Revision Date: | 2020-12-01 | Version: | 1 |
Title: | Security update for tomcat (Important) |
Description: |
This update for tomcat fixes the following issues:
CVE-2020-9484 (bsc#1171928) Apache Tomcat Remote Code Execution via session persistence
If an attacker was able to control the contents and name of a file on a server configured to use the PersistenceManager, then the attacker could have triggered a remote code execution via deserialization of the file under their control.
CVE-2019-12418 (bsc#1159723) Local privilege escalation by manipulating the RMI registry and performing a man-in-the-middle attack
When Tomcat is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files was able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker could then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
CVE-2019-0221 (bsc#1136085) The SSI printenv command echoed user provided data without escaping, which made it vulnerable to XSS.
CVE-2019-17563 (bsc#1159729) When using FORM authentication there was a narrow window where an attacker could perform a session fixation attack.
CVE-2019-17569 (bsc#1164825) Invalid Transfer-Encoding headers were incorrectly processed leading to a possibility of HTTP Request Smuggling if Tomcat was located behind a reverse proxy that incorrectly handled the invalid Transfer-Encoding header.
|
Family: | unix | Class: | patch |
Status: | | Reference(s): |
|
Platform(s): | openSUSE Leap 15.0 openSUSE Leap 15.1 SUSE Linux Enterprise Server 12 SP2-BCL SUSE Linux Enterprise Server 12 SP2-ESPOS SUSE Linux Enterprise Server 12 SP3 SUSE Linux Enterprise Server 12 SP3-BCL SUSE Linux Enterprise Server 12 SP3-ESPOS SUSE Linux Enterprise Server 12 SP3-LTSS SUSE Linux Enterprise Server 12 SP3-TERADATA SUSE Linux Enterprise Server 12 SP4 SUSE OpenStack Cloud 8 SUSE OpenStack Cloud Crowbar 8 SUSE OpenStack Cloud Crowbar 9
| Product(s): | |
Definition Synopsis |
openSUSE Leap 15.0 is installed
AND Package Information
libxcb-composite0-1.13-lp150.1 is installed
OR libxcb-damage0-1.13-lp150.1 is installed
OR libxcb-dpms0-1.13-lp150.1 is installed
OR libxcb-dri2-0-1.13-lp150.1 is installed
OR libxcb-dri3-0-1.13-lp150.1 is installed
OR libxcb-glx0-1.13-lp150.1 is installed
OR libxcb-present0-1.13-lp150.1 is installed
OR libxcb-randr0-1.13-lp150.1 is installed
OR libxcb-record0-1.13-lp150.1 is installed
OR libxcb-render0-1.13-lp150.1 is installed
OR libxcb-res0-1.13-lp150.1 is installed
OR libxcb-shape0-1.13-lp150.1 is installed
OR libxcb-shm0-1.13-lp150.1 is installed
OR libxcb-sync1-1.13-lp150.1 is installed
OR libxcb-xfixes0-1.13-lp150.1 is installed
OR libxcb-xinerama0-1.13-lp150.1 is installed
OR libxcb-xinput0-1.13-lp150.1 is installed
OR libxcb-xkb1-1.13-lp150.1 is installed
OR libxcb-xv0-1.13-lp150.1 is installed
OR libxcb1-1.13-lp150.1 is installed
|
Definition Synopsis |
openSUSE Leap 15.1 is installed
AND Package Information
libjavascriptcoregtk-4_0-18-2.24.2-lp151.2.3 is installed
OR libjavascriptcoregtk-4_0-18-32bit-2.24.2-lp151.2.3 is installed
OR libwebkit2gtk-4_0-37-2.24.2-lp151.2.3 is installed
OR libwebkit2gtk-4_0-37-32bit-2.24.2-lp151.2.3 is installed
OR libwebkit2gtk3-lang-2.24.2-lp151.2.3 is installed
OR typelib-1_0-JavaScriptCore-4_0-2.24.2-lp151.2.3 is installed
OR typelib-1_0-WebKit2-4_0-2.24.2-lp151.2.3 is installed
OR typelib-1_0-WebKit2WebExtension-4_0-2.24.2-lp151.2.3 is installed
OR webkit-jsc-4-2.24.2-lp151.2.3 is installed
OR webkit2gtk-4_0-injected-bundles-2.24.2-lp151.2.3 is installed
OR webkit2gtk3-2.24.2-lp151.2.3 is installed
OR webkit2gtk3-devel-2.24.2-lp151.2.3 is installed
OR webkit2gtk3-minibrowser-2.24.2-lp151.2.3 is installed
OR webkit2gtk3-plugin-process-gtk2-2.24.2-lp151.2.3 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2-BCL is installed
AND Package Information
tomcat-8.0.53-29.27 is installed
OR tomcat-admin-webapps-8.0.53-29.27 is installed
OR tomcat-docs-webapp-8.0.53-29.27 is installed
OR tomcat-el-3_0-api-8.0.53-29.27 is installed
OR tomcat-javadoc-8.0.53-29.27 is installed
OR tomcat-jsp-2_3-api-8.0.53-29.27 is installed
OR tomcat-lib-8.0.53-29.27 is installed
OR tomcat-servlet-3_1-api-8.0.53-29.27 is installed
OR tomcat-webapps-8.0.53-29.27 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP2-ESPOS is installed
AND Package Information
MozillaFirefox-52.9.0esr-109.38 is installed
OR MozillaFirefox-devel-52.9.0esr-109.38 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3 is installed
AND Package Information
libapr-util1-1.5.3-1 is installed
OR libapr-util1-dbd-sqlite3-1.5.3-1 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-BCL is installed
AND Package Information
libsolv-0.6.36-2.27.19 is installed
OR libsolv-tools-0.6.36-2.27.19 is installed
OR libzypp-16.20.2-27.60 is installed
OR perl-solv-0.6.36-2.27.19 is installed
OR python-solv-0.6.36-2.27.19 is installed
OR zypper-1.13.54-18.40 is installed
OR zypper-log-1.13.54-18.40 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-ESPOS is installed
AND Package Information
java-1_8_0-ibm-1.8.0_sr5.40-30.54 is installed
OR java-1_8_0-ibm-alsa-1.8.0_sr5.40-30.54 is installed
OR java-1_8_0-ibm-plugin-1.8.0_sr5.40-30.54 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-LTSS is installed
AND Package Information
MozillaFirefox-60.9.0-109.86 is installed
OR MozillaFirefox-translations-common-60.9.0-109.86 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP3-TERADATA is installed
AND shadow-4.2.1-27.19 is installed
|
Definition Synopsis |
SUSE Linux Enterprise Server 12 SP4 is installed
AND Package Information
file-5.22-10.6 is installed
OR file-magic-5.22-10.6 is installed
OR libmagic1-5.22-10.6 is installed
OR libmagic1-32bit-5.22-10.6 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud 8 is installed
AND Package Information
git-2.12.3-27.22 is installed
OR git-core-2.12.3-27.22 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud Crowbar 8 is installed
AND Package Information
libpolkit0-0.113-5.18 is installed
OR polkit-0.113-5.18 is installed
OR typelib-1_0-Polkit-1_0-0.113-5.18 is installed
|
Definition Synopsis |
SUSE OpenStack Cloud Crowbar 9 is installed
AND Package Information
LibVNCServer-0.9.9-17.31 is installed
OR libvncclient0-0.9.9-17.31 is installed
OR libvncserver0-0.9.9-17.31 is installed
|