Subject: [ASA-201611-22] tomcat6: multiple issues

Arch Linux Security Advisory ASA-201611-22
==========================================

Severity: High
Date    : 2016-11-23
CVE-ID  : CVE-2016-6816 CVE-2016-8735
Package : tomcat6
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-84

Summary
=======

The package tomcat6 before version 6.0.48-1 is vulnerable to multiple
issues including arbitrary code execution and information disclosure.

Resolution
==========

Upgrade to 6.0.48-1.

# pacman -Syu "tomcat6>=6.0.48-1"

The problems have been fixed upstream in version 6.0.48.

Workaround
==========

None.

Description
===========

- CVE-2016-6816 (information disclosure)

The code that parsed the HTTP request line permitted invalid characters.
This could be exploited, in conjunction with a proxy that also permitted
the invalid characters but interpreted them differently, to inject data
into the HTTP response. By manipulating the HTTP response, the attacker
could poison a web cache, perform an XSS attack and/or obtain sensitive
information from requests other than their own. Tomcat 6.0.48 rejects
request lines containing such characters.

- CVE-2016-8735 (arbitrary code execution)

The JmxRemoteLifecycleListener was not updated to take account of
Oracle's fix for CVE-2016-3427. Therefore, Tomcat installations using
this listener remained vulnerable to a similar remote code execution
vulnerability over the JMX/RMI endpoint it exposes. The listener is not
enabled by default: an installation is only affected if its server.xml
contains a <Listener> whose className is
org.apache.catalina.mbeans.JmxRemoteLifecycleListener.

Impact
======

A remote attacker is able to execute arbitrary code and disclose
sensitive information.

References
==========

https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.48
http://www.openwall.com/lists/oss-security/2016/11/22/17
http://www.openwall.com/lists/oss-security/2016/11/22/16
https://security.archlinux.org/CVE-2016-6816
https://security.archlinux.org/CVE-2016-8735
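The CVE-2016-6816 entry in the Description above describes a parser that accepted characters the request-line grammar forbids, so that a proxy and Tomcat could split the same bytes into different requests. The following is an added example, not Tomcat's code and not part of this advisory: a strict request-line check in the shape RFC 7230 prescribes (method SP request-target SP HTTP-version CRLF, printable US-ASCII only) next to a deliberately permissive model parser that splits on any whitespace, plus a helper that flags lines the two would disagree on. The sample lines are constructed, not captured traffic.

```python
from __future__ import annotations
import re

# RFC 7230 "tchar": the only characters allowed in a method token.
TCHAR = frozenset("!#$%&'*+-.^_`|~0123456789"
                  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz")
VERSION_RE = re.compile(rb"^HTTP/[0-9]\.[0-9]$")


def validate_request_line(line: bytes) -> tuple[bool, str]:
    """Strict check: the line must be exactly
    method SP request-target SP HTTP-version CRLF, all printable US-ASCII.
    Returns (ok, reason); a server enforcing this answers 400 on failure."""
    if not line.endswith(b"\r\n"):
        return False, "request line not terminated by CRLF"
    body = line[:-2]
    # Reject every byte outside SP / 0x21-0x7E. This catches TAB, bare CR
    # and LF, NUL and any non-ASCII byte, exactly the bytes a permissive
    # parser would otherwise swallow or treat as a field separator.
    for b in body:
        if not (b == 0x20 or 0x21 <= b <= 0x7E):
            return False, f"invalid byte 0x{b:02x} in request line"
    fields = body.split(b" ")
    if len(fields) != 3:
        return False, f"expected 3 space-separated fields, got {len(fields)}"
    method, target, version = fields
    if not method or any(chr(c) not in TCHAR for c in method):
        return False, "method is not an RFC 7230 token"
    if not target:
        return False, "empty request-target"
    if not VERSION_RE.match(version):
        return False, "malformed HTTP-version"
    return True, "ok"


def lenient_parse(line: bytes) -> tuple[str, str, str] | None:
    """Model of a permissive parser (an assumption for illustration, not a
    copy of any real implementation): any run of ASCII whitespace separates
    fields and non-ASCII bytes are accepted as-is. Returns the three fields
    decoded as latin-1, or None if it still cannot find exactly three."""
    fields = line.split()  # bytes.split() splits on SP, TAB, CR, LF, VT, FF
    if len(fields) != 3:
        return None
    a, b, c = (f.decode("latin-1") for f in fields)
    return a, b, c


def interpretations_differ(line: bytes) -> bool:
    """True when the permissive parser accepts a line the strict one rejects.
    Two hops in a chain that disagree like this are the precondition for the
    response-injection and cache-poisoning scenario in the advisory."""
    strict_ok, _ = validate_request_line(line)
    return lenient_parse(line) is not None and not strict_ok


# Constructed sample lines (not captured traffic).
SAMPLES = {
    "clean":      b"GET /index.html HTTP/1.1\r\n",
    "tab":        b"GET /index.html\tHTTP/1.1\r\n",   # TAB instead of SP
    "non_ascii":  b"GET /caf\xc3\xa9 HTTP/1.1\r\n",    # raw UTF-8 bytes
    "bare_cr":    b"GET /a\rb HTTP/1.1\r\n",           # bare CR in target
    "bad_method": b"G<T / HTTP/1.1\r\n",               # '<' is not a tchar
}

if __name__ == "__main__":
    for name, line in SAMPLES.items():
        ok, reason = validate_request_line(line)
        print(f"{name:10} strict={'accept' if ok else 'reject'} ({reason}); "
              f"lenient={lenient_parse(line)}; "
              f"differ={interpretations_differ(line)}")
```

Running the block prints one row per sample; the "tab" and "non_ascii" lines are the interesting ones, because the permissive parser produces a plausible (method, target, version) triple while the strict check rejects them outright, which is the disagreement the advisory warns about.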
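CVE-2016-8735 only matters on installations that actually configure the JmxRemoteLifecycleListener, so the practical question for an administrator is "is the listener in my server.xml, and is my tomcat6 older than 6.0.48?". The following audit helper is an added example, not Arch or Tomcat code: it parses a server.xml, lists any Listener whose className is the JMX listener, and compares an Arch-style pkgver (pkgver-pkgrel) against the 6.0.48 fix version named in this advisory. The attribute names rmiRegistryPortPlatform and rmiServerPortPlatform are the listener's port settings from the Tomcat documentation; the server.xml fragments are constructed for the example.

```python
from __future__ import annotations
import xml.etree.ElementTree as ET

JMX_LISTENER = "org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
FIXED_6_0 = (6, 0, 48)  # first 6.0.x release with the fix, per the advisory


def parse_version(pkgver: str) -> tuple[int, ...]:
    """'6.0.48-1' (Arch pkgver-pkgrel) or plain '6.0.48' -> (6, 0, 48)."""
    upstream = pkgver.split("-", 1)[0]
    return tuple(int(part) for part in upstream.split("."))


def version_is_fixed(pkgver: str) -> bool | None:
    """True/False for the 6.0.x line covered by this advisory; None for any
    other branch, whose fixed versions are not stated on this page."""
    v = parse_version(pkgver)
    if v[:2] != (6, 0):
        return None
    return v >= FIXED_6_0


def find_jmx_listeners(server_xml: str) -> list[dict[str, str]]:
    """Attributes of every <Listener> whose className is the JMX remote
    listener. An empty list means the listener is not configured and
    CVE-2016-8735 does not apply to this server.xml."""
    root = ET.fromstring(server_xml)
    return [dict(el.attrib) for el in root.iter("Listener")
            if el.get("className") == JMX_LISTENER]


def audit(server_xml: str, pkgver: str) -> dict:
    """Combine both checks. 'exposed' is True only when the listener is
    configured AND the package is a 6.0.x release older than 6.0.48."""
    listeners = find_jmx_listeners(server_xml)
    fixed = version_is_fixed(pkgver)
    return {
        "listener_enabled": bool(listeners),
        "rmi_ports": [(l.get("rmiRegistryPortPlatform"),
                       l.get("rmiServerPortPlatform")) for l in listeners],
        "version_fixed": fixed,
        "exposed": bool(listeners) and fixed is False,
    }


# Constructed server.xml fragments (not from any real deployment).
SAMPLE_WITH_JMX = """
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
            rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

SAMPLE_WITHOUT_JMX = """
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for label, xml in (("with JMX", SAMPLE_WITH_JMX),
                       ("without JMX", SAMPLE_WITHOUT_JMX)):
        for ver in ("6.0.45-1", "6.0.48-1"):
            print(label, ver, audit(xml, ver))
```

On a real host the first argument would be the contents of /etc/tomcat6/server.xml (the Arch path; adjust for other layouts) and the second the output of `pacman -Q tomcat6`. A result with `exposed: True` is the case this advisory's Resolution addresses; `listener_enabled: False` means the RCE issue is not reachable regardless of version, though the request-line issue still calls for the upgrade.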