Security update for tomcat SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2015:1281-1 Final 1 1 2015-06-18T06:59:00Z current 2015-06-18T06:59:00Z 2015-06-18T06:59:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for tomcat This update fixes the following security issue: - CVE-2014-7810: Security manager bypass via EL expression (bnc#931442) The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). SUSE-SLE-SERVER-12-2015-336 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2015/suse-su-20151281-1/ Link for SUSE-SU-2015:1281-1 https://lists.suse.com/pipermail/sle-security-updates/2015-July/001506.html E-Mail link for SUSE-SU-2015:1281-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/931442 SUSE Bug 931442 https://www.suse.com/security/cve/CVE-2014-7810/ SUSE CVE CVE-2014-7810 page SUSE Linux Enterprise Server 12 SUSE Linux Enterprise Server for SAP Applications 12 tomcat-7.0.55-8.2 tomcat-admin-webapps-7.0.55-8.2 tomcat-docs-webapp-7.0.55-8.2 tomcat-el-2_2-api-7.0.55-8.2 tomcat-javadoc-7.0.55-8.2 tomcat-jsp-2_2-api-7.0.55-8.2 tomcat-lib-7.0.55-8.2 tomcat-servlet-3_0-api-7.0.55-8.2 tomcat-webapps-7.0.55-8.2 tomcat-7.0.55-8.2 as a component of SUSE Linux Enterprise Server 12 tomcat-admin-webapps-7.0.55-8.2 as a component of SUSE Linux Enterprise Server 12 tomcat-docs-webapp-7.0.55-8.2 as a component of SUSE Linux Enterprise Server 12 tomcat-el-2_2-api-7.0.55-8.2 as a component of SUSE Linux Enterprise Server 12 tomcat-javadoc-7.0.55-8.2 as a component of SUSE Linux Enterprise Server 12 tomcat-jsp-2_2-api-7.0.55-8.2 as a component of SUSE Linux Enterprise Server 12 tomcat-lib-7.0.55-8.2 as a component of SUSE Linux Enterprise Server 12 tomcat-servlet-3_0-api-7.0.55-8.2 as a component of SUSE Linux Enterprise Server 12 tomcat-webapps-7.0.55-8.2 as a component of SUSE Linux Enterprise Server 12 tomcat-7.0.55-8.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-admin-webapps-7.0.55-8.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-docs-webapp-7.0.55-8.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-el-2_2-api-7.0.55-8.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-javadoc-7.0.55-8.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-jsp-2_2-api-7.0.55-8.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-lib-7.0.55-8.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-servlet-3_0-api-7.0.55-8.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 tomcat-webapps-7.0.55-8.2 as a component of SUSE Linux Enterprise Server for SAP Applications 12 The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation. CVE-2014-7810 SUSE Linux Enterprise Server 12:tomcat-7.0.55-8.2 SUSE Linux Enterprise Server 12:tomcat-admin-webapps-7.0.55-8.2 SUSE Linux Enterprise Server 12:tomcat-docs-webapp-7.0.55-8.2 SUSE Linux Enterprise Server 12:tomcat-el-2_2-api-7.0.55-8.2 SUSE Linux Enterprise Server 12:tomcat-javadoc-7.0.55-8.2 SUSE Linux Enterprise Server 12:tomcat-jsp-2_2-api-7.0.55-8.2 SUSE Linux Enterprise Server 12:tomcat-lib-7.0.55-8.2 SUSE Linux Enterprise Server 12:tomcat-servlet-3_0-api-7.0.55-8.2 SUSE Linux Enterprise Server 12:tomcat-webapps-7.0.55-8.2 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-7.0.55-8.2 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-admin-webapps-7.0.55-8.2 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-docs-webapp-7.0.55-8.2 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-el-2_2-api-7.0.55-8.2 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-javadoc-7.0.55-8.2 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-jsp-2_2-api-7.0.55-8.2 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-lib-7.0.55-8.2 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-servlet-3_0-api-7.0.55-8.2 SUSE Linux Enterprise Server for SAP Applications 12:tomcat-webapps-7.0.55-8.2 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2015/suse-su-20151281-1/ https://www.suse.com/security/cve/CVE-2014-7810.html CVE-2014-7810 https://bugzilla.suse.com/931442 SUSE Bug 931442