Medium: tomcat6

2016-03-1016:30:00

alas.aws.amazon.com

7.8 High

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:N/I:N/A:C

0.073 Low

EPSS

Percentile

94.1%

JSON

Issue Overview:

It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections. (CVE-2014-7810)

It was found that Tomcat would keep connections open after processing requests with a large enough request body. A remote attacker could potentially use this flaw to exhaust the pool of available connections and preventing further, legitimate connections to the Tomcat server to be made. (CVE-2014-0230)

Affected Packages:

tomcat6

Issue Correction:
Run yum update tomcat6 to update your system.

New Packages:

noarch:  
    tomcat6-el-2.1-api-6.0.44-1.3.amzn1.noarch  
    tomcat6-6.0.44-1.3.amzn1.noarch  
    tomcat6-lib-6.0.44-1.3.amzn1.noarch  
    tomcat6-servlet-2.5-api-6.0.44-1.3.amzn1.noarch  
    tomcat6-admin-webapps-6.0.44-1.3.amzn1.noarch  
    tomcat6-javadoc-6.0.44-1.3.amzn1.noarch  
    tomcat6-jsp-2.1-api-6.0.44-1.3.amzn1.noarch  
    tomcat6-webapps-6.0.44-1.3.amzn1.noarch  
    tomcat6-docs-webapp-6.0.44-1.3.amzn1.noarch  
  
src:  
    tomcat6-6.0.44-1.3.amzn1.src

Additional References

Red Hat: CVE-2014-0230, CVE-2014-7810

Mitre: CVE-2014-0230, CVE-2014-7810

OSVersionArchitecturePackageVersionFilename
Amazon Linux1noarchtomcat6-el-2.1-api< 6.0.44-1.3.amzn1tomcat6-el-2.1-api-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux1noarchtomcat6< 6.0.44-1.3.amzn1tomcat6-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux1noarchtomcat6-lib< 6.0.44-1.3.amzn1tomcat6-lib-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux1noarchtomcat6-servlet-2.5-api< 6.0.44-1.3.amzn1tomcat6-servlet-2.5-api-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux1noarchtomcat6-admin-webapps< 6.0.44-1.3.amzn1tomcat6-admin-webapps-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux1noarchtomcat6-javadoc< 6.0.44-1.3.amzn1tomcat6-javadoc-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux1noarchtomcat6-jsp-2.1-api< 6.0.44-1.3.amzn1tomcat6-jsp-2.1-api-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux1noarchtomcat6-webapps< 6.0.44-1.3.amzn1tomcat6-webapps-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux1noarchtomcat6-docs-webapp< 6.0.44-1.3.amzn1tomcat6-docs-webapp-6.0.44-1.3.amzn1.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	1	noarch	tomcat6-el-2.1-api	< 6.0.44-1.3.amzn1	tomcat6-el-2.1-api-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat6	< 6.0.44-1.3.amzn1	tomcat6-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat6-lib	< 6.0.44-1.3.amzn1	tomcat6-lib-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat6-servlet-2.5-api	< 6.0.44-1.3.amzn1	tomcat6-servlet-2.5-api-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat6-admin-webapps	< 6.0.44-1.3.amzn1	tomcat6-admin-webapps-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat6-javadoc	< 6.0.44-1.3.amzn1	tomcat6-javadoc-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat6-jsp-2.1-api	< 6.0.44-1.3.amzn1	tomcat6-jsp-2.1-api-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat6-webapps	< 6.0.44-1.3.amzn1	tomcat6-webapps-6.0.44-1.3.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat6-docs-webapp	< 6.0.44-1.3.amzn1	tomcat6-docs-webapp-6.0.44-1.3.amzn1.noarch.rpm