|
Message-ID: <5c4ad2ea-c39f-776a-aa54-cf4a7b4a82e9@apache.org> Date: Mon, 10 Apr 2017 20:14:41 +0100 From: Mark Thomas <markt@...che.org> To: oss-security@...ts.openwall.com Subject: [SECURITY] CVE-2017-5648 Apache Tomcat Information Disclosure CVE-2017-5648 Apache Tomcat Information Disclosure Severity: Low Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.M17 Apache Tomcat 8.5.0 to 8.5.11 Apache Tomcat 8.0.0.RC1 to 8.0.41 Apache Tomcat 7.0.0 to 7.0.75 Apache Tomcat 6.0.x is not affected Description While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 9.0.0.M18 or later - Upgrade to Apache Tomcat 8.5.12 or later - Upgrade to Apache Tomcat 8.0.42 or later - Upgrade to Apache Tomcat 7.0.76 or later Credit: This issue was identified by the Tomcat security team. History: 2017-04-10 Original advisory References: [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60718 [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html [4] http://tomcat.apache.org/security-7.html
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.