Bug 1390493 (CVE-2016-6797)

Summary: CVE-2016-6797 tomcat: unrestricted access to global resources
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aileenc, alazarot, alee, bbaranow, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, dandread, darran.lofthouse, dedgar, dmcphers, dosoudil, etirelli, gvarsami, gzaronik, huwang, ivan.afonichev, java-sig-commits, jawilson, jclere, jcoleman, jdoyle, jgoulding, joelsmith, jolee, jshepherd, krzysztof.daniel, kverlaen, ldimaggi, lgao, mbabacek, mbaluch, mwinkler, myarboro, nwallace, pslavice, psotirop, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, tcunning, theute, tkirby, twalsh, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 6.0.47, tomcat 7.0.72, tomcat 8.5.5, tomcat 8.0.37 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 10:52:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1390531, 1390532, 1390533, 1393216, 1393217    
Bug Blocks: 1376651, 1390534, 1415638, 1428325    

Description Martin Prpič 2016-11-01 08:58:29 UTC 
The following flaw was reported in Tomcat:

The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

Upstream patches:

6.0.47: https://svn.apache.org/viewvc?view=revision&revision=1757285
7.0.72: https://svn.apache.org/viewvc?view=revision&revision=1757275
8.5.5: https://svn.apache.org/viewvc?view=revision&revision=1757272
8.0.37: https://svn.apache.org/viewvc?view=revision&revision=1757273
Comment 1 Martin Prpič 2016-11-01 08:58:37 UTC 
External References:

https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
Comment 3 Martin Prpič 2016-11-01 10:22:15 UTC 
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1390532]
Affects: epel-6 [bug 1390533]
Comment 12 errata-xmlrpc 2017-03-07 19:08:18 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.0

Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html
Comment 13 errata-xmlrpc 2017-03-07 19:12:49 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456
Comment 14 errata-xmlrpc 2017-03-07 19:17:20 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455
Comment 15 errata-xmlrpc 2017-08-01 23:18:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2247 https://access.redhat.com/errata/RHSA-2017:2247
Comment 16 Joshua Padman 2019-05-16 03:45:52 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Operations Network 3
 * Red Hat JBoss Data Grid 6
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss Data Virtualization & Services 6
 * Red Hat JBoss Fuse Service Works 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.