CVE-2016-0714

Published: 24 February 2016

The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.

From the Ubuntu security team

It was discovered that the Tomcat session-persistence implementation incorrectly handled session attributes. A remote attacker could possibly use this issue to execute arbitrary code in a privileged context.

Priority

Medium

CVSS 3 base score: 8.8

Status

Package Release Status
tomcat6
Launchpad, Ubuntu, Debian
Upstream
Released (6.0.45)
Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 LTS (Xenial Xerus)
Released (6.0.45+dfsg-1)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (6.0.39-1ubuntu0.1)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1727166
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1727182
tomcat7
Launchpad, Ubuntu, Debian
Upstream
Released (7.0.68-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(7.0.68-1)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(7.0.68-1)
Ubuntu 14.04 ESM (Trusty Tahr)
Released (7.0.52-1ubuntu0.6)
Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1726813 (bp)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1726817 (bp)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1726818 (bp)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1726819 (bp)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1726917 (bp)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1726922 (bp)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1726923
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1727031 (bp)
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1727034
tomcat8
Launchpad, Ubuntu, Debian
Upstream
Released (8.0.32-1)
Ubuntu 18.04 LTS (Bionic Beaver) Not vulnerable
(8.0.32-1ubuntu1)
Ubuntu 16.04 LTS (Xenial Xerus) Not vulnerable
(8.0.32-1ubuntu1)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1726196
Upstream: http://svn.apache.org/viewvc?view=revision&revision=1726203