Fixes have been released by the Apache Software Foundation

May 15, 2015 13:10 GMT

The security team in charge of Apache Tomcat identified a security risk in the open-source web server and servlet container that would allow a threat actor to bypass the protections for the Security Manager component.

Tomcat implements Java EE specifications such as Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, providing an HTTP server in which Java code can be executed.

The vulnerability, which is tracked as CVE-2014-7810, was discovered on November 2, 2014, and it was made public on Thursday, May 14, 2015. A severity score has not been calculated, but the damage potential is considered to be moderate.

Expression validation takes place in a privileged code section

Apache Tomcat versions impacted by the glitch are 8.0.0-RC1 through 8.0.15, 7.0.0 through 7.0.57, and 6.0.0 through 6.0.43.

According to the security advisory from Apache Software Foundation, an attacker could use Expression Language to circumvent the protections available for Security Manager, a component that permits a web browser to run Java applets in an environment isolated from the local system.

Security Manager’s purpose is to protect against potentially malicious activity that an untrusted applet may carry out against the server.

“Malicious web applications could use expression language to bypass the protections of a Security Manager as expressions were evaluated within a privileged code section,” reads the description of the glitch.

“This issue only affects installations that run web applications from untrusted sources,” it is further explained.
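To make the advisory's point concrete, the following Java snippet (an added illustration, not Tomcat's own code; the class and method names, the `container.el.mode` property and the sample expression are hypothetical) contrasts the vulnerable shape, where an untrusted EL expression is evaluated inside a `doPrivileged` block, with the hardened shape, where only the container-internal step that genuinely needs elevated permissions is wrapped:

```java
// Added illustration of the privileged-section pattern behind CVE-2014-7810.
// Not Tomcat's code: class and method names are hypothetical, chosen to show
// why the placement of the doPrivileged boundary matters under a SecurityManager.
import java.security.AccessController;
import java.security.PrivilegedAction;
import javax.el.ELProcessor;

public class PrivilegedElExample {

    // Vulnerable shape: the whole evaluation, including any method the untrusted
    // expression invokes, runs with the container's own permissions. The web
    // application's ProtectionDomain is no longer consulted for permission checks
    // made from inside the expression, so SecurityManager restrictions do not apply.
    static Object evaluateInsidePrivileged(final String untrustedExpression) {
        return AccessController.doPrivileged(new PrivilegedAction<Object>() {
            public Object run() {
                ELProcessor el = new ELProcessor();
                return el.eval(untrustedExpression);   // evaluated with full privileges
            }
        });
    }

    // Hardened shape: only the narrow, trusted step is privileged; the untrusted
    // expression is evaluated outside the block, so SecurityManager checks see
    // the web application's (restricted) permissions on the call stack.
    static Object evaluateOutsidePrivileged(final String untrustedExpression) {
        String trustedSetting = AccessController.doPrivileged(new PrivilegedAction<String>() {
            public String run() {
                // Hypothetical container property that the web application itself
                // lacks permission to read; this is the only part that needs privilege.
                return System.getProperty("container.el.mode", "strict");
            }
        });
        ELProcessor el = new ELProcessor();
        el.defineBean("mode", trustedSetting);
        return el.eval(untrustedExpression);           // evaluated as the caller
    }

    public static void main(String[] args) {
        // Constructed benign expression: the lesson is where it is evaluated, not what it does.
        String expr = "mode.concat('-checked')";
        System.out.println(evaluateOutsidePrivileged(expr));
    }
}
```

When reviewing similar code, the check is whether any untrusted input (an expression, a class name, a path) is consumed inside the privileged block rather than only the trusted operation that required the privilege.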

Patches have been delivered for all affected versions

Fixes have been included in the latest versions of Apache Tomcat, 8.0.17 and 7.0.59, released earlier this year.

Revision 6.0.44, which rolled out on Tuesday this week, also includes the patch for CVE-2014-7810. It also integrates a fix for a second issue, reported by a member of the Baidu security team, which could have been exploited to create a denial of service (DoS) condition.