Security update for tomcat

Announcement ID:	SUSE-SU-2017:1660-1
Rating:	important
References:	bsc#1007853 bsc#1007854 bsc#1007855 bsc#1007857 bsc#1007858 bsc#1011805 bsc#1011812 bsc#1015119 bsc#1033447 bsc#1033448 bsc#986359 bsc#988489
Cross-References:	CVE-2016-0762 CVE-2016-3092 CVE-2016-5018 CVE-2016-5388 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 CVE-2016-6816 CVE-2016-8735 CVE-2016-8745 CVE-2017-5647 CVE-2017-5648
CVSS scores:	CVE-2016-0762 ( NVD ): 5.9 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-0762 ( NVD ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-3092 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-3092 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2016-5018 ( NVD ): 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N CVE-2016-5018 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2016-5388 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-6794 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2016-6794 ( NVD ): 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVE-2016-6796 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2016-6796 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N CVE-2016-6797 ( NVD ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-6797 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2016-6816 ( NVD ): 7.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L CVE-2016-8735 ( NVD ): 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2016-8745 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2017-5647 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2017-5647 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVE-2017-5648 ( NVD ): 9.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Affected Products:	SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server 12 LTSS 12 SUSE Linux Enterprise Server for SAP Applications 12

An update that solves 12 vulnerabilities can now be installed.

Description:

Tomcat was updated to version 7.0.78, fixing various bugs and security issues.

For full details see https://tomcat.apache.org/tomcat-7.0-doc/changelog.html

Security issues fixed:

• CVE-2016-0762: A realm timing attack in tomcat was fixed which could disclose existence of users (bsc#1007854)
• CVE-2016-3092: Usage of vulnerable FileUpload package could have resulted in denial of service (bsc#986359)
• CVE-2016-5018: A security manager bypass via a Tomcat utility method that was accessible to web applications was fixed. (bsc#1007855)
• CVE-2016-5388: Setting HTTP_PROXY environment variable via Proxy header (bsc#988489)
• CVE-2016-6794: A tomcat system property disclosure was fixed. (bsc#1007857)
• CVE-2016-6796: A tomcat security manager bypass via manipulation of the configuration parameters for the JSP Servlet. (bsc#1007858)
• CVE-2016-6797: A tomcat unrestricted access to global resources via ResourceLinkFactory was fixed. (bsc#1007853)
• CVE-2016-6816: A HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests was fixed. (bsc#1011812)
• CVE-2016-8735: A Remote code execution vulnerability in JmxRemoteLifecycleListener was fixed (bsc#1011805)
• CVE-2016-8745: A Tomcat Information Disclosure in the error handling of send file code for the NIO HTTP connector was fixed. (bsc#1015119)
• CVE-2017-5647: A tomcat information disclosure in pipelined request processing was fixed. (bsc#1033448)
• CVE-2017-5648: A tomcat information disclosure due to using incorrect facade objects was fixed (bsc#1033447)

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Linux Enterprise Server for SAP Applications 12
  zypper in -t patch SUSE-SLE-SAP-12-2017-1027=1
• SUSE Linux Enterprise Server 12 LTSS 12
  zypper in -t patch SUSE-SLE-SERVER-12-2017-1027=1

Package List:

• SUSE Linux Enterprise Server for SAP Applications 12 (noarch)
  • tomcat-servlet-3_0-api-7.0.78-7.13.4
  • tomcat-jsp-2_2-api-7.0.78-7.13.4
  • tomcat-javadoc-7.0.78-7.13.4
  • tomcat-el-2_2-api-7.0.78-7.13.4
  • tomcat-admin-webapps-7.0.78-7.13.4
  • tomcat-7.0.78-7.13.4
  • tomcat-webapps-7.0.78-7.13.4
  • tomcat-lib-7.0.78-7.13.4
  • tomcat-docs-webapp-7.0.78-7.13.4
• SUSE Linux Enterprise Server 12 LTSS 12 (noarch)
  • tomcat-servlet-3_0-api-7.0.78-7.13.4
  • tomcat-jsp-2_2-api-7.0.78-7.13.4
  • tomcat-el-2_2-api-7.0.78-7.13.4
  • tomcat-javadoc-7.0.78-7.13.4
  • tomcat-admin-webapps-7.0.78-7.13.4
  • tomcat-7.0.78-7.13.4
  • tomcat-webapps-7.0.78-7.13.4
  • tomcat-lib-7.0.78-7.13.4
  • tomcat-docs-webapp-7.0.78-7.13.4

References:

• https://www.suse.com/security/cve/CVE-2016-0762.html
• https://www.suse.com/security/cve/CVE-2016-3092.html
• https://www.suse.com/security/cve/CVE-2016-5018.html
• https://www.suse.com/security/cve/CVE-2016-5388.html
• https://www.suse.com/security/cve/CVE-2016-6794.html
• https://www.suse.com/security/cve/CVE-2016-6796.html
• https://www.suse.com/security/cve/CVE-2016-6797.html
• https://www.suse.com/security/cve/CVE-2016-6816.html
• https://www.suse.com/security/cve/CVE-2016-8735.html
• https://www.suse.com/security/cve/CVE-2016-8745.html
• https://www.suse.com/security/cve/CVE-2017-5647.html
• https://www.suse.com/security/cve/CVE-2017-5648.html
• https://bugzilla.suse.com/show_bug.cgi?id=1007853
• https://bugzilla.suse.com/show_bug.cgi?id=1007854
• https://bugzilla.suse.com/show_bug.cgi?id=1007855
• https://bugzilla.suse.com/show_bug.cgi?id=1007857
• https://bugzilla.suse.com/show_bug.cgi?id=1007858
• https://bugzilla.suse.com/show_bug.cgi?id=1011805
• https://bugzilla.suse.com/show_bug.cgi?id=1011812
• https://bugzilla.suse.com/show_bug.cgi?id=1015119
• https://bugzilla.suse.com/show_bug.cgi?id=1033447
• https://bugzilla.suse.com/show_bug.cgi?id=1033448
• https://bugzilla.suse.com/show_bug.cgi?id=986359
• https://bugzilla.suse.com/show_bug.cgi?id=988489