First published: Mon Aug 22 2016
Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache HTTP Server, the Apache Tomcat Servlet container, Apache Tomcat Connector (mod_jk), JBoss HTTP Connector (mod_cluster), Hibernate, and the Tomcat Native library.

This release serves as a replacement for Red Hat JBoss Web Server 2.1.0, and includes several bug fixes. Refer to the Red Hat JBoss Web Server 2.1.1 Release Notes, linked to in the References section, for information on the most significant of these changes.

All users of Red Hat JBoss Web Server 2.1.0 on Red Hat Enterprise Linux 6 are advised to upgrade to Red Hat JBoss Web Server 2.1.1. The JBoss server process must be restarted for this update to take effect.

Security Fix(es):

- It was discovered that httpd used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5387)
- An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncodeUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2105)
- An integer overflow flaw, leading to a buffer overflow, was found in the way the EVP_EncryptUpdate() function of OpenSSL parsed very large amounts of input data. A remote attacker could use this flaw to crash an application using OpenSSL or, possibly, execute arbitrary code with the permissions of the user running that application. (CVE-2016-2106)
- It was discovered that a specially crafted string sent to mod_cluster via service messages (MCMP) can remotely crash (segfault) the Apache HTTP Server. (CVE-2016-3110)

Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5387; the OpenSSL project for reporting CVE-2016-2105 and CVE-2016-2106; and Michal Karm Babacek for reporting CVE-2016-3110. Upstream acknowledges Guido Vranken as the original reporter of CVE-2016-2105 and CVE-2016-2106.
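To make the CVE-2016-5387 mechanism concrete from the defender's side, here is an added example (not Red Hat's or httpd's code) that models the RFC 3875 header-to-environment mapping a CGI gateway performs and the hardened form that refuses to export the Proxy header; the `BLOCKED_HEADERS` set, the helper names and the sample request are constructed for illustration.

```python
from typing import Dict, Iterable, List, Optional, Tuple

# Request header names that must not become HTTP_* meta-variables: the derived
# name collides with a variable that HTTP client libraries read as proxy configuration.
BLOCKED_HEADERS = frozenset({"proxy"})


def meta_variable_name(header: str) -> str:
    """RFC 3875 naming rule: 'Proxy' -> 'HTTP_PROXY', 'X-Forwarded-For' -> 'HTTP_X_FORWARDED_FOR'."""
    return "HTTP_" + header.strip().upper().replace("-", "_")


def cgi_env(headers: Iterable[Tuple[str, str]], hardened: bool = True) -> Dict[str, str]:
    """Build the HTTP_* part of a CGI environment from request headers.

    hardened=False reproduces the pre-fix behaviour the advisory describes: every
    request header, 'Proxy' included, is exported to the script.
    """
    env: Dict[str, str] = {}
    for name, value in headers:
        if hardened and name.strip().lower() in BLOCKED_HEADERS:
            continue  # drop it: the server has no legitimate use for a Proxy request header
        env[meta_variable_name(name)] = value
    return env


def effective_proxy(env: Dict[str, str]) -> Optional[str]:
    """The proxy a client library that honours HTTP_PROXY would use for outgoing requests."""
    return env.get("HTTP_PROXY") or None


def audit_env(env: Dict[str, str]) -> List[str]:
    """Defensive check a CGI script can run on os.environ: exported names that came from blocked headers."""
    blocked_names = {meta_variable_name(h) for h in BLOCKED_HEADERS}
    return sorted(k for k in env if k in blocked_names)


# Constructed request: an ordinary Host header plus a client-supplied Proxy header
# (placeholder proxy URL).
SAMPLE_HEADERS = [
    ("Host", "app.example.test"),
    ("Proxy", "http://proxy-placeholder.example.test:8080"),
]

if __name__ == "__main__":
    print("pre-fix  proxy:", effective_proxy(cgi_env(SAMPLE_HEADERS, hardened=False)))
    print("hardened proxy:", effective_proxy(cgi_env(SAMPLE_HEADERS)))
```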
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/httpd | <2.2.26-54.ep6.el6 | 2.2.26-54.ep6.el6 |
redhat/jbcs-httpd24-openssl | <1.0.2h-4.jbcs.el6 | 1.0.2h-4.jbcs.el6 |
redhat/tomcat-native | <1.1.34-5.redhat_1.ep6.el6 | 1.1.34-5.redhat_1.ep6.el6 |
redhat/httpd-debuginfo | <2.2.26-54.ep6.el6 | 2.2.26-54.ep6.el6 |
redhat/httpd-devel | <2.2.26-54.ep6.el6 | 2.2.26-54.ep6.el6 |
redhat/httpd-manual | <2.2.26-54.ep6.el6 | 2.2.26-54.ep6.el6 |
redhat/httpd-tools | <2.2.26-54.ep6.el6 | 2.2.26-54.ep6.el6 |
redhat/jbcs-httpd24 | <1-3.jbcs.el6 | 1-3.jbcs.el6 |
redhat/jbcs-httpd24-openssl-debuginfo | <1.0.2h-4.jbcs.el6 | 1.0.2h-4.jbcs.el6 |
redhat/jbcs-httpd24-openssl-devel | <1.0.2h-4.jbcs.el6 | 1.0.2h-4.jbcs.el6 |
redhat/jbcs-httpd24-openssl-libs | <1.0.2h-4.jbcs.el6 | 1.0.2h-4.jbcs.el6 |
redhat/jbcs-httpd24-openssl-perl | <1.0.2h-4.jbcs.el6 | 1.0.2h-4.jbcs.el6 |
redhat/jbcs-httpd24-openssl-static | <1.0.2h-4.jbcs.el6 | 1.0.2h-4.jbcs.el6 |
redhat/jbcs-httpd24-runtime | <1-3.jbcs.el6 | 1-3.jbcs.el6 |
redhat/tomcat-native-debuginfo | <1.1.34-5.redhat_1.ep6.el6 | 1.1.34-5.redhat_1.ep6.el6 |
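An added example, not Red Hat tooling, for checking a host against the fixed versions in the table above: it assumes the line format produced by `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` and uses a simplified port of rpm's segment-based version comparison (the `~`/`^` rules and the epoch are left out); the sample output is constructed.

```python
import re
from typing import Dict, List, Tuple
# Fixed VERSION-RELEASE strings from the advisory table (RHSA-2016:1649).
FIXED: Dict[str, str] = {
    "httpd": "2.2.26-54.ep6.el6",
    "jbcs-httpd24-openssl": "1.0.2h-4.jbcs.el6",
    "tomcat-native": "1.1.34-5.redhat_1.ep6.el6",
}
_SEGMENT = re.compile(r"[0-9]+|[a-zA-Z]+")  # separators ('.', '-', '_') are skipped

def rpmvercmp(a: str, b: str) -> int:
    """Simplified rpmvercmp(): -1/0/1 as a is older/equal/newer than b ('~' and '^' not handled)."""
    if a == b:
        return 0
    sa, sb = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(sa, sb):
        if x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1  # a numeric segment is newer than an alphabetic one
        if x.isdigit():
            x, y = x.lstrip("0"), y.lstrip("0")  # numeric compare: more digits means larger
            if len(x) != len(y):
                return 1 if len(x) > len(y) else -1
        if x != y:
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # whichever still has segments left is newer

def rpm_newer_or_equal(installed: str, fixed: str) -> bool:
    """Compare VERSION first, then RELEASE, as rpm does (epoch assumed equal on both sides)."""
    iv, ir = installed.rsplit("-", 1)
    fv, fr = fixed.rsplit("-", 1)
    return (rpmvercmp(iv, fv) or rpmvercmp(ir, fr)) >= 0

def vulnerable_packages(rpm_output: str) -> List[Tuple[str, str, str]]:
    """Parse 'NAME VERSION-RELEASE' lines; return (name, installed, fixed) for packages below the fix."""
    findings = []
    for line in rpm_output.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] in FIXED and not rpm_newer_or_equal(parts[1], FIXED[parts[0]]):
            findings.append((parts[0], parts[1], FIXED[parts[0]]))
    return findings

# Constructed sample of rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' output: httpd is still behind.
SAMPLE_RPM_OUTPUT = """\
httpd 2.2.26-53.ep6.el6
jbcs-httpd24-openssl 1.0.2h-4.jbcs.el6
tomcat-native 1.1.34-6.redhat_1.ep6.el6
bash 4.1.2-48.el6
"""
```

Packages not listed in `FIXED` are ignored, so the same check can be pointed at the full `rpm -qa` output of a host.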
The severity of RHSA-2016:1649 is categorized as important.
To fix RHSA-2016:1649, update to the specified remedial package versions as detailed in the advisory.
RHSA-2016:1649 affects several components including Apache HTTP Server, JBoss HTTP Connector, and JBoss Web Server.
The remedied versions for RHSA-2016:1649 include httpd 2.2.26-54.ep6.el6, jbcs-httpd24-openssl 1.0.2h-4.jbcs.el6, and tomcat-native 1.1.34-5.redhat_1.ep6.el6.
There are no specific workarounds for RHSA-2016:1649, and applying the updates is the recommended action.