Description

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Remediation

References

http://svn.apache.org/viewvc?view=revision&revision=1725931

http://svn.apache.org/viewvc?view=revision&revision=1725929

http://tomcat.apache.org/security-8.html

http://tomcat.apache.org/security-9.html

http://tomcat.apache.org/security-7.html

http://seclists.org/bugtraq/2016/Feb/147

http://svn.apache.org/viewvc?view=revision&revision=1725926

http://www.debian.org/security/2016/dsa-3530

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05158626

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05150442

http://www.debian.org/security/2016/dsa-3609

http://www.ubuntu.com/usn/USN-3024-1

http://www.debian.org/security/2016/dsa-3552

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755

http://www.securityfocus.com/bid/83326

https://access.redhat.com/errata/RHSA-2016:1087

http://rhn.redhat.com/errata/RHSA-2016-1089.html

https://access.redhat.com/errata/RHSA-2016:1088

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00069.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00047.html

http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00085.html

http://lists.fedoraproject.org/pipermail/package-announce/2016-March/179356.html

https://bto.bluecoat.com/security-advisory/sa118

http://www.securitytracker.com/id/1035069

https://security.gentoo.org/glsa/201705-09

http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

http://rhn.redhat.com/errata/RHSA-2016-2808.html

http://rhn.redhat.com/errata/RHSA-2016-2807.html

http://rhn.redhat.com/errata/RHSA-2016-2599.html

https://security.netapp.com/advisory/ntap-20180531-0001/

https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E

https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E

Related Vulnerabilities

CVE-2019-10080 Vulnerability in maven package org.apache.nifi:nifi-lookup-services

CVE-2011-0013 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2021-36162 Vulnerability in maven package org.apache.dubbo:dubbo-cluster

CVE-2017-2601 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2017-2600 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

High

Classification

CWE-264 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Tags

Vendor Advisory