CVE-2016-6797
Published: 28 October 2016
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
Notes
Author | Note |
---|---|
mdeslaur | debian released a regression fix, second commit listed |
Priority
Status
Package | Release | Status |
---|---|---|
tomcat6 | artful | Does not exist |
tomcat6 | bionic | Does not exist |
tomcat6 | cosmic | Does not exist |
tomcat6 | disco | Does not exist |
tomcat6 | eoan | Does not exist |
tomcat6 | focal | Does not exist |
tomcat6 | groovy | Does not exist |
tomcat6 | hirsute | Does not exist |
tomcat6 | impish | Does not exist |
tomcat6 | jammy | Does not exist |
tomcat6 | kinetic | Does not exist |
tomcat6 | lunar | Does not exist |
tomcat6 | mantic | Does not exist |
tomcat6 | noble | Does not exist |
tomcat6 | precise | Released (6.0.35-1ubuntu3.9) |
tomcat6 | trusty | Needed |
tomcat6 | upstream | Released (6.0.47) |
tomcat6 | xenial | Released (6.0.45+dfsg-1ubuntu0.1) |
tomcat6 | yakkety | Does not exist |
tomcat6 | zesty | Does not exist |

Patches (tomcat6):
upstream: https://svn.apache.org/viewvc?view=revision&revision=1757285
upstream: https://svn.apache.org/viewvc?view=revision&revision=1763237

Package | Release | Status |
---|---|---|
tomcat7 | artful | Ignored (end of life) |
tomcat7 | bionic | Not vulnerable |
tomcat7 | cosmic | Not vulnerable |
tomcat7 | disco | Does not exist |
tomcat7 | eoan | Does not exist |
tomcat7 | focal | Does not exist |
tomcat7 | groovy | Does not exist |
tomcat7 | hirsute | Does not exist |
tomcat7 | impish | Does not exist |
tomcat7 | jammy | Does not exist |
tomcat7 | kinetic | Does not exist |
tomcat7 | lunar | Does not exist |
tomcat7 | mantic | Does not exist |
tomcat7 | noble | Does not exist |
tomcat7 | precise | Ignored (end of life) |
tomcat7 | trusty | Released (7.0.52-1ubuntu0.8) |
tomcat7 | upstream | Released (7.0.72) |
tomcat7 | xenial | Released (7.0.68-1ubuntu0.3) |
tomcat7 | yakkety | Ignored (end of life) |
tomcat7 | zesty | Ignored (end of life) |

Patches (tomcat7):
upstream: https://svn.apache.org/viewvc?view=revision&revision=1757275
upstream: https://svn.apache.org/viewvc?view=revision&revision=1763236

Package | Release | Status |
---|---|---|
tomcat8 | artful | Not vulnerable (8.0.38-2) |
tomcat8 | bionic | Not vulnerable (8.0.38-2) |
tomcat8 | cosmic | Not vulnerable (8.0.38-2) |
tomcat8 | disco | Does not exist |
tomcat8 | eoan | Does not exist |
tomcat8 | focal | Does not exist |
tomcat8 | groovy | Does not exist |
tomcat8 | hirsute | Does not exist |
tomcat8 | impish | Does not exist |
tomcat8 | jammy | Does not exist |
tomcat8 | kinetic | Does not exist |
tomcat8 | lunar | Does not exist |
tomcat8 | mantic | Does not exist |
tomcat8 | noble | Does not exist |
tomcat8 | precise | Does not exist |
tomcat8 | trusty | Does not exist |
tomcat8 | upstream | Released (8.0.37) |
tomcat8 | xenial | Released (8.0.32-1ubuntu1.3) |
tomcat8 | yakkety | Not vulnerable (8.0.37-1) |
tomcat8 | zesty | Not vulnerable (8.0.38-2) |

Patches (tomcat8):
upstream: https://svn.apache.org/viewvc?view=revision&revision=1757273
upstream: https://svn.apache.org/viewvc?view=revision&revision=1763234
Severity score breakdown
Parameter | Value |
---|---|
Base score | 7.5 |
Attack vector | Network |
Attack complexity | Low |
Privileges required | None |
User interaction | None |
Scope | Unchanged |
Confidentiality impact | High |
Integrity impact | None |
Availability impact | None |
Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |