Chapter 4. Verified CVEs

JWS-431 CVE-2016-3092 Tomcat: Usage of vulnerable FileUpload package can result in denial of service

A denial of service vulnerability was identified in Commons FileUpload that occurred when the length of the multipart boundary was just below the size of the buffer (4096 bytes) used to read the uploaded file if the boundary was the typical tens of bytes long.

JWS-498 CVE-2016-6794 Provide a mechanism that enables the container to check if a component has been granted a given permission

It was discovered that when a SecurityManager is configured, Tomcat’s system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

JWS-500 CVE-2016-6797 Tomcat: unrestricted access to global resources

It was discovered that it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.

JWS-567 CVE-2016-0762 Tomcat: timing attack in Realm implementation

The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm, which makes exploitation of this vulnerability harder.

JWS-568 CVE-2016-6796 Tomcat: security manager bypass via JSP Servlet config parameters

It was discovered that a malicious web application could bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

JWS-569 CVE-2016-5018 Tomcat: security manager bypass via IntrospectHelper utility function

It was discovered that a malicious web application could bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

JWS-577 CVE-2016-6816 Tomcat: HTTP Request smuggling vulnerability due to permitting invalid character in HTTP requests

It was discovered that the code that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.

JWS-578 CVE-2016-8735 Tomcat: Remote code execution vulnerability in JmxRemoteLifecycleListener

The JmxRemoteLifecycleListener was not updated to take account of Oracle’s fix for CVE-2016-3427. JMXRemoteLifecycleListener is only included in EWS 2.x and JWS 3.x source distributions. If you deploy a Tomcat instance built from source, using the EWS 2.x, or JWS 3.x distributions, an attacker could use this flaw to launch a remote code execution attack on your deployed instance.

JWS-619 CVE-2016-8745 Tomcat: information disclosure due to incorrect Processor sharing

A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This lead to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.

JWS-538 CVE-2016-1240 Tomcat: unsafe chown of catalina.log in tomcat init script allows privilege escalation

It was reported that the Tomcat init script performed unsafe file handling, which could result in local privilege escalation.

JWS-490 CVE-2016-6325 Tomcat: tomcat writable config files allow privilege escalation

It was discovered that the Tomcat packages installed certain configuration files read by the Tomcat initialization script as writeable to the tomcat group. A member of the group or a malicious web application deployed on Tomcat could use this flaw to escalate their privileges.

JWS-701 CVE-2017-5647 Tomcat: Incorrect handling of pipelined requests when send file was used

A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.

JWS-668 CVE-2017-5648 Tomcat: Calls to application listeners did not use the appropriate facade object

While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.