Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Trivial
    • Resolution: Fixed
    • Affects Version/s: Trunk, Release Branch 16.11
    • Fix Version/s: 17.12.01, 16.11.02
    • Component/s: framework
    • Sprint: Bug Crush Event - 21/2/2015

      Description

      Quoting a message from announce@apache.org

      CVE-2017-5648 Apache Tomcat Information Disclosure

      Severity: Low

      Vendor: The Apache Software Foundation

      Versions Affected:
      Apache Tomcat 9.0.0.M1 to 9.0.0.M17
      Apache Tomcat 8.5.0 to 8.5.11
      Apache Tomcat 8.0.0.RC1 to 8.0.41
      Apache Tomcat 7.0.0 to 7.0.75
      Apache Tomcat 6.0.x is not affected

      Description
      While investigating bug 60718, it was noticed that some calls to
      application listeners did not use the appropriate facade object. When
      running an untrusted application under a SecurityManager, it was
      therefore possible for that untrusted application to retain a reference
      to the request or response object and thereby access and/or modify
      information associated with another web application.

      Mitigation:
      Users of the affected versions should apply one of the following
      mitigations:

      • Upgrade to Apache Tomcat 9.0.0.M18 or later
      • Upgrade to Apache Tomcat 8.5.12 or later
      • Upgrade to Apache Tomcat 8.0.42 or later
      • Upgrade to Apache Tomcat 7.0.76 or later

      Credit:
      This issue was identified by the Tomcat security team.

      History:
      2017-04-10 Original advisory

      References:
      [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718
      [2] http://tomcat.apache.org/security-9.html
      [3] http://tomcat.apache.org/security-8.html
      [4] http://tomcat.apache.org/security-7.html

      It's a low security issue, so I'll not backport it to branches that are no longer maintained or not yet released.

      All tests pass and UI seems OK.
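The advisory above turns on the "facade object" the container hands to application code in place of its internal, reused request object. The following is an added illustration of that pattern (not Tomcat's, OFBiz's, or the advisory author's code; the class and method names are invented for the example): the container passes a listener only a facade, then clears the facade when the request ends, so a reference the listener keeps cannot observe the recycled request that now belongs to another user.

```java
// Added illustration, not Tomcat's or OFBiz's code. Names (InternalRequest,
// RequestFacade, RequestListener, FacadeDemo) are invented for this example.
import java.util.HashMap;
import java.util.Map;

// Container-private request state; one instance is reused across requests.
final class InternalRequest {
    final Map<String, Object> attributes = new HashMap<>();
    String remoteUser;

    // Reset for the next request; the same object now carries another user's data.
    void recycle(String nextUser) {
        attributes.clear();
        remoteUser = nextUser;
    }
}

// The only view application code should ever receive.
final class RequestFacade {
    private InternalRequest delegate;

    RequestFacade(InternalRequest req) { this.delegate = req; }

    private InternalRequest live() {
        if (delegate == null) {
            throw new IllegalStateException("request no longer valid");
        }
        return delegate;
    }

    String getRemoteUser() { return live().remoteUser; }
    Object getAttribute(String name) { return live().attributes.get(name); }

    // Called by the container when the request completes; any retained
    // reference to this facade becomes useless from here on.
    void clear() { delegate = null; }
}

interface RequestListener {
    void requestInitialized(RequestFacade req);
}

public class FacadeDemo {
    public static void main(String[] args) {
        InternalRequest internal = new InternalRequest();
        internal.remoteUser = "alice";                          // constructed sample data
        internal.attributes.put("order", "constructed-sample-1");

        // A listener that (incorrectly) stores the object it was given.
        RequestFacade[] kept = new RequestFacade[1];
        RequestListener listener = req -> kept[0] = req;

        // Correct container behaviour: pass the facade, not the internal object,
        // and clear the facade before the internal object is reused.
        RequestFacade facade = new RequestFacade(internal);
        listener.requestInitialized(facade);
        facade.clear();
        internal.recycle("bob");                                // next request, next user

        try {
            System.out.println(kept[0].getRemoteUser());
        } catch (IllegalStateException e) {
            // Prints: retained facade is dead: request no longer valid
            System.out.println("retained facade is dead: " + e.getMessage());
        }
    }
}
```

Had the container passed `internal` directly (the missing-facade case the advisory describes), the retained reference would still be live after `recycle` and would see the next request's user and attributes; the facade plus its `clear()` call is what makes the retained reference harmless.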

People

• Assignee: Jacques Le Roux (jacques.le.roux)
• Reporter: Jacques Le Roux (jacques.le.roux)
• Votes: 0
• Watchers: 1