Is eHealth affected by the critical vulnerabilities - CVE-2016-0762, CVE-2016-6797, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796

Document ID : KB000013246
Last Modified Date : 14/02/2018
Introduction:

eHealth uses the Apache Web Server and Apache Tomcat to provide client-side services and access, so critical vulnerabilities in those components may also affect an eHealth installation, depending on their nature and scope.

Question:

Is eHealth 6.3.2.x affected by the following Critical Vulnerabilities:

CVE-2016-0762 

• Affected Products: 6.0.0 to 6.0.45, 7.0.0 to 7.0.70, 8.0.0.RC1 to 8.0.36, 8.5.0 to 8.5.4, 9.0.0.M1 to 9.0.0.M9 

• Solution: The vendor has issued a fix (6.0.47, 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10).

CVE-2016-6797 

A vulnerability was reported in Apache Tomcat. An application can gain access to global resources on the target system. A web application can exploit a flaw in the ResourceLinkFactory to access arbitrary global JNDI resources.

• Affected Products: 6.0.0 to 6.0.45, 7.0.0 to 7.0.70, 8.0.0.RC1 to 8.0.36, 8.5.0 to 8.5.4, 9.0.0.M1 to 9.0.0.M9 

• Solution: The vendor has issued a fix (6.0.47, 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10).

CVE-2016-5018 

A vulnerability was reported in Apache Tomcat. An application can bypass security manager restrictions on the target system. An application can invoke a certain Tomcat utility method to bypass a configured SecurityManager.

• Affected Products: 6.0.0 to 6.0.45, 7.0.0 to 7.0.70, 8.0.0.RC1 to 8.0.36, 8.5.0 to 8.5.4, 9.0.0.M1 to 9.0.0.M9 

• Solution: The vendor has issued a fix (6.0.47, 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10).

CVE-2016-6794 

A vulnerability was reported in Apache Tomcat. An application can obtain potentially sensitive information on the target system. An application can invoke the system property replacement feature to bypass a configured SecurityManager and read potentially sensitive system properties.

• Affected Products: 6.0.0 to 6.0.45, 7.0.0 to 7.0.70, 8.0.0.RC1 to 8.0.36, 8.5.0 to 8.5.4, 9.0.0.M1 to 9.0.0.M9 

• Solution: The vendor has issued a fix (6.0.47, 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10).

CVE-2016-6796 

A vulnerability was reported in Apache Tomcat. An application can bypass security manager restrictions on the target system. An application can modify configuration parameters for the JSP Servlet to bypass a configured SecurityManager.

• Affected Products: 6.0.0 to 6.0.45, 7.0.0 to 7.0.70, 8.0.0.RC1 to 8.0.36, 8.5.0 to 8.5.4, 9.0.0.M1 to 9.0.0.M9

• Solution: The vendor has issued a fix (6.0.47, 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10).

Environment:

eHealth 6.3.2.x, 6.3.3.0

Answer:

eHealth 6.3.2.13 (the last 6.3.2.x release) and eHealth 6.3.3.0 utilise Apache Tomcat 8.0.33 which is affected by the CVEs listed above.

However, this is resolved in eHealth 6.3.3.01 which utilises Apache Tomcat 8.5.6 (which in turn includes patches for all the CVEs listed here).
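To check a given Tomcat build against the affected ranges quoted in this article, the following comparator (written for this article; it is not eHealth or Tomcat code) orders milestone (M) and release-candidate (RC) tags below the final release and compares their numbers numerically, so that 9.0.0.M10 correctly sorts after 9.0.0.M9:

```python
"""Check a Tomcat version string against the affected ranges quoted above."""
import re
from typing import Tuple

# Affected ranges exactly as the advisory text lists them (inclusive on both ends).
AFFECTED_RANGES = [
    ("6.0.0", "6.0.45"),
    ("7.0.0", "7.0.70"),
    ("8.0.0.RC1", "8.0.36"),
    ("8.5.0", "8.5.4"),
    ("9.0.0.M1", "9.0.0.M9"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '8.0.0.RC1' into a sortable tuple.

    Pre-release tags sort before the final release of the same number:
    M (milestone) < RC (release candidate) < final. The tag number is
    compared as an integer, so M10 > M9, which a plain string compare gets wrong.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, tag_num = m.group(4), m.group(5)
    rank = {"M": 0, "RC": 1, None: 2}[tag]
    return (major, minor, patch, rank, int(tag_num) if tag_num else 0)


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (both ends inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    # 8.0.33 is the build the article names for eHealth 6.3.2.13 / 6.3.3.0;
    # 8.5.6 is the build in eHealth 6.3.3.01.
    for v in ("8.0.33", "8.5.6", "8.0.0.RC1", "8.0.37", "9.0.0.M10"):
        print(f"Tomcat {v}: {'affected' if is_affected(v) else 'not affected'}")
```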

Additional Information: