Bug 1311087 – CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1311087 - (CVE-2016-0706) CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet

Summary:	CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet

Status:	NEW

Aliases:	CVE-2016-0706

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20160222,reported=2...
Keywords:	Security

Depends On:	1311095 1311102 1316031 1316032 1322806 1322807 1347143 1347144 1352009 1367056 1367057 1381943
Blocks:	1311109 1318206 1382592
	Show dependency tree / graph

Reported:	2016-02-23 06:05 EST by Andrej Nemec
Modified:	2018-08-27 17:30 EDT (History)
CC List:	12 users (show)

See Also:
Fixed In Version:	tomcat 6.0.45, tomcat 7.0.68, tomcat 8.0.32
Doc Type:	Bug Fix
Doc Text:	It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs.
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

External Trackers
Tracker	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:1087	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Web Server 3.0.3 update	2016-05-17 16:31:38 EDT
Red Hat Product Errata	RHSA-2016:1088	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Web Server 3.0.3 update	2016-05-17 16:30:35 EDT
Red Hat Product Errata	RHSA-2016:1089	normal	SHIPPED_LIVE	Moderate: Red Hat JBoss Web Server 3.0.3 security update	2016-05-17 16:12:21 EDT
Red Hat Product Errata	RHSA-2016:2045	normal	SHIPPED_LIVE	Important: tomcat6 security and bug fix update	2016-10-10 20:38:52 EDT
Red Hat Product Errata	RHSA-2016:2599	normal	SHIPPED_LIVE	Moderate: tomcat security, bug fix, and enhancement update	2016-11-03 08:12:12 EDT
Red Hat Product Errata	RHSA-2016:2807	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7	2016-11-17 21:53:13 EST
Red Hat Product Errata	RHSA-2016:2808	normal	SHIPPED_LIVE	Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7	2016-11-17 22:03:17 EST

Groups: None (edit)

Description Andrej Nemec 2016-02-23 06:05:34 EST

The StatusManagerServlet could be loaded by a web application when a
security manager was configured. This servlet would then provide the web
application with a list of all deployed applications and a list of the
HTTP request lines for all requests currently being processed. This
could have exposed sensitive information from other web applications
such as session IDs to the web application.

External references:

http://seclists.org/bugtraq/2016/Feb/144

Comment 1 Andrej Nemec 2016-02-23 06:58:27 EST

Upstream patches:

Tomcat6:

http://svn.apache.org/viewvc?view=revision&revision=1722802

Tomcat7:

http://svn.apache.org/viewvc?view=revision&revision=1722801

Tomcat8:

http://svn.apache.org/viewvc?view=revision&revision=1722800

Comment 5 errata-xmlrpc 2016-05-17 12:15:53 EDT

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.0.3

Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html

Comment 6 errata-xmlrpc 2016-05-17 12:32:41 EDT

This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088

Comment 7 errata-xmlrpc 2016-05-17 12:33:52 EDT

This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087

Comment 13 Fedora Update System 2016-09-01 12:19:00 EDT

tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-09-02 05:20:56 EDT

tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 errata-xmlrpc 2016-10-10 16:42:35 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html

Comment 18 errata-xmlrpc 2016-11-03 17:10:56 EDT

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html

Comment 20 errata-xmlrpc 2016-11-17 15:34:26 EST

This issue has been addressed in the following products:



Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html

Comment 21 errata-xmlrpc 2016-11-17 15:38:15 EST

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html

Note You need to log in before you can comment on or make changes to this bug.