ALAS-2017-873


Amazon Linux AMI Security Advisory: ALAS-2017-873
Advisory Release Date: 2017-08-31 23:16 Pacific
Severity: Important

Issue Overview:

Security constrained bypass in error page mechanism:
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.(CVE-2017-5664 )

Calls to application listeners did not use the appropriate facade object:
A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. (CVE-2017-5648 )

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.(CVE-2017-7674 )


Affected Packages:

tomcat7


Issue Correction:
Run yum update tomcat7 to update your system.

New Packages:
noarch:
    tomcat7-admin-webapps-7.0.79-1.28.amzn1.noarch
    tomcat7-jsp-2.2-api-7.0.79-1.28.amzn1.noarch
    tomcat7-webapps-7.0.79-1.28.amzn1.noarch
    tomcat7-lib-7.0.79-1.28.amzn1.noarch
    tomcat7-7.0.79-1.28.amzn1.noarch
    tomcat7-el-2.2-api-7.0.79-1.28.amzn1.noarch
    tomcat7-servlet-3.0-api-7.0.79-1.28.amzn1.noarch
    tomcat7-docs-webapp-7.0.79-1.28.amzn1.noarch
    tomcat7-log4j-7.0.79-1.28.amzn1.noarch
    tomcat7-javadoc-7.0.79-1.28.amzn1.noarch

src:
    tomcat7-7.0.79-1.28.amzn1.src