You are here
Apache Tomcat Vulnerabilities Related to Tomcat 7.x before 7.0.66
Submitted on 1. March 2016 - 13:58 by rischi.
Last update on 3. March 2016 - 17:24.
Last update on 3. March 2016 - 17:24.
IDs:
CVE-2015-5346, CVE-2015-5351, CVE-2016-0706, CVE-2016-0714, CVE-2016-0763, CVE-2015-5345, CVE-2016-0729
Keywords:
Tomcat, Host Manager
Description:
Several vulnerabilities affecting Apache Tomcat before 6.0.45, 7.0.68, 8.0.32 and 9.0.0M3 has been released, see [1, 2, 3, 4].
Airlock WAF is not affected.
Details:
Some vulnerabilities affect the Tomcat Manager and Host Manager which is either not accessible at all or only accessible for trusted users (upstream authentication is necessary). The other vulnerabilities do not affect Airlock WAF because all add-on modules are trusted and supposed not to have malicious code.
Resolution:
We recommend to update back-ends running a vulnerable Apache Tomcat to the newest version in particular if any application inside Tomcat meets one of the following criteria:
- The web application in Tomcat is not completely trusted (CVE-2016-0763, CVE-2016-0714, CVE-2016-0706)
- The tomcat Manager and Host Manager is used and CSRF protection is needed (CVE-2015-5351). Note that Airlock WAF can provide CSRF protection as well by enabling session-based URL encryption or CSRF Tokens (available with Airlock WAF 6.0).
Component:
Airlock
Airlock Vulnerability Status:
Does not affect Airlock
Back-end Vulnerability Status:
Back-ends may be vulnerable, see resolution