Bug 986359 - (CVE-2016-3092) VUL-0: CVE-2016-3092: tomcat6,tomcat5,tomcat: Usage of vulnerable FileUpload package can result in denial of service
(CVE-2016-3092)
VUL-0: CVE-2016-3092: tomcat6,tomcat5,tomcat: Usage of vulnerable FileUpload ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/170470/
CVSSv2:SUSE:CVE-2016-3092:4.3:(AV:N/A...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-06-24 06:37 UTC by Marcus Meissner
Modified: 2018-08-23 16:08 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2016-06-24 06:37:51 UTC
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-7.html

Upstream fixes:

Tomcat 8.5.x:

http://svn.apache.org/viewvc?view=revision&revision=1743722

Tomcat 8.0.x:

http://svn.apache.org/viewvc?view=revision&revision=1743738

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1349468

(we need to check if 7 and 5 are also affected, I am currently assuming yes)
Comment 1 Marcus Meissner 2016-06-24 06:47:02 UTC
tomcat7 (SUSE:SLE-12:Update) has similar code
tomcat6 (SUSE:SLE-11:Update) has similar code

tomcat5 does not seem to have the fileupload code embedded.
Comment 3 Swamp Workflow Management 2016-06-24 22:00:13 UTC
bugbot adjusting priority
Comment 4 Matei Albu 2016-07-08 13:37:42 UTC
According to http://www.mail-archive.com/announce@tomcat.apache.org/msg00212.html Tomcat 6 is not affected by this vulnerability.
Comment 7 Swamp Workflow Management 2016-08-30 11:10:17 UTC
SUSE-SU-2016:2188-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 986359,988489
CVE References: CVE-2016-3092,CVE-2016-5388
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    tomcat-8.0.32-8.7
Comment 8 Swamp Workflow Management 2016-09-06 19:10:00 UTC
openSUSE-SU-2016:2252-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 986359,988489
CVE References: CVE-2016-3092,CVE-2016-5388
Sources used:
openSUSE Leap 42.1 (src):    tomcat-8.0.32-8.1
Comment 9 Swamp Workflow Management 2017-06-23 13:11:18 UTC
SUSE-SU-2017:1660-1: An update that fixes 12 vulnerabilities is now available.

Category: security (important)
Bug References: 1007853,1007854,1007855,1007857,1007858,1011805,1011812,1015119,1033447,1033448,986359,988489
CVE References: CVE-2016-0762,CVE-2016-3092,CVE-2016-5018,CVE-2016-5388,CVE-2016-6794,CVE-2016-6796,CVE-2016-6797,CVE-2016-6816,CVE-2016-8735,CVE-2016-8745,CVE-2017-5647,CVE-2017-5648
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    tomcat-7.0.78-7.13.4
SUSE Linux Enterprise Server 12-LTSS (src):    tomcat-7.0.78-7.13.4
Comment 10 Marcus Meissner 2017-07-03 13:21:59 UTC
released