#VU87534 Permissions, Privileges, and Access Controls in Apache Tomcat - CVE-2016-0763


Vulnerability identifier: #VU87534

Vulnerability risk: Medium

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green]

CVE-ID: CVE-2016-0763

CWE-ID: CWE-264

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Apache Tomcat
Server applications / Web servers

Vendor: Apache Foundation

Description

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to missing authorization within the setGlobalContext() method in org/apache/naming/factory/ResourceLinkFactory.java. A remote user can bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Apache Tomcat: 7.0.0 - 7.0.67, 8.0.0 RC1 - 8.0.30, 9.0.0-M1 - 9.0.0-M2

External links
https://svn.apache.org/viewvc?view=revision&revision=1725931
https://svn.apache.org/viewvc?view=revision&revision=1725929
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
https://tomcat.apache.org/security-7.html
https://seclists.org/bugtraq/2016/Feb/147
https://svn.apache.org/viewvc?view=revision&revision=1725926
https://www.debian.org/security/2016/dsa-3530
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
https://www.debian.org/security/2016/dsa-3609
https://www.ubuntu.com/usn/USN-3024-1
https://www.debian.org/security/2016/dsa-3552
https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
https://www.securityfocus.com/bid/83326
https://access.redhat.com/errata/RHSA-2016:1087
https://rhn.redhat.com/errata/RHSA-2016-1089.html
https://access.redhat.com/errata/RHSA-2016:1088
https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
https://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
https://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html
https://bto.bluecoat.com/security-advisory/sa118
https://www.securitytracker.com/id/1035069
https://security.gentoo.org/glsa/201705-09
https://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://rhn.redhat.com/errata/RHSA-2016-2808.html
https://rhn.redhat.com/errata/RHSA-2016-2807.html
https://rhn.redhat.com/errata/RHSA-2016-2599.html
https://security.netapp.com/advisory/ntap-20180531-0001/
https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Multiple vulnerabilities in IBM FlashSystem models 840 and 900
Multiple vulnerabilities in IBM SAN Volume Controller and Storwize Family
Multiple vulnerabilities in Apache Tomcat