Bug 1390515 (CVE-2016-6796)

Summary: CVE-2016-6796 tomcat: security manager bypass via JSP Servlet config parameters
Product: [Other] Security Response Reporter: Martin Prpič <mprpic>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: aileenc, alazarot, alee, aszczucz, bbaranow, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, dandread, darran.lofthouse, dedgar, dmcphers, dosoudil, etirelli, fnasser, gvarsami, gzaronik, huwang, ivan.afonichev, jason.greene, java-sig-commits, jawilson, jboss-set, jclere, jcoleman, jdg-bugs, jdoyle, jgoulding, jialiu, joelsmith, jokerman, jolee, jshepherd, krzysztof.daniel, kverlaen, ldimaggi, lgao, lmeyer, mbabacek, mbaluch, mmccomas, mwinkler, myarboro, nwallace, pslavice, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, soa-p-jira, tcunning, theute, tkirby, ttarrant, twalsh, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 6.0.47, tomcat 7.0.72, tomcat 8.5.5, tomcat 8.0.37 Doc Type: If docs needed, set a value
Doc Text:
It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-27 10:52:34 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1390531, 1390532, 1390533, 1393220, 1393221    
Bug Blocks: 1390534, 1415638, 1428325, 1461888    

Description Martin Prpič 2016-11-01 09:45:43 UTC 
The following flaw was found in Tomcat:

A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

Upstream patches:

6.0.47: https://svn.apache.org/viewvc?view=rev&rev=1758496
        https://svn.apache.org/viewvc?view=rev&rev=1763237

7.0.72: https://svn.apache.org/viewvc?view=rev&rev=1758495
        https://svn.apache.org/viewvc?view=rev&rev=1763236

8.5.5: https://svn.apache.org/viewvc?view=rev&rev=1758493

8.0.37: https://svn.apache.org/viewvc?view=rev&rev=1758494
        https://svn.apache.org/viewvc?view=rev&rev=1763234

External References:

https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
Comment 2 Martin Prpič 2016-11-01 10:22:49 UTC 
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1390532]
Affects: epel-6 [bug 1390533]
Comment 6 errata-xmlrpc 2017-03-07 19:08:39 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.0

Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html
Comment 7 errata-xmlrpc 2017-03-07 19:13:12 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456
Comment 8 errata-xmlrpc 2017-03-07 19:17:45 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455
Comment 9 errata-xmlrpc 2017-06-20 15:46:45 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4

Via RHSA-2017:1551 https://rhn.redhat.com/errata/RHSA-2017-1551.html
Comment 10 errata-xmlrpc 2017-06-20 16:07:31 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2017:1550 https://access.redhat.com/errata/RHSA-2017:1550
Comment 11 errata-xmlrpc 2017-06-20 16:09:00 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:1549 https://access.redhat.com/errata/RHSA-2017:1549
Comment 12 errata-xmlrpc 2017-06-20 16:10:17 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2017:1548 https://access.redhat.com/errata/RHSA-2017:1548
Comment 13 errata-xmlrpc 2017-06-20 16:28:56 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2017:1552 https://access.redhat.com/errata/RHSA-2017:1552
Comment 14 errata-xmlrpc 2017-08-01 23:18:56 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:2247 https://access.redhat.com/errata/RHSA-2017:2247
Comment 15 Joshua Padman 2019-05-16 03:13:31 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat Enterprise Application Platform 5
 * Red Hat JBoss BRMS 5
 * Red Hat JBoss Data Virtualization & Services 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 16 Joshua Padman 2019-05-16 03:15:27 UTC 
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Data Grid 7
 * Red Hat JBoss Operations Network 3

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.