Amazon Linux AMI update for tomcat7
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 2 |
| CVE-ID | CVE-2017-5664 CVE-2017-5648 |
| CWE-ID | CWE-20 CWE-284 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
Amazon Linux AMI Operating systems & Components / Operating system |
| Vendor | Amazon Web Services |
Security Bulletin
This security bulletin contains information about 2 vulnerabilities.
1) Security bypass
EUVDB-ID: #VU6950
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-5664
CWE-ID:
CWE-20 - Improper input validation
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to improper handling of certain HTTP request methods for static error pages in Default Servlet. A remote attacker can bypass HTTP method restrictions and cause the error page to be deleted or replaced.
Successful exploitation of the vulnerability results in information modification.
Update the affected packages.
noarch:Vulnerable software versions
tomcat7-admin-webapps-7.0.79-1.28.amzn1.noarch
tomcat7-jsp-2.2-api-7.0.79-1.28.amzn1.noarch
tomcat7-webapps-7.0.79-1.28.amzn1.noarch
tomcat7-lib-7.0.79-1.28.amzn1.noarch
tomcat7-7.0.79-1.28.amzn1.noarch
tomcat7-el-2.2-api-7.0.79-1.28.amzn1.noarch
tomcat7-servlet-3.0-api-7.0.79-1.28.amzn1.noarch
tomcat7-docs-webapp-7.0.79-1.28.amzn1.noarch
tomcat7-log4j-7.0.79-1.28.amzn1.noarch
tomcat7-javadoc-7.0.79-1.28.amzn1.noarch
src:
tomcat7-7.0.79-1.28.amzn1.src
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-873.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
2) Security restrictions bypass
EUVDB-ID: #VU6675
Risk: Low
CVSSv4.0: 2.7 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2017-5648
CWE-ID:
CWE-284 - Improper Access Control
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to bypass security restrictions on the target system.
The weakness exists due to the failure to use the appropriate facade object by certain application listener calls. A remote attacker can access and modify arbitrary data.
Update the affected packages.
noarch:Vulnerable software versions
tomcat7-admin-webapps-7.0.79-1.28.amzn1.noarch
tomcat7-jsp-2.2-api-7.0.79-1.28.amzn1.noarch
tomcat7-webapps-7.0.79-1.28.amzn1.noarch
tomcat7-lib-7.0.79-1.28.amzn1.noarch
tomcat7-7.0.79-1.28.amzn1.noarch
tomcat7-el-2.2-api-7.0.79-1.28.amzn1.noarch
tomcat7-servlet-3.0-api-7.0.79-1.28.amzn1.noarch
tomcat7-docs-webapp-7.0.79-1.28.amzn1.noarch
tomcat7-log4j-7.0.79-1.28.amzn1.noarch
tomcat7-javadoc-7.0.79-1.28.amzn1.noarch
src:
tomcat7-7.0.79-1.28.amzn1.src
Amazon Linux AMI: All versions
CPE2.3 External linkshttps://alas.aws.amazon.com/ALAS-2017-873.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
