ResourceLinkFactory.setGlobalContext() is a public method and was accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications. External references: http://seclists.org/bugtraq/2016/Feb/147
Created tomcat tracking bugs for this issue: Affects: epel-6 [bug 1311095]
Upstream patches: Tomcat7: http://svn.apache.org/viewvc?view=revision&revision=1725931 Tomcat8: http://svn.apache.org/viewvc?view=revision&revision=1725929
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1311102]
tomcat-7.0.68-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat JBoss Web Server 3.0.3 Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
This issue has been addressed in the following products: JWS 3.0 for RHEL 7 Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088
This issue has been addressed in the following products: JWS 3.0 for RHEL 6 Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087
Dear, The latest tomcat on a standard RHEL 7.2 installation doesn't seem to contain this fix as the latest build date is from last year. [root@localhost ~]# rpm -qi tomcat Name : tomcat Epoch : 0 Version : 7.0.54 Release : 2.el7_1 Architecture: noarch Install Date: Sun 19 Jun 2016 03:10:42 PM EDT Group : System Environment/Daemons Size : 305912 License : ASL 2.0 Signature : RSA/SHA256, Mon 27 Apr 2015 05:00:28 AM EDT, Key ID 199e2f91fd431d51 Source RPM : tomcat-7.0.54-2.el7_1.src.rpm Build Date : Tue 24 Mar 2015 07:51:30 PM EDT Build Host : ppc-015.build.eng.bos.redhat.com Relocations : (not relocatable) Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla> Vendor : Red Hat, Inc. URL : http://tomcat.apache.org/ Summary : Apache Servlet/JSP Engine, RI for Servlet 3.0/JSP 2.2 API Description : Tomcat is the servlet container that is used in the official Reference Implementation for the Java Servlet and JavaServer Pages technologies. The Java Servlet and JavaServer Pages specifications are developed by Sun under the Java Community Process. Tomcat is developed in an open and participatory environment and released under the Apache Software License version 2.0. Tomcat is intended to be a collaboration of the best-of-breed developers from around the world. Can someone confirm this cve is or will be fixed in the standard tomcat package in RHEL7? Thanks
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html
This issue has been addressed in the following products: Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Web Server 2 for RHEL 6 Red Hat JBoss Enterprise Web Server 2 for RHEL 7 Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html