Rapid7 Vulnerability & Exploit Database

RHSA-2006:0161: RHAPS security and enhancement update

Back to Search

RHSA-2006:0161: RHAPS security and enhancement update

Severity
5
CVSS
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published
11/06/2005
Created
07/25/2018
Added
11/26/2007
Modified
07/04/2017

Description

Red Hat Application Server Release 2 Update 1 is now available. This update contains an upgrade of several RHAPS components to newer releases, including JOnAS 4.6.3, Tomcat 5.5.12 and Struts 1.2.8. This update has been rated as having moderate security impact by the Red Hat Security Response Team.

Red Hat Application Server packages provide a J2EE Application Server and Web container as well as the underlying Java stack. A denial of service flaw was found in the way Apache Tomcat displays directory listings. A remote attacker could cause Tomcat to consume large amounts of CPU resources by sending multiple requests for a directory containing a large number of files. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3510 to this issue. This update contains a version of Apache Tomcat that will recover after the aforementioned attack. Users are also advised to disable directory listing for web directories that contain very large numbers of files. A cross-site scripting flaw was found in the way Struts displays error pages. It may be possible for an attacker to construct a specially crafted URL which could fool a victim into believing they are viewing a trusted site. The Common Vulnerabilities and Exposures project has assigned the name CVE-2005-3745 to this issue. Please note that this issue does not affect Struts running on Tomcat or JOnAS, which is our supported usage of Struts. Additionally, this update replaces some other outdated packages with new versions. Several bug fixes and enhancements are included in these new versions. IMPORTANT: Before applying this update, read the detailed installation/upgrade instructions in the RELEASE_NOTES document. All users of Red Hat Application Server should upgrade to these updated packages, which contain packages that are not vulnerable to these issues.

Solution(s)

  • redhat-upgrade-ant-antlr
  • redhat-upgrade-ant-apache-bcel
  • redhat-upgrade-ant-apache-bsf
  • redhat-upgrade-ant-apache-log4j
  • redhat-upgrade-ant-apache-oro
  • redhat-upgrade-ant-apache-regexp
  • redhat-upgrade-ant-apache-resolver
  • redhat-upgrade-ant-commons-logging
  • redhat-upgrade-ant-commons-net
  • redhat-upgrade-ant-javadoc
  • redhat-upgrade-ant-javamail
  • redhat-upgrade-ant-jdepend
  • redhat-upgrade-ant-jmf
  • redhat-upgrade-ant-jsch
  • redhat-upgrade-ant-junit
  • redhat-upgrade-ant-manual
  • redhat-upgrade-ant-nodeps
  • redhat-upgrade-ant-scripts
  • redhat-upgrade-ant-swing
  • redhat-upgrade-ant-trax
  • redhat-upgrade-avalon-logkit-javadoc
  • redhat-upgrade-axis-javadoc
  • redhat-upgrade-axis-manual
  • redhat-upgrade-c-jdbc
  • redhat-upgrade-c-jdbc-javadoc
  • redhat-upgrade-carol
  • redhat-upgrade-carol-irmi
  • redhat-upgrade-carol-irmi-javadoc
  • redhat-upgrade-carol-javadoc
  • redhat-upgrade-classpathx-jaf-javadoc
  • redhat-upgrade-classpathx-mail-javadoc
  • redhat-upgrade-ews-mapper
  • redhat-upgrade-ews-mapper-javadoc
  • redhat-upgrade-geronimo-corba-2-3-apis
  • redhat-upgrade-geronimo-jacc-1-0-api
  • redhat-upgrade-geronimo-jaf-1-0-2-api
  • redhat-upgrade-geronimo-javamail-1-3-1-api
  • redhat-upgrade-geronimo-jaxr-1-0-api
  • redhat-upgrade-geronimo-jaxrpc-1-1-api
  • redhat-upgrade-geronimo-qname-1-1-api
  • redhat-upgrade-geronimo-saaj-1-1-api
  • redhat-upgrade-howl-logger
  • redhat-upgrade-howl-logger-javadoc
  • redhat-upgrade-ishmael
  • redhat-upgrade-jacorb
  • redhat-upgrade-jacorb-demo
  • redhat-upgrade-jacorb-javadoc
  • redhat-upgrade-jacorb-manual
  • redhat-upgrade-jonas
  • redhat-upgrade-jonas-client
  • redhat-upgrade-jonas-docs
  • redhat-upgrade-jonas-examples
  • redhat-upgrade-jonathan-jeremie
  • redhat-upgrade-jonathan-jeremie-javadoc
  • redhat-upgrade-joram
  • redhat-upgrade-joram-adapter
  • redhat-upgrade-joram-adapter-remote
  • redhat-upgrade-joram-for-jonas
  • redhat-upgrade-joram-javadoc
  • redhat-upgrade-jorm
  • redhat-upgrade-jorm-javadoc
  • redhat-upgrade-jorm-rdb-adapter
  • redhat-upgrade-jorm-rdb-adapter-javadoc
  • redhat-upgrade-jotm
  • redhat-upgrade-jotm-demo
  • redhat-upgrade-jotm-javadoc
  • redhat-upgrade-jotm-manual
  • redhat-upgrade-log4j-javadoc
  • redhat-upgrade-log4j-manual
  • redhat-upgrade-medor
  • redhat-upgrade-medor-expression
  • redhat-upgrade-medor-expression-javadoc
  • redhat-upgrade-medor-javadoc
  • redhat-upgrade-mx4j-javadoc
  • redhat-upgrade-mx4j-manual
  • redhat-upgrade-objectweb-emb
  • redhat-upgrade-objectweb-emb-api
  • redhat-upgrade-objectweb-emb-javadoc
  • redhat-upgrade-objectweb-emb-plugins
  • redhat-upgrade-octopus
  • redhat-upgrade-opensaml
  • redhat-upgrade-opensaml-javadoc
  • redhat-upgrade-perseus-cache
  • redhat-upgrade-perseus-cache-javadoc
  • redhat-upgrade-perseus-persistence
  • redhat-upgrade-perseus-persistence-javadoc
  • redhat-upgrade-rh-jonas-docs
  • redhat-upgrade-servletapi3
  • redhat-upgrade-servletapi3-javadoc
  • redhat-upgrade-servletapi4
  • redhat-upgrade-servletapi4-javadoc
  • redhat-upgrade-speedo
  • redhat-upgrade-speedo-client
  • redhat-upgrade-speedo-for-jonas
  • redhat-upgrade-speedo-javadoc
  • redhat-upgrade-speedo-weblogic
  • redhat-upgrade-struts
  • redhat-upgrade-struts-javadoc
  • redhat-upgrade-struts-manual
  • redhat-upgrade-struts-webapps-tomcat3
  • redhat-upgrade-struts-webapps-tomcat4
  • redhat-upgrade-struts-webapps-tomcat5
  • redhat-upgrade-tomcat5
  • redhat-upgrade-tomcat5-admin-webapps
  • redhat-upgrade-tomcat5-common-lib
  • redhat-upgrade-tomcat5-jasper
  • redhat-upgrade-tomcat5-jasper-javadoc
  • redhat-upgrade-tomcat5-jsp-2-0-api
  • redhat-upgrade-tomcat5-jsp-2-0-api-javadoc
  • redhat-upgrade-tomcat5-server-lib
  • redhat-upgrade-tomcat5-servlet-2-4-api
  • redhat-upgrade-tomcat5-servlet-2-4-api-javadoc
  • redhat-upgrade-tomcat5-webapps
  • redhat-upgrade-tribe
  • redhat-upgrade-tribe-demo
  • redhat-upgrade-tribe-javadoc
  • redhat-upgrade-ws-fx-addressing
  • redhat-upgrade-ws-fx-addressing-javadoc
  • redhat-upgrade-wss4j
  • redhat-upgrade-wss4j-javadoc
  • redhat-upgrade-xdoclet
  • redhat-upgrade-xdoclet-javadoc
  • redhat-upgrade-xdoclet-manual
  • redhat-upgrade-xerces-j2-demo
  • redhat-upgrade-xerces-j2-javadoc-apis
  • redhat-upgrade-xerces-j2-javadoc-impl
  • redhat-upgrade-xerces-j2-javadoc-other
  • redhat-upgrade-xerces-j2-javadoc-xni
  • redhat-upgrade-xerces-j2-scripts
  • redhat-upgrade-xml-commons-apis-javadoc
  • redhat-upgrade-xml-commons-apis-manual
  • redhat-upgrade-xml-commons-which
  • redhat-upgrade-xml-commons-which-javadoc
  • redhat-upgrade-xml-security
  • redhat-upgrade-xml-security-demo
  • redhat-upgrade-xml-security-javadoc

With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.

– Scott Cheney, Manager of Information Security, Sierra View Medical Center

;