PT-2016-7113 · Apache · Apache Tomcat
Published 2016-09-05 · Updated 2023-12-08
CVE-2016-6794 · CVSS v3.1 5.3 (Medium)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 9.0.0.M1 through 9.0.0.M9
Apache Tomcat versions 8.5.0 through 8.5.4
Apache Tomcat versions 8.0.0.RC1 through 8.0.36
Apache Tomcat versions 7.0.0 through 7.0.70
Apache Tomcat versions 6.0.0 through 6.0.45
Description
When a SecurityManager is configured (Tomcat started with the -security option, i.e. with -Djava.security.manager and the catalina.policy file), a web application's ability to read system properties should be controlled by the SecurityManager through PropertyPermission checks. However, Tomcat's system property replacement feature expands ${name} placeholders in configuration files by reading the named system property, and it does so with the container's own privileges rather than the web application's. A web application supplies some of those configuration files itself (META-INF/context.xml and WEB-INF/web.xml), so a malicious application could place placeholders there and have the container read system properties that the policy does not allow it to see, bypassing the SecurityManager. Deployments that do not run under a SecurityManager gain no additional exposure from this issue, since web applications can already read system properties freely there; the issue is a sandbox bypass, not a remote information leak.
Recommendations
For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M9, update to 9.0.0.M10 or later.
For Apache Tomcat versions 8.5.0 through 8.5.4, update to 8.5.5 or later.
For Apache Tomcat versions 8.0.0.RC1 through 8.0.36, update to 8.0.37 or later.
For Apache Tomcat versions 7.0.0 through 7.0.70, update to 7.0.72 or later.
For Apache Tomcat versions 6.0.0 through 6.0.45, update to 6.0.47 or later.
The fixed versions check the web application's permission to read a system property before substituting it into that application's configuration files.
If an upgrade cannot be applied immediately, treat the SecurityManager sandbox as ineffective against this issue: deploy only trusted web applications on affected instances, and review the META-INF/context.xml and WEB-INF/web.xml of deployed applications for ${...} placeholders that reference system properties the application should not see. Disabling the system property replacement feature for configuration files is only a practical workaround where the instance's own configuration (server.xml in particular) does not rely on placeholders such as ${catalina.base}.
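The following POSIX shell script is an added audit helper written for this page; it is not code from the advisory or from the Apache Tomcat project. It does two things a practitioner wants when triaging this issue: tell whether a reported Tomcat version string falls in one of the affected ranges listed above, and list the ${...} placeholders in a deployed web application's own configuration files (META-INF/context.xml and WEB-INF/web.xml), which are the system properties an affected container would resolve on that application's behalf. The function names are the script's own, and the sample web application directory it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit helper for CVE-2016-6794 (not part of the advisory or of Tomcat).
#   tomcat_affected VERSION -> exit 0 if VERSION is in an affected range, 1 otherwise
#   placeholders_in FILE    -> print the distinct ${name} property names in FILE
#   audit_webapp DIR        -> same, over the config files a web app ships itself
set -e

# Affected ranges from the advisory: 9.0.0.M1-M9, 8.5.0-8.5.4, 8.0.0.RC1-8.0.36,
# 7.0.0-7.0.70, 6.0.0-6.0.45. Each branch is matched separately so that, for
# example, 8.5.40 is not mistaken for 8.5.4.
tomcat_affected() {
    v=$1
    case "$v" in
        9.0.0.M[1-9])   return 0 ;;   # milestones M1..M9 (M10 has an extra digit)
        9.*)            return 1 ;;   # 9.0.0.M10 and all later 9.0.x releases
        8.5.[0-4])      return 0 ;;   # 8.5.0..8.5.4
        8.5.*)          return 1 ;;
        8.0.0.RC*)      return 0 ;;   # release candidates precede 8.0.0
        8.0.*)          n=${v#8.0.}; [ "$n" -le 36 ] 2>/dev/null ;;
        7.0.*)          n=${v#7.0.}; [ "$n" -le 70 ] 2>/dev/null ;;
        6.0.*)          n=${v#6.0.}; [ "$n" -le 45 ] 2>/dev/null ;;
        *)              return 1 ;;
    esac
}

# Tomcat's Digester expands ${name} in attribute values and element text;
# newer releases also accept ${name:-default}, so strip a default suffix and
# keep only the property name.
placeholders_in() {
    grep -o '\${[^}]*}' "$1" 2>/dev/null | sed 's/^\${//; s/}$//; s/:-.*$//' | sort -u
}

# The two files a web application controls and the container parses with
# property replacement: any name printed here is read with container privilege
# on an affected version, regardless of the SecurityManager policy.
audit_webapp() {
    for f in "$1/META-INF/context.xml" "$1/WEB-INF/web.xml"; do
        if [ -f "$f" ]; then placeholders_in "$f"; fi
    done | sort -u
}

# Constructed sample web app (not a real deployment) so the script runs offline.
# A hostile app would use placeholders like these to have the container read
# properties and hand the values back through its own init parameters.
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
mkdir -p "$demo_dir/META-INF" "$demo_dir/WEB-INF"
cat > "$demo_dir/META-INF/context.xml" <<'EOF'
<Context>
  <Parameter name="probe" value="${user.name}:${java.home}" override="false"/>
</Context>
EOF
cat > "$demo_dir/WEB-INF/web.xml" <<'EOF'
<web-app>
  <context-param>
    <param-name>probe2</param-name>
    <param-value>${catalina.base:-unset}</param-value>
  </context-param>
</web-app>
EOF

echo "system properties the container would resolve for $demo_dir:"
audit_webapp "$demo_dir"
for ver in 8.0.36 8.0.37 9.0.0.M9 9.0.0.M10 7.0.70 7.0.72; do
    if tomcat_affected "$ver"; then echo "$ver: affected"; else echo "$ver: fixed"; fi
done
```

Run it against each directory under CATALINA_BASE/webapps (and any context descriptors under conf/Catalina/<host>/) of an instance whose version is reported as affected. A non-empty list only matters if that instance is actually started with the -security option; check the JVM command line for -Djava.security.manager before treating the finding as a sandbox bypass rather than ordinary configuration.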
Affected Products
Alt Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu