CVE-2016-9775

Name of the Vulnerable Software and Affected Versions tomcat6 versions 6.0.45+dfsg-1deb7u2 and earlier tomcat6 versions 6.0.45+dfsg-1deb8u0 and earlier tomcat6 versions 6.0.35-1ubuntu3.8 and earlier tomcat7 versions 7.0.28-4+deb7u6 and earlier tomcat7 versions 7.0.56-3+deb8u5 and earlier tomcat7 versions 7.0.52-1ubuntu0.7 and earlier tomcat8 versions 8.0.14-1+deb8u4 and earlier tomcat8 versions 8.0.32-1ubuntu1.2 and earlier tomcat8 versions 8.0.37-1ubuntu0.0 and earlier tomcat8 versions 8.0.38-2ubuntu0 and earlier

Description The issue might allow local users with access to the tomcat account to gain root privileges via a setgid program in the Catalina directory. This can be demonstrated by a program in the /etc/tomcat8/Catalina/attack directory.

Recommendations For tomcat6 versions 6.0.45+dfsg-1deb7u2 and earlier, update to version 6.0.45+dfsg-1deb7u3 or later. For tomcat6 versions 6.0.45+dfsg-1deb8u0 and earlier, update to version 6.0.45+dfsg-1deb8u1 or later. For tomcat6 versions 6.0.35-1ubuntu3.8 and earlier, update to version 6.0.35-1ubuntu3.9 or later. For tomcat7 versions 7.0.28-4+deb7u6 and earlier, update to version 7.0.28-4+deb7u7 or later. For tomcat7 versions 7.0.56-3+deb8u5 and earlier, update to version 7.0.56-3+deb8u6 or later. For tomcat7 versions 7.0.52-1ubuntu0.7 and earlier, update to version 7.0.52-1ubuntu0.8 or later. For tomcat8 versions 8.0.14-1+deb8u4 and earlier, update to version 8.0.14-1+deb8u5 or later. For tomcat8 versions 8.0.32-1ubuntu1.2 and earlier, update to version 8.0.32-1ubuntu1.3 or later. For tomcat8 versions 8.0.37-1ubuntu0.0 and earlier, update to version 8.0.37-1ubuntu0.1 or later. For tomcat8 versions 8.0.38-2ubuntu0 and earlier, update to version 8.0.38-2ubuntu1 or later.