A privilege escalation flaw was found in the way the servlets implementing the Manager application shipped with Apache Tomcat restricted a Context's (web application's) access to Manager functionality. A specially crafted web application deployed on the server could use this flaw to invoke Manager functionality it should not have been able to reach, for example to obtain information about existing web applications or to deploy new ones.

References:
[1] http://seclists.org/fulldisclosure/2011/Nov/103
[2] http://tomcat.apache.org/security.html
[3] http://tomcat.apache.org/security-7.html

Relevant upstream patch:
[4] http://svn.apache.org/viewvc?view=revision&revision=1176588
This issue has been corrected in the following tomcat package updates: 1) tomcat-7.0.22-1.fc15 for Fedora 15, 2) tomcat-7.0.22-1.fc16 for Fedora 16.
Statement: Not affected. This flaw did not affect any version of Tomcat shipped in Red Hat products. This flaw affected only Tomcat versions 7.0.0 through 7.0.21.
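As an added example (not part of this advisory and not Tomcat project code), the following POSIX shell check reads the "Server number:" line printed by Tomcat's org.apache.catalina.util.ServerInfo class and reports whether the build falls in the affected range 7.0.0 through 7.0.21 stated above. The ServerInfo class and its output format are real; the two sample outputs embedded in the script are constructed, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the advisory or from the Tomcat project).
# Decides whether a Tomcat build falls in the affected range named above,
# Tomcat 7.0.0 through 7.0.21. The version is taken from the output of
#   java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo
# which prints a line such as "Server number:  7.0.21.0".

# server_number_from_info: read ServerInfo output on stdin and print the
# dotted version from its "Server number:" line (e.g. 7.0.21.0).
server_number_from_info() {
    awk -F': *' '/^Server number:/ { print $2; exit }'
}

# tomcat_affected VERSION: return 0 (true) when VERSION is 7.0.0 - 7.0.21,
# otherwise 1. Accepts "7.0.21" as well as the four-part "7.0.21.0" form.
tomcat_affected() {
    major=$(printf '%s\n' "$1" | cut -d. -f1)
    minor=$(printf '%s\n' "$1" | cut -d. -f2)
    patch=$(printf '%s\n' "$1" | cut -d. -f3)
    # Reject anything that is not three numeric fields before comparing,
    # so malformed input is reported as "not affected" rather than erroring.
    case "$major.$minor.$patch" in
        *[!0-9.]*|.*|*..*|*.) return 1 ;;
    esac
    [ "$major" -eq 7 ] && [ "$minor" -eq 0 ] && [ "$patch" -le 21 ]
}

# tomcat_verdict INFO_TEXT: print a one-line verdict for the ServerInfo
# output passed as a string. Exit status: 0 affected, 1 not affected,
# 2 when no "Server number:" line was found.
tomcat_verdict() {
    ver=$(printf '%s\n' "$1" | server_number_from_info)
    if [ -z "$ver" ]; then
        echo "unknown: no 'Server number:' line in input"
        return 2
    fi
    if tomcat_affected "$ver"; then
        echo "Tomcat $ver: AFFECTED (7.0.0 - 7.0.21)"
        return 0
    fi
    echo "Tomcat $ver: not affected"
    return 1
}

# Constructed sample ServerInfo output (not captured from a real server):
# one vulnerable build and the first fixed 7.0.x release.
SAMPLE_VULN='Server version: Apache Tomcat/7.0.21
Server number:  7.0.21.0
OS Name:        Linux'

SAMPLE_FIXED='Server version: Apache Tomcat/7.0.22
Server number:  7.0.22.0
OS Name:        Linux'

# Run the check against both samples; the guard keeps a "not affected"
# exit status from aborting the loop if the script is run with set -e.
for sample in "$SAMPLE_VULN" "$SAMPLE_FIXED"; do
    tomcat_verdict "$sample" || :
done
```

On a live server, pipe the real ServerInfo output into the check: `java -cp "$CATALINA_HOME/lib/catalina.jar" org.apache.catalina.util.ServerInfo | server_number_from_info`. A version match is a necessary but not sufficient indicator: vendor packages may backport the fix without changing the upstream version string, so a match should prompt a look at the distribution's own advisory, such as the Fedora updates listed above.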