CVE-2014-7810

The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.

From the Ubuntu Security Team

It was discovered that the Tomcat Expression Language (EL) implementation incorrectly handled accessible interfaces implemented by inaccessible classes. An attacker could possibly use this issue to bypass a SecurityManager protection mechanism.

• How can I get the fixes?
• What do statuses mean?
• Patch details

References

• MITRE
• NVD
• Launchpad
• Debian

Related Ubuntu Security Notices (USN)

• USN-2655-1
• Tomcat vulnerabilities
• 25 June 2015
• USN-2654-1
• Tomcat vulnerabilities
• 25 June 2015

Other references

• http://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.44
• http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.59
• http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.17
• https://www.cve.org/CVERecord?id=CVE-2014-7810