Arch Linux alert ASA-201611-22 (tomcat6)
| From: | Levente Polyak <anthraxx@archlinux.org> |
| To: | arch-security@archlinux.org |
| Subject: | [arch-security] [ASA-201611-22] tomcat6: multiple issues |
| Date: | Wed, 23 Nov 2016 17:23:18 +0100 |
| Message-ID: | <c2abad7f-5a0e-b87a-0fd2-e1569df237ce@archlinux.org> |
Arch Linux Security Advisory ASA-201611-22
==========================================

Severity: High
Date    : 2016-11-23
CVE-ID  : CVE-2016-6816 CVE-2016-8735
Package : tomcat6
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package tomcat6 before version 6.0.48-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution
==========

Upgrade to 6.0.48-1.

# pacman -Syu "tomcat6>=6.0.48-1"

The problems have been fixed upstream in version 6.0.48.

Workaround
==========

None.

Description
===========

- CVE-2016-6816 (information disclosure)

The code that parsed the HTTP request line permitted invalid characters.
This could be exploited, in conjunction with a proxy that also permitted
the invalid characters but with a different interpretation, to inject
data into the HTTP response. By manipulating the HTTP response, the
attacker could poison a web-cache, perform an XSS attack and/or obtain
sensitive information from requests other than their own.

- CVE-2016-8735 (arbitrary code execution)

The JmxRemoteLifecycleListener was not updated to take account of
Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using
this listener remained vulnerable to a similar remote code execution
vulnerability.

Impact
======

A remote attacker is able to execute arbitrary code and disclose
sensitive information.

References
==========

https://tomcat.apache.org/security-6.html#Fixed_in_Apache...
http://www.openwall.com/lists/oss-security/2016/11/22/17
http://www.openwall.com/lists/oss-security/2016/11/22/16
https://access.redhat.com/security/cve/CVE-2016-6816
https://access.redhat.com/security/cve/CVE-2016-8735
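The root cause of CVE-2016-6816 is a request-line parser that accepted bytes outside the RFC 7230 grammar, so a front-end proxy and Tomcat could disagree about where the request line ends. The strict validator below is an added illustration, not Tomcat's code or the upstream fix; it enforces the `method SP request-target SP HTTP-version CRLF` shape and rejects control bytes, tabs and non-ASCII bytes, run over constructed sample lines.

```python
import re

# RFC 7230 tchar set for the method; HTTP-version is "HTTP/" DIGIT "." DIGIT.
TCHAR = rb"[!#$%&'*+\-.^_`|~0-9A-Za-z]"
METHOD_RE = re.compile(rb"^" + TCHAR + rb"+$")
VERSION_RE = re.compile(rb"^HTTP/\d\.\d$")
# request-target: visible ASCII only. Tabs, other control bytes and bytes >= 0x80
# are rejected rather than passed through with parser-specific meaning.
TARGET_RE = re.compile(rb"^[\x21-\x7e]+$")


def validate_request_line(line: bytes) -> tuple:
    """Return (True, '') for a well-formed request line, else (False, reason)."""
    if not line.endswith(b"\r\n"):
        return False, "line must end with CRLF"
    parts = line[:-2].split(b" ")
    if len(parts) != 3:
        return False, "expected exactly 'method SP target SP version'"
    method, target, version = parts
    if not METHOD_RE.match(method):
        return False, "invalid character in method"
    if not TARGET_RE.match(target):
        return False, "invalid character in request-target"
    if not VERSION_RE.match(version):
        return False, "malformed HTTP-version"
    return True, ""


# Constructed sample request lines for the demo (not captured traffic).
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\n",
    b"GET /index.html\tHTTP/1.1 HTTP/1.1\r\n",  # tab hidden inside the target
    b"GET /a\x0bb HTTP/1.1\r\n",               # vertical-tab control byte
    b"GET /caf\xc3\xa9 HTTP/1.1\r\n",          # non-ASCII bytes in the target
    b"GET /index.html HTTP/1.1\n",             # bare LF line ending
    b"G{ET /x HTTP/1.1\r\n",                   # character outside tchar
]


def rejected_lines(samples=SAMPLES) -> list:
    """Return [(line, reason)] for every sample the strict parser rejects."""
    out = []
    for line in samples:
        ok, reason = validate_request_line(line)
        if not ok:
            out.append((line, reason))
    return out


if __name__ == "__main__":
    for line, reason in rejected_lines():
        print(f"{line!r}: {reason}")
```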
