PT-2016-7116 · Apache · Apache Tomcat
Published 2016-09-05 · Updated 2023-12-08 · CVE-2016-6797
CVSS v3.1: 7.5 (High)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 9.0.0.M1 through 9.0.0.M9
Apache Tomcat versions 8.5.0 through 8.5.4
Apache Tomcat versions 8.0.0.RC1 through 8.0.36
Apache Tomcat versions 7.0.0 through 7.0.70
Apache Tomcat versions 6.0.0 through 6.0.45
Description
The issue concerns the ResourceLinkFactory implementation, which did not limit a web application's access to global JNDI resources to those explicitly linked to it. As a result, a web application could access any global JNDI resource, whether or not an explicit ResourceLink had been configured for it.
Recommendations
For every affected branch (Apache Tomcat 9.0.0.M1 through 9.0.0.M9, 8.5.0 through 8.5.4, 8.0.0.RC1 through 8.0.36, 7.0.0 through 7.0.70, and 6.0.0 through 6.0.45), update to a version that includes a fix for this issue.
As a temporary workaround, restrict web applications' access to global JNDI resources to minimize the risk of exploitation.
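The following added illustration (not Tomcat's own code) models the authorization check that this description and workaround concern: the set of global resources declared in server.xml, the subset a web application's context.xml explicitly links with ResourceLink, and the difference between the pre-fix "any global resolves" behaviour and the intended "only linked globals resolve" behaviour. The two XML fragments are constructed samples in Tomcat's real element syntax; the resource names in them are invented.

```python
# Added illustration (not Tomcat's code): models the authorization check that
# CVE-2016-6797 concerns. A web application should only reach the global JNDI
# resources its own context.xml links with <ResourceLink>; before the fix,
# ResourceLinkFactory resolved any global resource. The XML below is constructed.
import xml.etree.ElementTree as ET

SERVER_XML = """<Server>
  <GlobalNamingResources>
    <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"/>
    <Resource name="jdbc/HRDB" auth="Container" type="javax.sql.DataSource"/>
    <Resource name="mail/Session" auth="Container" type="javax.mail.Session"/>
  </GlobalNamingResources>
</Server>"""

# context.xml of one web application: it is only meant to see jdbc/AppDB.
CONTEXT_XML = """<Context>
  <ResourceLink name="jdbc/db" global="jdbc/AppDB" type="javax.sql.DataSource"/>
</Context>"""

def global_resources(server_xml: str) -> set[str]:
    """Names declared under <GlobalNamingResources> in server.xml."""
    root = ET.fromstring(server_xml)
    return {r.get("name") for r in root.findall("./GlobalNamingResources/Resource")}

def linked_globals(context_xml: str) -> dict[str, str]:
    """Map local JNDI name -> global name for each <ResourceLink> in context.xml."""
    root = ET.fromstring(context_xml)
    return {link.get("name"): link.get("global") for link in root.findall("ResourceLink")}

def lookup_unfixed(global_name: str, globals_: set[str]) -> bool:
    """Pre-fix behaviour: any existing global resource resolves."""
    return global_name in globals_

def lookup_fixed(global_name: str, globals_: set[str], links: dict[str, str]) -> bool:
    """Fixed behaviour: resolve only the globals this context explicitly linked."""
    return global_name in globals_ and global_name in links.values()

def exposed_without_fix(globals_: set[str], links: dict[str, str]) -> set[str]:
    """Globals a web application could reach only because the check was missing."""
    return globals_ - set(links.values())

if __name__ == "__main__":
    g, links = global_resources(SERVER_XML), linked_globals(CONTEXT_XML)
    for name in sorted(g):
        print(f"{name:13} unfixed={lookup_unfixed(name, g)} fixed={lookup_fixed(name, g, links)}")
    print("reachable only pre-fix:", sorted(exposed_without_fix(g, links)))
```

Running `exposed_without_fix` over a real server.xml and each deployed context.xml gives an administrator the list of global resources each application gains access to on an unpatched instance.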
Weakness Enumeration
Incorrect Authorization
Affected Products
ALT Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu