Bugzilla – Bug 967815
VUL-0: CVE-2016-0706: tomcat6, tomcat: security manager bypass via StatusManagerServlet
Last modified: 2018-08-23 16:08:00 UTC
http://seclists.org/bugtraq/2016/Feb/144 CVE-2016-0706 Apache Tomcat Security Manager bypass Severity: Low Vendor: The Apache Software Foundation Versions Affected: - - Apache Tomcat 6.0.0 to 6.0.44 - - Apache Tomcat 7.0.0 to 7.0.67 - - Apache Tomcat 8.0.0.RC1 to 8.0.30 - - Apache Tomcat 9.0.0.M1 - - Earlier, unsupported Tomcat versions may be affected Description: The StatusManagerServlet could be loaded by a web application when a security manager was configured. This servlet would then provide the web application with a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. This could have exposed sensitive information from other web applications such as session IDs to the web application. Mitigation: Users of affected versions should apply one of the following mitigations - - Upgrade to Apache Tomcat 9.0.0.M3 or later (9.0.0.M2 has the fix but was not released) - - Upgrade to Apache Tomcat 8.0.32 or later (8.0.31 has the fix but was not released) - - Upgrade to Apache Tomcat 7.0.68 or later - - Upgrade to Apache Tomcat 6.0.45 or later Credit: This issue was discovered by The Apache Tomcat Security Team. References: [1] http://tomcat.apache.org/security-9.html [2] http://tomcat.apache.org/security-8.html [3] http://tomcat.apache.org/security-7.html [4] http://tomcat.apache.org/security-6.html References: https://bugzilla.redhat.com/show_bug.cgi?id=1311087 http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0706
bugbot adjusting priority
SUSE-SU-2016:0769-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 967812,967814,967815,967964,967965,967966,967967 CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763 Sources used: SUSE Linux Enterprise Server 12-SP1 (src): tomcat-8.0.32-3.1
SUSE-SU-2016:0822-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 967812,967814,967815,967964,967965,967966,967967 CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763 Sources used: SUSE Linux Enterprise Server 12 (src): tomcat-7.0.68-7.6.1
SUSE-SU-2016:0839-1: An update that solves four vulnerabilities and has one errata is now available. Category: security (important) Bug References: 934219,967815,967964,967965,967967 CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2016-0706,CVE-2016-0714 Sources used: SUSE Linux Enterprise Server 11-SP4 (src): tomcat6-6.0.45-0.50.1
openSUSE-SU-2016:0865-1: An update that fixes 7 vulnerabilities is now available. Category: security (important) Bug References: 967812,967814,967815,967964,967965,967966,967967 CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763 Sources used: openSUSE Leap 42.1 (src): tomcat-8.0.32-5.1
erleased