Amazon Linux Security Advisory for tomcat7: AL2012-2016-147

Package updates are available for Amazon Linux that fix the following vulnerabilities: CVE-2016-3092: A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long. 1349468: CVE-2016-3092 tomcat: Usage of vulnerable FileUpload package can result in denial of service CVE-2016-0763: 1311093: CVE-2016-0763 tomcat: security manager bypass via setGlobalContext() The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context. CVE-2016-0714: The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. 1311082: CVE-2016-0714 tomcat: Security Manager bypass via persistence mechanisms CVE-2016-0706: Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application. 1311087: CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet CVE-2015-5351: The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token. 1311076: CVE-2015-5351 tomcat: CSRF token leak CVE-2015-5346: Session fixation vulnerability in Apache Tomcat 7.x before 7.0.66, 8.x before 8.0.30, and 9.x before 9.0.0.M2, when different session settings are used for deployments of multiple versions of the same web application, might allow remote attackers to hijack web sessions by leveraging use of a requestedSessionSSL field for an unintended request, related to CoyoteAdapter.java and Request.java. 1311085: CVE-2015-5346 tomcat: Session fixation CVE-2015-5345: The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.67, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character. 1311089: CVE-2015-5345 tomcat: directory disclosure

Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.

Administrators are advised to apply the appropriate software updates.

Patch:
Following are links for downloading patches to fix the vulnerabilities:

AL2012-2016-147