Apache Fixes Security Manager Hole

Tuesday, May 19, 2015 @ 04:05 PM gHale


Apache fixed a vulnerability in Tomcat, its open-source web server and servlet container, that could allow a malicious web application to bypass the sandbox enforced by the Java Security Manager.

Tomcat implements Java EE specifications such as Java Servlet, JavaServer Pages (JSP), the Expression Language (EL), and WebSocket, providing an HTTP server in which Java web applications execute.


The vulnerability, tracked as CVE-2014-7810, was reported to the Tomcat security team November 2, 2014, and made public May 14, 2015. No CVSS score has been published, but Apache rates the issue as moderate severity.

Affected versions are Apache Tomcat 8.0.0-RC1 through 8.0.15, 7.0.0 through 7.0.57, and 6.0.0 through 6.0.43.

According to the security advisory from the Apache Software Foundation, a malicious web application could use Expression Language to circumvent the protections of the Java Security Manager. In Tomcat the Security Manager is a server-side sandbox, enabled by starting Tomcat with the -security option, that restricts what deployed web applications may do on the host, such as reading files or opening network connections outside what the policy allows; it has nothing to do with browser applets.

The Security Manager's purpose is to protect the server and the other applications on it from potentially malicious activity by an untrusted web application. Because Tomcat evaluated EL expressions inside a privileged code section, an expression supplied by such an application ran with more permissions than the policy granted the application itself.

“Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section,” an advisory said. “This issue only affects installations that run web applications from untrusted sources.”

The fix first shipped in Apache Tomcat 8.0.17 and 7.0.59, released earlier this year.

Version 6.0.44, released Tuesday, also includes the patch for CVE-2014-7810.
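Whether a given host needs this patch comes down to two questions: is its Tomcat inside one of the affected ranges above, and is it actually running under a Security Manager (otherwise there is no sandbox to bypass, although upgrading is still the right call)? The following Python is an added example, not code from Apache or from the original article. It encodes the ranges exactly as the advisory lists them and assumes two things that are not stated on this page: that `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo` prints a `Server version: Apache Tomcat/X.Y.Z` line, and that `catalina.sh ... -security` starts the JVM with `-Djava.security.manager`. The ServerInfo output and JVM command line embedded below are constructed samples, not captured from a real host.

```python
import re

# Affected ranges and first fixed release per branch, as listed in the
# Apache advisory for CVE-2014-7810 (8.0.16 and 7.0.58 were never released).
CVE_2014_7810 = {
    8: ("8.0.0-RC1", "8.0.15", "8.0.17"),
    7: ("7.0.0", "7.0.57", "7.0.59"),
    6: ("6.0.0", "6.0.43", "6.0.44"),
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-RC(\d+))?$")
_FINAL = 10**6  # pre-release key for a final release, so 8.0.0-RC10 < 8.0.0


def parse_version(text):
    """Turn a Tomcat version such as '8.0.0-RC1' or '7.0.57' into a tuple
    that sorts correctly; release candidates sort before the final release
    of the same number."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % (text,))
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else _FINAL)


def assess(version):
    """Return (affected, first_fixed) for a Tomcat version string.
    first_fixed is None when the branch is not listed in the advisory."""
    v = parse_version(version)
    branch = CVE_2014_7810.get(v[0])
    if branch is None:
        return (False, None)  # branch not covered by the advisory
    first, last, fixed = branch
    affected = parse_version(first) <= v <= parse_version(last)
    return (affected, fixed)


def version_from_server_info(output):
    """Pull the version out of the text printed by
    `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`,
    assumed to contain a line like 'Server version: Apache Tomcat/8.0.15'."""
    m = re.search(r"^Server version:\s*Apache Tomcat/(\S+)", output, re.MULTILINE)
    if not m:
        raise ValueError("no 'Server version' line in ServerInfo output")
    return m.group(1)


def security_manager_enabled(cmdline):
    """True when the JVM command line carries -Djava.security.manager, which
    catalina.sh is assumed to add for 'run -security' / 'start -security'.
    Without it there is no Security Manager sandbox to bypass."""
    return any(arg.startswith("-Djava.security.manager") for arg in cmdline.split())


# Constructed sample data (not captured from a real host).
SAMPLE_SERVER_INFO = """\
Server version: Apache Tomcat/8.0.15
Server built:   Jan 1 2015 00:00:00 UTC
Server number:  8.0.15.0
OS Name:        Linux
"""
SAMPLE_CMDLINE = (
    "/usr/bin/java -Djava.security.manager "
    "-Djava.security.policy==/opt/tomcat/conf/catalina.policy "
    "-classpath /opt/tomcat/bin/bootstrap.jar org.apache.catalina.startup.Bootstrap start"
)


def triage(server_info=SAMPLE_SERVER_INFO, cmdline=SAMPLE_CMDLINE):
    """Combine both checks into one verdict string for an inventory report."""
    version = version_from_server_info(server_info)
    affected, fixed = assess(version)
    sandboxed = security_manager_enabled(cmdline)
    if not affected:
        return "%s: not in an affected range" % version
    if not sandboxed:
        return "%s: affected range, but no Security Manager in use; upgrade to %s" % (version, fixed)
    return "%s: affected and running under a Security Manager; upgrade to %s" % (version, fixed)


if __name__ == "__main__":
    print(triage())
```

On a real host, feed `triage()` the output of the ServerInfo command and the Tomcat process's command line (for example from `ps -o args=`); the release-candidate handling matters because the 8.0.0-RC builds are inside the affected range while sorting naively as strings would misplace them.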


