Bug 1311087 (CVE-2016-0706) - CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
Summary: CVE-2016-0706 tomcat: security manager bypass via StatusManagerServlet
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-0706
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1311095 1311102 1316031 1316032 1322806 1322807 1347143 1347144 1352009 1367056 1367057 1381943
Blocks: 1311109 1318206 1382592
TreeView+ depends on / blocked
 
Reported: 2016-02-23 11:05 UTC by Andrej Nemec
Modified: 2021-02-17 04:19 UTC (History)
12 users (show)

Fixed In Version: tomcat 6.0.45, tomcat 7.0.68, tomcat 8.0.32
Doc Type: Bug Fix
Doc Text:
It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs.
Clone Of:
Environment:
Last Closed: 2019-06-08 02:48:40 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:1087 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.3 update 2016-05-17 20:31:38 UTC
Red Hat Product Errata RHSA-2016:1088 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.3 update 2016-05-17 20:30:35 UTC
Red Hat Product Errata RHSA-2016:1089 0 normal SHIPPED_LIVE Moderate: Red Hat JBoss Web Server 3.0.3 security update 2016-05-17 20:12:21 UTC
Red Hat Product Errata RHSA-2016:2045 0 normal SHIPPED_LIVE Important: tomcat6 security and bug fix update 2016-10-11 00:38:52 UTC
Red Hat Product Errata RHSA-2016:2599 0 normal SHIPPED_LIVE Moderate: tomcat security, bug fix, and enhancement update 2016-11-03 12:12:12 UTC
Red Hat Product Errata RHSA-2016:2807 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7 2016-11-18 02:53:13 UTC
Red Hat Product Errata RHSA-2016:2808 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 2.1.2 security update for Tomcat 7 2016-11-18 03:03:17 UTC

Description Andrej Nemec 2016-02-23 11:05:34 UTC
The StatusManagerServlet could be loaded by a web application when a
security manager was configured. This servlet would then provide the web
application with a list of all deployed applications and a list of the
HTTP request lines for all requests currently being processed. This
could have exposed sensitive information from other web applications
such as session IDs to the web application.

External references:

http://seclists.org/bugtraq/2016/Feb/144

Comment 5 errata-xmlrpc 2016-05-17 16:15:53 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.0.3

Via RHSA-2016:1089 https://rhn.redhat.com/errata/RHSA-2016-1089.html

Comment 6 errata-xmlrpc 2016-05-17 16:32:41 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 7

Via RHSA-2016:1088 https://access.redhat.com/errata/RHSA-2016:1088

Comment 7 errata-xmlrpc 2016-05-17 16:33:52 UTC
This issue has been addressed in the following products:

  JWS 3.0 for RHEL 6

Via RHSA-2016:1087 https://access.redhat.com/errata/RHSA-2016:1087

Comment 13 Fedora Update System 2016-09-01 16:19:00 UTC
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2016-09-02 09:20:56 UTC
tomcat-7.0.70-2.el6 has been pushed to the Fedora EPEL 6 stable repository. If problems still persist, please make note of it in this bug report.

Comment 17 errata-xmlrpc 2016-10-10 20:42:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:2045 https://rhn.redhat.com/errata/RHSA-2016-2045.html

Comment 18 errata-xmlrpc 2016-11-03 21:10:56 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:2599 https://rhn.redhat.com/errata/RHSA-2016-2599.html

Comment 20 errata-xmlrpc 2016-11-17 20:34:26 UTC
This issue has been addressed in the following products:



Via RHSA-2016:2808 https://rhn.redhat.com/errata/RHSA-2016-2808.html

Comment 21 errata-xmlrpc 2016-11-17 20:38:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Web Server 2 for RHEL 6
  Red Hat JBoss Enterprise Web Server 2 for RHEL 7

Via RHSA-2016:2807 https://rhn.redhat.com/errata/RHSA-2016-2807.html


Note You need to log in before you can comment on or make changes to this bug.