{ "threat_severity" : "Low", "public_date" : "2016-02-22T00:00:00Z", "bugzilla" : { "description" : "tomcat: security manager bypass via StatusManagerServlet", "id" : "1311087", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1311087" }, "cvss" : { "cvss_base_score" : "2.9", "cvss_scoring_vector" : "AV:A/AC:M/Au:N/C:P/I:N/A:N", "status" : "verified" }, "cvss3" : { "cvss3_base_score" : "4.3", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-287", "details" : [ "Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.", "It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-10-10T00:00:00Z", "advisory" : "RHSA-2016:2045", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "tomcat6-0:6.0.24-98.el6_8" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2016-11-03T00:00:00Z", "advisory" : "RHSA-2016:2599", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "tomcat-0:7.0.69-10.el7" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6", "release_date" : "2016-11-17T00:00:00Z", "advisory" : "RHSA-2016:2807", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6", "package" : "tomcat7-0:7.0.54-23_patch_05.ep6.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7", "release_date" : "2016-11-17T00:00:00Z", "advisory" : "RHSA-2016:2807", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7", "package" : "tomcat7-0:7.0.54-23_patch_05.ep6.el7" }, { "product_name" : "Red Hat JBoss Web Server 2.1", "release_date" : "2016-11-17T00:00:00Z", "advisory" : "RHSA-2016:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2.1", "package" : "tomcat7" }, { "product_name" : "Red Hat JBoss Web Server 3.0", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1089", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "httpd24-0:2.4.6-61.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "mod_security-jws3-0:2.8.0-7.GA.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "tomcat7-0:7.0.59-50_patch_01.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "tomcat8-0:8.0.18-61_patch_01.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "httpd24-0:2.4.6-61.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "mod_security-jws3-0:2.8.0-7.GA.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "tomcat7-0:7.0.59-50_patch_01.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "tomcat8-0:8.0.18-61_patch_01.ep7.el7" } ], "package_state" : [ { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss Data Grid 6", "fix_state" : "Affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_data_grid:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 4", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:4" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss Portal 6", "fix_state" : "Affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-0706\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-0706\nhttp://seclists.org/bugtraq/2016/Feb/144" ], "name" : "CVE-2016-0706", "csaw" : false }