
====================================================================

                           CERT-Renater

               Information Note No. 2015/VULN084
_____________________________________________________________________

DATE                : 15/05/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Apache Tomcat versions 8, 7, 6,
                      prior to 8.0.17, 7.0.59, 6.0.44.

======================================================================
http://mail-archives.us.apache.org/mod_mbox/www-announce/201505.mbox/%3C5554AB1C.7050606@apache.org%3E
______________________________________________________________________

CVE-2014-7810 Security Manager Bypass

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
- Apache Tomcat 8.0.0-RC1 to 8.0.15
- Apache Tomcat 7.0.0 to 7.0.57
- Apache Tomcat 6.0.0 to 6.0.43

Description:
Malicious web applications could use expression language to bypass the
protections of a Security Manager as expressions were evaluated within
a privileged code section.

This issue only affects installations that run web applications from
untrusted sources.

Mitigation:
Users of affected versions should apply one of the following mitigations:
- Upgrade to Apache Tomcat 8.0.17 or later
  (8.0.16 has the fix but was not released)
- Upgrade to Apache Tomcat 7.0.59 or later
  (7.0.58 has the fix but was not released)
- Upgrade to Apache Tomcat 6.0.44 or later
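
As an added check (example code, not part of the CERT-Renater or Apache advisory), the following Python classifies a Tomcat version string, or the "Server version:" line printed by Tomcat's version script, against the affected and fixed ranges listed above; the sample script output is constructed.

```python
import re

# Affected range and fixed release per branch, as stated in the advisory.
AFFECTED = {
    8: (("8.0.0-RC1", "8.0.15"), "8.0.17"),
    7: (("7.0.0", "7.0.57"), "7.0.59"),
    6: (("6.0.0", "6.0.43"), "6.0.44"),
}


def parse_version(s):
    """'8.0.0-RC1' -> (8, 0, 0, 0, 1); '8.0.15' -> (8, 0, 15, 1, 0).
    The fourth field makes a release candidate sort before its final release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?", s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, rc = m.groups()
    if rc is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(rc))


def status(version):
    """Return a short verdict for one Tomcat version string."""
    v = parse_version(version)
    if v[0] not in AFFECTED:
        return "not covered by this advisory"
    (lo, hi), fixed = AFFECTED[v[0]]
    if parse_version(lo) <= v <= parse_version(hi):
        return f"affected; upgrade to {fixed} or later"
    if v >= parse_version(fixed):
        return "fixed"
    # Between the last affected and the first fixed release: the advisory
    # says such numbers (8.0.16, 7.0.58) were never released.
    return f"not a released version; the fixed release is {fixed}"


def status_from_version_output(text):
    """Extract the version from 'catalina.sh version' / 'version.sh' output."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", text)
    if not m:
        raise ValueError("no 'Server version:' line found")
    return status(m.group(1))


# Constructed sample of the version script's output.
SAMPLE_OUTPUT = "Server version: Apache Tomcat/8.0.15\nServer number:  8.0.15.0\n"

if __name__ == "__main__":
    print(status_from_version_output(SAMPLE_OUTPUT))
```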


Credit:
This issue was discovered by the Apache Tomcat security team.

References:
[1] http://tomcat.apache.org/security-8.html
[2] http://tomcat.apache.org/security-7.html
[3] http://tomcat.apache.org/security-6.html

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
