Bug 1311093 (CVE-2016-0763) - CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
Summary: CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
Status: CLOSED ERRATA
Alias: CVE-2016-0763
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20160222,repor...
Keywords: Security
Depends On: 1311095 1311102 1316037 1316038 1322819 1322820 1347145 1347146 1352009 1381938
Blocks: 1311109 1318206 1382592
TreeView+ depends on / blocked
 
Reported: 2016-02-23 11:33 UTC by Andrej Nemec
Modified: 2019-06-11 11:13 UTC (History)
70 users (show)

(edit)
A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service.
Clone Of:
(edit)
Last Closed: 2019-06-08 02:48:44 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1087 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.3 update 2016-05-17 20:31:38 UTC
Red Hat Product Errata RHSA-2016:1088 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.3 update 2016-05-17 20:30:35 UTC
Red Hat Product Errata RHSA-2016:1089 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.3 security update 2016-05-17 20:12:21 UTC
Red Hat Product Errata RHSA-2016:2599 normal SHIPPED_LIVE Moderate: tomcat security, bug fix, and enhancement update 2016-11-03 12:12:12 UTC
Red Hat Product Errata RHSA-2016:2807 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7 2016-11-18 02:53:13 UTC
Red Hat Product Errata RHSA-2016:2808 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7 2016-11-18 03:03:17 UTC

Description Andrej Nemec 2016-02-23 11:33:17 UTC
ResourceLinkFactory.setGlobalContext() is a public method and was
accessible by web applications running under a security manager
without any checks. This allowed a malicious web application to inject
a malicious global context that could in turn be used to disrupt other
web applications and/or read and write data owned by other web
applications.

External references:

http://seclists.org/bugtraq/2016/Feb/147

Comment 1 Andrej Nemec 2016-02-23 11:38:30 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1311095]

Comment 3 Andrej Nemec 2016-02-23 12:05:58 UTC
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1311102]

Comment 5 Fedora Update System 2016-03-25 22:21:36 UTC
tomcat-7.0.68-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 errata-xmlrpc 2016-05-17 16:16:10 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.0.3

Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html

Comment 9 errata-xmlrpc 2016-05-17 16:32:54 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088

Comment 10 errata-xmlrpc 2016-05-17 16:34:09 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087

Comment 12 svenvdplus 2016-06-19 19:20:20 UTC
Dear, 

The latest tomcat on a standard RHEL 7.2 installation doesn't seem to contain this fix as the latest build date is from last year.

[root@localhost ~]# rpm -qi tomcat
Name        : tomcat
Epoch       : 0
Version     : 7.0.54
Release     : 2.el7_1
Architecture: noarch
Install Date: Sun 19 Jun 2016 03:10:42 PM EDT
Group       : System Environment/Daemons
Size        : 305912
License     : ASL 2.0
Signature   : RSA/SHA256, Mon 27 Apr 2015 05:00:28 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : tomcat-7.0.54-2.el7_1.src.rpm
Build Date  : Tue 24 Mar 2015 07:51:30 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://tomcat.apache.org/
Summary     : Apache Servlet/JSP Engine, RI for Servlet 3.0/JSP 2.2 API
Description :
Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.

Can someone confirm this cve is or will be fixed in the standard tomcat package in RHEL7?

Thanks

Comment 14 Fedora Update System 2016-09-01 16:18:29 UTC
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 15 Fedora Update System 2016-09-02 09:20:25 UTC
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 18 errata-xmlrpc 2016-11-03 21:11:14 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html

Comment 20 errata-xmlrpc 2016-11-17 20:34:33 UTC
This issue has been addressed in the following products:



Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html

Comment 21 errata-xmlrpc 2016-11-17 20:38:24 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html


Note You need to log in before you can comment on or make changes to this bug.