Bug 1441223 (CVE-2017-5648)

Summary: CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: aileenc, alazarot, alee, bbaranow, bmaxwell, ccoleman, cdewolf, chazlett, coolsvap, csutherl, dandread, darran.lofthouse, dedgar, dmcphers, dosoudil, etirelli, gvarsami, gzaronik, hhorak, huwang, ivan.afonichev, java-sig-commits, jawilson, jclere, jcoleman, jdoyle, jgoulding, jolee, jorton, jshepherd, kconner, krzysztof.daniel, kverlaen, ldimaggi, lgao, loleary, lpetrovi, mbabacek, mbaluch, mizdebsk, mwinkler, myarboro, nwallace, pgier, psakar, pslavice, psotirop, rnetuka, rrajasek, rsvoboda, rwagner, rzhang, spinder, tcunning, theute, tkirby, twalsh, vhalbert, vtunka, weli, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 7.0.76, tomcat 8.0.42, tomcat 8.5.12 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:10:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1441241, 1441242, 1441243, 1441487, 1441488    
Bug Blocks: 1441210, 1446025, 1482229    

Description Adam Mariš 2017-04-11 12:57:10 UTC 
While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Affected versions: 7.0.0 to 7.0.75, 8.0.0.RC1 to 8.0.41, 8.5.0 to 8.5.11

Upstream fixes:

Tomcat 7.x:

https://svn.apache.org/viewvc?view=revision&revision=1785777

Tomcat 8.0.x:

https://svn.apache.org/viewvc?view=revision&revision=1785776

Tomcat 8.5.x:

https://svn.apache.org/viewvc?view=revision&revision=1785775

References:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.76
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.42
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.12
Comment 1 Adam Mariš 2017-04-11 13:32:17 UTC 
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1441243]


Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1441241]
Affects: fedora-all [bug 1441242]
Comment 5 errata-xmlrpc 2017-07-25 16:45:52 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801
Comment 6 errata-xmlrpc 2017-07-25 17:46:55 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.1

Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802
Comment 7 errata-xmlrpc 2017-07-27 06:11:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1809 https://access.redhat.com/errata/RHSA-2017:1809