CVE-2016-0714

Name	CVE-2016-0714
Description	The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-435-1, DSA-3530-1, DSA-3552-1, DSA-3609-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
tomcat6 (PTS)	jessie, jessie (lts)	6.0.45+dfsg-1~deb8u1	fixed
tomcat7 (PTS)	jessie, jessie (lts)	7.0.56-3+really7.0.109-1+deb8u6	fixed
	stretch	7.0.75-1	fixed
tomcat8 (PTS)	jessie, jessie (lts)	8.0.14-1+deb8u28	fixed
	stretch (security)	8.5.54-0+deb9u8	fixed
	stretch (lts), stretch	8.5.54-0+deb9u15	fixed
tomcat9 (PTS)	buster (security), buster, buster (lts)	9.0.31-1~deb10u12	fixed
	bullseye (security), bullseye	9.0.43-2~deb11u10	fixed
	bookworm	9.0.70-2	fixed
	sid, trixie	9.0.95-1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin
tomcat6	source	squeeze	6.0.45-1~deb6u1	DLA-435-1
tomcat6	source	wheezy	6.0.45+dfsg-1~deb7u1	DSA-3530-1
tomcat6	source	(unstable)	6.0.41-3
tomcat7	source	wheezy	7.0.28-4+deb7u4	DSA-3552-1
tomcat7	source	jessie	7.0.56-3+deb8u2	DSA-3552-1
tomcat7	source	(unstable)	7.0.68-1
tomcat8	source	jessie	8.0.14-1+deb8u2	DSA-3609-1
tomcat8	source	(unstable)	8.0.32-1
tomcat9	source	(unstable)	(not affected)

Notes

- tomcat9 <not-affected> (Fixed before initial upload to Debian)
Since 6.0.41-3, src:tomcat6 only builds a servlet and docs
Fixed in 6.0.45, 7.0.68, 8.0.32, 9.0.0.M3