CVE-2016-0714
Published: 24 February 2016
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
From the Ubuntu Security Team
It was discovered that the Tomcat session-persistence implementation incorrectly handled session attributes. A remote attacker could possibly use this issue to execute arbitrary code in a privileged context.
Notes
| Author | Note |
|---|---|
| mdeslaur | list of backports is incomplete. Fix is intrusive. |
Priority
Status
| Package | Release | Status |
|---|---|---|
|
tomcat6 Launchpad, Ubuntu, Debian |
artful |
Does not exist
|
| bionic |
Does not exist
|
|
| precise |
Released
(6.0.35-1ubuntu3.7)
|
|
| trusty |
Released
(6.0.39-1ubuntu0.1)
|
|
| upstream |
Released
(6.0.45)
|
|
| wily |
Ignored
(reached end-of-life)
|
|
| xenial |
Released
(6.0.45+dfsg-1)
|
|
| yakkety |
Does not exist
|
|
| zesty |
Does not exist
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1727166 upstream: http://svn.apache.org/viewvc?view=revision&revision=1727182 |
||
|
tomcat7 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(7.0.68-1)
|
| bionic |
Not vulnerable
(7.0.68-1)
|
|
| precise |
Does not exist
(precise was needed)
|
|
| trusty |
Released
(7.0.52-1ubuntu0.6)
|
|
| upstream |
Released
(7.0.68-1)
|
|
| wily |
Released
(7.0.64-1ubuntu0.3)
|
|
| xenial |
Not vulnerable
(7.0.68-1)
|
|
| yakkety |
Not vulnerable
(7.0.68-1)
|
|
| zesty |
Not vulnerable
(7.0.68-1)
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1726813 (bp) upstream: http://svn.apache.org/viewvc?view=revision&revision=1726817 (bp) upstream: http://svn.apache.org/viewvc?view=revision&revision=1726818 (bp) upstream: http://svn.apache.org/viewvc?view=revision&revision=1726819 (bp) upstream: http://svn.apache.org/viewvc?view=revision&revision=1726917 (bp) upstream: http://svn.apache.org/viewvc?view=revision&revision=1726922 (bp) upstream: http://svn.apache.org/viewvc?view=revision&revision=1726923 upstream: http://svn.apache.org/viewvc?view=revision&revision=1727031 (bp) upstream: http://svn.apache.org/viewvc?view=revision&revision=1727034 |
||
|
tomcat8 Launchpad, Ubuntu, Debian |
artful |
Not vulnerable
(8.0.32-1ubuntu1)
|
| bionic |
Not vulnerable
(8.0.32-1ubuntu1)
|
|
| precise |
Does not exist
|
|
| trusty |
Does not exist
|
|
| upstream |
Released
(8.0.32-1)
|
|
| wily |
Ignored
(reached end-of-life)
|
|
| xenial |
Not vulnerable
(8.0.32-1ubuntu1)
|
|
| yakkety |
Not vulnerable
(8.0.32-1ubuntu1)
|
|
| zesty |
Not vulnerable
(8.0.32-1ubuntu1)
|
|
|
Patches: upstream: http://svn.apache.org/viewvc?view=revision&revision=1726196 upstream: http://svn.apache.org/viewvc?view=revision&revision=1726203 |
||
Severity score breakdown
| Parameter | Value |
|---|---|
| Base score | 8.8 |
| Attack vector | Network |
| Attack complexity | Low |
| Privileges required | Low |
| User interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity impact | High |
| Availability impact | High |
| Vector | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |