CVE-2016-6794

NameCVE-2016-6794
DescriptionWhen a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SuSE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-728-1, DLA-729-1, DSA-3720-1, DSA-3721-1
NVD severitymedium (attack range: remote)
Debian Bugs842664

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat6 (PTS)wheezy6.0.45+dfsg-1~deb7u1vulnerable
wheezy (security)6.0.45+dfsg-1~deb7u5fixed
jessie (security), jessie6.0.45+dfsg-1~deb8u1fixed
tomcat7 (PTS)wheezy7.0.28-4+deb7u4vulnerable
wheezy (security)7.0.28-4+deb7u17fixed
jessie (security), jessie7.0.56-3+deb8u11fixed
stretch7.0.75-1fixed
buster, sid7.0.78-1fixed
tomcat8 (PTS)jessie (security), jessie8.0.14-1+deb8u11fixed
stretch (security), stretch8.5.14-1+deb9u2fixed
buster, sid8.5.24-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6source(unstable)6.0.41-3low
tomcat6sourcewheezy6.0.45+dfsg-1~deb7u3mediumDLA-728-1
tomcat7source(unstable)7.0.72-1low842664
tomcat7sourcejessie7.0.56-3+deb8u5mediumDSA-3721-1
tomcat7sourcewheezy7.0.28-4+deb7u7mediumDLA-729-1
tomcat8source(unstable)8.0.37-1low
tomcat8sourcejessie8.0.14-1+deb8u4mediumDSA-3720-1

Notes

Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie
http://markmail.org/message/zk7w6yly5mviocci?q=list:org.apache.tomcat.announce/
Fixed by: http://svn.apache.org/r1754727 (8.0.x)
Fixed by: http://svn.apache.org/r1754728 (7.0.x)
Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1754733 (6.0.x)

Search for package or bug name: Reporting problems