漏洞类别:Amazon Linux
漏洞等级: 
漏洞信息
Package updates are available for Amazon Linux that fix the following vulnerabilities:
CVE-2016-8735: The JmxRemoteLifecycleListener was not updated to take account of Oracle's fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.
1397485: CVE-2016-8735 tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener
CVE-2016-6816: 1397484: CVE-2016-6816 tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack, or obtain sensitive information from requests other then their own.
CVE-2016-6797: 1390493: CVE-2016-6797 tomcat: unrestricted access to global resources
CVE-2016-6796: 1390515: CVE-2016-6796 tomcat: security manager bypass via JSP Servlet config parameters
CVE-2016-6794: 1390520: CVE-2016-6794 tomcat: system property disclosure
CVE-2016-5018: 1390525: CVE-2016-5018 tomcat: security manager bypass via IntrospectHelper utility function
CVE-2016-0762: 1390526: CVE-2016-0762 tomcat: timing attack in Realm implementation
漏洞危害
Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
解决方案
Administrators are advised to apply the appropriate software updates.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
0day
文章评论