• Tomcat vulnerabilities

    From bugz_ubuntu@21:4/110 to Ubuntu Users on Monday, January 27, 2020 12:10:05
    tomcat8 vulnerabilities

    A security issue affects these releases of Ubuntu and its
    derivatives:

    * Ubuntu 16.04 LTS

    Summary

    Several security issues were fixed in Tomcat.

    Software Description

    * tomcat8 - Servlet and JSP engine

    Details

    It was discovered that Tomcat incorrectly handled the RMI registry
    when configured with the JMX Remote Lifecycle Listener. A local
    attacker could possibly use this issue to obtain credentials and
    gain complete control over the Tomcat instance. (CVE-2019-12418)

    It was discovered that Tomcat incorrectly handled FORM
    authentication. A remote attacker could possibly use this issue to
    perform a session fixation attack. (CVE-2019-17563)

    Update instructions

    The problem can be corrected by updating your system to the
    following package versions:

    Ubuntu 16.04 LTS
    libtomcat8-java - 8.0.32-1ubuntu1.11
    tomcat8 - 8.0.32-1ubuntu1.11

    To update your system, please follow these instructions:
    https://wiki.ubuntu.com/Security/Upgrades.

    In general, a standard system update will make all the necessary
    changes.

    References

    * CVE-2019-12418
    * CVE-2019-17563

    --- Mystic BBS v1.12 A43 (Linux/64)
    * Origin: BZ&BZ BBS (21:4/110)
  • From bugz_ubuntu@21:4/110 to Ubuntu Users on Tuesday, August 04, 2020 16:10:06
    tomcat8 vulnerabilities

    A security issue affects these releases of Ubuntu and its
    derivatives:

    * Ubuntu 16.04 LTS

    Summary

    Several security issues were fixed in Tomcat.

    Software Description

    * tomcat8 - Servlet and JSP engine

    Details

    It was discovered that Tomcat incorrectly validated the payload
    length in a WebSocket frame. A remote attacker could possibly use
    this issue to cause Tomcat to hang, resulting in a denial of
    service. (CVE-2020-13935)

    It was discovered that Tomcat incorrectly handled HTTP header
    parsing. In certain environments where Tomcat is located behind a
    reverse proxy, a remote attacker could possibly use this issue to
    perform HTTP Request Smuggling. (CVE-2020-1935)

    It was discovered that Tomcat incorrectly handled certain uncommon
    PersistenceManager with FileStore configurations. A remote
    attacker could possibly use this issue to execute arbitrary code.
    (CVE-2020-9484)

    Update instructions

    The problem can be corrected by updating your system to the
    following package versions:

    Ubuntu 16.04 LTS
    libtomcat8-java - 8.0.32-1ubuntu1.13
    tomcat8 - 8.0.32-1ubuntu1.13

    To update your system, please follow these instructions:
    https://wiki.ubuntu.com/Security/Upgrades.

    In general, a standard system update will make all the necessary
    changes.

    References

    * CVE-2020-13935
    * CVE-2020-1935
    * CVE-2020-9484

    --- Mystic BBS v1.12 A46 (Linux/64)
    * Origin: BZ&BZ BBS (21:4/110)
  • From bugz_ubuntu@21:4/110 to Ubuntu Users on Wednesday, September 30, 2020 16:10:09
    tomcat6 vulnerabilities

    A security issue affects these releases of Ubuntu and its
    derivatives:

    * Ubuntu 16.04 LTS

    Summary

    Several security issues were fixed in Tomcat.

    Software Description

    * tomcat6 - Servlet and JSP engine

    Details

    It was discovered that the Tomcat realm implementations
    incorrectly handled passwords when a username didn't exist. A
    remote attacker could possibly use this issue to enumerate
    usernames. (CVE-2016-0762)

    Alvaro Munoz and Alexander Mirosh discovered that Tomcat
    incorrectly limited use of a certain utility method. A malicious
    application could possibly use this to bypass Security Manager
    restrictions. (CVE-2016-5018)

    It was discovered that Tomcat incorrectly controlled reading
    system properties. A malicious application could possibly use this
    to bypass Security Manager restrictions. (CVE-2016-6794)

    It was discovered that Tomcat incorrectly controlled certain
    configuration parameters. A malicious application could possibly
    use this to bypass Security Manager restrictions. (CVE-2016-6796)

    It was discovered that Tomcat incorrectly limited access to global
    JNDI resources. A malicious application could use this to access
    any global JNDI resource without an explicit ResourceLink.
    (CVE-2016-6797)

    Regis Leroy discovered that Tomcat incorrectly filtered certain
    invalid characters from the HTTP request line. A remote attacker
    could possibly use this issue to inject data into HTTP responses.
    (CVE-2016-6816)

    Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener
    did not implement a recommended fix. A remote attacker could
    possibly use this issue to execute arbitrary code. (CVE-2016-8735)

    Update instructions

    The problem can be corrected by updating your system to the
    following package versions:

    Ubuntu 16.04 LTS
    libservlet2.5-java - 6.0.45+dfsg-1ubuntu0.1

    To update your system, please follow these instructions:
    https://wiki.ubuntu.com/Security/Upgrades.

    In general, a standard system update will make all the necessary
    changes.

    References

    * CVE-2016-0762
    * CVE-2016-5018
    * CVE-2016-6794
    * CVE-2016-6796
    * CVE-2016-6797
    * CVE-2016-6816
    * CVE-2016-8735

    --- Mystic BBS v1.12 A46 (Linux/64)
    * Origin: BZ&BZ BBS (21:4/110)
  • From boo_ubuntu@21:4/110 to Ubuntu Users on Wednesday, October 21, 2020 12:10:02
    tomcat9 vulnerabilities

    A security issue affects these releases of Ubuntu and its
    derivatives:

    * Ubuntu 20.04 LTS

    Summary

    Several security issues were fixed in Tomcat.

    Software Description

    * tomcat9 - Apache Tomcat 9 - Servlet and JSP engine

    Details

    It was discovered that Tomcat did not properly manage HTTP/2
    streams. An attacker could possibly use this to cause Tomcat to
    consume resources, resulting in a denial of service.
    (CVE-2020-11996)

    It was discovered that Tomcat did not properly release the
    HTTP/1.1 processor after the upgrade to HTTP/2. An attacker could
    possibly use this to generate an OutOfMemoryException, resulting
    in a denial of service. (CVE-2020-13934)

    It was discovered that Tomcat did not properly validate the
    payload length in a WebSocket frame. An attacker could possibly
    use this to trigger an infinite loop, resulting in a denial of
    service. (CVE-2020-13935)

    It was discovered that Tomcat did not properly deserialize
    untrusted data. An attacker could possibly use this issue to
    execute arbitrary code. (CVE-2020-9484)

    Update instructions

    The problem can be corrected by updating your system to the
    following package versions:

    Ubuntu 20.04 LTS
    libtomcat9-embed-java - 9.0.31-1ubuntu0.1
    libtomcat9-java - 9.0.31-1ubuntu0.1
    tomcat9 - 9.0.31-1ubuntu0.1
    tomcat9-common - 9.0.31-1ubuntu0.1

    To update your system, please follow these instructions:
    https://wiki.ubuntu.com/Security/Upgrades.

    In general, a standard system update will make all the necessary
    changes.

    References

    * CVE-2020-11996
    * CVE-2020-13934
    * CVE-2020-13935
    * CVE-2020-9484

    --- Mystic BBS v1.12 A46 (Linux/64)
    * Origin: BZ&BZ BBS (21:4/110)
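Each of the four notices above ends with the same remediation step: confirm that the installed tomcat6, tomcat8 or tomcat9 packages are at or past the listed fixed version. The following script is an added example, not part of any notice or of Ubuntu's tooling. It ports dpkg's version-ordering algorithm (epoch, upstream version, Debian revision; `~` sorts before anything, leading zeros are ignored in numeric runs) to Python so the comparison can be reproduced off-host, and checks a constructed `dpkg-query -W -f='${Package}\t${Version}\n'` listing against the fixed versions copied from the notices. It assumes the later tomcat8 version in the August 2020 notice (8.0.32-1ubuntu1.13) supersedes the January 2020 one; the sample package listing is made up for illustration. On a real Ubuntu host the same decision is available from `dpkg --compare-versions`.

```python
# Added example: port of dpkg's version comparison, used to check installed
# Tomcat packages against the fixed versions in the notices on this page.

# Fixed versions copied from the notices; the later tomcat8 version wins.
FIXED_VERSIONS = {
    "libtomcat8-java": "8.0.32-1ubuntu1.13",
    "tomcat8": "8.0.32-1ubuntu1.13",
    "libservlet2.5-java": "6.0.45+dfsg-1ubuntu0.1",
    "libtomcat9-embed-java": "9.0.31-1ubuntu0.1",
    "libtomcat9-java": "9.0.31-1ubuntu0.1",
    "tomcat9": "9.0.31-1ubuntu0.1",
    "tomcat9-common": "9.0.31-1ubuntu0.1",
}

# Constructed sample of `dpkg-query -W -f='${Package}\t${Version}\n'`; not real host data.
SAMPLE_DPKG_OUTPUT = (
    "libtomcat8-java\t8.0.32-1ubuntu1.11\n"
    "tomcat8\t8.0.32-1ubuntu1.11\n"
    "libservlet2.5-java\t6.0.45+dfsg-1\n"
    "libtomcat9-java\t9.0.31-1ubuntu0.1\n"
    "tomcat9\t9.0.31-1ubuntu0.1\n"
    "openjdk-8-jre-headless\t8u265-b01-0ubuntu2~16.04\n"
)


def _is_digit(c):
    return "0" <= c <= "9"


def _order(c):
    """dpkg character weight: '~' sorts before end-of-string, letters before
    other symbols; digits are compared numerically elsewhere."""
    if c == "" or _is_digit(c):
        return 0
    if c.isalpha():
        return ord(c)
    return -1 if c == "~" else ord(c) + 256


def _verrevcmp(a, b):
    """dpkg's verrevcmp(): compare alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: character by character, using the weights above.
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i]) if i < len(a) else 0
            bc = _order(b[j]) if j < len(b) else 0
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Numeric run: drop leading zeros, remember the first differing digit,
        # and let the longer run win (so 1.10 > 1.9).
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _is_digit(a[i]) and j < len(b) and _is_digit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    upstream, revision = version.rsplit("-", 1) if "-" in version else (version, "")
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, ordering a against b as dpkg --compare-versions does."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def check_installed(dpkg_output, fixed=FIXED_VERSIONS):
    """Map each advisory package in the listing to (installed, fixed, needs_update)."""
    findings = {}
    for line in dpkg_output.splitlines():
        if not line.strip():
            continue
        package, installed = line.split("\t", 1)
        if package in fixed:
            needs_update = compare_versions(installed, fixed[package]) < 0
            findings[package] = (installed, fixed[package], needs_update)
    return findings


if __name__ == "__main__":
    for pkg, (have, want, vuln) in sorted(check_installed(SAMPLE_DPKG_OUTPUT).items()):
        print(f"{pkg:24} installed {have:26} fixed {want:26} {'NEEDS UPDATE' if vuln else 'ok'}")
```

Run against a real host by piping `dpkg-query -W -f='${Package}\t${Version}\n' tomcat8 libtomcat8-java tomcat9 ...` into `check_installed`; packages absent from the listing are simply not reported, so a host with no Tomcat package produces no findings rather than a false alarm.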