CVE-2014-7810

Name: CVE-2014-7810
Description: The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-232-1, DSA-3428-1, DSA-3447-1, DSA-3530-1
Debian Bugs: 787010

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release                   Version                            Status
tomcat6 (PTS)    jessie, jessie (lts)      6.0.45+dfsg-1~deb8u1               fixed
tomcat7 (PTS)    jessie, jessie (lts)      7.0.56-3+really7.0.109-1+deb8u6    fixed
                 stretch                   7.0.75-1                           fixed
tomcat8 (PTS)    jessie, jessie (lts)      8.0.14-1+deb8u28                   fixed
                 stretch (security)        8.5.54-0+deb9u8                    fixed
                 stretch (lts), stretch    8.5.54-0+deb9u15                   fixed

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version           Urgency   Origin       Debian Bugs
tomcat6   source   squeeze      6.0.41-2+squeeze7                 DLA-232-1
tomcat6   source   wheezy       6.0.45+dfsg-1~deb7u1              DSA-3530-1
tomcat6   source   (unstable)   6.0.41-3                                       787010
tomcat7   source   wheezy       7.0.28-4+deb7u3                   DSA-3447-1
tomcat7   source   jessie       7.0.56-3+deb8u1                   DSA-3447-1
tomcat7   source   (unstable)   7.0.61-1
tomcat8   source   jessie       8.0.14-1+deb8u1                   DSA-3428-1
tomcat8   source   (unstable)   8.0.21-2

Notes

Marked as fixed in 6.0.41-3, which only builds the libservlet2.5-java and libservlet2.5-java-doc packages.
Upstream fix commits:
http://svn.apache.org/viewvc?view=revision&revision=1645366 (6.x)
http://svn.apache.org/viewvc?view=revision&revision=1659538 (6.x)
http://svn.apache.org/viewvc?view=revision&revision=1644019 (7.x)
http://svn.apache.org/viewvc?view=revision&revision=1645644 (7.x)
