8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.948 High
EPSS
Percentile
99.2%
Apache Tomcat is a servlet container for the Java Servlet and JavaServer Pages (JSP) technologies.
Security Fix(es):
It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges. (CVE-2016-6325)
It was found that several Tomcat session persistence mechanisms could allow a remote, authenticated user to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that placed a crafted object in a session. (CVE-2016-0714)
It was discovered that tomcat used the value of the Proxy header from HTTP requests to initialize the HTTP_PROXY environment variable for CGI scripts, which in turn was incorrectly used by certain HTTP client implementations to configure the proxy for outgoing HTTP requests. A remote attacker could possibly use this flaw to redirect HTTP requests performed by a CGI script to an attacker-controlled proxy via a malicious HTTP request. (CVE-2016-5388)
A directory traversal flaw was found in Tomcat’s RequestUtil.java. A remote, authenticated user could use this flaw to bypass intended SecurityManager restrictions and list a parent directory via a ‘/…’ in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory. (CVE-2015-5174)
It was found that Tomcat could reveal the presence of a directory even when that directory was protected by a security constraint. A user could make a request to a directory via a URL not ending with a slash and, depending on whether Tomcat redirected that request, could confirm whether that directory existed. (CVE-2015-5345)
It was found that Tomcat allowed the StatusManagerServlet to be loaded by a web application when a security manager was configured. This allowed a web application to list all deployed web applications and expose sensitive information such as session IDs. (CVE-2016-0706)
Red Hat would like to thank Scott Geary (VendHQ) for reporting CVE-2016-5388. The CVE-2016-6325 issue was discovered by Red Hat Product Security.
Bug Fix(es):
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
RedHat | 6 | noarch | tomcat6-docs-webapp | < 6.0.24-98.el6_8 | tomcat6-docs-webapp-6.0.24-98.el6_8.noarch.rpm |
RedHat | 6 | noarch | tomcat6-webapps | < 6.0.24-98.el6_8 | tomcat6-webapps-6.0.24-98.el6_8.noarch.rpm |
RedHat | 6 | noarch | tomcat6-javadoc | < 6.0.24-98.el6_8 | tomcat6-javadoc-6.0.24-98.el6_8.noarch.rpm |
RedHat | 6 | noarch | tomcat6 | < 6.0.24-98.el6_8 | tomcat6-6.0.24-98.el6_8.noarch.rpm |
RedHat | 6 | noarch | tomcat6-lib | < 6.0.24-98.el6_8 | tomcat6-lib-6.0.24-98.el6_8.noarch.rpm |
RedHat | 6 | noarch | tomcat6-servlet-2.5-api | < 6.0.24-98.el6_8 | tomcat6-servlet-2.5-api-6.0.24-98.el6_8.noarch.rpm |
RedHat | 6 | noarch | tomcat6-admin-webapps | < 6.0.24-98.el6_8 | tomcat6-admin-webapps-6.0.24-98.el6_8.noarch.rpm |
RedHat | 6 | noarch | tomcat6-el-2.1-api | < 6.0.24-98.el6_8 | tomcat6-el-2.1-api-6.0.24-98.el6_8.noarch.rpm |
RedHat | 6 | noarch | tomcat6-jsp-2.1-api | < 6.0.24-98.el6_8 | tomcat6-jsp-2.1-api-6.0.24-98.el6_8.noarch.rpm |
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
7.2 High
CVSS2
Access Vector
LOCAL
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:L/AC:L/Au:N/C:C/I:C/A:C
0.948 High
EPSS
Percentile
99.2%