pepelyaevip/vuln-list-alt
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
vuln-list-alt/oval/c10f1/ALT-PU-2017-2558/definitions.json

303 lines
16 KiB
JSON
Raw Normal View History

ALT Vulnerability
2024-06-28 13:17:52 +00:00
{
"Definition": [
{
"ID": "oval:org.altlinux.errata:def:20172558",
"Version": "oval:org.altlinux.errata:def:20172558",
"Class": "patch",
"Metadata": {
"Title": "ALT-PU-2017-2558: package `tomcat` update to version 8.0.43-alt1_1jpp8",
"AffectedList": [
{
"Family": "unix",
"Platforms": [
"ALT Linux branch c10f1"
],
"Products": [
"ALT SP Workstation",
"ALT SP Server"
]
}
],
"References": [
{
"RefID": "ALT-PU-2017-2558",
"RefURL": "https://errata.altlinux.org/ALT-PU-2017-2558",
"Source": "ALTPU"
},
{
"RefID": "BDU:2016-01698",
"RefURL": "https://bdu.fstec.ru/vul/2016-01698",
"Source": "BDU"
},
{
"RefID": "BDU:2017-01545",
"RefURL": "https://bdu.fstec.ru/vul/2017-01545",
"Source": "BDU"
},
{
"RefID": "BDU:2022-04494",
"RefURL": "https://bdu.fstec.ru/vul/2022-04494",
"Source": "BDU"
},
{
"RefID": "CVE-2016-0762",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-0762",
"Source": "CVE"
},
{
"RefID": "CVE-2016-3092",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-3092",
"Source": "CVE"
},
{
"RefID": "CVE-2016-5018",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-5018",
"Source": "CVE"
},
{
"RefID": "CVE-2016-6794",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-6794",
"Source": "CVE"
},
{
"RefID": "CVE-2016-6796",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-6796",
"Source": "CVE"
},
{
"RefID": "CVE-2016-6797",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-6797",
"Source": "CVE"
},
{
"RefID": "CVE-2016-6816",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-6816",
"Source": "CVE"
},
{
"RefID": "CVE-2016-8735",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-8735",
"Source": "CVE"
},
{
"RefID": "CVE-2016-8745",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2016-8745",
"Source": "CVE"
},
{
"RefID": "CVE-2017-5647",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-5647",
"Source": "CVE"
},
{
"RefID": "CVE-2017-5648",
"RefURL": "https://nvd.nist.gov/vuln/detail/CVE-2017-5648",
"Source": "CVE"
}
],
"Description": "This update upgrades tomcat to version 8.0.43-alt1_1jpp8. \nSecurity Fix(es):\n\n * BDU:2016-01698: Уязвимость библиотеки Сommons FileUpload, позволяющая нарушителю вызвать отказ в обслуживании\n\n * BDU:2017-01545: Уязвимость сервера приложений Apache Tomcat, позволяющая нарушителю выполнить произвольный код\n\n * BDU:2022-04494: Уязвимость реализации Realm сервера приложений Apache Tomcat, связанная с раскрытием информации через несоответствие, позволяющая нарушителю определить все существующие имена пользователей\n\n * CVE-2016-0762: The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.\n\n * CVE-2016-3092: The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.\n\n * CVE-2016-5018: In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.\n\n * CVE-2016-6794: When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.\n\n * CVE-2016-6796: A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.\n\n * CVE-2016-6797: The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.\n\n * CVE-2016-6816: The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other then their own.\n\n * CVE-2016-8735: Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.\n\n * CVE-2016-8745: A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9
"Advisory": {
"From": "errata.altlinux.org",
"Severity": "Critical",
"Rights": "Copyright 2024 BaseALT Ltd.",
"Issued": {
"Date": "2017-11-01"
},
"Updated": {
"Date": "2017-11-01"
},
"BDUs": [
{
"ID": "BDU:2016-01698",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"CWE": "CWE-20",
"Href": "https://bdu.fstec.ru/vul/2016-01698",
"Impact": "High",
"Public": "20160705"
},
{
"ID": "BDU:2017-01545",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CWE": "CWE-284",
"Href": "https://bdu.fstec.ru/vul/2017-01545",
"Impact": "High",
"Public": "20170407"
},
{
"ID": "BDU:2022-04494",
"CVSS": "AV:N/AC:H/Au:N/C:C/I:N/A:N",
"CVSS3": "AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-203",
"Href": "https://bdu.fstec.ru/vul/2022-04494",
"Impact": "Low",
"Public": "20160202"
}
],
"CVEs": [
{
"ID": "CVE-2016-0762",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-203",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-0762",
"Impact": "Low",
"Public": "20170810"
},
{
"ID": "CVE-2016-3092",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:N/A:C",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"CWE": "CWE-20",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-3092",
"Impact": "High",
"Public": "20160704"
},
{
"ID": "CVE-2016-5018",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-5018",
"Impact": "Critical",
"Public": "20170810"
},
{
"ID": "CVE-2016-6794",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-6794",
"Impact": "Low",
"Public": "20170810"
},
{
"ID": "CVE-2016-6796",
"CVSS": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-6796",
"Impact": "High",
"Public": "20170811"
},
{
"ID": "CVE-2016-6797",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-863",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-6797",
"Impact": "High",
"Public": "20170810"
},
{
"ID": "CVE-2016-6816",
"CVSS": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
"CWE": "CWE-20",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-6816",
"Impact": "High",
"Public": "20170320"
},
{
"ID": "CVE-2016-8735",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
"CVSS3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"CWE": "NVD-CWE-noinfo",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-8735",
"Impact": "Critical",
"Public": "20170406"
},
{
"ID": "CVE-2016-8745",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-388",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2016-8745",
"Impact": "High",
"Public": "20170810"
},
{
"ID": "CVE-2017-5647",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:N/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"CWE": "CWE-200",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-5647",
"Impact": "High",
"Public": "20170417"
},
{
"ID": "CVE-2017-5648",
"CVSS": "AV:N/AC:L/Au:N/C:P/I:P/A:N",
"CVSS3": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"CWE": "CWE-668",
"Href": "https://nvd.nist.gov/vuln/detail/CVE-2017-5648",
"Impact": "Critical",
"Public": "20170417"
}
],
"AffectedCPEs": {
"CPEs": [
"cpe:/o:alt:spworkstation:10",
"cpe:/o:alt:spserver:10"
]
}
}
},
"Criteria": {
"Operator": "AND",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:4001",
"Comment": "ALT Linux must be installed"
}
],
"Criterias": [
{
"Operator": "OR",
"Criterions": [
{
"TestRef": "oval:org.altlinux.errata:tst:20172558001",
"Comment": "tomcat is earlier than 1:8.0.43-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172558002",
"Comment": "tomcat-admin-webapps is earlier than 1:8.0.43-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172558003",
"Comment": "tomcat-docs-webapp is earlier than 1:8.0.43-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172558004",
"Comment": "tomcat-el-3.0-api is earlier than 1:8.0.43-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172558005",
"Comment": "tomcat-javadoc is earlier than 1:8.0.43-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172558006",
"Comment": "tomcat-jsp-2.3-api is earlier than 1:8.0.43-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172558007",
"Comment": "tomcat-jsvc is earlier than 1:8.0.43-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172558008",
"Comment": "tomcat-lib is earlier than 1:8.0.43-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172558009",
"Comment": "tomcat-servlet-3.1-api is earlier than 1:8.0.43-alt1_1jpp8"
},
{
"TestRef": "oval:org.altlinux.errata:tst:20172558010",
"Comment": "tomcat-webapps is earlier than 1:8.0.43-alt1_1jpp8"
}
]
}
]
}
}
]
}
Reference in New Issue Copy Permalink