Description
The setGlobalContext method in
org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x
before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider
whether ResourceLinkFactory.setGlobalContext callers are authorized, which
allows remote authenticated users to bypass intended SecurityManager
restrictions and read or write to arbitrary application data, or cause a
denial of service (application disruption), via a web application that sets
a crafted global context.
Ubuntu-Description
It was discovered that the Tomcat setGlobalContext method incorrectly
checked if callers were authorized. A remote attacker could possibly use
this issue to read or write to arbitrary application data, or cause a denial
of service.
Package
Upstream: released (6.0.45)
Ubuntu 18.04 LTS: DNE
Ubuntu 14.04 ESM: released (6.0.39-1ubuntu0.1)
Ubuntu 20.04 FIPS Compliant: DNE
Patches:
Package
Upstream: released (7.0.68-1)
Ubuntu 18.04 LTS: not-affected (7.0.68-1)
Ubuntu 14.04 ESM: released (7.0.52-1ubuntu0.6)
Ubuntu 20.04 FIPS Compliant: not-affected (7.0.68-1)
Patches:
Package
Upstream: released (8.0.32-1)
Ubuntu 18.04 LTS: not-affected (8.0.32-1ubuntu1)
Ubuntu 16.04 ESM: not-affected (8.0.32-1ubuntu1)
Ubuntu 14.04 ESM: DNE
Ubuntu 20.04 FIPS Compliant: not-affected (8.0.32-1ubuntu1)
Patches:
Updated: 2022-04-13 12:09:12 UTC (commit f411bd370d482ef4385c4e751d121a4055fbc009)