Bug 1390493 (CVE-2016-6797)
Summary: | CVE-2016-6797 tomcat: unrestricted access to global resources | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Martin Prpič <mprpic> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | low | ||
Version: | unspecified | CC: | aileenc, alazarot, alee, bbaranow, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, dandread, darran.lofthouse, dedgar, dmcphers, dosoudil, etirelli, gvarsami, gzaronik, huwang, ivan.afonichev, java-sig-commits, jawilson, jclere, jcoleman, jdoyle, jgoulding, joelsmith, jolee, jshepherd, krzysztof.daniel, kverlaen, ldimaggi, lgao, mbabacek, mbaluch, mwinkler, myarboro, nwallace, pslavice, psotirop, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, tcunning, theute, tkirby, twalsh, vtunka, weli, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | tomcat 6.0.47, tomcat 7.0.72, tomcat 8.5.5, tomcat 8.0.37 | Doc Type: | If docs needed, set a value |
Doc Text: |
It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2021-10-27 10:52:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1390531, 1390532, 1390533, 1393216, 1393217 | ||
Bug Blocks: | 1376651, 1390534, 1415638, 1428325 |
Description
Martin Prpič
2016-11-01 08:58:29 UTC
External References: https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47 https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37 Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1390532] Affects: epel-6 [bug 1390533] This issue has been addressed in the following products: Red Hat JBoss Web Server 3.1.0 Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456 This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455 This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2247 https://access.redhat.com/errata/RHSA-2017:2247 This vulnerability is out of security support scope for the following product: * Red Hat JBoss Operations Network 3 * Red Hat JBoss Data Grid 6 * Red Hat JBoss BRMS 5 * Red Hat JBoss Data Virtualization & Services 6 * Red Hat JBoss Fuse Service Works 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. |