Synopsis: Low: tomcat security, bug fix, and enhancement update
Advisory ID: SLSA-2017:2247-1
Issue Date: 2017-08-02
CVE Numbers: CVE-2016-6797
             CVE-2016-6796
             CVE-2016-6794
             CVE-2016-5018
             CVE-2016-0762
--

The following packages have been upgraded to a later upstream version: tomcat (7.0.76).

Security Fix(es):

* The Realm implementations did not process the supplied password if the supplied user name did not exist. The resulting difference in response time made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm, which makes exploitation of this vulnerability harder. (CVE-2016-0762)

* It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications. (CVE-2016-5018)

* It was discovered that when a SecurityManager was configured, Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. (CVE-2016-6794)

* It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. (CVE-2016-6796)

* It was discovered that it was possible for a web application to access any global JNDI resource, whether or not an explicit ResourceLink had been configured for it. (CVE-2016-6797)
--

SL7
  noarch
    tomcat-servlet-3.0-api-7.0.76-2.el7.noarch.rpm
    tomcat-7.0.76-2.el7.noarch.rpm
    tomcat-admin-webapps-7.0.76-2.el7.noarch.rpm
    tomcat-docs-webapp-7.0.76-2.el7.noarch.rpm
    tomcat-el-2.2-api-7.0.76-2.el7.noarch.rpm
    tomcat-javadoc-7.0.76-2.el7.noarch.rpm
    tomcat-jsp-2.2-api-7.0.76-2.el7.noarch.rpm
    tomcat-jsvc-7.0.76-2.el7.noarch.rpm
    tomcat-lib-7.0.76-2.el7.noarch.rpm
    tomcat-webapps-7.0.76-2.el7.noarch.rpm

- Scientific Linux Development Team
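The check a practitioner wants from an advisory like this is whether the tomcat build installed on a host is at or above the fixed build, here tomcat-7.0.76-2.el7. The following is an added example, not part of the Scientific Linux advisory text or of any distribution tooling: it compares a version/release pair against the fixed build using version-aware ordering. It assumes GNU sort (for `-V`); the package strings in SAMPLES are constructed to stand in for `rpm -q tomcat` output from several hosts.

```shell
#!/bin/sh
# Added example, not part of the SLSA-2017:2247-1 advisory: decide whether an
# installed tomcat package is at or above the fixed build 7.0.76-2.el7.
# Assumes GNU sort (version-aware -V ordering). The sample package strings
# below are constructed for illustration.

FIXED_VERSION="7.0.76"
FIXED_RELEASE="2.el7"

# version_ge A B: exit 0 when A sorts at or after B in version order.
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | tail -n 1)" = "$1" ]
}

# tomcat_fixed VERSION RELEASE: exit 0 when VERSION-RELEASE >= 7.0.76-2.el7.
# On a real host obtain the two fields with:
#   rpm -q --queryformat '%{VERSION} %{RELEASE}\n' tomcat
tomcat_fixed() {
    ver="$1"
    rel="$2"
    if [ "$ver" != "$FIXED_VERSION" ]; then
        # Different upstream version: the version number alone decides.
        version_ge "$ver" "$FIXED_VERSION"
    else
        # Same upstream version: the build release decides (1.el7 < 2.el7).
        version_ge "$rel" "$FIXED_RELEASE"
    fi
}

# nvra_fixed tomcat-VERSION-RELEASE.ARCH: same decision for the plain
# "rpm -q tomcat" output format (the arch suffix must be present, as rpm prints it).
nvra_fixed() {
    nvr="${1%.*}"          # drop ".noarch" / ".x86_64"
    vr="${nvr#tomcat-}"    # drop the package name
    tomcat_fixed "${vr%-*}" "${vr##*-}"
}

# Constructed sample lines standing in for "rpm -q tomcat" on several hosts.
SAMPLES="tomcat-7.0.54-8.el7.noarch
tomcat-7.0.76-1.el7.noarch
tomcat-7.0.76-2.el7.noarch
tomcat-7.0.76-3.el7_4.noarch"

echo "$SAMPLES" | while read -r pkg; do
    if nvra_fixed "$pkg"; then
        echo "OK         $pkg"
    else
        echo "VULNERABLE $pkg (upgrade to tomcat-${FIXED_VERSION}-${FIXED_RELEASE})"
    fi
done
```

Only the first two constructed samples report VULNERABLE; 7.0.76-3.el7_4 is a later build of the same upstream version and passes. The comparison is against this advisory's fixed build only; a package from a different distribution with a backported fix under a different version string would need its own advisory consulted.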