When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Affected versions: 7.0.0 to 7.0.80
Upstream patch: https://svn.apache.org/viewvc?view=revision&revision=1804729
External References: https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.81
Created jbossweb tracking bugs for this issue:
Affects: openshift-1 [bug 1493224]

Created tomcat tracking bugs for this issue:
Affects: epel-6 [bug 1493225]
VirtualDirContext is not designed to be used in production. Also, because the information disclosed is only the source code of JSPs, setting this issue to WONTFIX.
Statement: VirtualDirContext is not designed to be used in production, but only to ease development with IDEs without needing to fully republish jars in WEB-INF/lib.
Tomcat 5, provided with Red Hat Enterprise Linux 5, is not affected by this issue.
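The comments above give the two facts a defender needs to triage this bug: the affected version window (7.0.0 to 7.0.80) and the precondition that a context actually serves resources through VirtualDirContext, a class the statement describes as development-only. The following script is an added example, not code from the Red Hat bug or the Tomcat project: it parses a Tomcat version string, checks it against the window stated above, and inspects context.xml content for a `<Resources>` element whose `className` is `org.apache.naming.resources.VirtualDirContext` (the Tomcat 7 class name and the `extraResourcePaths` attribute are assumed from Tomcat 7's own configuration, not from this page). All inputs are constructed inline.

```python
"""Triage helper for the VirtualDirContext source-disclosure issue (CVE-2017-12616).

Added example, not part of the original bug report. Assumptions:
  - Tomcat 7 reports its version as 'Apache Tomcat/7.0.80' (version.sh output or
    org/apache/catalina/util/ServerInfo.properties).
  - A context opts into VirtualDirContext via a <Resources className="..."> element
    in its context.xml.
"""
import re
import xml.etree.ElementTree as ET

# Assumed Tomcat 7 class name for the development-only resource provider.
VIRTUAL_DIR_CONTEXT = "org.apache.naming.resources.VirtualDirContext"

# Affected window as stated in the advisory text above (inclusive).
AFFECTED_MIN = (7, 0, 0)
AFFECTED_MAX = (7, 0, 80)

# Constructed sample inputs (not taken from any real deployment).
SAMPLE_SERVER_INFO = "Server version: Apache Tomcat/7.0.80"
DEV_CONTEXT_XML = """<Context>
  <Resources className="org.apache.naming.resources.VirtualDirContext"
             extraResourcePaths="/=/home/dev/project/web" />
</Context>"""
PROD_CONTEXT_XML = """<Context>
  <Resource name="jdbc/app" auth="Container" type="javax.sql.DataSource" />
</Context>"""
SAMPLE_CONTEXTS = {
    "dev-app/META-INF/context.xml": DEV_CONTEXT_XML,
    "prod-app/META-INF/context.xml": PROD_CONTEXT_XML,
}


def parse_tomcat_version(server_info: str) -> tuple:
    """Extract (major, minor, patch) from a line containing 'Apache Tomcat/X.Y.Z'."""
    m = re.search(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)", server_info)
    if not m:
        raise ValueError("no Tomcat version string found in: %r" % server_info)
    return tuple(int(part) for part in m.groups())


def version_in_affected_range(version: tuple) -> bool:
    """True when the version lies inside 7.0.0 .. 7.0.80 (inclusive)."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def contexts_using_virtualdircontext(context_xml: str) -> bool:
    """True when the context.xml declares a <Resources> element backed by VirtualDirContext."""
    root = ET.fromstring(context_xml)
    # iter() walks the root and every descendant, so a <Resources> directly
    # under <Context> or nested deeper is found either way.
    for resources in root.iter("Resources"):
        if resources.get("className") == VIRTUAL_DIR_CONTEXT:
            return True
    return False


def assess(server_info: str, context_files: dict) -> dict:
    """Combine both preconditions: affected version AND a context using VirtualDirContext.

    context_files maps a display name (e.g. the file path) to the XML text.
    """
    version = parse_tomcat_version(server_info)
    affected_version = version_in_affected_range(version)
    exposed = [name for name, xml in context_files.items()
               if contexts_using_virtualdircontext(xml)]
    return {
        "version": version,
        "affected_version": affected_version,
        "exposed_contexts": exposed,
        # Only an affected build *with* a VirtualDirContext-backed context is exposed.
        "exposed": affected_version and bool(exposed),
    }


if __name__ == "__main__":
    result = assess(SAMPLE_SERVER_INFO, SAMPLE_CONTEXTS)
    print("Tomcat %d.%d.%d" % result["version"],
          "in affected range:", result["affected_version"])
    for name in result["exposed_contexts"]:
        print("  context using VirtualDirContext:", name)
    print("exposed:", result["exposed"])
```

The remediation the bug points at is the same in either case: upgrade past 7.0.80 and drop the VirtualDirContext `<Resources>` declaration from any deployed context, since it is only meant for IDE-driven development.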
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:0465 https://access.redhat.com/errata/RHSA-2018:0465
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6
  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2018:0466 https://access.redhat.com/errata/RHSA-2018:0466
This vulnerability is out of security support scope for the following product:

 * Red Hat JBoss Web Server 3

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2017-12616