CVE-2014-7810

NameCVE-2014-7810
DescriptionThe Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-232-1, DSA-3428-1, DSA-3447-1, DSA-3530-1
NVD severitymedium
Debian Bugs787010

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat6 (PTS)jessie, jessie (security)6.0.45+dfsg-1~deb8u1fixed
tomcat7 (PTS)jessie7.0.56-3+deb8u11fixed
jessie (security)7.0.56-3+really7.0.94-1fixed
stretch7.0.75-1fixed
tomcat8 (PTS)jessie8.0.14-1+deb8u11fixed
jessie (security)8.0.14-1+deb8u15fixed
stretch, stretch (security)8.5.14-1+deb9u3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6source(unstable)6.0.41-3787010
tomcat6sourcesqueeze6.0.41-2+squeeze7DLA-232-1
tomcat6sourcewheezy6.0.45+dfsg-1~deb7u1DSA-3530-1
tomcat7source(unstable)7.0.61-1
tomcat7sourcejessie7.0.56-3+deb8u1DSA-3447-1
tomcat7sourcewheezy7.0.28-4+deb7u3DSA-3447-1
tomcat8source(unstable)8.0.21-2
tomcat8sourcejessie8.0.14-1+deb8u1DSA-3428-1

Notes

Marked as fixed in 6.0.41-3 which only builds the libservlet2.5-java and libservlet2.5-java-doc packages
http://svn.apache.org/viewvc?view=revision&revision=1645366 (6.x)
http://svn.apache.org/viewvc?view=revision&revision=1659538 (6.x)
http://svn.apache.org/viewvc?view=revision&revision=1644019 (7.x)
http://svn.apache.org/viewvc?view=revision&revision=1645644 (7.x)

Search for package or bug name: Reporting problems