You are here

Apache Tomcat Vulnerabilities Related to Tomcat 7.x before 7.0.66

CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763, CVE-2015-5345, CVE-2016-0729
Tomcat, Host Manager

Several vulnerabilities affecting Apache Tomcat before 6.0.45, 7.0.68, 8.0.32 and 9.0.0M3 has been released, see [1, 2, 3, 4].

Airlock WAF is not affected. 


Some vulnerabilities affect the Tomcat Manager and Host Manager which is either not accessible at all or only accessible for trusted users (upstream authentication is necessary). The other vulnerabilities do not affect Airlock WAF because all add-on modules are trusted and supposed not to have malicious code.


We recommend to update back-ends running a vulnerable Apache Tomcat to the newest version in particular if any application inside Tomcat meets one of the following criteria:

  • The web application in Tomcat is not completely trusted (CVE-2016-0763, CVE-2016-0714, CVE-2016-0706)
  • The tomcat Manager and Host Manager is used and CSRF protection is needed (CVE-2015-5351). Note that Airlock WAF can provide CSRF protection as well by enabling session-based URL encryption or CSRF Tokens (available with Airlock WAF 6.0).
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution