https://bugzilla.redhat.com/show_bug.cgi?id=1441223
Bug ID: 1441223
Summary: CVE-2017-5648 tomcat: Calls to application listeners did not use the appropriate facade object
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
CC: alee@redhat.com, bbaranow@redhat.com, bmaxwell@redhat.com, ccoleman@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, csutherl@redhat.com, dandread@redhat.com, darran.lofthouse@redhat.com, dedgar@redhat.com, dmcphers@redhat.com, dosoudil@redhat.com, felias@redhat.com, gzaronik@redhat.com, hchiorea@redhat.com, hhorak@redhat.com, ivan.afonichev@gmail.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jclere@redhat.com, jcoleman@redhat.com, jdoyle@redhat.com, jgoulding@redhat.com, joelsmith@redhat.com, jolee@redhat.com, jorton@redhat.com, jshepherd@redhat.com, krzysztof.daniel@gmail.com, lgao@redhat.com, mbabacek@redhat.com, me@coolsvap.net, mizdebsk@redhat.com, myarboro@redhat.com, nwallace@redhat.com, pavelp@redhat.com, pgier@redhat.com, psakar@redhat.com, pslavice@redhat.com, psotirop@redhat.com, rnetuka@redhat.com, rsvoboda@redhat.com, spinder@redhat.com, theute@redhat.com, trick@vanstaveren.us, twalsh@redhat.com, vhalbert@redhat.com, vtunka@redhat.com, weli@redhat.com
While investigating bug 60718, it was noticed that some calls to application listeners did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was therefore possible for that untrusted application to retain a reference to the request or response object and thereby access and/or modify information associated with another web application.
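The following is an added illustration of the facade pattern the fix relies on; it is not Tomcat's code and not part of this bug report. The classes InternalRequest, RequestFacade and RetainingListener are simplified stand-ins modelled loosely on Tomcat's connector Request and RequestFacade (which detaches from the underlying request when it is recycled under a SecurityManager); the session identifiers are constructed sample values. It shows why handing a listener the raw container object lets a retained reference observe the next request served by that recycled object, while handing out a facade that is cleared at end of request does not.

```java
// Added example (not Tomcat's code): container-internal request objects must
// reach application listeners only through a facade that can be detached.
public class FacadeDemo {

    // Simplified stand-in for a container-internal, recyclable request object.
    static final class InternalRequest {
        private String webapp;
        private String sessionId;

        InternalRequest(String webapp, String sessionId) {
            recycle(webapp, sessionId);
        }

        // Servlet-API-like public view.
        public String getSessionId() { return sessionId; }

        // Container-internal: the same instance is reused for the next request,
        // which may belong to a different web application.
        void recycle(String webapp, String sessionId) {
            this.webapp = webapp;
            this.sessionId = sessionId;
        }
    }

    // The facade exposes only the public view and is cleared when the request
    // completes, so a reference retained by application code becomes useless.
    static final class RequestFacade {
        private InternalRequest request;

        RequestFacade(InternalRequest request) { this.request = request; }

        public String getSessionId() {
            if (request == null) {
                throw new IllegalStateException("request facade no longer valid");
            }
            return request.getSessionId();
        }

        void clear() { request = null; }
    }

    interface RequestListener {
        void requestInitialized(Object request);
    }

    // An application listener that keeps whatever object the container passes it.
    static final class RetainingListener implements RequestListener {
        Object retained;
        public void requestInitialized(Object request) { retained = request; }
    }

    // Dispatch as in the vulnerable behaviour: the raw internal object is handed out.
    static String dispatchWithoutFacade(RetainingListener listener) {
        InternalRequest req = new InternalRequest("appA", "SESSION-A");   // constructed sample
        listener.requestInitialized(req);
        req.recycle("appB", "SESSION-B");                                  // next request, other webapp
        // The retained reference now yields appB's data: returns "SESSION-B".
        return ((InternalRequest) listener.retained).getSessionId();
    }

    // Dispatch as in the fixed behaviour: only a facade is handed out and cleared afterwards.
    static String dispatchWithFacade(RetainingListener listener) {
        InternalRequest req = new InternalRequest("appA", "SESSION-A");
        RequestFacade facade = new RequestFacade(req);
        listener.requestInitialized(facade);
        facade.clear();                                                    // end of request
        req.recycle("appB", "SESSION-B");
        try {
            return ((RequestFacade) listener.retained).getSessionId();
        } catch (IllegalStateException e) {
            return "no access: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        System.out.println("without facade: " + dispatchWithoutFacade(new RetainingListener()));
        System.out.println("with facade:    " + dispatchWithFacade(new RetainingListener()));
    }
}
```

Run with `javac FacadeDemo.java && java FacadeDemo`. The facade alone is not the whole story in Tomcat: under a SecurityManager the internal connector classes are additionally shielded by package access checks, which is why the advisory scopes the impact to untrusted applications running under one. When reviewing similar container or framework code, the check to make is that every callback into application code (listeners, filters, valves exposed to webapps) receives the wrapper type, never the recyclable internal object.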
Upstream fixes:
Tomcat 7.x:
https://svn.apache.org/viewvc?view=revision&revision=1785777
Tomcat 8.0.x:
https://svn.apache.org/viewvc?view=revision&revision=1785776
Tomcat 8.5.x:
https://svn.apache.org/viewvc?view=revision&revision=1785775
References:
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.76
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.42
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.12