PT-2016-1316 · Apache · Apache Tomcat
Published: 2016-02-08 · Updated: 2024-06-15 · CVE-2016-0714
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 6.x before 6.0.45
Apache Tomcat versions 7.x before 7.0.68
Apache Tomcat versions 8.x before 8.0.31
Apache Tomcat versions 9.x before 9.0.0.M2
Description
The issue lies in the session-persistence implementation of Apache Tomcat, which mishandles session attributes. A remote authenticated user can bypass the intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session. The problem affects deployments that run untrusted web applications under a security manager. All session persistence mechanisms, including StandardManager, PersistentManager, and the cluster implementation, could be used to bypass a security manager.
Recommendations
For Apache Tomcat versions 6.x before 6.0.45, update to version 6.0.45 or later.
For Apache Tomcat versions 7.x before 7.0.68, update to version 7.0.68 or later.
For Apache Tomcat versions 8.x before 8.0.31, update to version 8.0.31 or later.
For Apache Tomcat versions 9.x before 9.0.0.M2, update to version 9.0.0.M2 or later.
As a temporary workaround, consider restricting access to untrusted web applications under a security manager until the issue is resolved.
Fix
Improper Access Control
Affected Products
Alt Linux
Apache Tomcat
Centos
Red Hat
Suse
Ubuntu