tomcat-users mailing list archives

From R Paul <rmp.prog...@gmail.com>
Subject Re: [SECURITY] CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources
Date Tue, 01 Nov 2016 19:56:07 GMT
Hi Mark,
Met you at Pivotal... in Toronto...
I have been watching these forums for some time... and, just seeing the
quantity of emails,
are these people experiencing a normal number of issues with getting
Tomcat to work with their software? Can you categorize some of those
issues for me... as a student studying security, I am curious...
Richard


On Thu, Oct 27, 2016 at 8:17 AM, Mark Thomas <markt@apache.org> wrote:

> CVE-2016-6797 Apache Tomcat Unrestricted Access to Global Resources
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0.M9
> Apache Tomcat 8.5.0 to 8.5.4
> Apache Tomcat 8.0.0.RC1 to 8.0.36
> Apache Tomcat 7.0.0 to 7.0.70
> Apache Tomcat 6.0.0 to 6.0.45
> Earlier, unsupported versions may also be affected.
>
> Description
> The ResourceLinkFactory did not limit web application access to global
> JNDI resources to those resources explicitly linked to the web
> application. Therefore, it was possible for a web application to access
> any global JNDI resource whether an explicit ResourceLink had been
> configured or not.
>
> Mitigation
> Users of affected versions should apply one of the following mitigations
> - Upgrade to Apache Tomcat 9.0.0.M10 or later
> - Upgrade to Apache Tomcat 8.5.5 or later
> - Upgrade to Apache Tomcat 8.0.37 or later
> - Upgrade to Apache Tomcat 7.0.72 or later
>   (Apache Tomcat 7.0.71 has the fix but was not released)
> - Upgrade to Apache Tomcat 6.0.47 or later
>   (Apache Tomcat 6.0.46 has the fix but was not released)
>
> Credit:
> This issue was discovered by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
> [4] http://tomcat.apache.org/security-6.html
>
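The link model the quoted advisory describes, as an added example that is not code from the advisory, from Tomcat itself, or from either poster: a global resource is declared once in conf/server.xml, a web application is given access to it only through an explicit ResourceLink in its own context.xml, and the application then resolves it under java:comp/env. The resource names jdbc/AppDB and jdbc/AdminDB, the servlet path /jndi-check and the servlet class are assumptions for illustration. The servlet is a post-deployment check of that intended model (linked name resolves, unlinked name does not); it does not exercise the ResourceLinkFactory code path the advisory refers to, which the advisory does not detail.

```java
import java.io.IOException;
import java.io.PrintWriter;
import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.servlet.ServletException;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Added example; not from the advisory or from Tomcat's own source.
 * Assumed deployment (all names are illustrative):
 *
 * conf/server.xml -- resources visible to the whole server:
 *   <GlobalNamingResources>
 *     <Resource name="jdbc/AppDB"   auth="Container" type="javax.sql.DataSource" ... />
 *     <Resource name="jdbc/AdminDB" auth="Container" type="javax.sql.DataSource" ... />
 *   </GlobalNamingResources>
 *
 * this web application's META-INF/context.xml -- only AppDB is linked:
 *   <Context>
 *     <ResourceLink name="jdbc/AppDB" global="jdbc/AppDB"
 *                   type="javax.sql.DataSource"/>
 *   </Context>
 */
@WebServlet("/jndi-check")
public class ResourceLinkCheckServlet extends HttpServlet {

    // Global names this check probes; only the first has a <ResourceLink>.
    private static final String[] GLOBAL_NAMES = {"jdbc/AppDB", "jdbc/AdminDB"};

    /**
     * Resolves java:comp/env/<name> for the calling web application.
     * Returns the bound object, or null when no binding exists, which is
     * the expected outcome for a global resource that was never linked.
     */
    static Object lookup(String name) {
        try {
            Context env = (Context) new InitialContext().lookup("java:comp/env");
            return env.lookup(name);
        } catch (NamingException e) {
            // No <ResourceLink> for this name in the web application's context.
            return null;
        }
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();
        for (String name : GLOBAL_NAMES) {
            Object bound = lookup(name);
            out.printf("%-14s -> %s%n", name,
                    bound == null ? "not linked (NamingException)"
                                  : "linked: " + bound.getClass().getName());
        }
    }
}
```

Deploy the servlet in the application that carries the context.xml above and request /jndi-check: jdbc/AppDB should report as linked and jdbc/AdminDB as not linked. Applications should obtain container-managed resources only through java:comp/env names backed by a ResourceLink; on the fixed versions listed in the advisory, the ResourceLinkFactory also refuses to resolve global resources that are not linked to the requesting web application.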
