Apache Tomcat disclosed CVE-2016-0706 on 02/24/2016 with the overview below:
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
Disclaimer: “CVE Probe” posts are merely security research based on publicly disclosed and already fixed vulnerabilities. All information provided on this site is for educational purposes only. As a security researcher, security engineer and an ethical hacker, I am not responsible for misuse of this information. You shall not misuse the information to gain unauthorized access and/or write malicious programs. You may try all of these techniques on your own computer at your own risk. Performing any hacking attempts or tests without written permission from the owner of the computer system is illegal.
From that overview, the following Tomcat version ranges are affected by this vulnerability:
- Tomcat 6.0.0 – 6.0.44
- Tomcat 7.0.0 – 7.0.67
- Tomcat 8.0.0 – 8.0.30
- Tomcat 9.0.0.M1
There are 98 Tomcat versions in these ranges, and the affected versions are listed individually as CPEs for CVE-2016-0706.
In a production Tomcat setup, security guidelines recommend disabling public access to the “Manager” application or limiting access to certain IP addresses. However, since “StatusManagerServlet” resides in “catalina” (not in the Manager web application), this vulnerability can expose internal details even if the “Manager” application was removed entirely.
In order to further examine the vulnerability, we’ll create a simple web application containing only one JSP file, whose contents are the following scriptlet:
<%-- Instantiate the container-internal status servlet directly from a non-privileged web application --%>
<% org.apache.catalina.manager.StatusManagerServlet obj = new org.apache.catalina.manager.StatusManagerServlet(); %>
The full Maven project is available at: https://github.com/ayomawdb/cve-probe/tree/master/CVE-2016%E2%80%930706
Deploy and access the web application on a Tomcat server within the version ranges mentioned above. You will notice that sensitive information such as version details of Tomcat, the JVM and the operating system is exposed, along with memory details and information about the requests currently being processed.
Fixes and Mitigation
The best way to protect against the vulnerability is to upgrade the Tomcat version. However, it is also possible to add the servlet to the “org/apache/catalina/core/RestrictedServlets.properties” list so that external (non-privileged) web applications cannot use the servlet maliciously.
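To make both checks above repeatable, here is a small audit helper, added as an example for this post (it is neither the post's Maven project nor Tomcat's own code). It classifies a Tomcat version string, such as the “Server version: Apache Tomcat/8.0.30” line printed by version.sh, against the affected ranges listed earlier (first fixed releases 6.0.45, 7.0.68, 8.0.31 and 9.0.0.M2, with 9.0.0.M1 ranking below 9.0.0.M2), and it checks whether a copy of RestrictedServlets.properties names StatusManagerServlet. It assumes the file uses ordinary Java properties syntax with one fully qualified servlet class name per line as the key; the two property excerpts are constructed stand-ins, not the real file.

```python
import re
from typing import Iterator, Optional, Tuple

# Class the advisory says was missing from RestrictedServlets.properties.
STATUS_SERVLET = "org.apache.catalina.manager.StatusManagerServlet"

# First fixed release per affected branch, taken from the advisory text:
# 6.0.45, 7.0.68, 8.0.31 and 9.0.0.M2. Values are keys as built by version_key().
FIRST_FIXED = {
    6: (6, 0, 45, 1, 0),
    7: (7, 0, 68, 1, 0),
    8: (8, 0, 31, 1, 0),
    9: (9, 0, 0, 0, 2),   # 9.0.0.M2 is a milestone build
}

VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?")

VersionKey = Tuple[int, int, int, int, int]


def version_key(text: str) -> Optional[VersionKey]:
    """Extract a comparable key from strings such as "8.0.30",
    "Apache Tomcat/7.0.65" (version.sh output) or "9.0.0.M1".

    The fourth element ranks milestone builds (0) below final releases (1),
    so 9.0.0.M1 < 9.0.0.M2 < 9.0.0; the fifth element is the milestone number.
    """
    m = VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, 0)
    return (major, minor, patch, 0, int(m.group(4)))


def is_affected(version_text: str) -> bool:
    """True when the version falls inside the ranges listed in the post."""
    key = version_key(version_text)
    if key is None:
        raise ValueError(f"no Tomcat version found in {version_text!r}")
    fixed = FIRST_FIXED.get(key[0])
    if fixed is None:          # 5.x and earlier, or later majors: not listed
        return False
    return key < fixed


def restricted_servlet_names(properties_text: str) -> Iterator[str]:
    """Yield the keys of a RestrictedServlets.properties file (assumed Java
    .properties syntax: '#' or '!' starts a comment, a key ends at '=', ':'
    or whitespace)."""
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        yield re.split(r"\s*[=:]\s*|\s+", line, maxsplit=1)[0]


def is_mitigated(properties_text: str) -> bool:
    """True when StatusManagerServlet is on the restricted list."""
    return STATUS_SERVLET in set(restricted_servlet_names(properties_text))


def audit(version_text: str, properties_text: str) -> str:
    """Combine both checks into one verdict string."""
    if not is_affected(version_text):
        return "not affected: version outside the advisory ranges"
    if is_mitigated(properties_text):
        return "affected version, but StatusManagerServlet is restricted"
    return "VULNERABLE: affected version and StatusManagerServlet not restricted"


# Constructed excerpts standing in for the real file (which lists more
# servlets); only the presence of the StatusManagerServlet entry matters here.
UNPATCHED_LIST = """\
# constructed excerpt: servlets a non-privileged webapp may not load
org.apache.catalina.servlets.CGIServlet=restricted
"""
PATCHED_LIST = UNPATCHED_LIST + STATUS_SERVLET + "=restricted\n"

if __name__ == "__main__":
    for ver in ("Apache Tomcat/8.0.30", "8.0.31", "9.0.0.M1", "9.0.0.M2", "5.5.36"):
        print(f"{ver:25} affected={is_affected(ver)}")
    print(audit("7.0.65", UNPATCHED_LIST))
    print(audit("7.0.65", PATCHED_LIST))
```

Feed it the version line from version.sh and the RestrictedServlets.properties actually on the server's classpath; a copy edited elsewhere but not the one Tomcat loads gives a false “mitigated” result.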
Once the above change is made, and provided Tomcat was started with a proper SecurityManager configuration, the malicious JSP receives the error response below: