Security Manager bypass in Oracle Server applications

#VU263 Security Manager bypass in Oracle Server applications

Published: 2016-08-05 | Updated: 2017-01-11

Vulnerability identifier: #VU263

Vulnerability risk: Low

CVSSv3.1: 3.3 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2016-0706

CWE-ID: CWE-200

Exploitation vector: Local

Exploit availability: No

Vulnerable software:
Apache Tomcat
Server applications / Web servers
Oracle Solaris
Operating systems & Components / Operating system
Oracle Linux
Operating systems & Components / Operating system
Oracle Transportation Management
Other software / Other software solutions
Virtual Desktop Infrastructure
Server applications / Virtualization software

Vendor: Apache Foundation
Oracle

Description

The vulnerability allows a local attacker to obtain potentially sensitive information.

A local attacker, who controls web application, can use StatusManagerServlet, when a security manager was configured, to obtain potentially sensitive information, which belongs to other users. The attacker will be able to obtain a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. This could have exposed sensitive information from other web applications, such as session IDs, to the web application.

Successful exploitation of the vulnerability may allow a local attacker to gain access to potentially sensitive information.

Mitigation
Install the latest version Apache Tomcat 6.0.45, 7.0.68, 8.0.32 or 9.0.0.M3

Vulnerable software versions

Apache Tomcat: 6.0.0 - 6.0.44, 7.0.0 - 7.0.67, 8.0.0 - 8.0.32, 9.0.0-M1 - 9.0.0-M2

Oracle Solaris: 11.3

Oracle Transportation Management: 6.1 - 6.3.7

Virtual Desktop Infrastructure: 3.5.3

Oracle Linux: 7

External links
http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.45
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html

Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Amazon Linux AMI update for tomcat6

SUSE Linux update for tomcat6

Multiple vulnerabilities in Apache Tomcat