PT-2016-1317 · Apache · Apache Tomcat
Published: 2016-02-08 · Updated: 2024-06-15
CVE-2016-0763
CVSS v2.0: 6.5 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 7.0.0 through 7.0.67
Apache Tomcat versions 8.0.0 through 8.0.30
Apache Tomcat versions 9.0.0.M1 through 9.0.0.M2
Description
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java does not check whether its caller is authorized. This allows a remote authenticated user, via a web application that sets a crafted global context, to bypass the intended SecurityManager restrictions and read or write arbitrary application data, or to cause a denial of service. The issue only affects users running untrusted web applications under a security manager.
Recommendations
For Apache Tomcat versions 7.0.0 through 7.0.67, update to version 7.0.68 or later.
For Apache Tomcat versions 8.0.0 through 8.0.30, update to version 8.0.31 or later.
For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M2, update to version 9.0.0.M3 or later.
Until you can update, restrict access to the setGlobalContext method to reduce the risk of exploitation; the issue only matters where untrusted web applications run under a security manager.
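The three affected ranges above are easy to misread, especially the 9.0.0.M1 to 9.0.0.M2 milestone range, where the milestone builds sort before the final 9.0.0 release. The following is an added example (not part of the PT advisory or of Apache Tomcat) that encodes the ranges exactly as stated in this advisory and checks Tomcat version strings against them. The input lines are constructed samples in the style of `bin/version.sh` output; the function and constant names are the example's own.

```python
"""Check Apache Tomcat version strings against the CVE-2016-0763 affected
ranges stated in the advisory and report the fixed version to update to.
Added example; the ranges are copied from the advisory, the input is constructed."""
import re
from typing import List, Optional, Tuple

# (first affected, last affected, first fixed) per branch, as the advisory states.
AFFECTED_RANGES = [
    ("7.0.0", "7.0.67", "7.0.68"),
    ("8.0.0", "8.0.30", "8.0.31"),
    ("9.0.0.M1", "9.0.0.M2", "9.0.0.M3"),
]

# major.minor.patch with an optional ".Mn" milestone suffix (e.g. 9.0.0.M1)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")
# "Apache Tomcat/8.0.30" as printed by version.sh
_SERVER_RE = re.compile(r"Apache Tomcat/(\S+)")


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '8.0.30' or '9.0.0.M2' into a tuple that sorts correctly.

    A milestone (9.0.0.M1) precedes the final release of the same number
    (9.0.0), so the 4th slot is 0 for milestones and 1 for finals, and the
    5th slot carries the milestone number.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def check_cve_2016_0763(version: str) -> Optional[str]:
    """Return the fixed version to update to if `version` is affected, else None."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if parse_version(low) <= v <= parse_version(high):
            return fixed
    return None


def scan_version_lines(lines: List[str]) -> List[Tuple[str, str]]:
    """Pick 'Apache Tomcat/<version>' out of free-form lines and return
    (version, recommended_fix) for each affected instance found."""
    findings = []
    for line in lines:
        for hit in _SERVER_RE.findall(line):
            try:
                fixed = check_cve_2016_0763(hit)
            except ValueError:
                continue  # not a version shape we understand; skip it
            if fixed:
                findings.append((hit, fixed))
    return findings


# Constructed sample input in the style of `bin/version.sh` output (not real hosts).
SAMPLE_LINES = [
    "Server version: Apache Tomcat/8.0.30",
    "Server version: Apache Tomcat/8.0.31",
    "Server version: Apache Tomcat/9.0.0.M2",
    "Server version: Apache Tomcat/7.0.68",
]

if __name__ == "__main__":
    for version, fixed in scan_version_lines(SAMPLE_LINES):
        print(f"Apache Tomcat {version} is affected by CVE-2016-0763; "
              f"update to {fixed} or later")
```

A version match is an inventory signal, not proof of exposure: as the description says, the issue only applies where untrusted web applications run under a security manager, so the output is best used to decide which instances to update first.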
Tags: Fix · DoS
Related Identifiers
Affected Products
Alt Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu