Bug 1311087 (CVE-2016-0706)

Summary: CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: csutherl, dknox, jclere, jdoyle, lgao, mbabacek, myarboro, pslavice, rsvoboda, twalsh, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 6.0.45, tomcat 7.0.68, tomcat 8.0.32 Doc Type: Bug Fix
Doc Text:
It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 02:48:40 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1311095, 1311102, 1316031, 1316032, 1322806, 1322807, 1347143, 1347144, 1352009, 1367056, 1367057, 1381943    
Bug Blocks: 1311109, 1318206, 1382592    

Description Andrej Nemec 2016-02-23 11:05:34 UTC 
The StatusManagerServlet could be loaded by a web application when a
security manager was configured. This servlet would then provide the web
application with a list of all deployed applications and a list of the
HTTP request lines for all requests currently being processed. This
could have exposed sensitive information from other web applications
such as session IDs to the web application.

External references:

http://seclists.org/bugtraq/2016/Feb/144
Comment 1 Andrej Nemec 2016-02-23 11:58:27 UTC 
Upstream patches:

Tomcat6:

http://svn.apache.org/viewvc?view=revision&revision=1722802

Tomcat7:

http://svn.apache.org/viewvc?view=revision&revision=1722801

Tomcat8:

http://svn.apache.org/viewvc?view=revision&revision=1722800
Comment 5 errata-xmlrpc 2016-05-17 16:15:53 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.0.3

Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
Comment 6 errata-xmlrpc 2016-05-17 16:32:41 UTC 
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088
Comment 7 errata-xmlrpc 2016-05-17 16:33:52 UTC 
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087
Comment 13 Fedora Update System 2016-09-01 16:19:00 UTC 
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2016-09-02 09:20:56 UTC 
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 17 errata-xmlrpc 2016-10-10 20:42:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html
Comment 18 errata-xmlrpc 2016-11-03 21:10:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html
Comment 20 errata-xmlrpc 2016-11-17 20:34:26 UTC 
This issue has been addressed in the following products:



Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html
Comment 21 errata-xmlrpc 2016-11-17 20:38:15 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html