tomcat-8.0.36-3.3 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2024:10446 Final 1 1 2024-06-17T21:45:33Z current 2024-06-17T21:45:33Z 2024-06-17T21:45:33Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z tomcat-8.0.36-3.3 on GA media These are all security issues fixed in the tomcat-8.0.36-3.3 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2024-10446 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) E-Mail link for openSUSE-SU-2024:10446 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2013-1976/ SUSE CVE CVE-2013-1976 page https://www.suse.com/security/cve/CVE-2014-0050/ SUSE CVE CVE-2014-0050 page https://www.suse.com/security/cve/CVE-2015-5174/ SUSE CVE CVE-2015-5174 page https://www.suse.com/security/cve/CVE-2015-5345/ SUSE CVE CVE-2015-5345 page https://www.suse.com/security/cve/CVE-2015-5346/ SUSE CVE CVE-2015-5346 page https://www.suse.com/security/cve/CVE-2015-5351/ SUSE CVE CVE-2015-5351 page https://www.suse.com/security/cve/CVE-2016-0706/ SUSE CVE CVE-2016-0706 page https://www.suse.com/security/cve/CVE-2016-0714/ SUSE CVE CVE-2016-0714 page https://www.suse.com/security/cve/CVE-2016-0763/ SUSE CVE CVE-2016-0763 page https://www.suse.com/security/cve/CVE-2016-3092/ SUSE CVE CVE-2016-3092 page openSUSE Tumbleweed tomcat-8.0.36-3.3 tomcat-admin-webapps-8.0.36-3.3 tomcat-docs-webapp-8.0.36-3.3 tomcat-el-3_0-api-8.0.36-3.3 tomcat-embed-8.0.36-3.3 tomcat-javadoc-8.0.36-3.3 tomcat-jsp-2_3-api-8.0.36-3.3 tomcat-jsvc-8.0.36-3.3 tomcat-lib-8.0.36-3.3 tomcat-servlet-3_1-api-8.0.36-3.3 tomcat-webapps-8.0.36-3.3 tomcat-8.0.36-3.3 as a component of openSUSE Tumbleweed tomcat-admin-webapps-8.0.36-3.3 as a component of openSUSE Tumbleweed tomcat-docs-webapp-8.0.36-3.3 as a component of openSUSE Tumbleweed tomcat-el-3_0-api-8.0.36-3.3 as a component of openSUSE Tumbleweed tomcat-embed-8.0.36-3.3 as a component of openSUSE Tumbleweed tomcat-javadoc-8.0.36-3.3 as a component of openSUSE Tumbleweed tomcat-jsp-2_3-api-8.0.36-3.3 as a component of openSUSE Tumbleweed tomcat-jsvc-8.0.36-3.3 as a component of openSUSE Tumbleweed tomcat-lib-8.0.36-3.3 as a component of openSUSE Tumbleweed tomcat-servlet-3_1-api-8.0.36-3.3 as a component of openSUSE Tumbleweed tomcat-webapps-8.0.36-3.3 as a component of openSUSE Tumbleweed The (1) tomcat5, (2) tomcat6, and (3) tomcat7 init scripts, as used in the RPM distribution of Tomcat for JBoss Enterprise Web Server 1.0.2 and 2.0.0, and Red Hat Enterprise Linux 5 and 6, allow local users to change the ownership of arbitrary files via a symlink attack on (a) tomcat5-initd.log, (b) tomcat6-initd.log, (c) catalina.out, or (d) tomcat7-initd.log. CVE-2013-1976 openSUSE Tumbleweed:tomcat-8.0.36-3.3 openSUSE Tumbleweed:tomcat-admin-webapps-8.0.36-3.3 openSUSE Tumbleweed:tomcat-docs-webapp-8.0.36-3.3 openSUSE Tumbleweed:tomcat-el-3_0-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-embed-8.0.36-3.3 openSUSE Tumbleweed:tomcat-javadoc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsp-2_3-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsvc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-lib-8.0.36-3.3 openSUSE Tumbleweed:tomcat-servlet-3_1-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-webapps-8.0.36-3.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2013-1976.html CVE-2013-1976 https://bugzilla.suse.com/822177 SUSE Bug 822177 MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions. CVE-2014-0050 openSUSE Tumbleweed:tomcat-8.0.36-3.3 openSUSE Tumbleweed:tomcat-admin-webapps-8.0.36-3.3 openSUSE Tumbleweed:tomcat-docs-webapp-8.0.36-3.3 openSUSE Tumbleweed:tomcat-el-3_0-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-embed-8.0.36-3.3 openSUSE Tumbleweed:tomcat-javadoc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsp-2_3-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsvc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-lib-8.0.36-3.3 openSUSE Tumbleweed:tomcat-servlet-3_1-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-webapps-8.0.36-3.3 important To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2014-0050.html CVE-2014-0050 https://bugzilla.suse.com/862781 SUSE Bug 862781 Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. CVE-2015-5174 openSUSE Tumbleweed:tomcat-8.0.36-3.3 openSUSE Tumbleweed:tomcat-admin-webapps-8.0.36-3.3 openSUSE Tumbleweed:tomcat-docs-webapp-8.0.36-3.3 openSUSE Tumbleweed:tomcat-el-3_0-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-embed-8.0.36-3.3 openSUSE Tumbleweed:tomcat-javadoc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsp-2_3-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsvc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-lib-8.0.36-3.3 openSUSE Tumbleweed:tomcat-servlet-3_1-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-webapps-8.0.36-3.3 moderate 4.3 AV:A/AC:M/Au:N/C:P/I:P/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5174.html CVE-2015-5174 https://bugzilla.suse.com/967967 SUSE Bug 967967 The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. CVE-2015-5345 openSUSE Tumbleweed:tomcat-8.0.36-3.3 openSUSE Tumbleweed:tomcat-admin-webapps-8.0.36-3.3 openSUSE Tumbleweed:tomcat-docs-webapp-8.0.36-3.3 openSUSE Tumbleweed:tomcat-el-3_0-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-embed-8.0.36-3.3 openSUSE Tumbleweed:tomcat-javadoc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsp-2_3-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsvc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-lib-8.0.36-3.3 openSUSE Tumbleweed:tomcat-servlet-3_1-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-webapps-8.0.36-3.3 moderate 5 AV:N/AC:L/Au:N/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5345.html CVE-2015-5345 https://bugzilla.suse.com/967965 SUSE Bug 967965 Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. CVE-2015-5346 openSUSE Tumbleweed:tomcat-8.0.36-3.3 openSUSE Tumbleweed:tomcat-admin-webapps-8.0.36-3.3 openSUSE Tumbleweed:tomcat-docs-webapp-8.0.36-3.3 openSUSE Tumbleweed:tomcat-el-3_0-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-embed-8.0.36-3.3 openSUSE Tumbleweed:tomcat-javadoc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsp-2_3-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsvc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-lib-8.0.36-3.3 openSUSE Tumbleweed:tomcat-servlet-3_1-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-webapps-8.0.36-3.3 moderate 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5346.html CVE-2015-5346 https://bugzilla.suse.com/967814 SUSE Bug 967814 The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. CVE-2015-5351 openSUSE Tumbleweed:tomcat-8.0.36-3.3 openSUSE Tumbleweed:tomcat-admin-webapps-8.0.36-3.3 openSUSE Tumbleweed:tomcat-docs-webapp-8.0.36-3.3 openSUSE Tumbleweed:tomcat-el-3_0-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-embed-8.0.36-3.3 openSUSE Tumbleweed:tomcat-javadoc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsp-2_3-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsvc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-lib-8.0.36-3.3 openSUSE Tumbleweed:tomcat-servlet-3_1-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-webapps-8.0.36-3.3 moderate 5.4 AV:A/AC:M/Au:N/C:P/I:P/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2015-5351.html CVE-2015-5351 https://bugzilla.suse.com/967812 SUSE Bug 967812 Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. CVE-2016-0706 openSUSE Tumbleweed:tomcat-8.0.36-3.3 openSUSE Tumbleweed:tomcat-admin-webapps-8.0.36-3.3 openSUSE Tumbleweed:tomcat-docs-webapp-8.0.36-3.3 openSUSE Tumbleweed:tomcat-el-3_0-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-embed-8.0.36-3.3 openSUSE Tumbleweed:tomcat-javadoc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsp-2_3-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsvc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-lib-8.0.36-3.3 openSUSE Tumbleweed:tomcat-servlet-3_1-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-webapps-8.0.36-3.3 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-0706.html CVE-2016-0706 https://bugzilla.suse.com/967815 SUSE Bug 967815 https://bugzilla.suse.com/971085 SUSE Bug 971085 https://bugzilla.suse.com/988489 SUSE Bug 988489 The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. CVE-2016-0714 openSUSE Tumbleweed:tomcat-8.0.36-3.3 openSUSE Tumbleweed:tomcat-admin-webapps-8.0.36-3.3 openSUSE Tumbleweed:tomcat-docs-webapp-8.0.36-3.3 openSUSE Tumbleweed:tomcat-el-3_0-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-embed-8.0.36-3.3 openSUSE Tumbleweed:tomcat-javadoc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsp-2_3-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsvc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-lib-8.0.36-3.3 openSUSE Tumbleweed:tomcat-servlet-3_1-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-webapps-8.0.36-3.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-0714.html CVE-2016-0714 https://bugzilla.suse.com/967964 SUSE Bug 967964 https://bugzilla.suse.com/971085 SUSE Bug 971085 The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. CVE-2016-0763 openSUSE Tumbleweed:tomcat-8.0.36-3.3 openSUSE Tumbleweed:tomcat-admin-webapps-8.0.36-3.3 openSUSE Tumbleweed:tomcat-docs-webapp-8.0.36-3.3 openSUSE Tumbleweed:tomcat-el-3_0-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-embed-8.0.36-3.3 openSUSE Tumbleweed:tomcat-javadoc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsp-2_3-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsvc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-lib-8.0.36-3.3 openSUSE Tumbleweed:tomcat-servlet-3_1-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-webapps-8.0.36-3.3 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-0763.html CVE-2016-0763 https://bugzilla.suse.com/967966 SUSE Bug 967966 https://bugzilla.suse.com/971085 SUSE Bug 971085 The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string. CVE-2016-3092 openSUSE Tumbleweed:tomcat-8.0.36-3.3 openSUSE Tumbleweed:tomcat-admin-webapps-8.0.36-3.3 openSUSE Tumbleweed:tomcat-docs-webapp-8.0.36-3.3 openSUSE Tumbleweed:tomcat-el-3_0-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-embed-8.0.36-3.3 openSUSE Tumbleweed:tomcat-javadoc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsp-2_3-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-jsvc-8.0.36-3.3 openSUSE Tumbleweed:tomcat-lib-8.0.36-3.3 openSUSE Tumbleweed:tomcat-servlet-3_1-api-8.0.36-3.3 openSUSE Tumbleweed:tomcat-webapps-8.0.36-3.3 moderate 4.3 AV:N/AC:M/Au:N/C:N/I:N/A:P To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2016-3092.html CVE-2016-3092 https://bugzilla.suse.com/1068865 SUSE Bug 1068865 https://bugzilla.suse.com/986359 SUSE Bug 986359 https://bugzilla.suse.com/988489 SUSE Bug 988489