RHSA-2017:3114: Important: Red Hat JBoss Web Server security and bug fix update
The httpd packages provide the Apache HTTP Server, a powerful, efficient, and extensible web server.

OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength general-purpose cryptography library.

Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.

This release provides an update to httpd, OpenSSL and Tomcat 6/7 for Red Hat JBoss Web Server 2. The updates are documented in the Release Notes document linked to in the References.

This release of Red Hat JBoss Web Server 2.1.2 Service Pack 2 serves as an update for Red Hat JBoss Web Server 2, and includes bug fixes, which are documented in the Release Notes document linked to in the References.

Users of Red Hat JBoss Web Server 2 should upgrade to these updated packages, which resolve several security issues.

Security Fix(es):

* It was discovered that httpd's mod_auth_digest module did not properly initialize memory before using it when processing certain headers related to digest authentication. A remote attacker could possibly use this flaw to disclose potentially sensitive information or cause the httpd child process to crash by sending specially crafted requests to a server. (CVE-2017-9788)
* A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution. (CVE-2017-12615)
* A vulnerability was discovered in Tomcat where if a servlet context was configured with readonly=false and HTTP PUT requests were allowed, an attacker could upload a JSP file to that context and achieve code execution. (CVE-2017-12617)
* A flaw was found in the way the DES/3DES cipher was used as part of the TLS/SSL protocol. A man-in-the-middle attacker could use this flaw to recover some plaintext data by capturing large amounts of encrypted traffic between a TLS/SSL server and client if the communication used a DES/3DES based ciphersuite. (CVE-2016-2183)
* A use-after-free flaw was found in the way httpd handled invalid and previously unregistered HTTP methods specified in the Limit directive used in an .htaccess file. A remote attacker could possibly use this flaw to disclose portions of the server memory, or cause the httpd child process to crash. (CVE-2017-9798)

Red Hat would like to thank OpenVPN for reporting CVE-2016-2183 and Hanno Böck for reporting CVE-2017-9798. Upstream acknowledges Karthikeyan Bhargavan (Inria) and Gaëtan Leurent (Inria) as the original reporters of CVE-2016-2183.

Bug Fix(es):

* Corruption in nodestatsmem in multiple core dumps, but in different functions of each core dump. (BZ#1338640)
* mod_cluster segfaults in process_info() due to a wrongly generated assembler instruction movslq. (BZ#1448709)
* CRL checking of very large CRLs fails with OpenSSL 1.0.2. (BZ#1493075)
* The jboss-ews-application-servers zip README contains an incomplete description of fixed CVEs. (BZ#1497953)
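Three of the fixes above only matter when the deployment is configured a particular way: a Tomcat DefaultServlet with readonly=false (CVE-2017-12615/12617), a <Limit> block naming a method httpd does not register (CVE-2017-9798), and an SSLCipherSuite that still admits 3DES (CVE-2016-2183). The script below is an added example, not part of this advisory and not code from Red Hat, Apache httpd, Tomcat or OpenSSL; it audits constructed sample snippets of conf/web.xml, an .htaccess file and an SSLCipherSuite string for those three conditions so an administrator can tell whether patching alone closes the exposure or the configuration also needs changing. The set of "registered" method names and the list of OpenSSL cipher aliases that can expand to 3DES are assumptions stated in the code; the cipher check is a string heuristic, and the authoritative answer comes from `openssl ciphers -v '<string>'` on the server itself.

```python
"""Configuration audit for the three configuration-dependent issues in RHSA-2017:3114.
Example code only: sample inputs below are constructed for illustration."""
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Tomcat conf/web.xml fragment with a writable DefaultServlet.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>debug</param-name><param-value>0</param-value></init-param>
    <init-param><param-name>readonly</param-name><param-value>false</param-value></init-param>
  </servlet>
</web-app>"""

# Constructed sample .htaccess: "OPTION" is a typo for OPTIONS and is not a registered method.
SAMPLE_HTACCESS = """AuthType Basic
AuthName "restricted"
<Limit GET POST OPTION>
    Require valid-user
</Limit>
"""

# Constructed sample SSLCipherSuite value (HIGH expands to 3DES suites on OpenSSL 1.0.2).
SAMPLE_SSL_CIPHER_SUITE = "HIGH:!aNULL:!MD5"


def _local(tag):
    """Strip an XML namespace prefix such as {http://java.sun.com/xml/ns/javaee}."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_writable(web_xml):
    """CVE-2017-12615/12617: True when Tomcat's DefaultServlet has readonly=false.
    Tomcat's built-in default is readonly=true, so a missing init-param is safe."""
    root = ET.fromstring(web_xml)
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        cls = "".join(c.text or "" for c in servlet if _local(c.tag) == "servlet-class")
        if not cls.strip().endswith("DefaultServlet"):
            continue
        for param in (p for p in servlet if _local(p.tag) == "init-param"):
            fields = {_local(c.tag): (c.text or "").strip() for c in param}
            if fields.get("param-name") == "readonly" and fields.get("param-value", "").lower() == "false":
                return True
    return False


# Assumption: methods registered by httpd core and mod_dav (RFC 7231 plus WebDAV/DeltaV).
# httpd matches method names case-sensitively, so the comparison below is case-sensitive too.
REGISTERED_METHODS = {
    "GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH",
    "PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK",
    "VERSION-CONTROL", "CHECKOUT", "UNCHECKOUT", "CHECKIN", "UPDATE", "LABEL",
    "REPORT", "MKWORKSPACE", "MKACTIVITY", "BASELINE-CONTROL", "MERGE",
}
_LIMIT_RE = re.compile(r"<Limit(?:Except)?\s+([^>]+)>", re.IGNORECASE)


def unregistered_limit_methods(apache_conf):
    """CVE-2017-9798: method names inside <Limit>/<LimitExcept> that httpd does not register."""
    return [m for match in _LIMIT_RE.finditer(apache_conf)
            for m in match.group(1).split() if m not in REGISTERED_METHODS]


# Assumption: cipher-list aliases that can expand to 3DES suites (HIGH on OpenSSL 1.0.2,
# MEDIUM on later releases); any explicit suite name containing 3DES or DES-CBC3 also counts.
_ALIASES_WITH_3DES = {"ALL", "DEFAULT", "COMPLEMENTOFDEFAULT", "HIGH", "MEDIUM", "3DES"}


def cipher_string_allows_3des(ssl_cipher_suite):
    """CVE-2016-2183 (SWEET32): True when the SSLCipherSuite string may still enable 3DES.
    Processes the list in order: '!3DES' removes the suites permanently, '-3DES' removes them
    until a later alias adds them back, '+' entries only reorder and are ignored."""
    tokens = [t for t in re.split(r"[:,\s]+", ssl_cipher_suite) if t]
    allowed = False
    for token in tokens:
        upper = token.upper()
        if upper == "!3DES":
            return False
        if upper.startswith("+"):
            continue
        name = upper.lstrip("-")
        if "3DES" in name or "DES-CBC3" in name or name in _ALIASES_WITH_3DES:
            allowed = not upper.startswith("-")
    return allowed


def audit(web_xml, apache_conf, ssl_cipher_suite):
    """Return the list of findings (empty list means the configuration needs no change)."""
    findings = []
    if default_servlet_writable(web_xml):
        findings.append("DefaultServlet readonly=false: set readonly=true unless PUT/DELETE "
                        "uploads are genuinely required (CVE-2017-12615/12617)")
    bad = unregistered_limit_methods(apache_conf)
    if bad:
        findings.append("unregistered method(s) in <Limit>: %s (CVE-2017-9798)" % ", ".join(bad))
    if cipher_string_allows_3des(ssl_cipher_suite):
        findings.append("SSLCipherSuite may enable 3DES: append !3DES and re-check with "
                        "'openssl ciphers -v' (CVE-2016-2183)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_WEB_XML, SAMPLE_HTACCESS, SAMPLE_SSL_CIPHER_SUITE):
        print("FINDING:", finding)
```

Against the constructed samples the script reports all three findings; pointing `default_servlet_writable` at the real conf/web.xml and each application's WEB-INF/web.xml, and `unregistered_limit_methods` at every .htaccess and httpd.conf fragment on the host, turns it into a one-shot check that the update's configuration-dependent fixes are not being undone locally.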
Frequently Asked Questions
What is the severity of RHSA-2017:3114?
The severity of RHSA-2017:3114 is classified as important.
How do I fix RHSA-2017:3114?
To fix RHSA-2017:3114, update the httpd, OpenSSL and Tomcat packages to the versions provided by this Red Hat JBoss Web Server 2 update.
What vulnerabilities does RHSA-2017:3114 address?
RHSA-2017:3114 addresses multiple security vulnerabilities in the Apache HTTP Server, OpenSSL and Apache Tomcat, including potential denial of service, data exposure and, in a writable Tomcat context, code execution.
When was RHSA-2017:3114 released?
RHSA-2017:3114 was released on December 05, 2017.
Is RHSA-2017:3114 applicable to my system?
RHSA-2017:3114 is applicable to Red Hat JBoss Web Server 2 systems running the affected versions of Apache HTTP Server, OpenSSL and Apache Tomcat.