CVE-2016-6797

Published: 28 October 2016

The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
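The access gap described above, as an added illustrative model and not Tomcat's own ResourceLinkFactory source: the server's global resources and each web application's links are plain maps, a web application is identified by its class loader (as the upstream fix does), and the names `jdbc/AppDS`, `jdbc/PayrollDS` and the two loaders are constructed sample data. The "vulnerable" lookup resolves any global name it is handed; the "fixed" lookup first checks that the calling application declared a link to that global name.

```java
import java.util.HashMap;
import java.util.Map;

/**
 * Simplified model (added example, not Tomcat code) of the check that was
 * missing before CVE-2016-6797 was fixed. Real Tomcat resolves a
 * ResourceLinkRef against the global JNDI context; here JNDI is replaced by
 * maps so the authorization decision can be shown on its own.
 */
public class ResourceLinkModel {

    /** Stand-in for <GlobalNamingResources> in server.xml (sample data). */
    static final Map<String, Object> GLOBAL = new HashMap<>();

    /**
     * Per-web-application allowlist, local name -> global name, keyed by the
     * application's class loader. One entry per <ResourceLink> element in the
     * application's context.xml. This map is what the fix introduced.
     */
    static final Map<ClassLoader, Map<String, String>> LINKS = new HashMap<>();

    /** Register <ResourceLink name="localName" global="globalName"/> for one web application. */
    static void registerLink(ClassLoader webapp, String localName, String globalName) {
        LINKS.computeIfAbsent(webapp, k -> new HashMap<>()).put(localName, globalName);
    }

    /** Pre-fix behaviour: whatever global name is requested is resolved, for any caller. */
    static Object lookupVulnerable(ClassLoader webapp, String globalName) {
        return GLOBAL.get(globalName);
    }

    /**
     * Post-fix behaviour: the requested global name must be one the calling
     * application explicitly linked; otherwise the lookup fails. Tomcat throws
     * a NamingException at this point; the model returns null to stay short.
     */
    static Object lookupFixed(ClassLoader webapp, String globalName) {
        Map<String, String> allowed = LINKS.get(webapp);
        if (allowed == null || !allowed.containsValue(globalName)) {
            return null;
        }
        return GLOBAL.get(globalName);
    }

    public static void main(String[] args) {
        // Constructed sample: two global data sources, two web applications.
        GLOBAL.put("jdbc/AppDS", "DataSource(app)");
        GLOBAL.put("jdbc/PayrollDS", "DataSource(payroll)");
        ClassLoader appA = new ClassLoader() {};
        ClassLoader appB = new ClassLoader() {};
        registerLink(appA, "jdbc/db", "jdbc/AppDS");     // appA links only AppDS
        registerLink(appB, "jdbc/db", "jdbc/PayrollDS"); // appB links only PayrollDS

        // Vulnerable factory: appA reaches a resource it was never linked to.
        System.out.println("vulnerable, appA -> jdbc/PayrollDS: "
                + lookupVulnerable(appA, "jdbc/PayrollDS"));
        // Fixed factory: only the explicitly linked resource resolves for appA.
        System.out.println("fixed,      appA -> jdbc/AppDS:     "
                + lookupFixed(appA, "jdbc/AppDS"));
        System.out.println("fixed,      appA -> jdbc/PayrollDS: "
                + lookupFixed(appA, "jdbc/PayrollDS"));
    }
}
```

Compile and run with `javac ResourceLinkModel.java && java ResourceLinkModel`. In a real deployment the global resource is declared under `<GlobalNamingResources>` in server.xml and the link as `<ResourceLink name="..." global="..." type="..."/>` in the application's context.xml; with the patched factory, an application that has not declared a link to a global resource can no longer obtain it by naming it directly.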

Priority

Low

CVSS 3 base score: 7.5

Status

Package    Release                              Status
tomcat6    Upstream                             Released (6.0.47)
           Ubuntu 20.10 (Groovy Gorilla)        Does not exist
           Ubuntu 20.04 LTS (Focal Fossa)       Does not exist
           Ubuntu 18.04 LTS (Bionic Beaver)     Does not exist
           Ubuntu 16.04 LTS (Xenial Xerus)      Released (6.0.45+dfsg-1ubuntu0.1)
           Ubuntu 14.04 ESM (Trusty Tahr)       Needed
           Ubuntu 12.04 ESM (Precise Pangolin)  Released (6.0.35-1ubuntu3.9)
           Patches:
             Upstream: https://svn.apache.org/viewvc?view=revision&revision=1757285
             Upstream: https://svn.apache.org/viewvc?view=revision&revision=1763237

tomcat7    Upstream                             Released (7.0.72)
           Ubuntu 20.10 (Groovy Gorilla)        Does not exist
           Ubuntu 20.04 LTS (Focal Fossa)       Does not exist
           Ubuntu 18.04 LTS (Bionic Beaver)     Not vulnerable
           Ubuntu 16.04 LTS (Xenial Xerus)      Released (7.0.68-1ubuntu0.3)
           Ubuntu 14.04 ESM (Trusty Tahr)       Released (7.0.52-1ubuntu0.8)
           Ubuntu 12.04 ESM (Precise Pangolin)  Does not exist (precise was needed)
           Patches:
             Upstream: https://svn.apache.org/viewvc?view=revision&revision=1757275
             Upstream: https://svn.apache.org/viewvc?view=revision&revision=1763236

tomcat8    Upstream                             Released (8.0.37)
           Ubuntu 20.10 (Groovy Gorilla)        Does not exist
           Ubuntu 20.04 LTS (Focal Fossa)       Does not exist
           Ubuntu 18.04 LTS (Bionic Beaver)     Not vulnerable (8.0.38-2)
           Ubuntu 16.04 LTS (Xenial Xerus)      Released (8.0.32-1ubuntu1.3)
           Ubuntu 14.04 ESM (Trusty Tahr)       Does not exist
           Ubuntu 12.04 ESM (Precise Pangolin)  Does not exist
           Patches:
             Upstream: https://svn.apache.org/viewvc?view=revision&revision=1757273
             Upstream: https://svn.apache.org/viewvc?view=revision&revision=1763234