Bug 1311093 (CVE-2016-0763)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2016-0763 tomcat: security manager bypass via setGlobalContext() | | |
| Product | [Other] Security Response | Reporter | Andrej Nemec <anemec> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED ERRATA | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | aileenc, alazarot, alee, asantos, bbaranow, bdawidow, bmaxwell, brms-jira, ccoleman, cdewolf, chazlett, coolsvap, csutherl, dandread, darran.lofthouse, dknox, dmcphers, epp-bugs, etirelli, fnasser, gvarsami, huwang, ivan.afonichev, jason.greene, java-sig-commits, jawilson, jboss-set, jclere, jcoleman, jdg-bugs, jdoyle, jialiu, joelsmith, jokerman, jpallich, jshepherd, kconner, krzysztof.daniel, ldimaggi, lgao, lmeyer, lpetrovi, mbabacek, mbaluch, miburman, mmccomas, mweiler, mwinkler, myarboro, nwallace, pcheung, pgier, psakar, pslavice, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, soa-p-jira, spinder, svenvdplus, tcunning, theute, tkirby, ttarrant, twalsh, vtunka, weli, yozone |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | tomcat 8.0.32, tomcat 7.0.68, tomcat 6.0.45 | Doc Type | Bug Fix |
| Doc Text | A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2019-06-08 02:48:44 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1311095, 1311102, 1316037, 1316038, 1322819, 1322820, 1347145, 1347146, 1352009, 1381938 | | |
| Bug Blocks | 1311109, 1318206, 1382592 | | |
Description
Andrej Nemec
2016-02-23 11:33:17 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1311095]

Upstream patches:

Tomcat7: http://svn.apache.org/viewvc?view=revision&revision=1725931

Tomcat8: http://svn.apache.org/viewvc?view=revision&revision=1725929

Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1311102]

tomcat-7.0.68-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat JBoss Web Server 3.0.3

Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html

This issue has been addressed in the following products:

JWS 3.0 for RHEL 7

Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088

This issue has been addressed in the following products:

JWS 3.0 for RHEL 6

Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087

Dear,

The latest tomcat on a standard RHEL 7.2 installation doesn't seem to contain this fix, as the latest build date is from last year.

```
[root@localhost ~]# rpm -qi tomcat
Name        : tomcat
Epoch       : 0
Version     : 7.0.54
Release     : 2.el7_1
Architecture: noarch
Install Date: Sun 19 Jun 2016 03:10:42 PM EDT
Group       : System Environment/Daemons
Size        : 305912
License     : ASL 2.0
Signature   : RSA/SHA256, Mon 27 Apr 2015 05:00:28 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : tomcat-7.0.54-2.el7_1.src.rpm
Build Date  : Tue 24 Mar 2015 07:51:30 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://tomcat.apache.org/
Summary     : Apache Servlet/JSP Engine, RI for Servlet 3.0/JSP 2.2 API
Description :
Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.
```

Can someone confirm this CVE is or will be fixed in the standard tomcat package in RHEL7?

Thanks

tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html

This issue has been addressed in the following products:

Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html

This issue has been addressed in the following products:

Red Hat JBoss Enterprise Web Server 2 for RHEL 6

Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html