__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

                     Tomcat Security Update
                   [Red Hat RHSA:2007:0569-2]

July 17, 2007 18:00 GMT                                        Number R-305
[REVISED 8 Oct 2007]
[REVISED 23 Jan 2008]
[REVISED 28 Jan 2008]
______________________________________________________________________________

PROBLEM:        Some JSPs within the 'examples' web application did not escape
                user provided data.

PLATFORM:       RHEL Desktop Workstation (v. 5 client)
                Red Hat Enterprise Linux (v. 5 server)
                Red Hat Enterprise Linux Desktop (v. 5 client)
                HP-UX B.11.11, B.11.23, B.11.31 running Apache
                Debian GNU/Linux 4.0 (stable)

DAMAGE:         Could allow a remote attacker to perform cross-site scripting
                attacks.

SOLUTION:       Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY   The risk is MEDIUM. Could allow a remote attacker to perform
ASSESSMENT:     cross-site scripting attacks.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-305.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0569.html
 ADDITIONAL LINKS:   Visit Hewlett-Packard's Subscription Service for:
                     HPSBUX02262 SSRT071447 rev. 1
                     http://www.securityfocus.com/bid/24475/discuss
                     http://www.debian.org/security/2008/dsa-1468
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-2449
                     CVE-2007-2450
______________________________________________________________________________

REVISION HISTORY:
 10/08/2007 - revised R-305 to add a link to Hewlett-Packard's Subscription
              Service for HPSBUX02262 SSRT071447 rev. 1 for HP-UX B.00.00,
              B.11.23, B.11.31 running Apache.
 01/23/2008 - revised R-305 to add a link to Security Focus 24475.
 01/28/2008 - revised R-305 to add a link to Debian Security Advisory
              DSA-1468-1 for Debian GNU/Linux 4.0 (stable).

[***** Start Red Hat RHSA:2007:0569-2 *****]

Moderate: tomcat security update

Advisory:           RHSA-2007:0569-2
Type:               Security Advisory
Severity:           Moderate
Issued on:          2007-07-17
Last updated on:    2007-07-17
Affected Products:  RHEL Desktop Workstation (v. 5 client)
                    Red Hat Enterprise Linux (v. 5 server)
                    Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL:               com.redhat.rhsa-20070569.xml
CVEs (cve.mitre.org):
                    CVE-2007-2449
                    CVE-2007-2450

Details

Updated tomcat packages that fix two security issues and a packaging bug are
now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

Tomcat is a servlet container for Java Servlet and JavaServer Pages (JSP)
technologies.

Some JSPs within the 'examples' web application did not escape user provided
data. If the JSP examples were accessible, this flaw could allow a remote
attacker to perform cross-site scripting attacks (CVE-2007-2449). Note: it is
recommended the 'examples' web application not be installed on a production
system.

The Manager and Host Manager web applications did not escape user provided
data. If a user is logged in to the Manager or Host Manager web application,
an attacker could perform a cross-site scripting attack (CVE-2007-2450).

Users of Tomcat should update to these erratum packages, which contain
backported patches to correct these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network. Details on how to use the Red
Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188
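As an added check, not part of the CIAC or Red Hat text: the script below compares an installed tomcat5 VERSION-RELEASE against the fixed build in this erratum and reports whether the packages that ship the 'examples' and Manager web applications are present. The package-to-webapp mapping, the simplified rpmvercmp reimplementation and the sample rpm output are assumptions and constructions of this example, not from the advisory.

```python
import re

# Fixed VERSION-RELEASE of tomcat5 in this erratum (from the package list).
FIXED_VR = "5.5.23-0jpp.1.0.4.el5"
# Assumption, not stated in the advisory: on RHEL 5 these sub-packages carry
# the 'examples' and Manager/Host Manager web applications it describes.
WEBAPP_PKGS = ("tomcat5-webapps", "tomcat5-admin-webapps")
# Constructed sample of: rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' <pkgs>
SAMPLE_RPM_OUTPUT = ("tomcat5 5.5.23-0jpp.1.0.3.el5\n"
                     "package tomcat5-webapps is not installed\n"
                     "tomcat5-admin-webapps 5.5.23-0jpp.1.0.3.el5\n")

def _segments(label):
    # rpm compares a label as alternating runs of digits and letters.
    return re.findall(r"[0-9]+|[A-Za-z]+", label)

def rpmvercmp(a, b):
    """Simplified rpmvercmp: -1, 0 or 1 (no tilde/caret handling)."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # numeric segment is newer than alpha
        if x.isdigit():
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))  # longer label wins a tie

def is_fixed(installed_vr, fixed_vr=FIXED_VR):
    """True when an installed tomcat5 VERSION-RELEASE is at or beyond the fix."""
    iv, ir = installed_vr.split("-", 1)
    fv, fr = fixed_vr.split("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def parse_rpm_query(text):
    """Map NAME -> VERSION-RELEASE; 'package X is not installed' lines are skipped."""
    pkgs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+) (\S+-\S+)$", line)
        if m:
            pkgs[m.group(1)] = m.group(2)
    return pkgs

def check(rpm_output):
    """Patch state plus any example/manager packages the advisory says to keep off prod."""
    pkgs = parse_rpm_query(rpm_output)
    return {"patched": "tomcat5" in pkgs and is_fixed(pkgs["tomcat5"]),
            "example_or_manager_pkgs": [p for p in WEBAPP_PKGS if p in pkgs]}

if __name__ == "__main__":
    print(check(SAMPLE_RPM_OUTPUT))
```

On a real host, pipe the output of the rpm query shown in the comment into check(); a fully remediated production system reports patched True and an empty package list.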
Updated packages

[Per-architecture RPM file list with MD5 checksums omitted. All listed
packages are tomcat5 5.5.23-0jpp.1.0.4.el5 builds for RHEL Desktop Workstation
(v. 5 client), Red Hat Enterprise Linux (v. 5 server) and Red Hat Enterprise
Linux Desktop (v. 5 client).]

(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

244804 - CVE-2007-2449 tomcat examples jsp XSS
244808 - CVE-2007-2450 tomcat host manager XSS
244846 - /var/tmp/rpm-tmp.25596: line 5: /usr/bin/rebuild-gcj-db: No such
         file or directory

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2449
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2450
http://tomcat.apache.org/security-5.html
http://www.redhat.com/security/updates/classification/#moderate

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA:2007:0569-2 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be obtained
via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-295: Vulnerabilities in .NET Framework (931212)
R-296: Vulnerability in Microsoft Internet Information Services (939373)
R-297: Vulnerabilities in Microsoft Excel (936542)
R-298: Vulnerability in Windows Vista Firewall (935807)
R-299: Vulnerability in Microsoft Office Publisher 2007 (936548)
R-300: Flash Player Vulnerability
R-301: Security Vulnerability in the rcp(1) Command
R-302: Security Vulnerability in Java Web Start URL Parsing Code
R-303: VideoLan Vulnerability
R-304: Java Runtime Environment Vulnerability