CVE-2016-5018

NameCVE-2016-5018
DescriptionIn Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-728-1, DLA-729-1, DSA-3720-1, DSA-3721-1
NVD severitymedium (attack range: remote)
Debian Bugs842663

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat6 (PTS)wheezy6.0.45+dfsg-1~deb7u1vulnerable
wheezy (security)6.0.45+dfsg-1~deb7u5fixed
jessie (security), jessie6.0.45+dfsg-1~deb8u1fixed
tomcat7 (PTS)wheezy7.0.28-4+deb7u4vulnerable
wheezy (security)7.0.28-4+deb7u15fixed
jessie (security), jessie7.0.56-3+deb8u11fixed
stretch7.0.75-1fixed
buster, sid7.0.78-1fixed
tomcat8 (PTS)jessie8.0.14-1+deb8u10fixed
jessie (security)8.0.14-1+deb8u11fixed
stretch (security), stretch8.5.14-1+deb9u2fixed
buster, sid8.5.23-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6source(unstable)6.0.41-3low
tomcat6sourcewheezy6.0.45+dfsg-1~deb7u3mediumDLA-728-1
tomcat7source(unstable)7.0.72-1low842663
tomcat7sourcejessie7.0.56-3+deb8u5mediumDSA-3721-1
tomcat7sourcewheezy7.0.28-4+deb7u7mediumDLA-729-1
tomcat8source(unstable)8.0.37-1low
tomcat8sourcejessie8.0.14-1+deb8u4mediumDSA-3720-1

Notes

Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie
http://markmail.org/message/lixw6iyojoxwfizv?q=list:org.apache.tomcat.announce/
Fixed by: http://svn.apache.org/r1754901 (8.0.x)
Fixed by: http://svn.apache.org/r1754902 (7.0.x)
Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1754904

Search for package or bug name: Reporting problems