OFBiz: OFBIZ-9313, sub-task of OFBIZ-1525 (Issue to group security concerns)

Update Tomcat to 8.0.42 because of CVE-2017-5648


Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: Release Branch 16.11, Trunk
    • Fix Version/s: 16.11.02, 17.12.01
    • Component/s: framework
    • Sprint: Bug Crush Event - 21/2/2015

    Description

      Quoting a message from announce@apache.org

      CVE-2017-5648 Apache Tomcat Information Disclosure

      Severity: Low

      Vendor: The Apache Software Foundation

      Versions Affected:
      Apache Tomcat 9.0.0.M1 to 9.0.0.M17
      Apache Tomcat 8.5.0 to 8.5.11
      Apache Tomcat 8.0.0.RC1 to 8.0.41
      Apache Tomcat 7.0.0 to 7.0.75
      Apache Tomcat 6.0.x is not affected

      Description
      While investigating bug 60718, it was noticed that some calls to
      application listeners did not use the appropriate facade object. When
      running an untrusted application under a SecurityManager, it was
      therefore possible for that untrusted application to retain a reference
      to the request or response object and thereby access and/or modify
      information associated with another web application.

      Mitigation:
      Users of the affected versions should apply one of the following
      mitigations:

      • Upgrade to Apache Tomcat 9.0.0.M18 or later
      • Upgrade to Apache Tomcat 8.5.12 or later
      • Upgrade to Apache Tomcat 8.0.42 or later
      • Upgrade to Apache Tomcat 7.0.76 or later

      Credit:
      This issue was identified by the Tomcat security team.

      History:
      2017-04-10 Original advisory

      References:
      [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718
      [2] http://tomcat.apache.org/security-9.html
      [3] http://tomcat.apache.org/security-8.html
      [4] http://tomcat.apache.org/security-7.html

      It's a low-severity security issue, so I'll not backport it to branches that are no longer released or have not been released.

      All tests pass and UI seems OK.
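      The affected-version table in the quoted advisory is easy to misread around the milestone and release-candidate builds (9.0.0.M17 is affected, 9.0.0.M18 is not; 8.0.0.RC1 is the start of the 8.0 range). The following is an added example, not code from the OFBiz project or from the advisory: it encodes the advisory's ranges, orders pre-release tags correctly (milestone before RC before final), and reads the running version from Tomcat's ServerInfo.properties, which ships inside catalina.jar at org/apache/catalina/util/ServerInfo.properties. The SAMPLE_SERVER_INFO text is constructed for the example; the function names are the example's own.

```python
import re

# Affected and first-fixed versions per Tomcat branch, transcribed from the
# CVE-2017-5648 advisory quoted above, keyed by (major, minor).
# 6.0.x is listed as not affected; any other branch is outside the advisory.
ADVISORY_RANGES = {
    (9, 0): ("9.0.0.M1", "9.0.0.M18"),
    (8, 5): ("8.5.0", "8.5.12"),
    (8, 0): ("8.0.0.RC1", "8.0.42"),
    (7, 0): ("7.0.0", "7.0.76"),
}
NOT_AFFECTED_BRANCHES = {(6, 0)}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")
# Pre-release ordering within one base version: milestone < RC < final.
_PRE_RANK = {"M": 0, "RC": 1, None: 2}

# The real catalina.jar carries org/apache/catalina/util/ServerInfo.properties;
# this sample mimics its layout and is constructed for the example.
SAMPLE_SERVER_INFO = """\
server.info=Apache Tomcat/8.0.41
server.number=8.0.41.0
server.built=Jan 1 2017 00:00:00 UTC
"""
_SERVER_INFO_RE = re.compile(r"^server\.info=Apache Tomcat/(\S+)\s*$", re.MULTILINE)


def parse_version(text):
    """Map '8.0.42', '8.0.0.RC1' or '9.0.0.M17' to a tuple that sorts correctly."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    pre_kind, pre_num = m.group(4), int(m.group(5) or 0)
    return (major, minor, patch, _PRE_RANK[pre_kind], pre_num)


def classify(version):
    """Return 'affected', 'fixed', 'not-affected' or 'unknown-branch'."""
    v = parse_version(version)
    branch = v[:2]
    if branch in NOT_AFFECTED_BRANCHES:
        return "not-affected"
    if branch not in ADVISORY_RANGES:
        return "unknown-branch"  # e.g. a branch that did not exist at advisory time
    first_bad, first_fixed = (parse_version(s) for s in ADVISORY_RANGES[branch])
    if first_bad <= v < first_fixed:
        return "affected"
    return "fixed" if v >= first_fixed else "not-affected"


def recommended_upgrade(version):
    """First fixed release on the same branch, or None if no upgrade is needed."""
    if classify(version) != "affected":
        return None
    return ADVISORY_RANGES[parse_version(version)[:2]][1]


def version_from_server_info(properties_text):
    """Pull the version out of ServerInfo.properties text, e.g. obtained with
    `unzip -p catalina.jar org/apache/catalina/util/ServerInfo.properties`."""
    m = _SERVER_INFO_RE.search(properties_text)
    if not m:
        raise ValueError("no server.info line in ServerInfo.properties")
    return m.group(1)


if __name__ == "__main__":
    found = version_from_server_info(SAMPLE_SERVER_INFO)
    print(found, classify(found), recommended_upgrade(found))
    for v in ("9.0.0.M17", "9.0.0.M18", "8.5.11", "8.0.0.RC1", "7.0.76", "6.0.53"):
        print(v, classify(v))
```

      Run it against the ServerInfo.properties extracted from the catalina jar that OFBiz actually bundles rather than against a version number copied from a build file, since the two can disagree after a partial upgrade. A branch the advisory does not list is reported as unknown-branch rather than as safe.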

          People

            Assignee: Jacques Le Roux (jleroux)
            Reporter: Jacques Le Roux (jleroux)
            Votes: 0
            Watchers: 1


              Agile

                Completed Sprint: Bug Crush Event - 21/2/2015 ended 26/Feb/15
