| Summary: | <www-servers/tomcat-{7.0.68-r1, 8.0.32-r1}: Multiple Vulnerabilities | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Ken Johnson <x40a0e> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | normal | CC: | fordfrog |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | B2 [glsa cve] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 317667, 577626, 577628, 584114, 586966 | | |
| Bug Blocks: | | | |
Description
Ken Johnson
2016-02-27 03:25:24 UTC
6 has now been removed from the tree.

CVE-2016-0763 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0763): The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

CVE-2016-0714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0714): The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

CVE-2016-0706 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0706): Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.

9.x is unstable.

This issue was resolved and addressed in GLSA 201705-09 at https://security.gentoo.org/glsa/201705-09 by GLSA coordinator Yury German (BlueKnight).
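A version check against the affected ranges quoted in the three CVE descriptions above, as an added example that is not part of the bug report or of Gentoo's tooling. It assumes plain Tomcat version strings such as `7.0.67`, `9.0.0.M2` or `8.0.32-r1` (an optional Gentoo `-rN` revision suffix is ignored), and takes the first fixed release per branch from the CVE text; milestone builds are ordered before the GA release with the same numbers.

```python
"""Check a Tomcat version against the fixed versions listed in this bug's CVE text."""
import re

# First fixed version per major branch, as stated in each CVE description above.
# CVE-2016-0763 lists no 6.x range, so 6.x is reported as unaffected by it.
FIXED_IN = {
    "CVE-2016-0763": {7: "7.0.68", 8: "8.0.31", 9: "9.0.0.M3"},
    "CVE-2016-0714": {6: "6.0.45", 7: "7.0.68", 8: "8.0.31", 9: "9.0.0.M2"},
    "CVE-2016-0706": {6: "6.0.45", 7: "7.0.68", 8: "8.0.31", 9: "9.0.0.M2"},
}

# major.minor.patch, optional ".M<n>" milestone, optional Gentoo "-r<n>" revision.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?(?:-r\d+)?$")


def parse_version(version):
    """Return a comparable tuple (major, minor, patch, milestone).

    A milestone such as 9.0.0.M3 precedes the GA release 9.0.0, so GA gets an
    infinite sentinel in the milestone slot and sorts after every milestone.
    """
    match = VERSION_RE.match(version.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = match.groups()
    ms = int(milestone) if milestone is not None else float("inf")
    return (int(major), int(minor), int(patch), ms)


def affected_cves(version):
    """List the CVEs from this bug whose affected range contains `version`."""
    parsed = parse_version(version)
    major = parsed[0]
    hits = []
    for cve, fixed_per_branch in FIXED_IN.items():
        fixed = fixed_per_branch.get(major)
        if fixed is not None and parsed < parse_version(fixed):
            hits.append(cve)
    return hits


if __name__ == "__main__":
    # Constructed sample inputs, including the two fixed Gentoo package versions.
    for v in ("7.0.67", "7.0.68-r1", "8.0.32-r1", "9.0.0.M2", "6.0.44"):
        print(f"{v:12} -> {affected_cves(v) or 'not affected'}")
```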