Tomcat provides several session persistence mechanisms. The StandardManager persists sessions across a restart. The PersistentManager is able to persist sessions to files, a database or a custom Store. The Cluster implementation persists sessions to one or more additional nodes in the cluster. All of these mechanisms could be exploited to bypass a security manager. Session persistence is performed by Tomcat code with the permissions assigned to Tomcat internal code. By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code.

External references:
http://seclists.org/bugtraq/2016/Feb/145

Upstream patches:
Tomcat 6:
http://svn.apache.org/viewvc?view=revision&revision=1727166
http://svn.apache.org/viewvc?view=revision&revision=1727182
Tomcat 7:
http://svn.apache.org/viewvc?view=revision&revision=1726923
http://svn.apache.org/viewvc?view=revision&revision=1727034
Tomcat 8:
http://svn.apache.org/viewvc?view=revision&revision=1726196
http://svn.apache.org/viewvc?view=revision&revision=1726203
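The following Manager configuration is an added example, not taken from this bug report or from Tomcat's own distribution files, showing how a deployer running under a security manager can restrict which session attribute values Tomcat's privileged persistence code will serialize. The sessionAttributeValueClassNameFilter and warnOnSessionAttributeFilterFailure attributes exist on the Manager implementations in Tomcat builds that carry the upstream patches linked above; the class-name pattern is the allow-list that Tomcat's Manager documentation describes as the default once a SecurityManager is enabled, and the application this context.xml belongs to is a placeholder.

```xml
<!-- Example META-INF/context.xml for a hypothetical web application.
     Without a filter, every Serializable attribute the application stores
     in a session is written and read back by Tomcat's own internal code,
     which is what the issue above abuses. The filter below only persists
     attribute values whose class name matches the regular expression. -->
<Context>
  <Manager className="org.apache.catalina.session.StandardManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)"
           warnOnSessionAttributeFilterFailure="true" />
</Context>
```

Attribute values whose class does not match the pattern are skipped when the session is saved and rejected when it is reloaded. Setting warnOnSessionAttributeFilterFailure="true" logs each skipped attribute at WARN level, so an application that relies on persisting a richer type fails loudly in the Tomcat log rather than silently losing state; widen the pattern to the specific classes that application genuinely needs instead of removing the filter. The same attributes are accepted by PersistentManager and by the clustering managers, which are the other persistence paths named in the description.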
This issue has been addressed in the following products: Red Hat JBoss Web Server 3.0.3 Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
This issue has been addressed in the following products: JWS 3.0 for RHEL 7 Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088
This issue has been addressed in the following products: JWS 3.0 for RHEL 6 Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html
This issue has been addressed in the following products: Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Web Server 2 for RHEL 6
Red Hat JBoss Enterprise Web Server 2 for RHEL 7
Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html