[Bug 1459158] New: CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Bug ID: 1459158 Summary: CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism Product: Security Response Component: vulnerability Keywords: Security Severity: high Priority: high Assignee: security-response-team@redhat.com Reporter: amaris@redhat.com CC: aileenc@redhat.com, alee@redhat.com, apintea@redhat.com, bkundal@redhat.com, bmaxwell@redhat.com, ccoleman@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dedgar@redhat.com, dimitris@redhat.com, dmcphers@redhat.com, dosoudil@redhat.com, felias@redhat.com, fgavrilo@redhat.com, gvarsami@redhat.com, gzaronik@redhat.com, hchiorea@redhat.com, hhorak@redhat.com, ivan.afonichev@gmail.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jclere@redhat.com, jcoleman@redhat.com, jdoyle@redhat.com, jgoulding@redhat.com, joelsmith@redhat.com, jolee@redhat.com, jondruse@redhat.com, jorton@redhat.com, jshepherd@redhat.com, kconner@redhat.com, krzysztof.daniel@gmail.com, ldimaggi@redhat.com, lgao@redhat.com, loleary@redhat.com, mbabacek@redhat.com, me@coolsvap.net, mizdebsk@redhat.com, myarboro@redhat.com, nwallace@redhat.com, pavelp@redhat.com, pgier@redhat.com, pjurak@redhat.com, ppalaga@redhat.com, psakar@redhat.com, pslavice@redhat.com, rnetuka@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rwagner@redhat.com, spinder@redhat.com, sstavrev@redhat.com, tcunning@redhat.com, theute@redhat.com, tkirby@redhat.com, trick@vanstaveren.us, twalsh@redhat.com, vhalbert@redhat.com, vtunka@redhat.com, weli@redhat.com
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method.
If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTT method. Tomcat's Default Servlet did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page.
Affects: 7.0.0 to 7.0.77, 8.0.0.RC1 to 8.0.43, 8.5.0 to 8.5.14
Upstream fixes:
Tomcat 7.x:
https://svn.apache.org/viewvc?view=revision&revision=1793471 https://svn.apache.org/viewvc?view=revision&revision=1793491
Tomcat 8.0.x:
https://svn.apache.org/viewvc?view=revision&revision=1793470 https://svn.apache.org/viewvc?view=revision&revision=1793489
Tomcat 8.5.x:
https://svn.apache.org/viewvc?view=revision&revision=1793469 https://svn.apache.org/viewvc?view=revision&revision=1793488
External References:
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.78 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.44 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.15
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Adam Mariš amaris@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Fixed In Version| |tomcat 7.0.78, tomcat | |8.0.44, tomcat 8.5.15
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Adam Mariš amaris@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1459160, 1459161, 1459162
--- Comment #1 from Adam Mariš amaris@redhat.com --- Created jbossweb tracking bugs for this issue:
Affects: openshift-1 [bug 1459162]
Created tomcat tracking bugs for this issue:
Affects: epel-6 [bug 1459161] Affects: fedora-all [bug 1459160]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1459160 [Bug 1459160] CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1459161 [Bug 1459161] CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Adam Mariš amaris@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1459164
Pavel Polischouk pavelp@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=new,rhscl-2/rh-java-common |=new,rhscl-2/rh-java-common |-tomcat=new,jbews-2/tomcat7 |-tomcat=new,jbews-2/tomcat7 |=new,jws-3/tomcat7=new,jws- |=new,jws-3/tomcat7=new,jws- |3/tomcat8=new,eap-6/tomcat7 |3/tomcat8=new,eap-6/tomcat7 |=new,jdg-6/jbossweb=new,jdv |=new,jdg-6/jbossweb=new,jdv |-6/jbossweb=new,eap-6/jboss |-6/jbossweb=notaffected,eap |web=new,fsw-6/jbossweb=new, |-6/jbossweb=new,fsw-6/jboss |fuse-6/jbossweb=new,fuse-6/ |web=wontfix,fuse-6/jbossweb |tomcat7=new,fuse-6/tomcat8= |=new,fuse-6/tomcat7=new,fus |new,jon-3/jbossweb=new,jpp- |e-6/tomcat8=new,jon-3/jboss |6/jbossweb=new,openshift-1/ |web=new,jpp-6/jbossweb=new, |jbossweb=affected,fedora-al |openshift-1/jbossweb=affect |l/tomcat=affected,epel-6/to |ed,fedora-all/tomcat=affect |mcat=affected |ed,epel-6/tomcat=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Yasuhiro Ozone yozone@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |yozone@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=new,rhscl-2/rh-java-common |=affected,rhscl-2/rh-java-c |-tomcat=new,jbews-2/tomcat7 |ommon-tomcat=new,jbews-2/to |=new,jws-3/tomcat7=new,jws- |mcat7=new,jws-3/tomcat7=new |3/tomcat8=new,eap-6/tomcat7 |,jws-3/tomcat8=new,eap-6/to |=new,jdg-6/jbossweb=new,jdv |mcat7=new,jdg-6/jbossweb=ne |-6/jbossweb=notaffected,eap |w,jdv-6/jbossweb=notaffecte |-6/jbossweb=new,fsw-6/jboss |d,eap-6/jbossweb=new,fsw-6/ |web=wontfix,fuse-6/jbossweb |jbossweb=wontfix,fuse-6/jbo |=new,fuse-6/tomcat7=new,fus |ssweb=new,fuse-6/tomcat7=ne |e-6/tomcat8=new,jon-3/jboss |w,fuse-6/tomcat8=new,jon-3/ |web=new,jpp-6/jbossweb=new, |jbossweb=new,jpp-6/jbossweb |openshift-1/jbossweb=affect |=new,openshift-1/jbossweb=a |ed,fedora-all/tomcat=affect |ffected,fedora-all/tomcat=a |ed,epel-6/tomcat=affected |ffected,epel-6/tomcat=affec | |ted
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1459747, 1459746
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=new,jbews-2/to |ommon-tomcat=new,jbews-2/to |mcat7=new,jws-3/tomcat7=new |mcat7=new,jws-3/tomcat7=new |,jws-3/tomcat8=new,eap-6/to |,jws-3/tomcat8=new,jdg-6/jb |mcat7=new,jdg-6/jbossweb=ne |ossweb=new,jdv-6/jbossweb=n |w,jdv-6/jbossweb=notaffecte |otaffected,eap-6/jbossweb=n |d,eap-6/jbossweb=new,fsw-6/ |ew,fsw-6/jbossweb=wontfix,f |jbossweb=wontfix,fuse-6/jbo |use-6/jbossweb=new,fuse-6/t |ssweb=new,fuse-6/tomcat7=ne |omcat7=new,fuse-6/tomcat8=n |w,fuse-6/tomcat8=new,jon-3/ |ew,jon-3/jbossweb=new,jpp-6 |jbossweb=new,jpp-6/jbossweb |/jbossweb=new,openshift-1/j |=new,openshift-1/jbossweb=a |bossweb=affected,fedora-all |ffected,fedora-all/tomcat=a |/tomcat=affected,epel-6/tom |ffected,epel-6/tomcat=affec |cat=affected |ted |
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=new,jbews-2/to |ommon-tomcat=new,jbews-2/to |mcat7=new,jws-3/tomcat7=new |mcat7=affected,jws-3/tomcat |,jws-3/tomcat8=new,jdg-6/jb |7=new,jws-3/tomcat8=new,jdg |ossweb=new,jdv-6/jbossweb=n |-6/jbossweb=new,jdv-6/jboss |otaffected,eap-6/jbossweb=n |web=notaffected,eap-6/jboss |ew,fsw-6/jbossweb=wontfix,f |web=new,fsw-6/jbossweb=wont |use-6/jbossweb=new,fuse-6/t |fix,fuse-6/jbossweb=new,fus |omcat7=new,fuse-6/tomcat8=n |e-6/tomcat7=new,fuse-6/tomc |ew,jon-3/jbossweb=new,jpp-6 |at8=new,jon-3/jbossweb=new, |/jbossweb=new,openshift-1/j |jpp-6/jbossweb=new,openshif |bossweb=affected,fedora-all |t-1/jbossweb=affected,fedor |/tomcat=affected,epel-6/tom |a-all/tomcat=affected,epel- |cat=affected |6/tomcat=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1459752
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=new,jbews-2/to |ommon-tomcat=new,jbews-2/to |mcat7=affected,jws-3/tomcat |mcat7=affected,jws-3/tomcat |7=new,jws-3/tomcat8=new,jdg |7=affected,jws-3/tomcat8=af |-6/jbossweb=new,jdv-6/jboss |fected,jdg-6/jbossweb=new,j |web=notaffected,eap-6/jboss |dv-6/jbossweb=notaffected,e |web=new,fsw-6/jbossweb=wont |ap-6/jbossweb=new,fsw-6/jbo |fix,fuse-6/jbossweb=new,fus |ssweb=wontfix,fuse-6/jbossw |e-6/tomcat7=new,fuse-6/tomc |eb=new,fuse-6/tomcat7=new,f |at8=new,jon-3/jbossweb=new, |use-6/tomcat8=new,jon-3/jbo |jpp-6/jbossweb=new,openshif |ssweb=new,jpp-6/jbossweb=ne |t-1/jbossweb=affected,fedor |w,openshift-1/jbossweb=affe |a-all/tomcat=affected,epel- |cted,fedora-all/tomcat=affe |6/tomcat=affected |cted,epel-6/tomcat=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Apurbita Mukherjee apmukher@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |apmukher@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=new,jbews-2/to |ommon-tomcat=new,jbews-2/to |mcat7=affected,jws-3/tomcat |mcat7=affected,jws-3/tomcat |7=affected,jws-3/tomcat8=af |7=affected,jws-3/tomcat8=af |fected,jdg-6/jbossweb=new,j |fected,jdg-6/jbossweb=new,j |dv-6/jbossweb=notaffected,e |dv-6/jbossweb=notaffected,e |ap-6/jbossweb=new,fsw-6/jbo |ap-6/jbossweb=affected,fsw- |ssweb=wontfix,fuse-6/jbossw |6/jbossweb=wontfix,fuse-6/j |eb=new,fuse-6/tomcat7=new,f |bossweb=new,fuse-6/tomcat7= |use-6/tomcat8=new,jon-3/jbo |new,fuse-6/tomcat8=new,jon- |ssweb=new,jpp-6/jbossweb=ne |3/jbossweb=new,jpp-6/jbossw |w,openshift-1/jbossweb=affe |eb=new,openshift-1/jbossweb |cted,fedora-all/tomcat=affe |=affected,fedora-all/tomcat |cted,epel-6/tomcat=affected |=affected,epel-6/tomcat=aff | |ected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Masanobu Hatanaka mhatanak@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |mhatanak@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Tomas Hoger thoger@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=new,jbews-2/to |ommon-tomcat=notaffected,jb |mcat7=affected,jws-3/tomcat |ews-2/tomcat7=affected,jws- |7=affected,jws-3/tomcat8=af |3/tomcat7=affected,jws-3/to |fected,jdg-6/jbossweb=new,j |mcat8=affected,jdg-6/jbossw |dv-6/jbossweb=notaffected,e |eb=new,jdv-6/jbossweb=notaf |ap-6/jbossweb=affected,fsw- |fected,eap-6/jbossweb=affec |6/jbossweb=wontfix,fuse-6/j |ted,fsw-6/jbossweb=wontfix, |bossweb=new,fuse-6/tomcat7= |fuse-6/jbossweb=new,fuse-6/ |new,fuse-6/tomcat8=new,jon- |tomcat7=new,fuse-6/tomcat8= |3/jbossweb=new,jpp-6/jbossw |new,jon-3/jbossweb=new,jpp- |eb=new,openshift-1/jbossweb |6/jbossweb=new,openshift-1/ |=affected,fedora-all/tomcat |jbossweb=affected,fedora-al |=affected,epel-6/tomcat=aff |l/tomcat=affected,epel-6/to |ected |mcat=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Daniel Murygin dm@sernet.de changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |dm@sernet.de
--- Comment #4 from Daniel Murygin dm@sernet.de --- Is Tomcat 6 affected by this bug? Tomcat 6 is still in the repository of RHEL 6. RHEL. Extended support for RHEL 6 ends in November 2020. Will there be a fix for Tomcat 6 in the RHEL 6 repository?
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1460573
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1460573 [Bug 1460573] (CVE-2017-5664) jbossweb: tomcat: Security constrained bypass in error page mechanism [eap-6.4.15]
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1460635
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=new,jdv-6/jbossweb=notaf |eb=new,jdv-6/jbossweb=notaf |fected,eap-6/jbossweb=affec |fected,eap-6/jbossweb=affec |ted,fsw-6/jbossweb=wontfix, |ted,fsw-6/jbossweb=wontfix, |fuse-6/jbossweb=new,fuse-6/ |fuse-6/jbossweb=new,fuse-6/ |tomcat7=new,fuse-6/tomcat8= |tomcat7=new,fuse-6/tomcat8= |new,jon-3/jbossweb=new,jpp- |new,jon-3/jbossweb=new,jpp- |6/jbossweb=new,openshift-1/ |6/jbossweb=new,openshift-1/ |jbossweb=affected,fedora-al |jbossweb=affected,fedora-al |l/tomcat=affected,epel-6/to |l/tomcat=affected,epel-6/to |mcat=affected |mcat=affected,rhel-6/tomcat | |=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=new,jdv-6/jbossweb=notaf |eb=new,jdv-6/jbossweb=notaf |fected,eap-6/jbossweb=affec |fected,eap-6/jbossweb=affec |ted,fsw-6/jbossweb=wontfix, |ted,fsw-6/jbossweb=wontfix, |fuse-6/jbossweb=new,fuse-6/ |fuse-6/jbossweb=new,fuse-6/ |tomcat7=new,fuse-6/tomcat8= |tomcat7=new,fuse-6/tomcat8= |new,jon-3/jbossweb=new,jpp- |new,jon-3/jbossweb=new,jpp- |6/jbossweb=new,openshift-1/ |6/jbossweb=new,openshift-1/ |jbossweb=affected,fedora-al |jbossweb=affected,fedora-al |l/tomcat=affected,epel-6/to |l/tomcat=affected,epel-6/to |mcat=affected,rhel-6/tomcat |mcat=affected,rhel-6/tomcat |=affected |6=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1461291, 1461292
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #10 from Timothy Walsh twalsh@redhat.com --- This flaw can be triggered for static error pages only if the readonly property is set to false in the $CATALINA_HOME/conf/web.xml file. The default for readonly is true.
If it is necessary to have readonly=false, a jsp error page, for example Error404.jsp should be used.
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #11 from Timothy Walsh twalsh@redhat.com --- Mitigation:
If it is necessary to have the DefaultServlet property readonly=false, a jsp error page, for example Error404.jsp should be used.
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=new,jdv-6/jbossweb=notaf |eb=new,jdv-6/jbossweb=notaf |fected,eap-6/jbossweb=affec |fected,eap-6/jbossweb=affec |ted,fsw-6/jbossweb=wontfix, |ted,fsw-6/jbossweb=wontfix, |fuse-6/jbossweb=new,fuse-6/ |fuse-6/jbossweb=new,fuse-6/ |tomcat7=new,fuse-6/tomcat8= |tomcat7=new,fuse-6/tomcat8= |new,jon-3/jbossweb=new,jpp- |new,jon-3/jbossweb=new,jpp- |6/jbossweb=new,openshift-1/ |6/jbossweb=new,openshift-1/ |jbossweb=affected,fedora-al |jbossweb=affected,fedora-al |l/tomcat=affected,epel-6/to |l/tomcat=affected,epel-6/to |mcat=affected,rhel-6/tomcat |mcat=affected,rhel-6/tomcat |6=affected |6=affected,jbews-2/tomcat6= | |affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1461631
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1446026
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Adam Mariš amaris@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags| |needinfo?(twalsh@redhat.com | |)
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
kat kbost@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |kbost@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=new,jdv-6/jbossweb=notaf |eb=new,jdv-6/jbossweb=notaf |fected,eap-6/jbossweb=affec |fected,eap-6/jbossweb=affec |ted,fsw-6/jbossweb=wontfix, |ted,fsw-6/jbossweb=wontfix, |fuse-6/jbossweb=new,fuse-6/ |fuse-6/jbossweb=new,fuse-6/ |tomcat7=new,fuse-6/tomcat8= |tomcat7=new,fuse-6/tomcat8= |new,jon-3/jbossweb=new,jpp- |new,jon-3/jbossweb=new,jpp- |6/jbossweb=new,openshift-1/ |6/jbossweb=new,openshift-1/ |jbossweb=affected,fedora-al |jbossweb=affected,fedora-al |l/tomcat=affected,epel-6/to |l/tomcat=affected,epel-6/to |mcat=affected,rhel-6/tomcat |mcat=affected,rhel-6/tomcat |6=affected,jbews-2/tomcat6= |6=wontfix,jbews-2/tomcat6=a |affected |ffected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #15 from Doran Moppert dmoppert@redhat.com --- Statement:
This flaw can be triggered for static error pages only if the readonly property for the DefaultServlet is set to false in the $CATALINA_HOME/conf/web.xml file. The default for readonly is true.
Red Hat Enterprise Linux 6 is now in Production 3 Phase of the support and maintenance life cycle. This issue has been rated as having Important security impact and may be updated in future releases. For additional information, refer to the Red Hat Enterprise Linux Life Cycle: https://access.redhat.com/support/policy/updates/errata/.
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=new,jdv-6/jbossweb=notaf |eb=new,jdv-6/jbossweb=notaf |fected,eap-6/jbossweb=affec |fected,eap-6/jbossweb=affec |ted,fsw-6/jbossweb=wontfix, |ted,fsw-6/jbossweb=wontfix, |fuse-6/jbossweb=new,fuse-6/ |fuse-6/jbossweb=new,fuse-6/ |tomcat7=new,fuse-6/tomcat8= |tomcat7=new,fuse-6/tomcat8= |new,jon-3/jbossweb=new,jpp- |new,jon-3/jbossweb=new,jpp- |6/jbossweb=new,openshift-1/ |6/jbossweb=new,openshift-1/ |jbossweb=affected,fedora-al |jbossweb=affected,fedora-al |l/tomcat=affected,epel-6/to |l/tomcat=affected,epel-6/to |mcat=affected,rhel-6/tomcat |mcat=affected,rhel-6/tomcat |6=wontfix,jbews-2/tomcat6=a |6=defer,jbews-2/tomcat6=aff |ffected |ected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(twalsh@redhat.com | |) |
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1446025
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=new,jdv-6/jbossweb=notaf |eb=new,jdv-6/jbossweb=notaf |fected,eap-6/jbossweb=affec |fected,eap-6/jbossweb=affec |ted,fsw-6/jbossweb=wontfix, |ted,fsw-6/jbossweb=wontfix, |fuse-6/jbossweb=new,fuse-6/ |fuse-6/jbossweb=new,fuse-6/ |tomcat7=new,fuse-6/tomcat8= |tomcat7=new,fuse-6/tomcat8= |new,jon-3/jbossweb=new,jpp- |new,jon-3/jbossweb=affected |6/jbossweb=new,openshift-1/ |,jpp-6/jbossweb=new,openshi |jbossweb=affected,fedora-al |ft-1/jbossweb=affected,fedo |l/tomcat=affected,epel-6/to |ra-all/tomcat=affected,epel |mcat=affected,rhel-6/tomcat |-6/tomcat=affected,rhel-6/t |6=defer,jbews-2/tomcat6=aff |omcat6=defer,jbews-2/tomcat |ected |6=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Depends On| |1463611
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=new,jdv-6/jbossweb=notaf |eb=notaffected,jdv-6/jbossw |fected,eap-6/jbossweb=affec |eb=notaffected,eap-6/jbossw |ted,fsw-6/jbossweb=wontfix, |eb=affected,fsw-6/jbossweb= |fuse-6/jbossweb=new,fuse-6/ |wontfix,fuse-6/jbossweb=new |tomcat7=new,fuse-6/tomcat8= |,fuse-6/tomcat7=new,fuse-6/ |new,jon-3/jbossweb=affected |tomcat8=new,jon-3/jbossweb= |,jpp-6/jbossweb=new,openshi |affected,jpp-6/jbossweb=new |ft-1/jbossweb=affected,fedo |,openshift-1/jbossweb=affec |ra-all/tomcat=affected,epel |ted,fedora-all/tomcat=affec |-6/tomcat=affected,rhel-6/t |ted,epel-6/tomcat=affected, |omcat6=defer,jbews-2/tomcat |rhel-6/tomcat6=defer,jbews- |6=affected |2/tomcat6=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=notaffected,jdv-6/jbossw |eb=notaffected,jdv-6/jbossw |eb=notaffected,eap-6/jbossw |eb=notaffected,eap-6/jbossw |eb=affected,fsw-6/jbossweb= |eb=affected,fsw-6/jbossweb= |wontfix,fuse-6/jbossweb=new |wontfix,fuse-6/jbossweb=new |,fuse-6/tomcat7=new,fuse-6/ |,fuse-6/tomcat7=new,fuse-6/ |tomcat8=new,jon-3/jbossweb= |tomcat8=new,jon-3/jbossweb= |affected,jpp-6/jbossweb=new |affected,jpp-6/jbossweb=aff |,openshift-1/jbossweb=affec |ected,openshift-1/jbossweb= |ted,fedora-all/tomcat=affec |affected,fedora-all/tomcat= |ted,epel-6/tomcat=affected, |affected,epel-6/tomcat=affe |rhel-6/tomcat6=defer,jbews- |cted,rhel-6/tomcat6=defer,j |2/tomcat6=affected |bews-2/tomcat6=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=notaffected,jdv-6/jbossw |eb=notaffected,jdv-6/jbossw |eb=notaffected,eap-6/jbossw |eb=notaffected,eap-6/jbossw |eb=affected,fsw-6/jbossweb= |eb=affected,fsw-6/jbossweb= |wontfix,fuse-6/jbossweb=new |wontfix,fuse-6/jbossweb=new |,fuse-6/tomcat7=new,fuse-6/ |,fuse-6/tomcat7=new,fuse-6/ |tomcat8=new,jon-3/jbossweb= |tomcat8=new,jon-3/jbossweb= |affected,jpp-6/jbossweb=aff |affected,jpp-6/jbossweb=aff |ected,openshift-1/jbossweb= |ected,openshift-1/jbossweb= |affected,fedora-all/tomcat= |defer,fedora-all/tomcat=aff |affected,epel-6/tomcat=affe |ected,epel-6/tomcat=affecte |cted,rhel-6/tomcat6=defer,j |d,rhel-6/tomcat6=defer,jbew |bews-2/tomcat6=affected |s-2/tomcat6=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=notaffected,jdv-6/jbossw |eb=notaffected,jdv-6/jbossw |eb=notaffected,eap-6/jbossw |eb=notaffected,eap-6/jbossw |eb=affected,fsw-6/jbossweb= |eb=affected,fsw-6/jbossweb= |wontfix,fuse-6/jbossweb=new |wontfix,fuse-6/jbossweb=new |,fuse-6/tomcat7=new,fuse-6/ |,fuse-6/tomcat7=new,fuse-6/ |tomcat8=new,jon-3/jbossweb= |tomcat8=new,jon-3/jbossweb= |affected,jpp-6/jbossweb=aff |affected,jpp-6/jbossweb=aff |ected,openshift-1/jbossweb= |ected,openshift-1/jbossweb= |defer,fedora-all/tomcat=aff |defer,fedora-all/tomcat=aff |ected,epel-6/tomcat=affecte |ected,epel-6/tomcat=affecte |d,rhel-6/tomcat6=defer,jbew |d,rhel-6/tomcat6=affected,j |s-2/tomcat6=affected |bews-2/tomcat6=affected Flags| |needinfo?(twalsh@redhat.com | |)
--- Doc Text *updated* --- A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.
--- Comment #20 from Doran Moppert dmoppert@redhat.com --- Tim, is this doctext accurate?
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |dmoppert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Flags|needinfo?(twalsh@redhat.com | |) |
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Doc Text *updated* by Eric Christensen sparks@redhat.com --- A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page.
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Eric Christensen sparks@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- CC| |sparks@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=1459158 Bug 1459158 depends on bug 1459161, which changed state.
Bug 1459161 Summary: CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism [epel-6] https://bugzilla.redhat.com/show_bug.cgi?id=1459161
What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=1459158 Bug 1459158 depends on bug 1459160, which changed state.
Bug 1459160 Summary: CVE-2017-5664 tomcat: Security constrained bypass in error page mechanism [fedora-all] https://bugzilla.redhat.com/show_bug.cgi?id=1459160
What |Removed |Added ---------------------------------------------------------------------------- Status|ON_QA |CLOSED Resolution|--- |ERRATA
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #22 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Web Server 3 for RHEL 7 Red Hat JBoss Web Server 3 for RHEL 6
Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #23 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Text-Only Advisories for JWS
Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #24 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:1809 https://access.redhat.com/errata/RHSA-2017:1809
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=notaffected,jdv-6/jbossw |eb=notaffected,jdv-6/jbossw |eb=notaffected,eap-6/jbossw |eb=notaffected,eap-6/jbossw |eb=affected,fsw-6/jbossweb= |eb=affected,fsw-6/jbossweb= |wontfix,fuse-6/jbossweb=new |wontfix,fuse-6/jbossweb=new |,fuse-6/tomcat7=new,fuse-6/ |,fuse-6/tomcat7=new,fuse-6/ |tomcat8=new,jon-3/jbossweb= |tomcat8=new,jon-3/jbossweb= |affected,jpp-6/jbossweb=aff |notaffected,jpp-6/jbossweb= |ected,openshift-1/jbossweb= |affected,openshift-1/jbossw |defer,fedora-all/tomcat=aff |eb=defer,fedora-all/tomcat= |ected,epel-6/tomcat=affecte |affected,epel-6/tomcat=affe |d,rhel-6/tomcat6=affected,j |cted,rhel-6/tomcat6=affecte |bews-2/tomcat6=affected |d,jbews-2/tomcat6=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,rhel-7/tomcat |=affected,rhscl-2/rh-java-c |=affected,rhscl-2/rh-java-c |ommon-tomcat=notaffected,jb |ommon-tomcat=notaffected,jb |ews-2/tomcat7=affected,jws- |ews-2/tomcat7=affected,jws- |3/tomcat7=affected,jws-3/to |3/tomcat7=affected,jws-3/to |mcat8=affected,jdg-6/jbossw |mcat8=affected,jdg-6/jbossw |eb=notaffected,jdv-6/jbossw |eb=notaffected,jdv-6/jbossw |eb=notaffected,eap-6/jbossw |eb=notaffected,eap-6/jbossw |eb=affected,fsw-6/jbossweb= |eb=affected,fsw-6/jbossweb= |wontfix,fuse-6/jbossweb=new |wontfix,fuse-6/jbossweb=new |,fuse-6/tomcat7=new,fuse-6/ |,fuse-6/tomcat7=new,fuse-6/ |tomcat8=new,jon-3/jbossweb= |tomcat8=new,jon-3/jbossweb= |notaffected,jpp-6/jbossweb= |wontfix,jpp-6/jbossweb=affe |affected,openshift-1/jbossw |cted,openshift-1/jbossweb=d |eb=defer,fedora-all/tomcat= |efer,fedora-all/tomcat=affe |affected,epel-6/tomcat=affe |cted,epel-6/tomcat=affected |cted,rhel-6/tomcat6=affecte |,rhel-6/tomcat6=affected,jb |d,jbews-2/tomcat6=affected |ews-2/tomcat6=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Richa rmarwaha@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1479475
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1479475 [Bug 1479475] EWS 2.1.1 Bundle-1 2017 BZ
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Pedro Sampaio psampaio@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1482229
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #25 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2017:2494 https://access.redhat.com/errata/RHSA-2017:2494
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #26 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Red Hat JBoss Enterprise Web Server 2 for RHEL 7
Via RHSA-2017:2493 https://access.redhat.com/errata/RHSA-2017:2493
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Jason Shepherd jshepherd@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,rhel-7/tomcat |U/C:N/I:H/A:N,cwe=CWE-501,r |=affected,rhscl-2/rh-java-c |hel-7/tomcat=affected,rhscl |ommon-tomcat=notaffected,jb |-2/rh-java-common-tomcat=no |ews-2/tomcat7=affected,jws- |taffected,jbews-2/tomcat7=a |3/tomcat7=affected,jws-3/to |ffected,jws-3/tomcat7=affec |mcat8=affected,jdg-6/jbossw |ted,jws-3/tomcat8=affected, |eb=notaffected,jdv-6/jbossw |jdg-6/jbossweb=notaffected, |eb=notaffected,eap-6/jbossw |jdv-6/jbossweb=notaffected, |eb=affected,fsw-6/jbossweb= |eap-6/jbossweb=affected,fsw |wontfix,fuse-6/jbossweb=new |-6/jbossweb=wontfix,fuse-6/ |,fuse-6/tomcat7=new,fuse-6/ |jbossweb=new,fuse-6/tomcat7 |tomcat8=new,jon-3/jbossweb= |=new,fuse-6/tomcat8=new,jon |wontfix,jpp-6/jbossweb=affe |-3/jbossweb=wontfix,jpp-6/j |cted,openshift-1/jbossweb=d |bossweb=affected,openshift- |efer,fedora-all/tomcat=affe |1/jbossweb=defer,fedora-all |cted,epel-6/tomcat=affected |/tomcat=affected,epel-6/tom |,rhel-6/tomcat6=affected,jb |cat=affected,rhel-6/tomcat6 |ews-2/tomcat6=affected |=affected,jbews-2/tomcat6=a | |ffected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Bharti Kundal bkundal@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Blocks| |1485997
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,cwe=CWE-501,r |U/C:N/I:H/A:N,cwe=CWE-501,r |hel-7/tomcat=affected,rhscl |hel-7/tomcat=affected,rhscl |-2/rh-java-common-tomcat=no |-2/rh-java-common-tomcat=no |taffected,jbews-2/tomcat7=a |taffected,jbews-2/tomcat7=a |ffected,jws-3/tomcat7=affec |ffected,jws-3/tomcat7=affec |ted,jws-3/tomcat8=affected, |ted,jws-3/tomcat8=affected, |jdg-6/jbossweb=notaffected, |jdg-6/jbossweb=notaffected, |jdv-6/jbossweb=notaffected, |jdv-6/jbossweb=notaffected, |eap-6/jbossweb=affected,fsw |eap-6/jbossweb=affected,fsw |-6/jbossweb=wontfix,fuse-6/ |-6/jbossweb=wontfix,fuse-6/ |jbossweb=new,fuse-6/tomcat7 |jbossweb=new,fuse-6/tomcat7 |=new,fuse-6/tomcat8=new,jon |=new,fuse-6/tomcat8=new,jon |-3/jbossweb=wontfix,jpp-6/j |-3/jbossweb=wontfix,jpp-6/j |bossweb=affected,openshift- |bossweb=affected,openshift- |1/jbossweb=defer,fedora-all |1/jbossweb=affected,fedora- |/tomcat=affected,epel-6/tom |all/tomcat=affected,epel-6/ |cat=affected,rhel-6/tomcat6 |tomcat=affected,rhel-6/tomc |=affected,jbews-2/tomcat6=a |at6=affected,jbews-2/tomcat |ffected |6=affected
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #27 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2017:2633 https://access.redhat.com/errata/RHSA-2017:2633
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #28 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7
Via RHSA-2017:2636 https://access.redhat.com/errata/RHSA-2017:2636
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #29 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5
Via RHSA-2017:2637 https://access.redhat.com/errata/RHSA-2017:2637
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #30 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2017:2635 https://access.redhat.com/errata/RHSA-2017:2635
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #31 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6
Via RHSA-2017:2638 https://access.redhat.com/errata/RHSA-2017:2638
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Adam Mariš amaris@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,cwe=CWE-501,r |U/C:N/I:H/A:N,cwe=CWE-501,r |hel-7/tomcat=affected,rhscl |hel-7/tomcat=affected,rhscl |-2/rh-java-common-tomcat=no |-2/rh-java-common-tomcat=no |taffected,jbews-2/tomcat7=a |taffected,jbews-2/tomcat7=a |ffected,jws-3/tomcat7=affec |ffected,jws-3/tomcat7=affec |ted,jws-3/tomcat8=affected, |ted,jws-3/tomcat8=affected, |jdg-6/jbossweb=notaffected, |jdg-6/jbossweb=notaffected, |jdv-6/jbossweb=notaffected, |jdv-6/jbossweb=notaffected, |eap-6/jbossweb=affected,fsw |eap-6/jbossweb=affected,fsw |-6/jbossweb=wontfix,fuse-6/ |-6/jbossweb=wontfix,fuse-6/ |jbossweb=new,fuse-6/tomcat7 |jbossweb=new,fuse-6/tomcat7 |=new,fuse-6/tomcat8=new,jon |=new,fuse-6/tomcat8=new,jon |-3/jbossweb=wontfix,jpp-6/j |-3/jbossweb=wontfix,jpp-6/j |bossweb=affected,openshift- |bossweb=affected,openshift- |1/jbossweb=affected,fedora- |1/jbossweb=affected,fedora- |all/tomcat=affected,epel-6/ |all/tomcat=affected,epel-6/ |tomcat=affected,rhel-6/tomc |tomcat=affected,rhel-6/tomc |at6=affected,jbews-2/tomcat |at6=affected,jbews-2/tomcat |6=affected |6=affected,eap-5/jbossweb=n | |ew
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,cwe=CWE-501,r |U/C:N/I:H/A:N,cwe=CWE-501,r |hel-7/tomcat=affected,rhscl |hel-7/tomcat=affected,rhscl |-2/rh-java-common-tomcat=no |-2/rh-java-common-tomcat=no |taffected,jbews-2/tomcat7=a |taffected,jbews-2/tomcat7=a |ffected,jws-3/tomcat7=affec |ffected,jws-3/tomcat7=affec |ted,jws-3/tomcat8=affected, |ted,jws-3/tomcat8=affected, |jdg-6/jbossweb=notaffected, |jdg-6/jbossweb=notaffected, |jdv-6/jbossweb=notaffected, |jdv-6/jbossweb=notaffected, |eap-6/jbossweb=affected,fsw |eap-6/jbossweb=affected,fsw |-6/jbossweb=wontfix,fuse-6/ |-6/jbossweb=wontfix,fuse-6/ |jbossweb=new,fuse-6/tomcat7 |jbossweb=new,fuse-6/tomcat7 |=new,fuse-6/tomcat8=new,jon |=new,fuse-6/tomcat8=new,jon |-3/jbossweb=wontfix,jpp-6/j |-3/jbossweb=wontfix,jpp-6/j |bossweb=affected,openshift- |bossweb=affected,openshift- |1/jbossweb=affected,fedora- |1/jbossweb=affected,fedora- |all/tomcat=affected,epel-6/ |all/tomcat=affected,epel-6/ |tomcat=affected,rhel-6/tomc |tomcat=affected,rhel-6/tomc |at6=affected,jbews-2/tomcat |at6=affected,jbews-2/tomcat |6=affected,eap-5/jbossweb=n |6=affected,eap-5/jbossweb=w |ew |ontfix
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #32 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Via RHSA-2017:3080 https://access.redhat.com/errata/RHSA-2017:3080
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
--- Comment #33 from Doran Moppert dmoppert@redhat.com --- Statement:
This flaw can be triggered for static error pages only if the readonly property for the DefaultServlet is set to false in the $CATALINA_HOME/conf/web.xml file. The default for readonly is true.
https://bugzilla.redhat.com/show_bug.cgi?id=1459158
Andrej Nemec anemec@redhat.com changed:
What |Removed |Added ---------------------------------------------------------------------------- Whiteboard|impact=important,public=201 |impact=important,public=201 |70606,reported=20170606,sou |70606,reported=20170606,sou |rce=internet,cvss3=7.5/CVSS |rce=internet,cvss3=7.5/CVSS |:3.0/AV:N/AC:L/PR:N/UI:N/S: |:3.0/AV:N/AC:L/PR:N/UI:N/S: |U/C:N/I:H/A:N,cwe=CWE-501,r |U/C:N/I:H/A:N,cwe=CWE-266,r |hel-7/tomcat=affected,rhscl |hel-7/tomcat=affected,rhscl |-2/rh-java-common-tomcat=no |-2/rh-java-common-tomcat=no |taffected,jbews-2/tomcat7=a |taffected,jbews-2/tomcat7=a |ffected,jws-3/tomcat7=affec |ffected,jws-3/tomcat7=affec |ted,jws-3/tomcat8=affected, |ted,jws-3/tomcat8=affected, |jdg-6/jbossweb=notaffected, |jdg-6/jbossweb=notaffected, |jdv-6/jbossweb=notaffected, |jdv-6/jbossweb=notaffected, |eap-6/jbossweb=affected,fsw |eap-6/jbossweb=affected,fsw |-6/jbossweb=wontfix,fuse-6/ |-6/jbossweb=wontfix,fuse-6/ |jbossweb=new,fuse-6/tomcat7 |jbossweb=new,fuse-6/tomcat7 |=new,fuse-6/tomcat8=new,jon |=new,fuse-6/tomcat8=new,jon |-3/jbossweb=wontfix,jpp-6/j |-3/jbossweb=wontfix,jpp-6/j |bossweb=affected,openshift- |bossweb=affected,openshift- |1/jbossweb=affected,fedora- |1/jbossweb=affected,fedora- |all/tomcat=affected,epel-6/ |all/tomcat=affected,epel-6/ |tomcat=affected,rhel-6/tomc |tomcat=affected,rhel-6/tomc |at6=affected,jbews-2/tomcat |at6=affected,jbews-2/tomcat |6=affected,eap-5/jbossweb=w |6=affected,eap-5/jbossweb=w |ontfix |ontfix
java-sig-commits@lists.fedoraproject.org
-
bugzilla@redhat.com