
freebsd_advisory
FreeBSD-SA-16:35.openssl
2016-11-02 00:00:00
freebsd
freebsd
FreeBSD -- OpenSSL Remote DoS vulnerability
2016-11-02 00:00:00
zdt
zdt
OpenSSL OCSP Status Request Extension Unbounded Memory Growth Vulnerability
2016-10-21 00:00:00
hackerone
hackerone
Internet Bug Bounty: OCSP Status Request extension unbounded memory growth (CVE-2016-6304)
2017-03-29 01:24:57
alpinelinux
alpinelinux
CVE-2016-6304
2016-09-26 19:59:00
checkpoint_advisories
checkpoint_advisories
OpenSSL OCSP Extension Unbounded Memory Denial of Service (CVE-2016-6304)
2016-09-22 00:00:00
openssl
openssl
Vulnerability in OpenSSL CVE-2016-6304
2016-09-22 00:00:00

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

7.8 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.458 Medium

EPSS

Percentile

97.4%

JSON
Related for RHSA-2017:2494
nessus38redhat8oraclelinux2ibm40openvas28ubuntu1centos3debian8tomcat7cve4ubuntucve4redhatcve2mageia1amazon4debiancve4osv10fedora3myhack583veracode7archlinux2prion4f56github2paloalto1freebsd_advisory1freebsd1zdt1hackerone1alpinelinux1checkpoint_advisories1openssl1