lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 22 Feb 2016 11:21:51 +0000
From: Mark Thomas <markt@...che.org>
To: "users@...cat.apache.org" <users@...cat.apache.org>
Cc: "announce@...cat.apache.org" <announce@...cat.apache.org>,
  announce@...che.org, "dev@...cat.apache.org" <dev@...cat.apache.org>,
  full-disclosure@...ts.grok.org.uk, bugtraq@...urityfocus.com
Subject: [SECURITY] CVE-2016-0714 Apache Tomcat Security Manager Bypass

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

CVE-2016-0714 Apache Tomcat Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- - Apache Tomcat 6.0.0 to 6.0.44
- - Apache Tomcat 7.0.0 to 7.0.67
- - Apache Tomcat 8.0.0.RC1 to 8.0.30
- - Apache Tomcat 9.0.0.M1
- - Earlier, unsupported Tomcat versions may be affected

Description:
Tomcat provides several session persistence mechanisms. The
StandardManager persists session over a restart. The PersistentManager
is able to persist sessions to files, a database or a custom Store. The
Cluster implementation persists sessions to one or more additional nodes
in the cluster. All of these mechanisms could be exploited to bypass a
security manager. Session persistence is performed by Tomcat code with
the permissions assigned to Tomcat internal code. By placing a carefully
crafted object into a session, a malicious web application could trigger
the execution of arbitrary code.

Mitigation:
Users of affected versions should apply one of the following mitigations
- - Upgrade to Apache Tomcat 9.0.0.M3 or later
  (9.0.0.M2 has the fix but was not released)
- - Upgrade to Apache Tomcat 8.0.32 or later
  (8.0.31 has the fix but was not released)
- - Upgrade to Apache Tomcat 7.0.68 or later
- - Upgrade to Apache Tomcat 6.0.45 or later


Credit:
This issue was discovered by The Apache Tomcat Security Team.

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-6.html

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCAAGBQJWyu9PAAoJEBDAHFovYFnnllEQAMj38sm4FeeXJ2XOK/ODpj2J
SLK0VMib2gjRmMfuH15OPyYBIHPaWVD4E3ONiLz/2F9oqVAYfvswQnLfNrJ9k8oF
K+ETBoWfyODb8QddYQOd3JpDslrOLPscve6dgnkx/R8hZSPOvsmo8IIG4Bwh5VQM
rkAct8EFGpVuQ9ou59F8xSx7fhRMHhNKt8XwsuBIj43MwFv5P8rHhNJDbgC8hSP7
w8yKwrQ7alfeuzwQPegf11YEcauPog4TnD3JAuufcuPQefvDHRAIoKNRCwyvFbRC
rVHdsV5AehWaKKHj9Yu2IJB88s+0wXWlH01hG+wYl1jSVxs3CHhhP0FS55vwItWP
Igl26iz33esPlzQaVyWf5jOUOYfF0tZel4bDFcQrIQASJKS2vxCuOBgUhr+bReMD
I8W1A78EdGXm5IGqmPqHNXn+qAQKfs352eVFiS4vM+5n6wdVThxRzTIt/Op0iz8k
rOIm05kkZQedh7utUy4iW59MKHr9xGRQRI1r4/sdKHDIRSlzsfzJVrATqqLPxukg
QhG3LL0fO+kKLb526GZOlTaAcT7hM2wdYkLytiUItpMUR8ZfozqIS/nRUPmCfDgW
8QFRZEYIgETUYELbnj9chx0NJOkSH9OICV1U7EergsKsdpXN8uCDRy609ufSPn+W
M6wXyzp1l4aE2hnn22gZ
=OQbe
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ