The following flaw was found in Tomcat: A malicious web application was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet. Upstream patches: 6.0.47: https://svn.apache.org/viewvc?view=rev&rev=1758496 https://svn.apache.org/viewvc?view=rev&rev=1763237 7.0.72: https://svn.apache.org/viewvc?view=rev&rev=1758495 https://svn.apache.org/viewvc?view=rev&rev=1763236 8.5.5: https://svn.apache.org/viewvc?view=rev&rev=1758493 8.0.37: https://svn.apache.org/viewvc?view=rev&rev=1758494 https://svn.apache.org/viewvc?view=rev&rev=1763234 External References: https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47 https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1390532] Affects: epel-6 [bug 1390533]
This issue has been addressed in the following products: Red Hat JBoss Web Server 3.1.0 Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 Via RHSA-2017:1551 https://rhn.redhat.com/errata/RHSA-2017-1551.html
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5 Via RHSA-2017:1550 https://access.redhat.com/errata/RHSA-2017:1550
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:1549 https://access.redhat.com/errata/RHSA-2017:1549
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7 Via RHSA-2017:1548 https://access.redhat.com/errata/RHSA-2017:1548
This issue has been addressed in the following products: Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6 Via RHSA-2017:1552 https://access.redhat.com/errata/RHSA-2017:1552
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2247 https://access.redhat.com/errata/RHSA-2017:2247
This vulnerability is out of security support scope for the following product: * Red Hat Enterprise Application Platform 5 * Red Hat JBoss BRMS 5 * Red Hat JBoss Data Virtualization & Services 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Data Grid 7 * Red Hat JBoss Operations Network 3 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.