The index page of the Manager and Host Manager applications included a valid CSRF token when issuing a redirect as a result of an unauthenticated request to the root of the web application. This token could then be used by an attacker to construct a CSRF attack. External references: http://seclists.org/bugtraq/2016/Feb/148
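The pattern described in the comment above, modelled as an added illustration that is not Tomcat's code and is not part of this bug report: a root handler that mints a CSRF nonce and embeds it in the redirect page before checking who is asking, next to a version that only issues the nonce after authentication, plus a small regression check a maintainer could keep in a test suite. The session and response classes, the handler functions and the `/manager/html` target are constructed for the example; the parameter name `org.apache.catalina.filters.CSRF_NONCE` is assumed to follow Tomcat's CsrfPreventionFilter convention and is not taken from the page.

```python
import re
import secrets
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Assumed to match Tomcat's CsrfPreventionFilter convention; the bug report
# itself does not name the parameter.
NONCE_PARAM = "org.apache.catalina.filters.CSRF_NONCE"
MANAGER_URL = "/manager/html"  # constructed redirect target for the model


@dataclass
class Session:
    """Minimal stand-in for a servlet session holding the accepted nonces."""
    authenticated: bool = False
    nonces: set = field(default_factory=set)


@dataclass
class Response:
    status: int
    headers: dict
    body: str


def mint_nonce(session: Session) -> str:
    """Create a fresh nonce and register it as valid for this session."""
    nonce = secrets.token_hex(16)
    session.nonces.add(nonce)
    return nonce


def index_vulnerable(session: Session) -> Response:
    """Root handler with the flaw: nonce minted and embedded before any
    authentication check, so an anonymous GET receives a redirect page whose
    link carries a nonce the session will later accept."""
    nonce = mint_nonce(session)
    target = f"{MANAGER_URL}?{NONCE_PARAM}={nonce}"
    body = f'<html><body><a href="{target}">{MANAGER_URL}</a></body></html>'
    return Response(302, {"Location": target}, body)


def index_fixed(session: Session) -> Response:
    """Root handler after the fix: anonymous callers get a bare redirect and
    the nonce is only minted once the caller has authenticated."""
    if not session.authenticated:
        return Response(302, {"Location": MANAGER_URL}, "")
    nonce = mint_nonce(session)
    target = f"{MANAGER_URL}?{NONCE_PARAM}={nonce}"
    body = f'<html><body><a href="{target}">{MANAGER_URL}</a></body></html>'
    return Response(302, {"Location": target}, body)


def nonce_in(response: Response):
    """Return the nonce carried by the Location header or by any link in the
    response body, or None when neither contains one."""
    targets = [response.headers.get("Location", "")]
    targets += re.findall(r'href="([^"]*)"', response.body)
    for target in targets:
        values = parse_qs(urlsplit(target).query).get(NONCE_PARAM)
        if values:
            return values[0]
    return None


def anonymous_root_leaks_nonce(handler) -> bool:
    """Regression check: does the handler hand an anonymous caller a nonce
    that the same session would accept on a later state-changing request?"""
    session = Session(authenticated=False)
    nonce = nonce_in(handler(session))
    return nonce is not None and nonce in session.nonces


if __name__ == "__main__":
    print("vulnerable leaks:", anonymous_root_leaks_nonce(index_vulnerable))
    print("fixed leaks:     ", anonymous_root_leaks_nonce(index_fixed))
```

The check deliberately asserts two things: that a nonce is visible to the anonymous caller, and that the session actually accepts it. A redirect that carried a random value the server never registered would not be a CSRF problem, which is why the model tracks the accepted set per session rather than just grepping the response for the parameter name.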
Upstream patches:
Tomcat7:
http://svn.apache.org/viewvc?view=revision&revision=1720661
http://svn.apache.org/viewvc?view=revision&revision=1720663
Tomcat8:
http://svn.apache.org/viewvc?view=revision&revision=1720658
http://svn.apache.org/viewvc?view=revision&revision=1720660
This issue has been addressed in the following products: Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
This issue has been addressed in the following products: JWS 3.0 for RHEL 7 Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088
This issue has been addressed in the following products: JWS 3.0 for RHEL 6 Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html
This issue has been addressed in the following products: Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html