Bug 967966 (CVE-2016-0763) - VUL-0: CVE-2016-0763: tomcat6, tomcat: security manager bypass via setGlobalContext()
Summary: VUL-0: CVE-2016-0763: tomcat6, tomcat: security manager bypass via setGlobalContext()
Status: RESOLVED FIXED
Alias: CVE-2016-0763
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/162144/
Whiteboard: CVSSv2:RedHat:CVE-2016-0763:4.3:(AV:A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-24 08:13 UTC by Alexander Bergmann
Modified: 2018-08-23 16:08 UTC
CC List: 3 users

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Alexander Bergmann 2016-02-24 08:13:22 UTC
http://seclists.org/bugtraq/2016/Feb/147

CVE-2016-0763 Apache Tomcat Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 7.0.0 to 7.0.67
- Apache Tomcat 8.0.0.RC1 to 8.0.30
- Apache Tomcat 9.0.0.M1 to 9.0.0.M2

Description:
ResourceLinkFactory.setGlobalContext() is a public method and was
accessible by web applications running under a security manager
without any checks. This allowed a malicious web application to inject
a malicious global context that could in turn be used to disrupt other
web applications and/or read and write data owned by other web
applications.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.0.M3 or later
- Upgrade to Apache Tomcat 8.0.32 or later
  (8.0.31 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.68 or later
- Upgrade to Apache Tomcat 6.0.45 or later


Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1311093
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0763
http://people.canonical.com/~ubuntu-security/cve/2016/CVE-2016-0763.html
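The advisory above describes the defect only in prose: a public static setter on process-wide state that any code, including a web application sandboxed by the Java SecurityManager, could call with no permission check. The following is an added illustration of that pattern and of the obvious hardening (guard the setter with an explicit RuntimePermission when a SecurityManager is installed). It is not Tomcat's code and not part of the original bug report: the classes VulnerableResourceLinkFactory, HardenedResourceLinkFactory and DenySetGlobalContext, the permission name GlobalContextDemo.setGlobalContext, and the resource name jdbc/victimDB are stand-ins I chose for the demo, and the "global context" is modelled as a plain Map rather than a JNDI Context.

```java
import java.security.AccessControlException;
import java.security.Permission;
import java.util.HashMap;
import java.util.Map;

/**
 * Added illustration of the CVE-2016-0763 pattern (not Tomcat's own code):
 * a process-wide "global context" registry with a public static setter.
 * The vulnerable form accepts any caller; the hardened form demands a
 * RuntimePermission first when a SecurityManager is installed.
 */
public class GlobalContextDemo {

    /** Assumed permission name for the demo; Tomcat's real permission name may differ. */
    public static final String SET_GLOBAL_CONTEXT_PERMISSION = "GlobalContextDemo.setGlobalContext";

    /** Vulnerable form: whoever can call a public static method can replace the shared registry. */
    static final class VulnerableResourceLinkFactory {
        private static Map<String, Object> globalContext = new HashMap<>();

        public static void setGlobalContext(Map<String, Object> ctx) {
            globalContext = ctx;   // no check at all: sandboxed web-app code gets through
        }

        public static Object lookup(String name) {
            return globalContext.get(name);
        }
    }

    /** Hardened form: refuse the swap unless the caller holds an explicit permission. */
    static final class HardenedResourceLinkFactory {
        private static Map<String, Object> globalContext = new HashMap<>();

        public static void setGlobalContext(Map<String, Object> ctx) {
            SecurityManager sm = System.getSecurityManager();
            if (sm != null) {
                // Throws AccessControlException when the current policy denies it.
                sm.checkPermission(new RuntimePermission(SET_GLOBAL_CONTEXT_PERMISSION));
            }
            globalContext = ctx;
        }

        public static Object lookup(String name) {
            return globalContext.get(name);
        }
    }

    /** Minimal policy for the demo: deny only the setGlobalContext permission, allow everything else. */
    static final class DenySetGlobalContext extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof RuntimePermission
                    && SET_GLOBAL_CONTEXT_PERMISSION.equals(perm.getName())) {
                throw new AccessControlException("access denied: " + perm);
            }
        }

        @Override
        public void checkPermission(Permission perm, Object context) {
            checkPermission(perm);
        }
    }

    public static void main(String[] args) {
        // Container-side setup: the registry that other web applications rely on.
        Map<String, Object> containerContext = new HashMap<>();
        containerContext.put("jdbc/victimDB", "real datasource");   // constructed sample entry
        VulnerableResourceLinkFactory.setGlobalContext(containerContext);
        HardenedResourceLinkFactory.setGlobalContext(containerContext);

        // From here on, everything runs as an "untrusted web application" under the SecurityManager.
        System.setSecurityManager(new DenySetGlobalContext());

        Map<String, Object> attackerContext = new HashMap<>();
        attackerContext.put("jdbc/victimDB", "attacker-controlled datasource");

        // Vulnerable form: the swap succeeds and the victim's next lookup is hijacked.
        VulnerableResourceLinkFactory.setGlobalContext(attackerContext);
        System.out.println("vulnerable lookup -> " + VulnerableResourceLinkFactory.lookup("jdbc/victimDB"));

        // Hardened form: the swap is refused and the victim's resource is untouched.
        try {
            HardenedResourceLinkFactory.setGlobalContext(attackerContext);
        } catch (AccessControlException e) {
            System.out.println("hardened refused  -> " + e.getMessage());
        }
        System.out.println("hardened lookup   -> " + HardenedResourceLinkFactory.lookup("jdbc/victimDB"));
    }
}
```

Run it with `java GlobalContextDemo.java` on JDK 11 or 17 (JDK 17 prints a SecurityManager deprecation warning); on JDK 18 and later add `-Djava.security.manager=allow`, since installing a SecurityManager at runtime is otherwise refused. The point the demo makes is the one the advisory states: the sandbox only helps if every public entry point that mutates shared state performs a permission check, and a static setter that skips it lets one web application rewrite what every other application resolves.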
Comment 1 Swamp Workflow Management 2016-02-24 23:00:34 UTC
bugbot adjusting priority
Comment 2 Swamp Workflow Management 2016-03-15 14:13:45 UTC
SUSE-SU-2016:0769-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 967812,967814,967815,967964,967965,967966,967967
CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763
Sources used:
SUSE Linux Enterprise Server 12-SP1 (src):    tomcat-8.0.32-3.1
Comment 3 Swamp Workflow Management 2016-03-18 18:14:39 UTC
SUSE-SU-2016:0822-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 967812,967814,967815,967964,967965,967966,967967
CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763
Sources used:
SUSE Linux Enterprise Server 12 (src):    tomcat-7.0.68-7.6.1
Comment 4 Swamp Workflow Management 2016-03-23 17:11:01 UTC
openSUSE-SU-2016:0865-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 967812,967814,967815,967964,967965,967966,967967
CVE References: CVE-2015-5174,CVE-2015-5345,CVE-2015-5346,CVE-2015-5351,CVE-2016-0706,CVE-2016-0714,CVE-2016-0763
Sources used:
openSUSE Leap 42.1 (src):    tomcat-8.0.32-5.1
Comment 5 Matei Albu 2016-11-02 12:46:43 UTC
Tomcat was patched. This can be closed.
Comment 6 Marcus Meissner 2017-07-03 13:20:53 UTC
released