CVE-2017-5664 Amazon Linux Security Advisory for tomcat7: ALAS-2017-873

Security constrained bypass in error page mechanism:
While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.(CVE-2017-5664 )

Calls to application listeners did not use the appropriate facade object:
A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application. (CVE-2017-5648 )

QID Detection Logic:
This authenticated QID verifies if the version of the following files is lesser than 7.0.79-1.28.amzn1: tomcat7-admin-webapps, tomcat7-jsp-2.2-api, tomcat7-webapps, tomcat7-lib, tomcat7, tomcat7-el-2.2-api, tomcat7-servlet-3.0-api, tomcat7-docs-webapp, tomcat7-log4j, tomcat7-javadoc

Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.

Please refer to Amazon advisory ALAS-2017-873 for affected packages and patching details, or update with your package manager.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

ALAS-2017-873: Amazon Linux (tomcat7 (7.0.79-1.28.amzn1) on src)

ALAS-2017-873: Amazon Linux (tomcat7 (7.0.79-1.28.amzn1) on noarch)