security update in Fedora 24 for tomcat

Status: stable 2 years ago

This update includes a rebase from tomcat 8.0.36 up to 8.0.38, which resolves multiple CVEs and a problem that 8.0.37 introduces for FreeIPA:

  • #1375581 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header
  • #1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws

and includes two additional CVE fixes along with one bug fix:

  • #1383210 - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service
  • #1383216 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation
  • #1370262 - catalina.out is no longer in use in the main package, but still gets rotated

How to install

sudo dnf upgrade --advisory=FEDORA-2016-c1b01b9278

Comments 16

This update has been submitted for testing by csutherl.

This update has been pushed to testing.

This update broke Dogtag PKI setup during FreeIPA server installation:

Configuring certificate server (pki-tomcatd). Estimated time: 3 minutes 30 seconds
  [1/25]: creating certificate server user
  [2/25]: configuring certificate server instance
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL Failed to configure CA instance: Command '/usr/sbin/pkispawn -s CA -f    /tmp/tmp9kNE80' returned non-zero exit status 1
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL See the installation logs and the following files/directories for more information:
ipa.ipaserver.install.cainstance.CAInstance: CRITICAL   /var/log/pki/pki-tomcat
  [error] RuntimeError: CA configuration failed.
 Your system may be partly configured.
Run /usr/sbin/ipa-server-install --uninstall to clean up.

ipa.ipapython.install.cli.install_tool(Replica): ERROR    CA configuration failed.
ipa.ipapython.install.cli.install_tool(Replica): ERROR    The ipa-replica-install command failed. See /var/log/ipareplica-install.log for more information

See also the following cornucopia of stack traces in the pki-tomcat service journal log: https://paste.fedoraproject.org/460589/77394029

Giving negative karma until the issue is fixed on either the tomcat or the dogtag side.

karma: -1

After upgrade a restart of FreeIPA fails. In catalina log I can see there is a missing java class that cannot be found:

25-Oct-2016 14:29:18.278 SEVERE [localhost-startStop-1] org.apache.jasper.security.SecurityClassLoad.securityClassLoad SecurityClassLoad
 java.lang.ClassNotFoundException: org.apache.jasper.runtime.JspRuntimeLibrary$PrivilegedIntrospectHelper
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
    at org.apache.jasper.security.SecurityClassLoad.securityClassLoad(SecurityClassLoad.java:47)
    at org.apache.jasper.servlet.JasperInitializer.<clinit>(JasperInitializer.java:52)
    at java.lang.Class.forName0(Native Method)
    at java.lang.Class.forName(Class.java:348)
    at org.apache.catalina.startup.WebappServiceLoader.loadServices(WebappServiceLoader.java:186)
    at org.apache.catalina.startup.WebappServiceLoader.load(WebappServiceLoader.java:157)
    at org.apache.catalina.startup.ContextConfig.processServletContainerInitializers(ContextConfig.java:1631)
    at org.apache.catalina.startup.ContextConfig.webConfig(ContextConfig.java:1140)
    at org.apache.catalina.startup.ContextConfig.configureStart(ContextConfig.java:783)
    at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:307)
    at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:95)
    at org.apache.catalina.util.LifecycleBase.fireLifecycleEvent(LifecycleBase.java:90)
    at org.apache.catalina.core.StandardContext.startInternal(StandardContext.java:5213)
    at org.apache.catalina.util.LifecycleBase.start(LifecycleBase.java:145)
    at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:725)
    at org.apache.catalina.core.ContainerBase.access$000(ContainerBase.java:131)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:153)
    at org.apache.catalina.core.ContainerBase$PrivilegedAddChild.run(ContainerBase.java:143)
    at java.security.AccessController.doPrivileged(Native Method)
    at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:699)
    at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:717)
    at org.apache.catalina.startup.HostConfig.deployDescriptor(HostConfig.java:587)
    at org.apache.catalina.startup.HostConfig$DeployDescriptor.run(HostConfig.java:1798)
    at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
    at java.lang.Thread.run(Thread.java:745)
karma: -1

Note that the only java packages upgraded were from tomcat:

Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Upgrading   : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch                                                 1/12 
  Upgrading   : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch                                                      2/12 
  Upgrading   : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch                                                     3/12 
  Upgrading   : tomcat-lib-1:8.0.37-3.fc24.noarch                                                             4/12 
  Upgrading   : tomcat-1:8.0.37-3.fc24.noarch                                                                 5/12 
  Upgrading   : pcre-8.39-6.fc24.x86_64                                                                       6/12 
  Cleanup     : tomcat-1:8.0.36-2.fc24.noarch                                                                 7/12 
  Cleanup     : tomcat-lib-1:8.0.36-2.fc24.noarch                                                             8/12 
  Cleanup     : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch                                                     9/12 
  Cleanup     : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch                                                     10/12 
  Cleanup     : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch                                                11/12 
  Cleanup     : pcre-8.39-5.fc24.x86_64                                                                      12/12 
  Verifying   : pcre-8.39-6.fc24.x86_64                                                                       1/12 
  Verifying   : tomcat-1:8.0.37-3.fc24.noarch                                                                 2/12 
  Verifying   : tomcat-lib-1:8.0.37-3.fc24.noarch                                                             3/12 
  Verifying   : tomcat-el-3.0-api-1:8.0.37-3.fc24.noarch                                                      4/12 
  Verifying   : tomcat-jsp-2.3-api-1:8.0.37-3.fc24.noarch                                                     5/12 
  Verifying   : tomcat-servlet-3.1-api-1:8.0.37-3.fc24.noarch                                                 6/12 
  Verifying   : tomcat-servlet-3.1-api-1:8.0.36-2.fc24.noarch                                                 7/12 
  Verifying   : tomcat-1:8.0.36-2.fc24.noarch                                                                 8/12 
  Verifying   : tomcat-el-3.0-api-1:8.0.36-2.fc24.noarch                                                      9/12 
  Verifying   : tomcat-jsp-2.3-api-1:8.0.36-2.fc24.noarch                                                    10/12 
  Verifying   : tomcat-lib-1:8.0.36-2.fc24.noarch                                                            11/12 
  Verifying   : pcre-8.39-5.fc24.x86_64                                                                      12/12

  pcre.x86_64 8.39-6.fc24                               tomcat.noarch 1:8.0.37-3.fc24                             
  tomcat-el-3.0-api.noarch 1:8.0.37-3.fc24              tomcat-jsp-2.3-api.noarch 1:8.0.37-3.fc24                 
  tomcat-lib.noarch 1:8.0.37-3.fc24                     tomcat-servlet-3.1-api.noarch 1:8.0.37-3.fc24

[root@f24-master ~]# ipactl stop
Stopping ipa-dnskeysyncd Service
Stopping ipa-otpd Service
Stopping winbind Service
Stopping smb Service
Stopping pki-tomcatd Service
Stopping ntpd Service
Stopping ipa-custodia Service
Stopping httpd Service
Stopping ipa_memcached Service
Stopping named Service
Stopping kadmin Service
Stopping krb5kdc Service
Stopping Directory Service
ipa: INFO: The ipactl command was successful
[root@f24-master ~]# ipactl start
Starting Directory Service
    debugging enabled, suppressing output.
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service
Failed to start pki-tomcatd Service
Shutting down
Hint: You can use --ignore-service-failure option for forced start in case that a non-critical service failed
Aborting ipactl

Corresponding Apache bug: https://bz.apache.org/bugzilla/show_bug.cgi?id=60101

So we need to get 8.0.38 packaged.

Thanks for pinning that down @abbra; I'll rebase to 8.0.38 asap.

csutherl edited this update.

New build(s):

  • tomcat-8.0.38-1.fc24

Removed build(s):

  • tomcat-8.0.37-3.fc24

This update has been submitted for testing by csutherl.

Is it possible to remove the tomcat-8.0.37-3.fc24 package from updates-testing?

I was under the impression that adding a new build would remove the old one, but maybe that isn't the case. I do see that this update is pending the push to testing, so maybe when that happens the old build will be removed. I'm going to wait and see what happens when this update is pushed to testing. If it doesn't resolve it, I'll try untagging the 8.0.37-3 build.

This update has been pushed to testing.

csutherl edited this update.

This update has reached 7 days in testing and can be pushed to stable now if the maintainer wishes.

This update has been submitted for stable by csutherl.

This update has been pushed to stable.

stable threshold: 3
unstable threshold: -3
submitted 2 years ago
in testing 2 years ago
in stable 2 years ago
modified 2 years ago

Related Bugs 5

  • #1370262 - catalina.out is no longer in use in the main package, but still gets rotated
  • #1375581 - CVE-2016-5388 Tomcat: CGI sets environmental variable based on user supplied Proxy request header [fedora-all]
  • #1383210 - CVE-2016-5425 tomcat: Local privilege escalation via systemd-tmpfiles service [fedora-all]
  • #1383216 - CVE-2016-6325 tomcat: tomcat writable config files allow privilege escalation [fedora-all]
  • #1390532 - CVE-2016-0762 CVE-2016-5018 CVE-2016-6794 CVE-2016-6796 CVE-2016-6797 tomcat: various flaws [fedora-all]
