Details
Type: Bug
Status: Resolved
Priority: Blocker
Resolution: Fixed
Affects Version/s: 5.15.4
Fix Version/s: None
Description
ActiveMQ 5.15.4 includes tomcat-servlet-api-8.0.24.jar, which has four high-severity CVEs against it.
Discovered by adding OWASP Dependency-Check to the ActiveMQ pom.xml and running the OWASP report.
Referenced In Projects/Scopes:
ActiveMQ :: Assembly:compile
ActiveMQ :: Web:provided
ActiveMQ :: Web Console:provided
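The scan described above, as an added example and not the ActiveMQ project's own build configuration: the dependency-check-maven plugin bound to the verify phase, failing the build at a CVSS threshold and pointing at a suppression file for reviewed false positives. The plugin version, the threshold and the suppression file path are assumptions; provided-scope dependencies are scanned by default, which is why the Web and Web Console modules show up in the scopes list.

```xml
<!-- Added example: a dependency-check-maven configuration for the scan described
     above. It is not the ActiveMQ project's own pom.xml; the plugin version, the
     CVSS threshold and the suppression file path are assumptions. -->
<build>
  <plugins>
    <plugin>
      <groupId>org.owasp</groupId>
      <artifactId>dependency-check-maven</artifactId>
      <version>3.3.0</version>
      <configuration>
        <!-- Fail the build at CVSS 7.0 or above; all four findings above score 7.2 to 7.8. -->
        <failBuildOnCVSS>7</failBuildOnCVSS>
        <!-- HTML for people, plus XML/JSON for CI tooling. -->
        <format>ALL</format>
        <!-- Provided-scope jars are scanned by default; kept explicit here because the
             Web and Web Console findings above are provided scope. -->
        <skipProvidedScope>false</skipProvidedScope>
        <!-- Reviewed false positives, one <suppress> per artifact. -->
        <suppressionFiles>
          <suppressionFile>${project.basedir}/owasp-suppressions.xml</suppressionFile>
        </suppressionFiles>
      </configuration>
      <executions>
        <execution>
          <phase>verify</phase>
          <goals>
            <!-- aggregate: one report across all modules of the multi-module build -->
            <goal>aggregate</goal>
          </goals>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

Run `mvn verify` from the root of the multi-module build; the first run downloads the NVD data feed, which takes several minutes, and later runs only fetch the delta.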
CVE-2016-3092 Severity:High CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-20 Improper Input Validation
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
BID - 91453
CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743480
CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743722
CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743738
CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1743742
CONFIRM - http://tomcat.apache.org/security-7.html
CONFIRM - http://tomcat.apache.org/security-8.html
CONFIRM - http://tomcat.apache.org/security-9.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1349468
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759
DEBIAN - DSA-3609
DEBIAN - DSA-3611
DEBIAN - DSA-3614
GENTOO - GLSA-201705-09
JVN - JVN#89379547
JVNDB - JVNDB-2016-000121
MLIST - [dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability
REDHAT - RHSA-2016:2068
REDHAT - RHSA-2016:2069
REDHAT - RHSA-2016:2070
REDHAT - RHSA-2016:2071
REDHAT - RHSA-2016:2072
REDHAT - RHSA-2016:2599
REDHAT - RHSA-2016:2807
REDHAT - RHSA-2016:2808
REDHAT - RHSA-2017:0455
REDHAT - RHSA-2017:0456
REDHAT - RHSA-2017:0457
SECTRACK - 1036427
SECTRACK - 1036900
SECTRACK - 1037029
SECTRACK - 1039606
SUSE - openSUSE-SU-2016:2252
UBUNTU - USN-3024-1
UBUNTU - USN-3027-1
Vulnerable Software & Versions:
cpe:/a:apache:tomcat:8.0.24
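An edge check for the CVE-2016-3092 input described above, as an added example and not code from ActiveMQ, Tomcat or Commons FileUpload: it rejects a multipart request whose boundary parameter violates RFC 2046 section 5.1.1 (1 to 70 characters from a fixed alphabet, no trailing space) before any multipart parser touches the body, which is where the long boundary string did its damage. The sample Content-Type headers are constructed.

```python
"""Added example, not code from ActiveMQ, Tomcat or Commons FileUpload: reject a
multipart request whose boundary parameter violates RFC 2046 section 5.1.1 before
the body reaches a multipart parser. CVE-2016-3092 was triggered by a very long
boundary string; bounding the length at the edge removes that input. Sample
headers below are constructed."""

import re

MAX_BOUNDARY_LEN = 70  # RFC 2046 section 5.1.1
# bchars: DIGIT / ALPHA / "'" / "(" / ")" / "+" / "_" / "," / "-" / "." / "/" / ":" / "=" / "?" / SP
_BCHARS = re.compile(r"^[A-Za-z0-9'()+_,\-./:=? ]+$")
# one ";name=value" parameter, value either quoted or a bare token
_PARAM = re.compile(r';\s*([^=;\s]+)\s*=\s*(?:"([^"]*)"|([^;\s]*))')


class BadRequest(Exception):
    """Raised for a request that should get a 400 before its body is parsed."""


def parse_boundary(content_type):
    """Return (is_multipart, boundary) for a Content-Type header value.
    boundary is None when the header is multipart but carries no boundary parameter."""
    media, _, params = content_type.partition(";")
    if not media.strip().lower().startswith("multipart/"):
        return False, None
    for m in _PARAM.finditer(";" + params):
        if m.group(1).lower() == "boundary":
            return True, m.group(2) if m.group(2) is not None else m.group(3)
    return True, None


def boundary_problem(boundary):
    """Return why a boundary is unacceptable, or None if it is well-formed."""
    if boundary is None:
        return "missing boundary parameter"
    if len(boundary) == 0 or len(boundary) > MAX_BOUNDARY_LEN:
        return f"boundary length {len(boundary)} outside 1..{MAX_BOUNDARY_LEN}"
    if not _BCHARS.match(boundary):
        return "boundary contains characters outside the RFC 2046 alphabet"
    if boundary.endswith(" "):
        return "boundary ends with a space"
    return None


def validate_multipart(content_type):
    """Return the boundary of a well-formed multipart request, None for a
    non-multipart request, or raise BadRequest. Call before any multipart parser."""
    is_multipart, boundary = parse_boundary(content_type)
    if not is_multipart:
        return None
    problem = boundary_problem(boundary)
    if problem:
        raise BadRequest(problem)
    return boundary


def is_rejected(content_type):
    """True when validate_multipart would answer the request with 400."""
    try:
        validate_multipart(content_type)
    except BadRequest:
        return True
    return False


# Constructed samples: a browser upload, a quoted boundary, and a long-boundary request.
GOOD_CT = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
QUOTED_CT = 'multipart/mixed; boundary="gc0p4Jq0M2Yt08j34c0p"'
LONG_CT = "multipart/form-data; boundary=" + "A" * 100000

if __name__ == "__main__":
    for ct in (GOOD_CT, QUOTED_CT, "application/json", LONG_CT):
        try:
            print("accept", validate_multipart(ct))
        except BadRequest as problem:
            print("reject", problem)
```

The check runs in linear time over the header, so the 100,000-character boundary costs one regex pass and a length comparison rather than the per-byte boundary comparisons a multipart parser would spend on it.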
CVE-2016-5425 Severity:High CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
BID - 93472
CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
EXPLOIT-DB - 40488
MISC - http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
MISC - http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora, OracleLinux, RedHat etc.)
REDHAT - RHSA-2016:2046
SECTRACK - 1036979
Vulnerable Software & Versions:
cpe:/a:apache:tomcat
CVE-2016-6325 Severity:High CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
BID - 93478
CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1367447
REDHAT - RHSA-2016:2045
REDHAT - RHSA-2016:2046
REDHAT - RHSA-2017:0455
REDHAT - RHSA-2017:0456
REDHAT - RHSA-2017:0457
Vulnerable Software & Versions:
cpe:/a:apache:tomcat:-
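A host-side audit for the two packaging findings above (CVE-2016-5425 and CVE-2016-6325), as an added example and not Red Hat, Tomcat or ActiveMQ code. Both issues reduce to the same shape: a file that root-run startup machinery consumes (systemd-tmpfiles for tomcat.conf, the service scripts for the sysconfig files) was writable by the tomcat group, so the check is whether anyone other than root can modify the file. The directory tree is constructed inline so the script runs offline; on a real host call audit() with the default prefix "/".

```python
"""Added example, not Red Hat, Tomcat or ActiveMQ code: audit the files named in
CVE-2016-5425 and CVE-2016-6325 for the weak mode that made them exploitable.
The sample tree is a constructed fixture; point audit() at "/" on a real host."""

import os
import stat
import tempfile

# Paths from the two CVE descriptions, relative to a filesystem prefix.
WATCHED = (
    "usr/lib/tmpfiles.d/tomcat.conf",  # CVE-2016-5425
    "etc/sysconfig/tomcat",            # CVE-2016-6325
    "etc/tomcat/tomcat.conf",          # CVE-2016-6325
)


def weak_permission(path, expected_owner=0):
    """Describe why root should not trust `path`, or return None if it is fine.
    Weak means: not owned by expected_owner (root by default), or writable by
    group or others, which is exactly what tomcat-group membership bought."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_owner:
        return f"owned by uid {st.st_uid}, not uid {expected_owner}"
    if mode & stat.S_IWGRP:
        return f"group-writable (mode {mode:o})"
    if mode & stat.S_IWOTH:
        return f"world-writable (mode {mode:o})"
    return None


def audit(prefix="/", expected_owner=0):
    """Return {relative path: problem} for every watched file present under prefix.
    Files that do not exist are skipped: the package is not installed, or that
    distribution does not ship them."""
    findings = {}
    for rel in WATCHED:
        path = os.path.join(prefix, rel)
        if not os.path.exists(path):
            continue
        problem = weak_permission(path, expected_owner)
        if problem:
            findings[rel] = problem
    return findings


def build_sample_tree():
    """Constructed fixture in the RHEL layout: tmpfiles.d/tomcat.conf and
    etc/tomcat/tomcat.conf still group-writable, etc/sysconfig/tomcat already
    tightened to 0644. Files are owned by the current user, so audit them with
    expected_owner=os.getuid()."""
    root = tempfile.mkdtemp(prefix="tomcat-perm-audit-")
    modes = {
        "usr/lib/tmpfiles.d/tomcat.conf": 0o664,
        "etc/sysconfig/tomcat": 0o644,
        "etc/tomcat/tomcat.conf": 0o664,
    }
    for rel, mode in modes.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("# constructed sample file\n")
        os.chmod(path, mode)
    return root


def run_demo():
    """Audit the constructed tree; two of the three files should be reported."""
    return audit(build_sample_tree(), expected_owner=os.getuid())


if __name__ == "__main__":
    for rel, problem in run_demo().items():
        print(f"{rel}: {problem}")
```

The owner check matters as much as the mode bits: a 0644 file owned by the tomcat user is just as editable by a tomcat-group member as a 0664 one owned by root, because the owner can chmod it.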
CVE-2016-8735 Severity:High CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
BID - 94463
CONFIRM - http://seclists.org/oss-sec/2016/q4/502
CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767644
CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767656
CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767676
CONFIRM - http://svn.apache.org/viewvc?view=revision&revision=1767684
CONFIRM - http://tomcat.apache.org/security-6.html
CONFIRM - http://tomcat.apache.org/security-7.html
CONFIRM - http://tomcat.apache.org/security-8.html
CONFIRM - http://tomcat.apache.org/security-9.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
CONFIRM - https://security.netapp.com/advisory/ntap-20180607-0001/
DEBIAN - DSA-3738
REDHAT - RHSA-2017:0455
REDHAT - RHSA-2017:0456
REDHAT - RHSA-2017:0457
SECTRACK - 1037331
Vulnerable Software & Versions:
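A reviewed-suppression entry for the CPE match that produced the four findings above, as an added example (the owasp-suppressions.xml referenced by the plugin configuration is an assumed file name, not something in the ActiveMQ tree). Dependency-Check mapped tomcat-servlet-api-8.0.24.jar to cpe:/a:apache:tomcat:8.0.24 by vendor and version; that jar carries only the javax.servlet API classes, while the descriptions above locate the issues in Tomcat's MultipartStream, its JmxRemoteLifecycleListener, and Red Hat packaging permissions. Before suppressing, list the jar's contents and confirm it holds nothing outside javax/servlet; upgrading the artifact is still the simpler answer when a newer version exists, and a suppression should be scoped to the artifact, never to the CVE alone, so that a different jar matched to the same CPE is reported again.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example (owasp-suppressions.xml, an assumed file name): not part of ActiveMQ.
     Scope a reviewed false positive to one artifact by its Maven coordinates so a
     change of version or artifact re-triggers the finding. -->
<suppressions xmlns="https://jeremylong.github.io/DependencyCheck/dependency-suppression.1.1.xsd">
  <suppress>
    <notes><![CDATA[
      tomcat-servlet-api ships only the javax.servlet API classes. Dependency-Check
      matched it to cpe:/a:apache:tomcat:8.0.24 by vendor and version; the four
      findings describe Tomcat's MultipartStream, JmxRemoteLifecycleListener and
      Red Hat packaging permissions, none of which is in this jar.
      Re-review whenever the artifact version changes.
    ]]></notes>
    <!-- exact coordinates, anchored: a bump to 8.0.x+1 is scanned afresh -->
    <gav regex="true">^org\.apache\.tomcat:tomcat-servlet-api:8\.0\.24$</gav>
    <!-- drop the CPE identifier for this artifact rather than listing CVEs one by one -->
    <cpe>cpe:/a:apache:tomcat</cpe>
  </suppress>
</suppressions>
```

With the `<cpe>` element the suppression removes the identifier itself, so any future CVE published against cpe:/a:apache:tomcat is also hidden for this one artifact; if that is too broad for the review policy, replace it with one `<cve>` element per reviewed CVE.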