Bug 1311093 - CVE-2016-0763 tomcat: security manager bypass via setGlobalContext()
Status: NEW
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Assigned To: Red Hat Product Security
impact=moderate,public=20160222,repor...
Keywords: Security
Depends On: 1311095 1311102 1316037 1316038 1322819 1322820 1347145 1347146 1352009 1381938
Blocks: 1311109 1318206 1382592
Reported: 2016-02-23 06:33 EST by Andrej Nemec
Modified: 2017-03-08 02:37 EST (History)

See Also:
Fixed In Version: tomcat 8.0.32, tomcat 7.0.68, tomcat 6.0.45
Doc Type: Bug Fix
Doc Text:
A security manager bypass flaw was found in Tomcat that could allow remote, authenticated users to access arbitrary application data, potentially resulting in a denial of service.
Description Andrej Nemec 2016-02-23 06:33:17 EST
ResourceLinkFactory.setGlobalContext() is a public method and was
accessible by web applications running under a security manager
without any checks. This allowed a malicious web application to inject
a malicious global context that could in turn be used to disrupt other
web applications and/or read and write data owned by other web
applications.

External references:

http://seclists.org/bugtraq/2016/Feb/147
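The flaw described above, as an added illustration that is neither Tomcat's code nor part of this bug report: a public static setter for a container-wide JNDI context with no permission check (the shape of ResourceLinkFactory.setGlobalContext() before the fix), next to the same setter guarded by a SecurityManager permission check (the shape of the fixed method), run with a SecurityManager installed so the difference is visible. The class names VulnerableFactory and HardenedFactory are stand-ins for org.apache.naming.factory.ResourceLinkFactory, the InitialContext objects merely stand in for the container's global context and a context built by a rogue web application, and the RuntimePermission name is my recollection of the one the fix checks, not something this page states; verify it against the source and catalina.policy of the Tomcat release you run.

```java
import java.security.AccessControlException;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;

/**
 * Added example for CVE-2016-0763 (not Tomcat code): why an unguarded public
 * static setter for the global JNDI context is a security manager bypass, and
 * what the guarded form looks like.
 */
public class GlobalContextDemo {

    // Assumption: the permission name the fixed releases check. Confirm against
    // ResourceLinkFactory in the Tomcat version you deploy.
    static final RuntimePermission SET_GLOBAL_CONTEXT = new RuntimePermission(
            "org.apache.naming.factory.ResourceLinkFactory.setGlobalContext");

    /** Pre-fix shape: public, static, callable by any code, no check at all. */
    static final class VulnerableFactory {
        private static Context globalContext;

        public static void setGlobalContext(Context ctx) {
            globalContext = ctx;
        }

        public static Context getGlobalContext() {
            return globalContext;
        }
    }

    /** Fixed shape: same signature, but refused unless the caller holds the permission. */
    static final class HardenedFactory {
        private static Context globalContext;

        public static void setGlobalContext(Context ctx) {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                // Throws AccessControlException when the calling code's protection
                // domain has not been granted SET_GLOBAL_CONTEXT by the policy.
                sm.checkPermission(SET_GLOBAL_CONTEXT);
            }
            globalContext = ctx;
        }

        public static Context getGlobalContext() {
            return globalContext;
        }
    }

    public static void main(String[] args) throws NamingException {
        // Build both contexts before the SecurityManager is installed. Neither
        // is configured with a factory, so they are inert placeholders.
        Context trusted = new InitialContext(); // stands in for the container's global context
        Context rogue = new InitialContext();   // stands in for a context built by a malicious webapp

        // Container start-up: both factories hold the trusted context.
        VulnerableFactory.setGlobalContext(trusted);
        HardenedFactory.setGlobalContext(trusted);

        // From here on, run under the JDK's default policy, which grants
        // application code on the class path no custom RuntimePermissions.
        System.setSecurityManager(new SecurityManager());

        // Web application code under the security manager: the unguarded
        // setter simply accepts the rogue context.
        VulnerableFactory.setGlobalContext(rogue);
        System.out.println("vulnerable: global context replaced = "
                + (VulnerableFactory.getGlobalContext() == rogue));

        // The guarded setter is rejected unless the policy grants the permission.
        try {
            HardenedFactory.setGlobalContext(rogue);
            System.out.println("hardened: replaced (policy granted the permission)");
        } catch (AccessControlException e) {
            System.out.println("hardened: rejected, " + e.getMessage());
        }
        System.out.println("hardened: still trusted = "
                + (HardenedFactory.getGlobalContext() == trusted));
    }
}
```

Compile and run with `javac GlobalContextDemo.java && java GlobalContextDemo`. The SecurityManager is available directly on Java 8 through 17, needs `-Djava.security.manager=allow` on Java 18 to 23, and is permanently disabled from Java 24 on, so the demo cannot be run there. In a real deployment the guarded setter is still usable by the container itself because catalina.policy grants Tomcat's own code base the needed permissions, while web applications only receive what the administrator grants them; the point of the fix is that the method's visibility no longer matters once the check is in place.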
Comment 1 Andrej Nemec 2016-02-23 06:38:30 EST
Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1311095]
Comment 3 Andrej Nemec 2016-02-23 07:05:58 EST
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1311102]
Comment 5 Fedora Update System 2016-03-25 18:21:36 EDT
tomcat-7.0.68-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Comment 8 errata-xmlrpc 2016-05-17 12:16:10 EDT
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.0.3

Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html
Comment 9 errata-xmlrpc 2016-05-17 12:32:54 EDT
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088
Comment 10 errata-xmlrpc 2016-05-17 12:34:09 EDT
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087
Comment 12 svenvdplus 2016-06-19 15:20:20 EDT
Dear, 

The latest tomcat on a standard RHEL 7.2 installation doesn't seem to contain this fix as the latest build date is from last year.

[root@localhost ~]# rpm -qi tomcat
Name        : tomcat
Epoch       : 0
Version     : 7.0.54
Release     : 2.el7_1
Architecture: noarch
Install Date: Sun 19 Jun 2016 03:10:42 PM EDT
Group       : System Environment/Daemons
Size        : 305912
License     : ASL 2.0
Signature   : RSA/SHA256, Mon 27 Apr 2015 05:00:28 AM EDT, Key ID 199e2f91fd431d51
Source RPM  : tomcat-7.0.54-2.el7_1.src.rpm
Build Date  : Tue 24 Mar 2015 07:51:30 PM EDT
Build Host  : ppc-015.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://tomcat.apache.org/
Summary     : Apache Servlet/JSP Engine, RI for Servlet 3.0/JSP 2.2 API
Description :
Tomcat is the servlet container that is used in the official Reference
Implementation for the Java Servlet and JavaServer Pages technologies.
The Java Servlet and JavaServer Pages specifications are developed by
Sun under the Java Community Process.

Tomcat is developed in an open and participatory environment and
released under the Apache Software License version 2.0. Tomcat is intended
to be a collaboration of the best-of-breed developers from around the world.

Can someone confirm this CVE is or will be fixed in the standard tomcat package in RHEL 7?

Thanks
Comment 14 Fedora Update System 2016-09-01 12:18:29 EDT
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 15 Fedora Update System 2016-09-02 05:20:25 EDT
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.
Comment 18 errata-xmlrpc 2016-11-03 17:11:14 EDT
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html
Comment 20 errata-xmlrpc 2016-11-17 15:34:33 EST
This issue has been addressed in the following products:



Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html
Comment 21 errata-xmlrpc 2016-11-17 15:38:24 EST
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html
