Bug 1441223 (CVE-2017-5648) - CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object
Summary: CVE-2017-5648 tomcat: Calls to application listeners did not use the appropri...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2017-5648
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1441241 1441242 1441243 1441487 1441488
Blocks: 1441210 1446025 1482229
TreeView+ depends on / blocked
 
Reported: 2017-04-11 12:57 UTC by Adam Mariš
Modified: 2020-12-15 15:24 UTC (History)
61 users (show)

Fixed In Version: tomcat 7.0.76, tomcat 8.0.42, tomcat 8.5.12
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was discovered in tomcat. When running an untrusted application under a SecurityManager it was possible, under some circumstances, for that application to retain references to the request or response objects and thereby access and/or modify information associated with another web application.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:10:16 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:1801 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update 2017-07-25 20:44:35 UTC
Red Hat Product Errata RHSA-2017:1802 0 normal SHIPPED_LIVE Important: Red Hat JBoss Web Server Service Pack 1 security update 2017-07-25 21:46:13 UTC
Red Hat Product Errata RHSA-2017:1809 0 normal SHIPPED_LIVE Important: tomcat security update 2017-07-27 10:10:12 UTC

Description Adam Mariš 2017-04-11 12:57:10 UTC 
While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Affected versions: 7.0.0 to 7.0.75, 8.0.0.RC1 to 8.0.41, 8.5.0 to 8.5.11

Upstream fixes:

Tomcat 7.x:

https://svn.apache.org/viewvc?view=revision&revision=1785777

Tomcat 8.0.x:

https://svn.apache.org/viewvc?view=revision&revision=1785776

Tomcat 8.5.x:

https://svn.apache.org/viewvc?view=revision&revision=1785775

References:

https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.76
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.42
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.12
Comment 1 Adam Mariš 2017-04-11 13:32:17 UTC 
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1441243]


Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1441241]
Affects: fedora-all [bug 1441242]
Comment 5 errata-xmlrpc 2017-07-25 16:45:52 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801
Comment 6 errata-xmlrpc 2017-07-25 17:46:55 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.1

Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802
Comment 7 errata-xmlrpc 2017-07-27 06:11:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1809 https://access.redhat.com/errata/RHSA-2017:1809
Note You need to log in before you can comment on or make changes to this bug.