The following flaw was reported in Tomcat: The ResourceLinkFactory did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

Upstream patches:
6.0.47: https://svn.apache.org/viewvc?view=revision&revision=1757285
7.0.72: https://svn.apache.org/viewvc?view=revision&revision=1757275
8.5.5: https://svn.apache.org/viewvc?view=revision&revision=1757272
8.0.37: https://svn.apache.org/viewvc?view=revision&revision=1757273
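As an added example (not code from this advisory, from Red Hat, or from the Tomcat project): a small Python audit that reads constructed server.xml and per-application context.xml fragments, lists which global JNDI resources each web application reaches through an explicit ResourceLink, flags global resources that no application links (reachable by any application before the fix, unreachable after it, so worth knowing before upgrading), and checks a Tomcat version string against the fixed releases listed above. The element names GlobalNamingResources, Resource and ResourceLink are Tomcat's own; the resource names, application names and version strings are made up for the example.

```python
"""Audit explicit ResourceLink usage across Tomcat web applications and
check a Tomcat version against the fixed releases named in the advisory.

Added example for this advisory; not Red Hat's or the Tomcat project's code.
All XML fragments below are constructed samples, not real deployments.
"""
import xml.etree.ElementTree as ET

# Fixed release per branch, taken from the advisory text above.
FIXED = {"6.0": (6, 0, 47), "7.0": (7, 0, 72), "8.0": (8, 0, 37), "8.5": (8, 5, 5)}

# Constructed server.xml fragment: three global JNDI resources.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="jdbc/AccountsDS" auth="Container" type="javax.sql.DataSource"/>
    <Resource name="jdbc/ReportsDS" auth="Container" type="javax.sql.DataSource"/>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>
</Server>"""

# Constructed context.xml fragments, keyed by (made-up) web application name.
CONTEXTS = {
    "shop": """<Context>
  <ResourceLink name="jdbc/ShopDS" global="jdbc/AccountsDS" type="javax.sql.DataSource"/>
</Context>""",
    "reports": """<Context>
  <ResourceLink name="jdbc/ReportsDS" global="jdbc/ReportsDS" type="javax.sql.DataSource"/>
  <ResourceLink name="jdbc/Missing" global="jdbc/DoesNotExist" type="javax.sql.DataSource"/>
</Context>""",
    "legacy": "<Context/>",  # no links at all
}


def parse_version(version):
    """'8.0.36' -> (8, 0, 36); tuples compare numerically, unlike strings."""
    return tuple(int(p) for p in version.split("."))


def is_fixed(version):
    """True if `version` is at or above its branch's fixed release, False if
    below it, None if the branch is not one the advisory covers."""
    parts = parse_version(version)
    branch = f"{parts[0]}.{parts[1]}"
    if branch not in FIXED:
        return None
    return parts >= FIXED[branch]


def global_resources(server_xml):
    """Names of every <Resource> declared under <GlobalNamingResources>."""
    root = ET.fromstring(server_xml)
    return {r.get("name") for g in root.iter("GlobalNamingResources")
            for r in g.findall("Resource")}


def resource_links(context_xml):
    """Map each application-local JNDI name to the global resource it links."""
    root = ET.fromstring(context_xml)
    return {rl.get("name"): rl.get("global") for rl in root.iter("ResourceLink")}


def audit(server_xml, contexts):
    """Per application: global resources reached through an explicit
    ResourceLink, and links whose target global resource does not exist."""
    declared = global_resources(server_xml)
    report = {}
    for app, ctx in contexts.items():
        targets = resource_links(ctx).values()
        report[app] = {
            "linked": sorted(t for t in targets if t in declared),
            "dangling": sorted(t for t in targets if t not in declared),
        }
    return report


def unlinked_globals(server_xml, contexts):
    """Global resources no application links explicitly. Before the fix any
    application could still look these up; after it, only linked ones are
    visible to web applications."""
    declared = global_resources(server_xml)
    linked = {t for ctx in contexts.values() for t in resource_links(ctx).values()}
    return sorted(declared - linked)


if __name__ == "__main__":
    for v in ("8.0.36", "8.0.37", "8.5.4", "8.5.5", "9.0.0"):
        print(f"Tomcat {v}: fixed={is_fixed(v)}")
    for app, result in audit(SERVER_XML, CONTEXTS).items():
        print(f"{app}: linked={result['linked']} dangling={result['dangling']}")
    print("global resources with no explicit link:", unlinked_globals(SERVER_XML, CONTEXTS))
```

An application that appears with an empty "linked" list but still performs JNDI lookups of global names (the "legacy" sample) is the case that keeps working on an unpatched server and breaks after the upgrade; adding an explicit ResourceLink for each global resource it actually needs is the intended configuration.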
External References:
https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
Created tomcat tracking bugs for this issue:
Affects: fedora-all [bug 1390532]
Affects: epel-6 [bug 1390533]
This issue has been addressed in the following products:
  Red Hat JBoss Web Server 3.1.0
Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html

This issue has been addressed in the following products:
  Red Hat JBoss Web Server 3 for RHEL 7
Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456

This issue has been addressed in the following products:
  Red Hat JBoss Web Server 3 for RHEL 6
Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 7
Via RHSA-2017:2247 https://access.redhat.com/errata/RHSA-2017:2247
This vulnerability is out of security support scope for the following products:
* Red Hat JBoss Operations Network 3
* Red Hat JBoss Data Grid 6
* Red Hat JBoss BRMS 5
* Red Hat JBoss Data Virtualization & Services 6
* Red Hat JBoss Fuse Service Works 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.