While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.

Affected versions: 7.0.0 to 7.0.75, 8.0.0.RC1 to 8.0.41, 8.5.0 to 8.5.11

Upstream fixes:
Tomcat 7.x: https://svn.apache.org/viewvc?view=revision&revision=1785777
Tomcat 8.0.x: https://svn.apache.org/viewvc?view=revision&revision=1785776
Tomcat 8.5.x: https://svn.apache.org/viewvc?view=revision&revision=1785775

References:
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.76
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.42
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.12
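To make the facade point concrete, the following is an added illustration, not Tomcat's code and not part of the original advisory. It models a pooled container-internal request object, the facade that application code is supposed to receive, and a listener from an untrusted web application that keeps whatever object it is handed. All class names (InternalRequest, RequestFacade, RetainingListener, FacadeDemo) are hypothetical. The first run passes the internal object to the listener, as the affected versions did for some listener calls, so the retained reference later reads data belonging to a second web application; the second run passes the facade, which is disconnected when the request is recycled, so the same retained reference fails instead.

```java
import java.util.HashMap;
import java.util.Map;

// Container-internal request object that is pooled and reused across requests.
// Hypothetical model for illustration, not Tomcat's connector.Request.
final class InternalRequest {
    private final Map<String, Object> attributes = new HashMap<>();
    private String contextPath;
    private RequestFacade facade;

    // Start of a new request: a fresh facade is handed out each time, so a
    // facade retained from an earlier request can never reach the new state.
    void begin(String contextPath) {
        this.contextPath = contextPath;
        this.facade = new RequestFacade(this);
    }

    // End of a request: internal state is reset for reuse and the facade that
    // application code saw is disconnected from this object.
    void recycle() {
        attributes.clear();
        contextPath = null;
        if (facade != null) { facade.clear(); facade = null; }
    }

    RequestFacade getRequest() { return facade; }   // what listeners should receive
    String getContextPath() { return contextPath; }
    Object getAttribute(String name) { return attributes.get(name); }
    void setAttribute(String name, Object value) { attributes.put(name, value); }
}

// Facade handed to application code. Once cleared, every accessor fails instead
// of reading whatever request the pooled object is now serving.
final class RequestFacade {
    private InternalRequest request;
    RequestFacade(InternalRequest request) { this.request = request; }
    void clear() { request = null; }
    private InternalRequest live() {
        if (request == null)
            throw new IllegalStateException("request has been recycled");
        return request;
    }
    String getContextPath() { return live().getContextPath(); }
    Object getAttribute(String name) { return live().getAttribute(name); }
}

// A listener from an untrusted web application that keeps the object it is
// handed, as the advisory describes.
final class RetainingListener {
    Object retained;
    void requestInitialized(Object servletRequest) { retained = servletRequest; }
}

public final class FacadeDemo {
    private static final InternalRequest POOLED = new InternalRequest();

    // useFacade == false: the internal object itself reaches the listener (the bug).
    // useFacade == true:  only the facade reaches the listener (the fix).
    static void serve(String ctx, String secret, RetainingListener l, boolean useFacade) {
        POOLED.begin(ctx);
        POOLED.setAttribute("secret", secret);
        l.requestInitialized(useFacade ? POOLED.getRequest() : POOLED);
        POOLED.recycle();
    }

    public static void main(String[] args) {
        RetainingListener evil = new RetainingListener();

        // 1. Without the facade: the listener in appA keeps the pooled object, which
        //    is then reused for appB. The stale reference now reads appB's attribute.
        serve("/appA", "appA-secret", evil, false);
        POOLED.begin("/appB");
        POOLED.setAttribute("secret", "appB-secret");
        InternalRequest leaked = (InternalRequest) evil.retained;
        System.out.println("no facade: " + leaked.getContextPath()
                + " -> " + leaked.getAttribute("secret"));
        POOLED.recycle();

        // 2. With the facade: the retained reference was cleared on recycle, so the
        //    same attempt fails instead of exposing appB's data.
        serve("/appA", "appA-secret", evil, true);
        POOLED.begin("/appB");
        POOLED.setAttribute("secret", "appB-secret");
        RequestFacade stale = (RequestFacade) evil.retained;
        try {
            System.out.println("facade: " + stale.getAttribute("secret"));
        } catch (IllegalStateException e) {
            System.out.println("facade: " + e.getMessage());
        }
        POOLED.recycle();
    }
}
```

Compile and run with `javac FacadeDemo.java && java FacadeDemo`. The first line printed shows appB's value being read through the reference retained by appA's listener; the second shows the facade refusing the same access. The protection only holds when the container both hands out the facade everywhere application code can observe a request or response and disconnects that facade on recycle; the upstream fix addresses the first half for the listener calls that had been bypassing the facade. In Tomcat, per-request facade recycling is what the `org.apache.catalina.connector.RECYCLE_FACADES` system property controls, and it is always on when a SecurityManager is in use.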
Created jbossweb tracking bugs for this issue:

Affects: openshift-1 [bug 1441243]

Created tomcat tracking bugs for this issue:

Affects: epel-6 [bug 1441241]
Affects: fedora-all [bug 1441242]
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2017:1801 https://access.redhat.com/errata/RHSA-2017:1801
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3.1.1

Via RHSA-2017:1802 https://access.redhat.com/errata/RHSA-2017:1802
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1809 https://access.redhat.com/errata/RHSA-2017:1809