The following flaw was found in Tomcat: When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. Tomcat's system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible. Upstream patches: 6.0.47: https://svn.apache.org/viewvc?view=revision&revision=1754733 7.0.72: https://svn.apache.org/viewvc?view=revision&revision=1754728 8.5.5: https://svn.apache.org/viewvc?view=revision&revision=1754726 8.0.37: https://svn.apache.org/viewvc?view=revision&revision=1754727 External References: https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47 https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1390532] Affects: epel-6 [bug 1390533]
This issue has been addressed in the following products: Red Hat JBoss Web Server 3.1.0 Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2247 https://access.redhat.com/errata/RHSA-2017:2247
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Operations Network 3 * Red Hat JBoss Data Grid 6 * Red Hat JBoss BRMS 5 * Red Hat JBoss Data Virtualization & Services 6 * Red Hat JBoss Fuse Service Works 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.