CVE-2016-6797

NameCVE-2016-6797
DescriptionThe ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub code/issues, web search, more)
ReferencesDLA-728-1, DLA-729-1, DSA-3720-1, DSA-3721-1
NVD severitymedium
Debian Bugs842666

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
tomcat7 (PTS)stretch7.0.75-1fixed
tomcat8 (PTS)stretch8.5.54-0+deb9u1fixed
stretch (security)8.5.54-0+deb9u3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
tomcat6sourcewheezy6.0.45+dfsg-1~deb7u3DLA-728-1
tomcat6source(unstable)6.0.41-3low
tomcat7sourcewheezy7.0.28-4+deb7u7DLA-729-1
tomcat7sourcejessie7.0.56-3+deb8u5DSA-3721-1
tomcat7source(unstable)7.0.72-1low842666
tomcat8sourcejessie8.0.14-1+deb8u4DSA-3720-1
tomcat8source(unstable)8.0.37-1low

Notes

Since 6.0.41-3, src:tomcat6 only builds a servlet and docs in Jessie
http://markmail.org/message/wrku5orwxfpt5mzl?q=list:org.apache.tomcat.announce/
Fixed by: http://svn.apache.org/r1757273 (8.0.x)
Fixed by: http://svn.apache.org/r1757275 (7.0.x)
Fixed by: https://svn.apache.org/viewvc?view=revision&revision=1757285 (6.0.x)

Search for package or bug name: Reporting problems