Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 575796 (CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763) - <www-servers/tomcat-{7.0.68-r1, 8.0.32-r1}: Multiple Vulnerabilities
Summary: <www-servers/tomcat-{7.0.68-r1, 8.0.32-r1}: Multiple Vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2015-5174, CVE-2015-5345, CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa cve]
Keywords:
Depends on: 317667 577626 577628 584114 CVE-2016-3092
Blocks:
  Show dependency tree
 
Reported: 2016-02-27 03:25 UTC by Ken Johnson
Modified: 2017-05-18 02:02 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ken Johnson 2016-02-27 03:25:24 UTC
Multiple vulnerabilities in Apache Tomcat versions < 6.0.45, 7.0.65, 8.0.27, 8.0.30, 9.0.0 M2, 7.0.66, 7.0.68, 8.0.31.

Vulnerabilities include:
Directory traversal allowing bypass of the SecurityManager
Directory enumeration through redirection handling
Session fixation
CSRF bypass in Manager and HostManager
Authorization bypass allowing authenticated users to access privileged information such as HTTP requests containing session-ids
Arbitrary remote code execution via persistent session object
Authorization bypass allowing read/write access to application data from an authenticated user

NIST CVE links:
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5174
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5345
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5346
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5351
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0706
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0714
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0763

Reproducible: Always
Comment 1 James Le Cuirot gentoo-dev 2016-03-22 21:18:01 UTC
6 has now been removed from the tree.
Comment 2 GLSAMaker/CVETool Bot gentoo-dev 2016-07-14 08:49:13 UTC
CVE-2016-0763 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0763):
  The setGlobalContext method in
  org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x
  before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider
  whether ResourceLinkFactory.setGlobalContext callers are authorized, which
  allows remote authenticated users to bypass intended SecurityManager
  restrictions and read or write to arbitrary application data, or cause a
  denial of service (application disruption), via a web application that sets
  a crafted global context.

CVE-2016-0714 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0714):
  The session-persistence implementation in Apache Tomcat 6.x before 6.0.45,
  7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles
  session attributes, which allows remote authenticated users to bypass
  intended SecurityManager restrictions and execute arbitrary code in a
  privileged context via a web application that places a crafted object in a
  session.

CVE-2016-0706 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2016-0706):
  Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and
  9.x before 9.0.0.M2 does not place
  org.apache.catalina.manager.StatusManagerServlet on the
  org/apache/catalina/core/RestrictedServlets.properties list, which allows
  remote authenticated users to bypass intended SecurityManager restrictions
  and read arbitrary HTTP requests, and consequently discover session ID
  values, via a crafted web application.
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-07-14 08:51:08 UTC
9.x is unstable.
Comment 4 GLSAMaker/CVETool Bot gentoo-dev 2017-05-18 02:02:18 UTC
This issue was resolved and addressed in
 GLSA 201705-09 at https://security.gentoo.org/glsa/201705-09
by GLSA coordinator Yury German (BlueKnight).