CVE-2017-12616

Impact:
Moderate
Public Date:
2017-09-19
CWE:
CWE-200
Bugzilla:
1493222: CVE-2017-12616 tomcat: Information Disclosure when using VirtualDirContext

The MITRE CVE dictionary describes this issue as:

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Find out more about CVE-2017-12616 from the MITRE CVE dictionary dictionary and NIST NVD.

Statement

VirtualDirContext is not designed to be used in production, but only to ease development with IDEs without needing to fully republish jars in WEB-INF/lib.

Red Hat Enterprise Linux 6:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat Enterprise Linux 7:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss EAP 6:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss EWS 2:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Operations Network 3:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

Red Hat JBoss Portal Platform 6:
This vulnerability has been rated as having a security impact of Moderate. After evaluation and in accordance with the criteria noted in the product support life cycle, there are no plans to address this issue in an upcoming release. Please contact Red Hat Support for further information.

CVSS v3 metrics

CVSS3 Base Score 5.3
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality Low
Integrity Impact None
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Web Server 3.1 for RHEL 7 RHSA-2018:0466 2018-03-07
Red Hat JBoss Web Server 3.1 for RHEL 6 RHSA-2018:0466 2018-03-07
Red Hat JBoss Web Server 3.1 RHSA-2018:0465 2018-03-07

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-java-common-tomcat Not affected
Red Hat JBoss Portal Platform 6 jbossweb Will not fix
Red Hat JBoss Operations Network 3 jbossweb Will not fix
Red Hat JBoss Fuse 6 jbossweb Not affected
Red Hat JBoss EWS 2 tomcat7 Will not fix
Red Hat JBoss EAP 6 jbossweb Will not fix
Red Hat JBoss Data Virtualization 6 jbossweb Not affected
Red Hat JBoss Data Grid 6 jbossweb Not affected
Red Hat Enterprise Linux 7 tomcat Will not fix
Red Hat Enterprise Linux 6 tomcat6 Will not fix
Red Hat Enterprise Linux 5 tomcat5 Not affected
Unless explicitly stated as not affected, all previous versions of packages in any minor update stream of a product listed here should be assumed vulnerable, although may not have been subject to full analysis.

External References

Last Modified

CVE description copyright © 2017, The MITRE Corporation