             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                            Tomcat Security Update
                         [Red Hat RHSA-2007:0871-5]

September 27, 2007 17:00 GMT                                      Number R-359
[REVISED 8 Oct 2007]
[REVISED 10 Jan 2008]
[REVISED 14 Jan 2008]
______________________________________________________________________________
PROBLEM:       There are several security vulnerabilities in Tomcat.

PLATFORM:      RHEL Desktop Workstation (v. 5 client)
               Red Hat Enterprise Linux (v. 5 server)
               Red Hat Enterprise Linux Desktop (v. 5 client)
               HP-UX B.11.11, B.11.23, B.11.31 running Apache
               Debian GNU/Linux 4.0 (stable)

DAMAGE:        Could allow session hijacking and/or injection of arbitrary
               HTML and web scripts.

SOLUTION:      Upgrade to the appropriate version.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. Could allow session hijacking and/or
ASSESSMENT:    injection of arbitrary HTML and web scripts.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/r-359.shtml
 ORIGINAL BULLETIN:  https://rhn.redhat.com/errata/RHSA-2007-0871.html
 ADDITIONAL LINKS:   Visit Hewlett-Packard's Subscription Service for:
                     HPSBUX02262 SSRT071447 rev. 1
                     http://www.debian.org/security/2008/dsa-1453
                     http://www.debian.org/security/2008/dsa-1447
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CVE-2007-3382
                     CVE-2007-3385
                     CVE-2007-3386
______________________________________________________________________________
REVISION HISTORY:
 10/08/2007 - revised R-359 to add a link to Hewlett-Packard's Subscription
              Service for HPSBUX02262 SSRT071447 rev. 1 for HP-UX B.00.00,
              B.11.23, B.11.31 running Apache.
 01/10/2008 - revised R-359 to add a link to Debian Security Advisory
              DSA-1453-1 for Debian GNU/Linux 4.0 (stable).
 01/14/2008 - revised R-359 to add a link to Debian Security Advisory
              DSA-1447-1 for Debian GNU/Linux 4.0 (stable).

[***** Start Red Hat RHSA-2007:0871-5 *****]

tomcat security update

Advisory:             RHSA-2007:0871-5
Type:                 Security Advisory
Severity:             Moderate
Issued on:            2007-09-26
Last updated on:      2007-09-26
Affected Products:    RHEL Desktop Workstation (v. 5 client)
                      Red Hat Enterprise Linux (v. 5 server)
                      Red Hat Enterprise Linux Desktop (v. 5 client)
OVAL:                 com.redhat.rhsa-20070871.xml
CVEs (cve.mitre.org): CVE-2007-3382
                      CVE-2007-3385
                      CVE-2007-3386

Details

Updated tomcat packages that fix several security issues are now available
for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat
Security Response Team.

Tomcat is a servlet container for Java Servlet and Java Server Pages
technologies.

Tomcat was found treating single quote characters -- ' -- as delimiters in
cookies. This could allow remote attackers to obtain sensitive information,
such as session IDs, for session hijacking attacks (CVE-2007-3382).

It was reported Tomcat did not properly handle the following character
sequence in a cookie: \" (a backslash followed by a double-quote). It was
possible remote attackers could use this failure to obtain sensitive
information, such as session IDs, for session hijacking attacks
(CVE-2007-3385).

A cross-site scripting (XSS) vulnerability existed in the Host Manager
Servlet. This allowed remote attackers to inject arbitrary HTML and web
script via crafted requests (CVE-2007-3386).

Users of Tomcat should update to these erratum packages, which contain
backported patches and are not vulnerable to these issues.

Solution

Before applying this update, make sure that all previously-released errata
relevant to your system have been applied.

This update is available via Red Hat Network.
Details on how to use the Red Hat Network to apply this update are available
at http://kbase.redhat.com/faq/FAQ_58_10188

Updated packages
(The unlinked packages above are only available from the Red Hat Network)

Bugs fixed (see bugzilla for more information)

247972 - CVE-2007-3382 tomcat handling of cookies
247976 - CVE-2007-3385 tomcat handling of cookie values
247994 - CVE-2007-3386 tomcat host manager xss

References

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3382
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3385
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3386
http://tomcat.apache.org/security-5.html
http://www.redhat.com/security/updates/classification/#moderate

--------------------------------------------------------------------------------

These packages are GPG signed by Red Hat for security. Our key and details on
how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at
http://www.redhat.com/security/team/contact/

[***** End Red Hat RHSA-2007:0871-5 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Red Hat for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report incidents.
Your agency's team will coordinate with CIAC.
The Forum of Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their constituencies
can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by the United States Government or the University of California. The views
and opinions of authors expressed herein do not necessarily state or reflect
those of the United States Government or the University of California, and
shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

R-349: Apple Quicktime Vulnerability
R-350: Gt Security Update
R-351: Denial of Service Vulnerabilities in Content Switching Module
R-352: The Cisco Adaptive Security Appliance Vulnerability
R-353: phpWiki Security Vulnerabilities
R-354: Earth Resources Mapping NCSView ActiveX Vulnerabilities
R-355: PHP Security Update
R-356: OpenOffice.org Security Update
R-357: HP-UX Running logins(1M) Vulnerability
R-358: kdebase Vulnerability
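The first two CVEs in the Red Hat Details section above are about how a Cookie header is split into values. The following is an added example, not code from the CIAC bulletin, Red Hat or Tomcat: a small parser that treats only ';' as the cookie separator, leaves a single quote as ordinary value text, and keeps a backslash-escaped \" inside a quoted value. The sample headers and the cookie name JSESSIONID (Tomcat's default session cookie) are constructed for illustration.

```python
import re

# name=value, where value is either an RFC 2109 quoted-string (a backslash
# escapes the next character, so \" stays inside the value) or a run of
# ordinary characters ending at ';'.  The single quote is deliberately not
# a delimiter anywhere in this pattern: it is ordinary value text.
_PAIR = re.compile(r'\s*([^\s;="]+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]*)')


def parse_cookie_header(header):
    """Split a Cookie header into an ordered list of (name, value) pairs.

    Only ';' separates cookies.  Quoted values are returned unquoted with
    their backslash escapes resolved.
    """
    cookies = []
    pos = 0
    while pos < len(header):
        m = _PAIR.match(header, pos)
        if m:
            name, raw = m.group(1), m.group(2).strip()
            if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
                value = re.sub(r'\\(.)', r'\1', raw[1:-1])  # resolve escapes
            else:
                value = raw
            cookies.append((name, value))
            pos = m.end()
        # skip anything left before the next separator, then the ';' itself
        nxt = header.find(';', pos)
        pos = len(header) if nxt < 0 else nxt + 1
    return cookies


def session_cookie(header, name="JSESSIONID"):
    """Return the session cookie value, or None if the header lacks it."""
    return dict(parse_cookie_header(header)).get(name)


# Constructed sample headers: the session cookie next to values containing
# the characters the erratum describes (a lone ' and an escaped \").
SAMPLES = {
    "plain":        "JSESSIONID=abc123; theme=dark",
    "single_quote": "pref='a; JSESSIONID=abc123",
    "escaped_dq":   'note="x\\"y"; JSESSIONID=abc123',
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(label, parse_cookie_header(hdr))
```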
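The Solution section above says to update to the erratum packages; an administrator will want to confirm that the installed tomcat5 package is at or above the fixed version-release. This is an added example, not part of the bulletin or of rpm itself: it applies rpm's segment comparison rules to the version-release string from the erratum's package names. The older version-release used as a sample in the main block is constructed for illustration.

```python
import re

# Version-release of the fixed tomcat5 packages in RHSA-2007:0871
# (taken from the package names listed in the erratum).
FIXED_VR = "5.5.23-0jpp.3.0.2.el5"


def _segments(s):
    """Split a version or release string into its digit and letter runs."""
    return re.findall(r"\d+|[A-Za-z]+", s)


def rpmvercmp(a, b):
    """Return -1, 0 or 1 following rpm's segment rules: digit runs compare
    numerically, letter runs lexically, and a digit run is newer than a
    letter run.  (Tilde/caret handling is not needed for these packages.)"""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd != yd:
            return 1 if xd else -1
        if xd:
            x, y = int(x), int(y)
        if x != y:
            return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))


def compare_vr(a, b):
    """Compare two 'VERSION-RELEASE' strings; version decides, then release."""
    va, ra = a.split("-", 1)
    vb, rb = b.split("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def is_fixed(installed_vr, fixed_vr=FIXED_VR):
    """True when the installed version-release is at or above the erratum's."""
    return compare_vr(installed_vr, fixed_vr) >= 0


if __name__ == "__main__":
    # Feed this with the output of:  rpm -q tomcat5 --qf '%{VERSION}-%{RELEASE}\n'
    import sys
    vr = sys.argv[1] if len(sys.argv) > 1 else "5.5.23-0jpp.1.0.1.el5"  # constructed sample
    print(vr, "patched" if is_fixed(vr) else "not at RHSA-2007:0871 level")
```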