First published: Mon Aug 22 2016(Updated: )
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.1.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.1 Release Notes for information on the most significant of these changes, available shortly from https://access.redhat.com/site/documentation/

All users of Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 7 are advised to upgrade to Red Hat JBoss Web Server 2.1.1. The JBoss server process must be restarted for this update to take effect.

Security Fix(es):

* It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)
* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105)
* An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2106)
* It was discovered that it is possible to remotely crash (segfault) the Apache HTTP Server with a specially crafted string sent to mod_cluster via service messages (MCMP). (CVE-2016-3110)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5387; the OpenSSL project for reporting CVE-2016-2105 and CVE-2016-2106; and Michal Karm Babacek for reporting CVE-2016-3110. Upstream acknowledges Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.
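As an added example (not code from the advisory, Red Hat, or the httpd project), the following Python models the header-to-environment mapping that the CVE-2016-5387 entry above describes: a CGI gateway turns each request header into an `HTTP_*` meta-variable, so a client-supplied `Proxy` header becomes `HTTP_PROXY`, which some HTTP client libraries read to choose an outbound proxy. A hardened gateway beside it drops that header before the environment is built. The function names, the `BLOCKED_META_VARIABLES` set, and the sample requests and URLs are assumptions constructed for this example.

```python
# Added example (not code from Red Hat or the httpd project): models how a CGI
# gateway converts request headers into HTTP_* environment variables, which is
# the mechanism behind CVE-2016-5387 ("httpoxy"), and a hardened variant that
# refuses to forward the Proxy header. Header names, URLs and values below are
# constructed for the demonstration.


def header_to_meta_variable(name: str) -> str:
    """RFC 3875 section 4.1.18: a request header becomes a CGI meta-variable by
    uppercasing the name, replacing '-' with '_' and prefixing 'HTTP_'.
    Header names are case-insensitive, so 'proxy' and 'Proxy' both map to
    HTTP_PROXY."""
    return "HTTP_" + name.strip().upper().replace("-", "_")


def cgi_environment(headers: dict) -> dict:
    """Naive gateway: every request header is forwarded to the CGI process.
    A client-supplied 'Proxy' header therefore lands in HTTP_PROXY, a variable
    that several HTTP client libraries consult to pick an outbound proxy."""
    return {header_to_meta_variable(n): v for n, v in headers.items()}


# Meta-variables whose names collide with environment variables that HTTP
# clients honour. HTTP_PROXY is the one the advisory describes; the set is an
# assumption of this example and can be extended by the deployer.
BLOCKED_META_VARIABLES = frozenset({"HTTP_PROXY"})


def hardened_cgi_environment(headers: dict) -> dict:
    """Hardened gateway: drop any header whose translated name is blocked
    before the environment is built, so the CGI process never sees a
    client-controlled HTTP_PROXY. This mirrors stripping the Proxy header at
    the web server (an assumption of this example; the advisory itself fixes
    the behaviour in the httpd package)."""
    env = {}
    for name, value in headers.items():
        var = header_to_meta_variable(name)
        if var in BLOCKED_META_VARIABLES:
            continue
        env[var] = value
    return env


def outbound_proxy(env: dict):
    """Stand-in for an HTTP client that configures its proxy from the process
    environment; returns the proxy URL it would use, or None."""
    return env.get("HTTP_PROXY") or None


def audit_request(headers: dict) -> dict:
    """Report what each gateway would expose for one request. Useful as a
    regression check for a gateway implementation: the hardened value must be
    None regardless of what the client sends."""
    return {
        "naive_proxy": outbound_proxy(cgi_environment(headers)),
        "hardened_proxy": outbound_proxy(hardened_cgi_environment(headers)),
    }


# Constructed sample requests: one ordinary request and one carrying a Proxy
# header (the value is a placeholder, not a real host).
BENIGN_REQUEST = {"Host": "app.example.test", "User-Agent": "demo/1.0"}
PROXY_HEADER_REQUEST = {"Host": "app.example.test", "Proxy": "http://proxy.invalid:8080"}

if __name__ == "__main__":
    for label, req in (("benign", BENIGN_REQUEST), ("proxy-header", PROXY_HEADER_REQUEST)):
        print(label, audit_request(req))
```

Running the module prints `None` for both gateways on the benign request and the placeholder proxy URL only for the naive gateway on the second request. The model is a teaching aid for the mechanism; the remediation for affected systems is the package update listed in the table below.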
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/httpd22 | <2.2.26-56.ep6.el7 | 2.2.26-56.ep6.el7 |
redhat/jbcs-httpd24-openssl | <1.0.2h-4.jbcs.el7 | 1.0.2h-4.jbcs.el7 |
redhat/tomcat-native | <1.1.34-5.redhat_1.ep6.el7 | 1.1.34-5.redhat_1.ep6.el7 |
redhat/httpd22-debuginfo | <2.2.26-56.ep6.el7 | 2.2.26-56.ep6.el7 |
redhat/httpd22-devel | <2.2.26-56.ep6.el7 | 2.2.26-56.ep6.el7 |
redhat/httpd22-manual | <2.2.26-56.ep6.el7 | 2.2.26-56.ep6.el7 |
redhat/httpd22-tools | <2.2.26-56.ep6.el7 | 2.2.26-56.ep6.el7 |
redhat/jbcs-httpd24 | <1-3.jbcs.el7 | 1-3.jbcs.el7 |
redhat/jbcs-httpd24-openssl-debuginfo | <1.0.2h-4.jbcs.el7 | 1.0.2h-4.jbcs.el7 |
redhat/jbcs-httpd24-openssl-devel | <1.0.2h-4.jbcs.el7 | 1.0.2h-4.jbcs.el7 |
redhat/jbcs-httpd24-openssl-libs | <1.0.2h-4.jbcs.el7 | 1.0.2h-4.jbcs.el7 |
redhat/jbcs-httpd24-openssl-perl | <1.0.2h-4.jbcs.el7 | 1.0.2h-4.jbcs.el7 |
redhat/jbcs-httpd24-openssl-static | <1.0.2h-4.jbcs.el7 | 1.0.2h-4.jbcs.el7 |
redhat/jbcs-httpd24-runtime | <1-3.jbcs.el7 | 1-3.jbcs.el7 |
redhat/tomcat-native-debuginfo | <1.1.34-5.redhat_1.ep6.el7 | 1.1.34-5.redhat_1.ep6.el7 |
The severity of RHSA-2016:1648 is classified as important.
To fix RHSA-2016:1648, update the affected packages to the fixed versions listed in the table above and restart the JBoss server process.
The affected packages include httpd22, jbcs-httpd24-openssl, and tomcat-native among others.
RHSA-2016:1648 impacts systems using Red Hat JBoss Web Server integrated with Apache HTTP Server and Tomcat.
No specific workaround is suggested for RHSA-2016:1648; applying the update is recommended.