{ "threat_severity" : "Moderate", "public_date" : "2016-02-22T00:00:00Z", "bugzilla" : { "description" : "tomcat: Security Manager bypass via persistence mechanisms", "id" : "1311082", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1311082" }, "cvss" : { "cvss_base_score" : "6.8", "cvss_scoring_vector" : "AV:N/AC:M/Au:N/C:P/I:P/A:P", "status" : "verified" }, "cvss3" : { "cvss3_base_score" : "8.8", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "status" : "verified" }, "cwe" : "CWE-290", "details" : [ "The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.", "It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 6", "release_date" : "2016-10-10T00:00:00Z", "advisory" : "RHSA-2016:2045", "cpe" : "cpe:/o:redhat:enterprise_linux:6", "package" : "tomcat6-0:6.0.24-98.el6_8" }, { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2016-11-03T00:00:00Z", "advisory" : "RHSA-2016:2599", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "tomcat-0:7.0.69-10.el7" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 6", "release_date" : "2016-11-17T00:00:00Z", "advisory" : "RHSA-2016:2807", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el6", "package" : "tomcat7-0:7.0.54-23_patch_05.ep6.el6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2 for RHEL 7", "release_date" : "2016-11-17T00:00:00Z", "advisory" : "RHSA-2016:2807", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2::el7", "package" : "tomcat7-0:7.0.54-23_patch_05.ep6.el7" }, { "product_name" : "Red Hat JBoss Web Server 2.1", "release_date" : "2016-11-17T00:00:00Z", "advisory" : "RHSA-2016:2808", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2.1", "package" : "tomcat7" }, { "product_name" : "Red Hat JBoss Web Server 3.0", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1089", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "httpd24-0:2.4.6-61.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "mod_security-jws3-0:2.8.0-7.GA.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "tomcat7-0:7.0.59-50_patch_01.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1087", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el6", "package" : "tomcat8-0:8.0.18-61_patch_01.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "httpd24-0:2.4.6-61.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "mod_security-jws3-0:2.8.0-7.GA.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "tomcat7-0:7.0.59-50_patch_01.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2016-05-17T00:00:00Z", "advisory" : "RHSA-2016:1088", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.0::el7", "package" : "tomcat8-0:8.0.18-61_patch_01.ep7.el7" } ], "package_state" : [ { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss Data Grid 6", "fix_state" : "Affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_data_grid:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 4", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:4" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss Portal 6", "fix_state" : "Affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_portal_platform:6" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-0714\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-0714\nhttp://seclists.org/bugtraq/2016/Feb/145" ], "name" : "CVE-2016-0714", "csaw" : false }