漏洞类别:Amazon Linux
漏洞等级: 
漏洞信息
Security constrained bypass in error page mechanism:
A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page. (CVE-2017-5664 )
QID Detection Logic:
This authenticated QID verifies if the version of the following files is lesser than 8.0.45-1.72.amzn1: tomcat8-webapps, tomcat8-docs-webapp, tomcat8, tomcat8-javadoc, tomcat8-lib, tomcat8-servlet-3.1-api, tomcat8-admin-webapps, tomcat8-el-3.0-api, tomcat8-jsp-2.3-api, tomcat8-log4j
漏洞危害
Allows unauthorized disclosure of information; allows unauthorized modification; allows disruption of service.
解决方案
Please refer to Amazon advisory ALAS-2017-862 for affected packages and patching details, or update with your package manager.
Patch:
Following are links for downloading patches to fix the vulnerabilities:
ALAS-2017-862: Amazon Linux (tomcat8 (8.0.45-1.72.amzn1) on src)
ALAS-2017-862: Amazon Linux (tomcat8 (8.0.45-1.72.amzn1) on noarch)
0daybank
文章评论