The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Apache Tomcat: open redirect via Directory Redirect

Synthesis of the vulnerability 

An attacker can abuse the Directory Redirect feature of Apache Tomcat to deceive a user and redirect them to a malicious site.
Vulnerable products: Tomcat, Blue Coat CAS, Broadcom Content Analysis, Business Objects, Debian, Fedora, QRadar SIEM, ePO, McAfee Web Gateway, Snap Creator Framework, SnapManager, openSUSE Leap, Oracle Communications, Oracle DB, Solaris, RHEL, SAP ERP, NetWeaver, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity of this weakness: 1/4.
Creation date: 04/10/2018.
References of this bulletin: bulletinoct2018, CERTFR-2020-AVI-278, cpuapr2019, cpuapr2020, cpujan2020, cpuoct2019, CVE-2018-11784, DLA-1544-1, DLA-1545-1, DSA-4596-1, FEDORA-2018-b18f9dd65b, FEDORA-2018-b89746cb9b, ibm10874888, NTAP-20181014-0002, openSUSE-SU-2018:3453-1, openSUSE-SU-2018:4042-1, openSUSE-SU-2019:0084-1, openSUSE-SU-2019:1547-1, openSUSE-SU-2019:1814-1, RHSA-2019:0130-01, RHSA-2019:0131-01, RHSA-2019:0485-01, RHSA-2019:1529-01, SB10257, SB10264, SUSE-SU-2018:3261-1, SUSE-SU-2018:3388-1, SUSE-SU-2018:3393-1, SUSE-SU-2018:3935-1, SUSE-SU-2018:3968-1, SYMSA1765, USN-3787-1, VIGILANCE-VUL-27396.

Description of the vulnerability 

An attacker can abuse the Directory Redirect feature of Apache Tomcat to deceive a user and redirect them to a malicious site.

This weakness alert impacts software or systems such as Tomcat, Blue Coat CAS, Broadcom Content Analysis, Business Objects, Debian, Fedora, QRadar SIEM, ePO, McAfee Web Gateway, Snap Creator Framework, SnapManager, openSUSE Leap, Oracle Communications, Oracle DB, Solaris, RHEL, SAP ERP, NetWeaver, SUSE Linux Enterprise Desktop, SLES, Ubuntu.

Our Vigil@nce team rated the severity of this vulnerability as low.

Trust level: confirmed by the vendor. Attack origin: internet client.

An attacker with expert skills can exploit this vulnerability.

Solutions for this threat 

Apache Tomcat: version 9.0.12.
Version 9.0.12 is fixed:
  http://tomcat.apache.org/

Apache Tomcat: version 8.5.34.
Version 8.5.34 is fixed:
  http://tomcat.apache.org/

Apache Tomcat: version 7.0.91.
Version 7.0.91 is fixed:
  http://tomcat.apache.org/

Broadcom Content and Malware Analysis: version 2.4.1.1.
Version 2.4.1.1 is fixed.

Debian 8: new tomcat7 packages.
New packages are available:
  Debian 8: tomcat7 7.0.56-3+really7.0.91-1

Debian 8: new tomcat8 packages.
New packages are available:
  Debian 8: tomcat8 8.0.14-1+deb8u14

Debian 9: new tomcat8 packages.
New packages are available:
  Debian 9: tomcat8 8.5.50-0+deb9u1, tomcat-native 1.2.21-1~deb9u1

Fedora: new tomcat packages.
New packages are available:
  Fedora 28: tomcat 8.5.35-1.fc28
  Fedora 29: tomcat 9.0.13-1.fc29

IBM QRadar SIEM: solution for Tomcat.
The solution is indicated in information sources.

McAfee ePolicy Orchestrator: patch for Tomcat.
A patch is indicated in information sources.

McAfee Web Gateway: patch.
A patch is indicated in information sources.

McAfee Web Gateway: version 7.8.2.16.
Version 7.8.2.16 is fixed:
  https://www.mcafee.com/enterprise/en-us/downloads/my-products.html

McAfee Web Gateway: version 8.2.2.
Version 8.2.2 is fixed:
  https://www.mcafee.com/enterprise/en-us/downloads/my-products.html

McAfee Web Gateway: version 9.0.
Version 9.0 is fixed:
  https://www.mcafee.com/enterprise/en-us/downloads/my-products.html

openSUSE Leap 15.0: new tomcat packages.
New packages are available:
  openSUSE Leap 15.0: tomcat 9.0.12-lp150.2.6.1

openSUSE Leap 15.0: new virtualbox packages.
New packages are available:
  openSUSE Leap 15.0: virtualbox 5.2.24-lp150.4.33.1

openSUSE Leap 42.3: new tomcat packages.
New packages are available:
  openSUSE Leap 42.3: tomcat 8.0.53-18.1

openSUSE Leap 42.3: new virtualbox packages.
New packages are available:
  openSUSE Leap 42.3: virtualbox 5.2.24-66.1

openSUSE Leap: new virtualbox packages.
New packages are available:
  openSUSE Leap 15.0: virtualbox 6.0.10-lp150.4.36.1
  openSUSE Leap 15.1: virtualbox 6.0.10-lp151.2.6.1

Oracle Communications: CPU of April 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2518758.1
  https://support.oracle.com/rs?type=doc&id=2518763.1
  https://support.oracle.com/rs?type=doc&id=2522151.1
  https://support.oracle.com/rs?type=doc&id=2519787.1
  https://support.oracle.com/rs?type=doc&id=2522126.1
  https://support.oracle.com/rs?type=doc&id=2522123.1
  https://support.oracle.com/rs?type=doc&id=2518753.1
  https://support.oracle.com/rs?type=doc&id=2522121.1
  https://support.oracle.com/rs?type=doc&id=2528862.1
  https://support.oracle.com/rs?type=doc&id=2518754.1

Oracle Communications: CPU of April 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2647690.1
  https://support.oracle.com/rs?type=doc&id=2654603.1
  https://support.oracle.com/rs?type=doc&id=2652618.1
  https://support.oracle.com/rs?type=doc&id=2653087.1
  https://support.oracle.com/rs?type=doc&id=2653688.1
  https://support.oracle.com/rs?type=doc&id=2652610.1
  https://support.oracle.com/rs?type=doc&id=2653279.1
  https://support.oracle.com/rs?type=doc&id=2652619.1
  https://support.oracle.com/rs?type=doc&id=2652621.1
  https://support.oracle.com/rs?type=doc&id=2652606.1
  https://support.oracle.com/rs?type=doc&id=2653691.1
  https://support.oracle.com/rs?type=doc&id=2653692.1
  https://support.oracle.com/rs?type=doc&id=2647687.1
  https://support.oracle.com/rs?type=doc&id=2652622.1

Oracle Communications: CPU of January 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2625594.1
  https://support.oracle.com/rs?type=doc&id=2626101.1
  https://support.oracle.com/rs?type=doc&id=2628576.1
  https://support.oracle.com/rs?type=doc&id=2626102.1
  https://support.oracle.com/rs?type=doc&id=2622427.1
  https://support.oracle.com/rs?type=doc&id=2595443.1
  https://support.oracle.com/rs?type=doc&id=2595442.1
  https://support.oracle.com/rs?type=doc&id=2617852.1
  https://support.oracle.com/rs?type=doc&id=2626103.1

Oracle Database: CPU of January 2020.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2602410.1

Oracle Database: CPU of October 2019.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=2568292.1

Oracle Solaris: patch for third party software of October 2018 v2.
A patch is available:
  https://support.oracle.com/rs?type=doc&id=1448883.1

Red Hat JBoss Web Server: version 3.1.0 Service Pack 6.
Version 3.1.0 Service Pack 6 is fixed:
  https://access.redhat.com/articles/11258

RHEL 7.6: new tomcat packages.
New packages are available:
  RHEL 7: tomcat 7.0.76-9.el7_6

RHEL 8: new pki-deps modules.
New modules are available, as indicated in information sources.

SAP: solution of September 2019.
The solution is available on the SAP site:
  https://support.sap.com/securitynotes

SUSE LE 11 SP4: new tomcat6 packages.
New packages are available:
  SUSE LE 11 SP4: tomcat6 6.0.53-0.57.10.1

SUSE LE 12 RTM: new tomcat packages.
New packages are available:
  SUSE LE 12 RTM: tomcat 7.0.90-7.23.1

SUSE LE 12 SP1: new tomcat packages.
New packages are available:
  SUSE LE 12 SP1: tomcat 8.0.53-10.35.1

SUSE LE 12 SP3: new tomcat packages.
New packages are available:
  SUSE LE 12 SP3: tomcat 8.0.53-29.16.2

SUSE LE 15: new tomcat packages.
New packages are available:
  SUSE LE 15 RTM: tomcat 9.0.12-3.8.3

Ubuntu: new tomcat packages.
New packages are available:
  Ubuntu 16.04 LTS: tomcat8 8.0.32-1ubuntu1.8
  Ubuntu 14.04 LTS: tomcat7 7.0.52-1ubuntu0.16
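As an added illustration (not part of the Vigil@nce bulletin and not code from the Apache Tomcat project), the following Python script turns the upstream fixed versions listed above (7.0.91, 8.5.34, 9.0.12) into a check that can be run against a reported Tomcat version string, and adds a generic detector for HTTP redirects that leave the site. The host name www.example.com, the sample responses and all function names are constructed for this example. The bulletin does not describe the redirect mechanism, so the header check is a general open-redirect detector, not a signature for this specific issue; it also deliberately returns "unknown" for branches the bulletin does not list (for instance distribution tomcat8 8.0.x packages, which receive backported fixes and cannot be judged from the upstream version alone).

```python
"""
Added example: version triage against the Vigil@nce bulletin for CVE-2018-11784,
plus a generic off-site redirect check. Not code from Vigil@nce or Apache Tomcat.
"""
import re
from urllib.parse import urlsplit

# Upstream fixed releases as listed in the bulletin, keyed by (major, minor) branch.
# Earlier releases on each of these branches are affected.
FIXED_VERSIONS = {
    (7, 0): (7, 0, 91),
    (8, 5): (8, 5, 34),
    (9, 0): (9, 0, 12),
}

REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def parse_version(version: str) -> tuple:
    """Extract the numeric triple from strings such as 'Apache Tomcat/8.5.33' or '9.0.0.M1'.

    Milestone suffixes (M1, RC2, ...) are ignored: 9.0.0.M1 becomes (9, 0, 0), which
    correctly sorts below the 9.0.12 fix.
    """
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    return tuple(int(part) for part in match.groups())


def is_fixed(version: str):
    """Return True if the version carries the upstream fix, False if it is older,
    and None when the branch is not covered by the bulletin (a distro backport may
    still be patched; check the distribution advisory instead)."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return None
    return parsed >= fixed


def redirect_leaves_site(location: str, site_host: str) -> bool:
    """True when a Location header value would take the browser to another host.

    Relative paths ('/docs/') stay on site. Absolute URLs are compared by host name
    (case-insensitive, port ignored). A scheme-less '//host/...' value is parsed by
    urlsplit as a network location, so it is treated as leaving the site too.
    """
    parts = urlsplit(location)
    host = parts.hostname  # None for relative paths; lower-cased, port stripped otherwise
    return host is not None and host != site_host.lower()


# Constructed sample of (request path, status, Location header); not real traffic.
SAMPLE_RESPONSES = [
    ("/docs", 302, "/docs/"),
    ("/manager", 302, "https://www.example.com/manager/"),
    ("/docs", 302, "//other.example/docs/"),
    ("/index.html", 200, None),
]


def flag_external_redirects(responses, site_host: str):
    """Return the (path, Location) pairs whose redirect target is off site."""
    return [
        (path, location)
        for path, status, location in responses
        if status in REDIRECT_STATUSES and location and redirect_leaves_site(location, site_host)
    ]


if __name__ == "__main__":
    for banner in ("Apache Tomcat/7.0.90", "Apache Tomcat/8.5.34", "9.0.0.M1", "8.0.53"):
        verdict = {True: "fixed", False: "AFFECTED", None: "unknown (check distro advisory)"}[is_fixed(banner)]
        print(f"{banner:22s} -> {verdict}")
    for path, location in flag_external_redirects(SAMPLE_RESPONSES, "www.example.com"):
        print(f"off-site redirect: {path} -> {location}")
```

The version check is meant for inventory triage (server banners, package lists); the redirect check is meant to run over proxy or access-log data where the response `Location` header is recorded, so that any redirect pointing off site is surfaced for review regardless of which component produced it.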

Computer vulnerabilities tracking service 

Vigil@nce provides software vulnerability announces. The Vigil@nce security watch publishes vulnerability bulletins about threats impacting the information system.