First published: Thu Nov 02 2017
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

This release provides an update to httpd, OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2.1.2. The updates are documented in the Release Notes document linked to in the References.

This release of Red Hat JBoss Web Server 2.1.2 Service Pack 2 serves as an update for Red Hat JBoss Web Server 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Users of Red Hat JBoss Web Server 2 should upgrade to these updated packages, which resolve several security issues.

Security Fix(es):

- It was discovered that httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause an httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)
- A vulnerability was discovered in Tomcat where, if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution. (CVE-2017-12615)
- A vulnerability was discovered in Tomcat where, if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution. (CVE-2017-12617)
- A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between a TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)
- A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause an httpd child process to crash. (CVE-2017-9798)

Red Hat would like to thank OpenVPN for reporting CVE-2016-2183 and Hanno Böck for reporting CVE-2017-9798. Upstream acknowledges Karthikeyan Bhargavan (Inria) and Gaëtan Leurent (Inria) as the original reporters of CVE-2016-2183.

Bug Fix(es):

- Corruption in nodestatsmem in multiple core dumps, but in different functions of each core dump. (BZ#1338640)
- mod_cluster segfaults in process_info() due to a wrongly generated assembler instruction, movslq. (BZ#1448709)
- CRL checking of very large CRLs fails with OpenSSL 1.0.2. (BZ#1493075)
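The two Tomcat entries above (CVE-2017-12615 and CVE-2017-12617) depend on a configuration precondition: the DefaultServlet running with `readonly` set to `false`, which makes HTTP PUT write into the web application on disk. The Python script below is an added example, not code from the advisory, from Red Hat or from the Tomcat project. It reads a Tomcat `conf/web.xml`, reports whether the DefaultServlet is read-only (Tomcat's default when the parameter is absent), and produces a hardened copy with `readonly` forced back to `true`, which is the configuration-level mitigation to apply alongside installing the fixed `tomcat6`/`tomcat7` packages. The sample descriptor is constructed, and the function names are assumptions; a `security-constraint` that blocks PUT is not examined, only the servlet parameter itself.

```python
"""Detect the configuration precondition of CVE-2017-12615/12617 in a Tomcat
conf/web.xml (DefaultServlet with readonly=false) and produce a hardened copy.
Added example; the sample descriptor and the function names are constructed."""
import xml.etree.ElementTree as ET

JAVAEE_NS = "http://java.sun.com/xml/ns/javaee"
ET.register_namespace("", JAVAEE_NS)   # keep the default namespace when re-serialising

# Constructed fragment of a Tomcat 7 conf/web.xml carrying the unsafe setting.
VULNERABLE_WEB_XML = f"""<web-app xmlns="{JAVAEE_NS}" version="3.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>1</load-on-startup>
  </servlet>
</web-app>
"""


def _local(tag):
    """Tag name without its namespace, so namespaced (Tomcat 7) and plain descriptors both parse."""
    return tag.rsplit("}", 1)[-1]


def _child(elem, name):
    """First direct child with the given local tag name, or None."""
    return next((c for c in elem if _local(c.tag) == name), None)


def _text(elem):
    """Stripped text of an element, or '' when the element or its text is missing."""
    return (elem.text or "").strip() if elem is not None else ""


def _default_servlet_init_params(root):
    """Yield the <init-param> elements of the DefaultServlet, matched by class or by name."""
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        cls = _text(_child(servlet, "servlet-class"))
        name = _text(_child(servlet, "servlet-name"))
        if cls.endswith("DefaultServlet") or name == "default":
            yield from (c for c in servlet if _local(c.tag) == "init-param")


def default_servlet_readonly(web_xml_text):
    """True when the DefaultServlet rejects PUT/DELETE. Tomcat defaults readonly to
    true, so a missing parameter counts as safe; only an explicit 'false' does not."""
    root = ET.fromstring(web_xml_text)
    for param in _default_servlet_init_params(root):
        if _text(_child(param, "param-name")) == "readonly":
            return _text(_child(param, "param-value")).lower() != "false"
    return True


def harden(web_xml_text):
    """Return the descriptor with readonly forced to true, the configuration
    mitigation to keep in place until the fixed tomcat6/tomcat7 packages are installed."""
    root = ET.fromstring(web_xml_text)
    for param in _default_servlet_init_params(root):
        if _text(_child(param, "param-name")) == "readonly":
            value = _child(param, "param-value")
            if value is not None:
                value.text = "true"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print("readonly before:", default_servlet_readonly(VULNERABLE_WEB_XML))   # False
    print("readonly after: ", default_servlet_readonly(harden(VULNERABLE_WEB_XML)))  # True
```

Run it against each Tomcat instance's `conf/web.xml` and any per-application `WEB-INF/web.xml` that re-declares the default servlet, since an application descriptor can override the global setting.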
Affected Software | Affected Version | How to fix |
---|---|---|
redhat/httpd22 | <2.2.26-58.ep6.el7 | 2.2.26-58.ep6.el7 |
redhat/httpd22-debuginfo | <2.2.26-58.ep6.el7 | 2.2.26-58.ep6.el7 |
redhat/httpd22-devel | <2.2.26-58.ep6.el7 | 2.2.26-58.ep6.el7 |
redhat/httpd22-manual | <2.2.26-58.ep6.el7 | 2.2.26-58.ep6.el7 |
redhat/httpd22-tools | <2.2.26-58.ep6.el7 | 2.2.26-58.ep6.el7 |
redhat/jbcs-httpd24-openssl | <1.0.2h-14.jbcs.el7 | 1.0.2h-14.jbcs.el7 |
redhat/jbcs-httpd24-openssl-debuginfo | <1.0.2h-14.jbcs.el7 | 1.0.2h-14.jbcs.el7 |
redhat/jbcs-httpd24-openssl-devel | <1.0.2h-14.jbcs.el7 | 1.0.2h-14.jbcs.el7 |
redhat/jbcs-httpd24-openssl-libs | <1.0.2h-14.jbcs.el7 | 1.0.2h-14.jbcs.el7 |
redhat/jbcs-httpd24-openssl-perl | <1.0.2h-14.jbcs.el7 | 1.0.2h-14.jbcs.el7 |
redhat/jbcs-httpd24-openssl-static | <1.0.2h-14.jbcs.el7 | 1.0.2h-14.jbcs.el7 |
redhat/tomcat6 | <6.0.41-19_patch_04.ep6.el7 | 6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat6-admin-webapps | <6.0.41-19_patch_04.ep6.el7 | 6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat6-docs-webapp | <6.0.41-19_patch_04.ep6.el7 | 6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat6-el | <2.1-api-6.0.41-19_patch_04.ep6.el7 | 2.1-api-6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat6-javadoc | <6.0.41-19_patch_04.ep6.el7 | 6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat6-jsp | <2.1-api-6.0.41-19_patch_04.ep6.el7 | 2.1-api-6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat6-lib | <6.0.41-19_patch_04.ep6.el7 | 6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat6-log4j | <6.0.41-19_patch_04.ep6.el7 | 6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat6-maven-devel | <6.0.41-19_patch_04.ep6.el7 | 6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat6-servlet | <2.5-api-6.0.41-19_patch_04.ep6.el7 | 2.5-api-6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat6-webapps | <6.0.41-19_patch_04.ep6.el7 | 6.0.41-19_patch_04.ep6.el7 |
redhat/tomcat7 | <7.0.54-28_patch_05.ep6.el7 | 7.0.54-28_patch_05.ep6.el7 |
redhat/tomcat7-admin-webapps | <7.0.54-28_patch_05.ep6.el7 | 7.0.54-28_patch_05.ep6.el7 |
redhat/tomcat7-docs-webapp | <7.0.54-28_patch_05.ep6.el7 | 7.0.54-28_patch_05.ep6.el7 |
redhat/tomcat7-el | <2.2-api-7.0.54-28_patch_05.ep6.el7 | 2.2-api-7.0.54-28_patch_05.ep6.el7 |
redhat/tomcat7-javadoc | <7.0.54-28_patch_05.ep6.el7 | 7.0.54-28_patch_05.ep6.el7 |
redhat/tomcat7-jsp | <2.2-api-7.0.54-28_patch_05.ep6.el7 | 2.2-api-7.0.54-28_patch_05.ep6.el7 |
redhat/tomcat7-lib | <7.0.54-28_patch_05.ep6.el7 | 7.0.54-28_patch_05.ep6.el7 |
redhat/tomcat7-log4j | <7.0.54-28_patch_05.ep6.el7 | 7.0.54-28_patch_05.ep6.el7 |
redhat/tomcat7-maven-devel | <7.0.54-28_patch_05.ep6.el7 | 7.0.54-28_patch_05.ep6.el7 |
redhat/tomcat7-servlet | <3.0-api-7.0.54-28_patch_05.ep6.el7 | 3.0-api-7.0.54-28_patch_05.ep6.el7 |
redhat/tomcat7-webapps | <7.0.54-28_patch_05.ep6.el7 | 7.0.54-28_patch_05.ep6.el7 |
redhat/httpd | <2.2.26-57.ep6.el6 | 2.2.26-57.ep6.el6 |
redhat/httpd-debuginfo | <2.2.26-57.ep6.el6 | 2.2.26-57.ep6.el6 |
redhat/httpd-devel | <2.2.26-57.ep6.el6 | 2.2.26-57.ep6.el6 |
redhat/httpd-manual | <2.2.26-57.ep6.el6 | 2.2.26-57.ep6.el6 |
redhat/httpd-tools | <2.2.26-57.ep6.el6 | 2.2.26-57.ep6.el6 |
redhat/jbcs-httpd24-openssl | <1.0.2h-14.jbcs.el6 | 1.0.2h-14.jbcs.el6 |
redhat/jbcs-httpd24-openssl-debuginfo | <1.0.2h-14.jbcs.el6 | 1.0.2h-14.jbcs.el6 |
redhat/jbcs-httpd24-openssl-devel | <1.0.2h-14.jbcs.el6 | 1.0.2h-14.jbcs.el6 |
redhat/jbcs-httpd24-openssl-libs | <1.0.2h-14.jbcs.el6 | 1.0.2h-14.jbcs.el6 |
redhat/jbcs-httpd24-openssl-perl | <1.0.2h-14.jbcs.el6 | 1.0.2h-14.jbcs.el6 |
redhat/jbcs-httpd24-openssl-static | <1.0.2h-14.jbcs.el6 | 1.0.2h-14.jbcs.el6 |
redhat/tomcat6 | <6.0.41-19_patch_04.ep6.el6 | 6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat6-admin-webapps | <6.0.41-19_patch_04.ep6.el6 | 6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat6-docs-webapp | <6.0.41-19_patch_04.ep6.el6 | 6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat6-el | <2.1-api-6.0.41-19_patch_04.ep6.el6 | 2.1-api-6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat6-javadoc | <6.0.41-19_patch_04.ep6.el6 | 6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat6-jsp | <2.1-api-6.0.41-19_patch_04.ep6.el6 | 2.1-api-6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat6-lib | <6.0.41-19_patch_04.ep6.el6 | 6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat6-log4j | <6.0.41-19_patch_04.ep6.el6 | 6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat6-maven-devel | <6.0.41-19_patch_04.ep6.el6 | 6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat6-servlet | <2.5-api-6.0.41-19_patch_04.ep6.el6 | 2.5-api-6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat6-webapps | <6.0.41-19_patch_04.ep6.el6 | 6.0.41-19_patch_04.ep6.el6 |
redhat/tomcat7 | <7.0.54-28_patch_05.ep6.el6 | 7.0.54-28_patch_05.ep6.el6 |
redhat/tomcat7-admin-webapps | <7.0.54-28_patch_05.ep6.el6 | 7.0.54-28_patch_05.ep6.el6 |
redhat/tomcat7-docs-webapp | <7.0.54-28_patch_05.ep6.el6 | 7.0.54-28_patch_05.ep6.el6 |
redhat/tomcat7-el | <2.2-api-7.0.54-28_patch_05.ep6.el6 | 2.2-api-7.0.54-28_patch_05.ep6.el6 |
redhat/tomcat7-javadoc | <7.0.54-28_patch_05.ep6.el6 | 7.0.54-28_patch_05.ep6.el6 |
redhat/tomcat7-jsp | <2.2-api-7.0.54-28_patch_05.ep6.el6 | 2.2-api-7.0.54-28_patch_05.ep6.el6 |
redhat/tomcat7-lib | <7.0.54-28_patch_05.ep6.el6 | 7.0.54-28_patch_05.ep6.el6 |
redhat/tomcat7-log4j | <7.0.54-28_patch_05.ep6.el6 | 7.0.54-28_patch_05.ep6.el6 |
redhat/tomcat7-maven-devel | <7.0.54-28_patch_05.ep6.el6 | 7.0.54-28_patch_05.ep6.el6 |
redhat/tomcat7-servlet | <3.0-api-7.0.54-28_patch_05.ep6.el6 | 3.0-api-7.0.54-28_patch_05.ep6.el6 |
redhat/tomcat7-webapps | <7.0.54-28_patch_05.ep6.el6 | 7.0.54-28_patch_05.ep6.el6 |
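To turn the table above into an audit of a running host, the following Python script (an added example, not from SecAlerts or Red Hat) compares installed package versions against the fixed versions of the four main packages for EL6 and EL7, using an implementation of rpm's version-comparison algorithm rather than a string comparison, because `57.ep6.el7` versus `58.ep6.el7` and `28.ep6.el7` versus `28_patch_05.ep6.el7` only compare correctly segment by segment. The input format is the output of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'`, replaced here by constructed sample lines; the `FIXED` table is transcribed from the advisory, the function names are assumptions, epoch is ignored because none of these packages carries one, and tilde/caret ordering is not implemented.

```python
"""Compare installed RPM versions against the fixed versions in RHSA-2017:3113.
Added example; FIXED is transcribed from the advisory table, everything else
(function names, sample input) is constructed for illustration."""
import re

# Fixed versions of the four main packages, keyed by (package name, EL release).
FIXED = {
    ("httpd22", "el7"): "2.2.26-58.ep6.el7",
    ("jbcs-httpd24-openssl", "el7"): "1.0.2h-14.jbcs.el7",
    ("tomcat6", "el7"): "6.0.41-19_patch_04.ep6.el7",
    ("tomcat7", "el7"): "7.0.54-28_patch_05.ep6.el7",
    ("httpd", "el6"): "2.2.26-57.ep6.el6",
    ("jbcs-httpd24-openssl", "el6"): "1.0.2h-14.jbcs.el6",
    ("tomcat6", "el6"): "6.0.41-19_patch_04.ep6.el6",
    ("tomcat7", "el6"): "7.0.54-28_patch_05.ep6.el6",
}

# Constructed sample of `rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n'` output.
SAMPLE_RPM_QA = """\
httpd22 2.2.26-57.ep6.el7
jbcs-httpd24-openssl 1.0.2h-14.jbcs.el7
tomcat6 6.0.41-19_patch_04.ep6.el7
tomcat7 7.0.54-27.ep6.el7
bash 4.2.46-30.el7
"""

_SEGMENT = re.compile(r"\d+|[A-Za-z]+")


def rpmvercmp(a, b):
    """rpm's version/release comparison: split into numeric and alphabetic
    segments (separator characters are ignored), compare segment by segment,
    and let the string with segments left over win. Returns -1, 0 or 1.
    Tilde/caret ordering is not implemented (these packages do not use it)."""
    seg_a, seg_b = _SEGMENT.findall(a), _SEGMENT.findall(b)
    for x, y in zip(seg_a, seg_b):
        x_num, y_num = x.isdigit(), y.isdigit()
        if x_num and y_num:
            xi, yi = int(x), int(y)            # int() also discards leading zeros
            if xi != yi:
                return -1 if xi < yi else 1
        elif x_num != y_num:
            return 1 if x_num else -1          # a numeric segment is newer than an alphabetic one
        elif x != y:
            return -1 if x < y else 1          # both alphabetic: plain string order
    if len(seg_a) == len(seg_b):
        return 0
    return -1 if len(seg_a) < len(seg_b) else 1


def vrcmp(vr_a, vr_b):
    """Compare two 'version-release' strings: version first, then release."""
    va, ra = vr_a.rsplit("-", 1)
    vb, rb = vr_b.rsplit("-", 1)
    return rpmvercmp(va, vb) or rpmvercmp(ra, rb)


def outdated(rpm_qa_output):
    """Return (name, installed, fixed) for every advisory package installed
    below its fixed version; packages the advisory does not cover are skipped."""
    findings = []
    for line in rpm_qa_output.splitlines():
        if not line.strip():
            continue
        name, installed = line.split()
        el = re.search(r"\.(el\d+)", installed)        # .el6 / .el7 picks the right column
        fixed = FIXED.get((name, el.group(1))) if el else None
        if fixed and vrcmp(installed, fixed) < 0:
            findings.append((name, installed, fixed))
    return findings


if __name__ == "__main__":
    for name, have, want in outdated(SAMPLE_RPM_QA):
        print(f"{name}: installed {have} is older than fixed {want}")
```

On the sample input the script flags `httpd22` and `tomcat7`; `tomcat6` and `jbcs-httpd24-openssl` are already at the fixed versions and `bash` is outside the advisory. Sub-packages such as `tomcat7-lib` or `httpd22-tools` share their parent's version-release and can be added to `FIXED` from the table above.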
The severity of RHSA-2017:3113 is classified as important.
To fix RHSA-2017:3113, update the affected packages to their recommended versions as specified in the advisory.
Affected packages include httpd, jbcs-httpd24-openssl, tomcat6, and tomcat7.
RHSA-2017:3113 addresses security vulnerabilities related to the Apache HTTP Server and OpenSSL.
RHSA-2017:3113 is applicable to both EL6 and EL7 versions.