It was found that the expression language resolver evaluated expressions within a privileged code section. A malicious web application could use this flaw to bypass security manager protections.

Upstream patches:
http://svn.apache.org/viewvc?view=revision&revision=1644019
http://svn.apache.org/viewvc?view=revision&revision=1645644

External References:
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17
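The shape of the flaw described in this report, and the narrowed-privilege shape that fixes it, as an added illustration that is not Tomcat's code or the upstream patch: the `Evaluator` interface, the `PrivilegeScopeDemo` class and the `demo.el.strict` property are all hypothetical.

```java
import java.security.AccessController;
import java.security.PrivilegedAction;

// Hypothetical illustration of the flaw class described above; not Tomcat's code.
public class PrivilegeScopeDemo {

    // Stand-in for an expression resolver; the expression string comes from a web app.
    interface Evaluator {
        Object evaluate(String expression);
    }

    // Flawed shape: the entire evaluation of web-application-controlled input runs
    // inside doPrivileged, so permission checks triggered while evaluating stop at this
    // frame and see only the container's (trusted) protection domain; the web
    // application's own policy restrictions are never consulted.
    static Object evaluateInsidePrivileged(Evaluator ev, String untrustedExpr) {
        return AccessController.doPrivileged(
                (PrivilegedAction<Object>) () -> ev.evaluate(untrustedExpr));
    }

    // Corrected shape: elevate privilege only for the narrow, fixed operation the
    // container itself needs (here a property read, as a constructed example) and
    // evaluate the untrusted expression outside that block, so the SecurityManager
    // checks whatever it touches against the web application's permissions.
    static Object evaluateOutsidePrivileged(Evaluator ev, String untrustedExpr) {
        boolean strict = AccessController.doPrivileged(
                (PrivilegedAction<Boolean>) () -> Boolean.getBoolean("demo.el.strict"));
        if (strict && untrustedExpr.length() > 1024) {
            throw new IllegalArgumentException("expression too long");
        }
        return ev.evaluate(untrustedExpr); // runs with the caller's permissions only
    }

    public static void main(String[] args) {
        // Constructed evaluator: performs a permission check that a sandboxed web
        // application would normally be denied by the security manager's policy.
        Evaluator ev = expr -> {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                sm.checkPermission(new RuntimePermission("createClassLoader"));
            }
            return "evaluated: " + expr;
        };
        System.out.println(evaluateOutsidePrivileged(ev, "${example}"));
    }
}
```

Run under a SecurityManager with a policy that grants this class's code source the permission but denies it to the caller's domain: the privileged variant succeeds, the corrected variant throws an AccessControlException at the check, which is the behaviour the security manager is meant to enforce.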
Created tomcat tracking bugs for this issue:

Affects: fedora-all [bug 1222576]
Affects: epel-6 [bug 1222577]
Currently builds are in progress for EAP 6.3 and JBoss Web Server 2.1. QE Testing is in progress.
This issue has been addressed in the following products:

JBEWS 2 for RHEL 7
JBEWS 2 for RHEL 6
JBEWS 2 for RHEL 5

Via RHSA-2015:1622 https://rhn.redhat.com/errata/RHSA-2015-1622.html
This issue has been addressed in the following products:

Red Hat JBoss Web Server 2.1.0

Via RHSA-2015:1621 https://rhn.redhat.com/errata/RHSA-2015-1621.html
Reopened as we're waiting on RHEL patches for Tomcat
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2016:0492 https://rhn.redhat.com/errata/RHSA-2016-0492.html
This issue has been addressed in the following products:

Red Hat Enterprise Linux 7

Via RHSA-2016:2046 https://rhn.redhat.com/errata/RHSA-2016-2046.html