Bug 1222573 (CVE-2014-7810)

Summary: CVE-2014-7810 Tomcat/JbossWeb: security manager bypass via EL expressions
Product: [Other] Security Response
Component: vulnerability
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
Target Milestone: ---
Target Release: ---
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20150514,reported=20150514,source=internet,cvss2=5.8/AV:N/AC:M/Au:N/C:P/I:P/A:N,rhel-5/tomcat5=new,rhel-6/tomcat6=affected,rhel-7/tomcat=affected,dts-2.1/devtoolset-2-tomcat=notaffected,dts-3/devtoolset-3-tomcat=notaffected,fedora-all/tomcat=affected,epel-6/tomcat=affected,jbews-1/tomcat6=affected,jbews-2/tomcat6=affected,jbews-2/tomcat7=affected,jdg-6/jbossweb=new,jdv-6/jbossweb=notaffected,eap-6/jbossweb=affected,brms-6/jbossweb=notaffected,bpms-6/jbossweb=notaffected,jpp-6/jbossweb=wontfix,soap-4/jbossweb=wontfix,soap-5/jbossweb=wontfix,fsw-6/jbossweb=notaffected,jon-3/jbossweb=new,openshift-1/tomcat7=new
Fixed In Version: tomcat 8.0.17, tomcat 7.0.59, tomcat 6.0.44
Doc Type: Bug Fix
Doc Text:
It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2017-01-24 23:04:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Bug Depends On: 1222576, 1222577, 1227586, 1227587, 1228262, 1228263, 1293289, 1293290, 1293291, 1293292
Bug Blocks: 1222578, 1253310

Reporter: Martin Prpič <mprpic>
Assignee: Red Hat Product Security <security-response-team>
QA Contact:
Docs Contact:
CC: aileenc, alazarot, alee, asantos, aszczucz, bdawidow, ccoleman, cdewolf, chazlett, coolsvap, dandread, darran.lofthouse, dknox, dmcphers, epp-bugs, etirelli, felias, gnaik, gvarsami, gwen.buttrum, hfnukal, ivan.afonichev, jason.greene, java-sig-commits, jawilson, jboss-set, jbpapp-maint, jclere, jcoleman, jdg-bugs, jdoyle, jialiu, joelsmith, jokerman, jolee, jpallich, jshepherd, kanderso, kconner, krzysztof.daniel, kseifried, ldimaggi, lgao, lkocman, lmeyer, lpetrovi, mbaluch, mdshaikh, mmccomas, mweiler, mwinkler, myarboro, nobody+bgollahe, nwallace, ohudlick, pavelp, pgier, pslavice, rhq-maint, rrajasek, rsvoboda, rwagner, rzhang, soa-p-jira, spinder, tcunning, theute, tkirby, tmlcoch, ttarrant, twalsh, vhalbert, vtunka, weli
Keywords: Reopened, Security

Description Martin Prpič 2015-05-18 14:36:28 UTC
It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections.

Upstream patches:

http://svn.apache.org/viewvc?view=revision&revision=1644019
http://svn.apache.org/viewvc?view=revision&revision=1645644

External References:

http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17
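
The description above names the flaw class: an EL resolver that evaluates a web application's expressions inside a privileged code section, which hides the application's own (restricted) protection domain from SecurityManager checks. The Java program below is an added illustration of that call shape next to its corrected form; it is not Tomcat or JBoss Web code and is not taken from the upstream patches. Rather than configuring a real SecurityManager and policy file, it uses a small model of the stack-inspection algorithm (every frame between the permission check and the nearest doPrivileged boundary must hold the permission), so the two shapes can be compared in one file. All class, method and permission names, the domains CONTAINER and WEBAPP, and the "#{secret}" expression are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Supplier;

/*
 * Added illustration (hypothetical names, not Tomcat/JBoss Web code) of why
 * evaluating untrusted expressions inside doPrivileged defeats the sandbox.
 * The stack and permission check below model Java's AccessController;
 * they are a teaching model, not the real implementation.
 */
public class PrivilegedElEvaluation {

    /** A code source together with the permissions its policy grants it. */
    record Domain(String name, Set<String> permissions) {
        boolean implies(String permission) { return permissions.contains(permission); }
    }

    /** One call-stack frame: the executing domain, and whether it opened a doPrivileged block. */
    record Frame(Domain domain, boolean privileged) {}

    // Model of the current thread's call stack; last element is the top frame.
    private static final Deque<Frame> STACK = new ArrayDeque<>();

    // Hypothetical domains: the container is trusted, the web application is not.
    static final Domain CONTAINER = new Domain("container", Set.of("readSecret"));
    static final Domain WEBAPP = new Domain("webapp", Set.of());

    /**
     * Model of AccessController.checkPermission: walk from the top of the stack;
     * every frame's domain must imply the permission. A frame that opened a
     * doPrivileged block ends the walk, so the callers beneath it are never consulted.
     */
    static boolean checkPermission(String permission) {
        var it = STACK.descendingIterator();
        while (it.hasNext()) {
            Frame f = it.next();
            if (!f.domain().implies(permission)) return false;
            if (f.privileged()) return true;   // doPrivileged boundary: stop inspecting
        }
        return true;
    }

    /** Run an action with the given domain on the stack, optionally as a doPrivileged block. */
    static <T> T call(Domain domain, boolean privileged, Supplier<T> action) {
        STACK.addLast(new Frame(domain, privileged));
        try {
            return action.get();
        } finally {
            STACK.removeLast();
        }
    }

    /** Toy expression evaluator: the only supported expression reads a protected value. */
    static String evaluate(String expression) {
        if (expression.equals("#{secret}")) {
            if (!checkPermission("readSecret")) {
                throw new SecurityException("readSecret denied");
            }
            return "s3cr3t (constructed value)";
        }
        throw new IllegalArgumentException("unsupported expression: " + expression);
    }

    /** Vulnerable shape: the resolver evaluates the caller's expression inside doPrivileged. */
    static String resolveVulnerable(String expression) {
        return call(CONTAINER, true, () -> evaluate(expression));
    }

    /** Corrected shape: evaluation runs on the ordinary stack, so the web application's
     *  domain remains visible to every permission check the expression triggers. */
    static String resolveFixed(String expression) {
        return call(CONTAINER, false, () -> evaluate(expression));
    }

    /** What a page in the untrusted web application observes when it uses a resolver. */
    static String fromWebApp(Function<String, String> resolver, String expression) {
        try {
            return call(WEBAPP, false, () -> resolver.apply(expression));
        } catch (SecurityException e) {
            return "DENIED: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("vulnerable: " + fromWebApp(PrivilegedElEvaluation::resolveVulnerable, "#{secret}"));
        System.out.println("fixed:      " + fromWebApp(PrivilegedElEvaluation::resolveFixed, "#{secret}"));
    }
}
```

Run it with `java PrivilegedElEvaluation.java` (Java 16 or later, for records). The vulnerable resolver hands the protected value back to the web application, because the permission check stops at the container's privileged frame and never reaches the web application's frame; the corrected resolver lets the walk continue to that frame, which lacks the permission, and the check fails. The defensive rule is the same in real container code: wrap only the container's own trusted operation in doPrivileged, never the evaluation of caller-supplied input.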

Comment 1 Martin Prpič 2015-05-18 14:40:16 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1222576]
Affects: epel-6 [bug 1222577]

Comment 6 Timothy Walsh 2015-07-09 05:05:47 UTC
Currently builds are in progress for EAP 6.3 and JBoss Web Server 2.1.

QE Testing is in progress.

Comment 10 errata-xmlrpc 2015-08-13 15:29:53 UTC
This issue has been addressed in the following products:

  JBEWS 2 for RHEL 7
  JBEWS 2 for RHEL 6
  JBEWS 2 for RHEL 5

Via RHSA-2015:1622 https://rhn.redhat.com/errata/RHSA-2015-1622.html

Comment 11 errata-xmlrpc 2015-08-13 15:31:17 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 2.1.0

Via RHSA-2015:1621 https://rhn.redhat.com/errata/RHSA-2015-1621.html

Comment 15 Jason Shepherd 2015-12-22 02:43:33 UTC
Reopened as we're waiting on RHEL patches for Tomcat

Comment 16 errata-xmlrpc 2016-03-22 21:03:06 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0492 https://rhn.redhat.com/errata/RHSA-2016-0492.html

Comment 18 errata-xmlrpc 2016-10-10 20:39:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html