You are viewing a plain text version of this content. The canonical link for it is here.

Posted to announce@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2016/02/22 12:22:18 UTC

[SECURITY] CVE-2016-0706 Apache Tomcat Security Manager bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2016-0706 Apache Tomcat Security Manager bypass

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
- - Apache Tomcat 6.0.0 to 6.0.44
- - Apache Tomcat 7.0.0 to 7.0.67
- - Apache Tomcat 8.0.0.RC1 to 8.0.30
- - Apache Tomcat 9.0.0.M1
- - Earlier, unsupported Tomcat versions may be affected

Description:
The StatusManagerServlet could be loaded by a web application when a
security manager was configured. This servlet would then provide the web
application with a list of all deployed applications and a list of the
HTTP request lines for all requests currently being processed. This
could have exposed sensitive information from other web applications
such as session IDs to the web application.

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- - Upgrade to Apache Tomcat 8.0.32 or later
  (8.0.31 has the fix but was not released)
- - Upgrade to Apache Tomcat 7.0.68 or later
- - Upgrade to Apache Tomcat 6.0.45 or later


Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWyu9qAAoJEBDAHFovYFnny/0P/0VtkiCt56FeS3I42BlvjAne
w/oqurmk/XoF/gof+VYxYuNOXMIwvgyGMjj21kZf+n2DjINXLHp9VFZ/APeSJ8kL
XcnTL1EBK1JBdxsieIhGAfLMeDO04wO3uuorJHwJIBbl4ymh7N4A2fgciKgCmNyB
y22TPT5Hz7iFCU8Ij6xsYJERpveUrenenAqbgjdcpILydbBoTqmZtZtWmPOFki90
cZo/2D0Av4H4SKh1PuCkzjk2DFXfyXcq+tDaX8dizPinQMQsbAX63BoYy5LrfWrJ
epgY9Q0QziOyp7b5Z72AjQ3RJR7yZS/iT3wb37jceI3Dq/mpkWFggqEGkSpFdGX7
AhoqVXjFw9eakjst0k5LZ29+dD8Fqz+2umXlRwelsxInLNgDk67Z2XehqkWWb85b
64PFh3ZYj/8CxxV6ErGq0bBhpCsNHZffEzOT/Ebldjn/afHajne3Yd9SZEbbZO3U
ejCSG2UziJ4t4mygnGyWaRCgKtjCrejzDZYicOICJEDE8enaPbNs0Ka8lR8fh21y
U3avzYIu7MosqvqoEAleMkjXySWSufqGF0ugbtsZx1lisl9Zax0LfXbq5sLmdNMS
fXhxu/1RfHfPS7NUP9YYs5OdWxCxecD/kiaxc3ArVVPdgAMSwlEyI59gSD/y7XPd
fitNMHbOMz6qG/uxVfH0
=6KO+
-----END PGP SIGNATURE-----