Description
The (1) Manager and (2) Host Manager applications in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 establish sessions and send CSRF tokens for arbitrary new requests, which allows remote attackers to bypass a CSRF protection mechanism by using a token.
Remediation
References
http://svn.apache.org/viewvc?view=revision&revision=1720663
http://svn.apache.org/viewvc?view=revision&revision=1720652
http://svn.apache.org/viewvc?view=revision&revision=1720655
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
http://svn.apache.org/viewvc?view=revision&revision=1720658
http://tomcat.apache.org/security-7.html
http://svn.apache.org/viewvc?view=revision&revision=1720660
http://seclists.org/bugtraq/2016/Feb/148
http://svn.apache.org/viewvc?view=revision&revision=1720661
http://www.debian.org/security/2016/dsa-3530
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442
http://www.debian.org/security/2016/dsa-3609
http://www.ubuntu.com/usn/USN-3024-1
http://www.debian.org/security/2016/dsa-3552
http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
http://www.securityfocus.com/bid/83330
https://access.redhat.com/errata/RHSA-2016:1087
http://rhn.redhat.com/errata/RHSA-2016-1089.html
https://access.redhat.com/errata/RHSA-2016:1088
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html
https://bto.bluecoat.com/security-advisory/sa118
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html
http://www.securitytracker.com/id/1035069
http://packetstormsecurity.com/files/135882/Apache-Tomcat-CSRF-Token-Leak.html
https://security.gentoo.org/glsa/201705-09
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
https://softwaresupport.hpe.com/document/-/facetsearch/document/KM02978021
http://rhn.redhat.com/errata/RHSA-2016-2808.html
http://rhn.redhat.com/errata/RHSA-2016-2807.html
http://rhn.redhat.com/errata/RHSA-2016-2599.html
https://security.netapp.com/advisory/ntap-20180531-0001/
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E