Low: tomcat7

2018-02-0717:13:00

alas.aws.amazon.com

5 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:L/Au:N/C:N/I:P/A:N

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

0.005 Low

EPSS

Percentile

75.3%

JSON

Issue Overview:

Incorrect documentation of CGI Servlet search algorithm may lead to misconfiguration:
As part of the fix for bug 61201, the documentation for Apache Tomcat included an updated description of the search algorithm used by the CGI Servlet to identify which script to execute. The update was not correct. As a result, some scripts may have failed to execute as expected and other scripts may have been executed unexpectedly. Note that the behaviour of the CGI servlet has remained unchanged in this regard. It is only the documentation of the behaviour that was wrong and has been corrected. (CVE-2017-15706)

Affected Packages:

tomcat7

Issue Correction:
Run yum update tomcat7 to update your system.

New Packages:

noarch:  
    tomcat7-javadoc-7.0.84-1.31.amzn1.noarch  
    tomcat7-el-2.2-api-7.0.84-1.31.amzn1.noarch  
    tomcat7-webapps-7.0.84-1.31.amzn1.noarch  
    tomcat7-7.0.84-1.31.amzn1.noarch  
    tomcat7-docs-webapp-7.0.84-1.31.amzn1.noarch  
    tomcat7-log4j-7.0.84-1.31.amzn1.noarch  
    tomcat7-admin-webapps-7.0.84-1.31.amzn1.noarch  
    tomcat7-lib-7.0.84-1.31.amzn1.noarch  
    tomcat7-servlet-3.0-api-7.0.84-1.31.amzn1.noarch  
    tomcat7-jsp-2.2-api-7.0.84-1.31.amzn1.noarch  
  
src:  
    tomcat7-7.0.84-1.31.amzn1.src

Additional References

Red Hat: CVE-2017-15706

Mitre: CVE-2017-15706

OSVersionArchitecturePackageVersionFilename
Amazon Linux1noarchtomcat7-javadoc< 7.0.84-1.31.amzn1tomcat7-javadoc-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux1noarchtomcat7-el-2.2-api< 7.0.84-1.31.amzn1tomcat7-el-2.2-api-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux1noarchtomcat7-webapps< 7.0.84-1.31.amzn1tomcat7-webapps-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux1noarchtomcat7< 7.0.84-1.31.amzn1tomcat7-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux1noarchtomcat7-docs-webapp< 7.0.84-1.31.amzn1tomcat7-docs-webapp-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux1noarchtomcat7-log4j< 7.0.84-1.31.amzn1tomcat7-log4j-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux1noarchtomcat7-admin-webapps< 7.0.84-1.31.amzn1tomcat7-admin-webapps-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux1noarchtomcat7-lib< 7.0.84-1.31.amzn1tomcat7-lib-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux1noarchtomcat7-servlet-3.0-api< 7.0.84-1.31.amzn1tomcat7-servlet-3.0-api-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux1noarchtomcat7-jsp-2.2-api< 7.0.84-1.31.amzn1tomcat7-jsp-2.2-api-7.0.84-1.31.amzn1.noarch.rpm

OS	Version	Architecture	Package	Version	Filename
Amazon Linux	1	noarch	tomcat7-javadoc	< 7.0.84-1.31.amzn1	tomcat7-javadoc-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat7-el-2.2-api	< 7.0.84-1.31.amzn1	tomcat7-el-2.2-api-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat7-webapps	< 7.0.84-1.31.amzn1	tomcat7-webapps-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat7	< 7.0.84-1.31.amzn1	tomcat7-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat7-docs-webapp	< 7.0.84-1.31.amzn1	tomcat7-docs-webapp-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat7-log4j	< 7.0.84-1.31.amzn1	tomcat7-log4j-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat7-admin-webapps	< 7.0.84-1.31.amzn1	tomcat7-admin-webapps-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat7-lib	< 7.0.84-1.31.amzn1	tomcat7-lib-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat7-servlet-3.0-api	< 7.0.84-1.31.amzn1	tomcat7-servlet-3.0-api-7.0.84-1.31.amzn1.noarch.rpm
Amazon Linux	1	noarch	tomcat7-jsp-2.2-api	< 7.0.84-1.31.amzn1	tomcat7-jsp-2.2-api-7.0.84-1.31.amzn1.noarch.rpm