CVE-2017-5648
Reference Handling vulnerability in tomcat-catalina (Maven)
What is CVE-2017-5648 About?
This is an improper reference handling issue in Apache Tomcat: some calls into application listeners passed Tomcat's internal request or response object instead of the facade object that application code is meant to see. An untrusted web application running under a SecurityManager could retain that internal object and use it to read or modify information belonging to other web applications on the same instance. Exploitation is made easier by running untrusted applications.
Affected Software
- org.apache.tomcat:tomcat-catalina
  - >=7.0.0, <7.0.76
  - >=8.0.0, <8.0.42
  - >=8.5.0, <8.5.13
  - >=9.0.0.M1, <9.0.0.M18
- org.apache.tomcat.embed:tomcat-embed-core
  - >=7.0.0, <7.0.76
  - >=8.0.0, <8.0.42
  - >=8.5.0, <8.5.13
  - >=9.0.0.M1, <9.0.0.M18
The lower bounds are inclusive: the first release of each branch (7.0.0, 8.0.0, 8.5.0, 9.0.0.M1) is affected.
Technical Details
Tomcat does not hand application code its internal org.apache.catalina.connector.Request and Response objects directly; it wraps them in RequestFacade and ResponseFacade. The internal objects belong to the connector, are recycled from one request to the next regardless of which web application the request is for, and hold references to other container internals, so the facade is the boundary that keeps a web application away from them. When a SecurityManager is enabled, Tomcat also clears the facade when the underlying request is recycled, so a facade reference that an application keeps past the end of its own request stops working. In the affected versions, some code paths that notified application listeners passed the internal object instead of the facade. A listener in an untrusted web application that simply stores what it is handed then keeps a live handle to the pooled object, and once the container reuses that object for a request to a different web application on the same instance, the listener can read or modify that request's or response's data. Without a SecurityManager the facade was never a hardened boundary (an application can usually reach the internals through reflection anyway), which is why the advisory scopes the issue to untrusted applications running under a SecurityManager.
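The listener below, added here as a diagnostic and not part of the advisory or of Tomcat's own code, makes the facade distinction concrete: it implements the two request-scoped listener interfaces and records the runtime class of the ServletRequest each event carries. A fixed Tomcat passes org.apache.catalina.connector.RequestFacade; an internal org.apache.catalina.connector.Request reaching application code is the condition this CVE describes. It assumes Java 8 or later and the javax.servlet API of Tomcat 7 through 9 (Tomcat 10 moved to jakarta.servlet); the package, class and method names are illustrative.

```java
// Added diagnostic example; not Tomcat's code and not from the advisory.
// Package, class and method names are illustrative.
package example.audit;

import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

import javax.servlet.ServletRequest;
import javax.servlet.ServletRequestAttributeEvent;
import javax.servlet.ServletRequestAttributeListener;
import javax.servlet.ServletRequestEvent;
import javax.servlet.ServletRequestListener;
import javax.servlet.annotation.WebListener;

/**
 * Records whether the ServletRequest carried by request-scoped listener
 * events is Tomcat's facade or the internal connector Request.
 * Assumes Java 8+ and the javax.servlet API (Tomcat 7 to 9).
 */
@WebListener
public class FacadeAuditListener
        implements ServletRequestListener, ServletRequestAttributeListener {

    /** The class Tomcat is supposed to expose to application code. */
    static final String FACADE = "org.apache.catalina.connector.RequestFacade";

    /** Callback name -> number of events that carried a non-facade object. */
    private static final ConcurrentMap<String, Integer> LEAKS = new ConcurrentHashMap<>();

    /**
     * Compares by class name so the listener compiles against the Servlet API
     * alone and does not itself need access to catalina classes. Under a
     * SecurityManager, Object.getClass() and Class.getName() are permitted.
     */
    static boolean isFacade(ServletRequest req) {
        return req != null && FACADE.equals(req.getClass().getName());
    }

    private static void check(String callback, ServletRequest req) {
        if (isFacade(req)) {
            return;
        }
        // Record only the class name. Storing 'req' itself would be exactly
        // the reference retention the CVE describes.
        LEAKS.merge(callback, 1, Integer::sum);
        System.err.println("CVE-2017-5648 check: " + callback + " received "
                + (req == null ? "null" : req.getClass().getName())
                + " instead of " + FACADE);
    }

    @Override
    public void requestInitialized(ServletRequestEvent sre) {
        check("requestInitialized", sre.getServletRequest());
    }

    @Override
    public void requestDestroyed(ServletRequestEvent sre) {
        check("requestDestroyed", sre.getServletRequest());
    }

    @Override
    public void attributeAdded(ServletRequestAttributeEvent srae) {
        check("attributeAdded", srae.getServletRequest());
    }

    @Override
    public void attributeRemoved(ServletRequestAttributeEvent srae) {
        check("attributeRemoved", srae.getServletRequest());
    }

    @Override
    public void attributeReplaced(ServletRequestAttributeEvent srae) {
        check("attributeReplaced", srae.getServletRequest());
    }

    /** Snapshot for a health servlet or a test; an empty map means no leak was seen. */
    public static Map<String, Integer> leaks() {
        return new HashMap<>(LEAKS);
    }
}
```

Deploy it in a test web application, send a request that sets, replaces and removes a request attribute, and read leaks() from a servlet or test. The check covers only the callbacks it implements, so an empty map means those paths handed over the facade on that build, not that the instance is patched; the version table on this page remains the authoritative check. Note that a listener which kept the object instead of its class name would be the malicious case, so this audit listener deliberately stores nothing but a counter.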
What is the Impact of CVE-2017-5648?
Successful exploitation lets an untrusted web application read or modify request and response data belonging to other web applications hosted on the same Tomcat instance, defeating the isolation that a SecurityManager deployment is meant to provide. The impact is to the confidentiality and integrity of the other applications' data.
What is the Exploitability of CVE-2017-5648?
Exploitation requires the attacker to get a web application of their own deployed on the affected Tomcat instance, and the flaw only matters as a security boundary failure when that instance runs with a SecurityManager, the configuration intended to confine untrusted applications. Once the application is deployed, the attacker's code is an ordinary servlet listener that stores the request or response object it is handed, so the technical effort is low; no bypass of SecurityManager permission checks is involved, because the container itself hands over the internal object. No authentication to the victim application is needed: the attacker waits for the container to reuse the retained object for someone else's request. The exposure is therefore concentrated in shared-hosting or multi-tenant deployments that rely on the SecurityManager to isolate tenants; instances that do not host untrusted applications are not exposed in the way the advisory describes, though they should still move to a fixed release.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | – | – |
What are the Available Fixes for CVE-2017-5648?
Available Upgrade Options
The same fixed releases apply to both org.apache.tomcat:tomcat-catalina and org.apache.tomcat.embed:tomcat-embed-core; when both artifacts are present, upgrade them to the same version.
- 7.0.x (>=7.0.0, <7.0.76) → Upgrade to 7.0.76
- 8.0.x (>=8.0.0, <8.0.42) → Upgrade to 8.0.42
- 8.5.x (>=8.5.0, <8.5.13) → Upgrade to 8.5.13
- 9.0.0.M1 to 9.0.0.M17 (>=9.0.0.M1, <9.0.0.M18) → Upgrade to 9.0.0.M18
Check transitive dependencies as well as direct ones: tomcat-embed-core is frequently pulled in by frameworks rather than declared directly.
Additional Resources
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- http://www.securityfocus.com/bid/97530
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
- https://github.com/apache/tomcat/commit/dfa40863421d7681fed893b4256666491887e38c
- https://access.redhat.com/errata/RHSA-2017:1809
What are Similar Vulnerabilities to CVE-2017-5648?
Similar Vulnerabilities: CVE-2017-7670, CVE-2017-12615, CVE-2016-8743, CVE-2016-6794, CVE-2016-0714
