CVE-2016-6794

Published: Aug 10, 2017 | Modified: Dec 08, 2023
CVSS 3.x (source: NVD): 5.3 MEDIUM, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
CVSS 2.x: 5 MEDIUM, AV:N/AC:L/Au:N/C:P/I:N/A:N
RedHat/V2: 2.6 LOW, AV:N/AC:H/Au:N/C:P/I:N/A:N
RedHat/V3: 3.1 LOW, CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Ubuntu: LOW

When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, and 6.0.0 to 6.0.45, the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.

Affected Software

Name | Vendor | Start Version | End Version
Tomcat | Apache | 6.0.0 (including) | 6.0.45 (including)
Tomcat | Apache | 7.0.0 (including) | 7.0.70 (including)
Tomcat | Apache | 8.0 (including) | 8.0.36 (including)
Tomcat | Apache | 8.5.0 (including) | 8.5.4 (including)
Tomcat | Apache | 9.0.0-milestone1 (including) | 9.0.0-milestone1 (including)
Tomcat | Apache | 9.0.0-milestone2 (including) | 9.0.0-milestone2 (including)
Tomcat | Apache | 9.0.0-milestone3 (including) | 9.0.0-milestone3 (including)
Tomcat | Apache | 9.0.0-milestone4 (including) | 9.0.0-milestone4 (including)
Tomcat | Apache | 9.0.0-milestone5 (including) | 9.0.0-milestone5 (including)
Tomcat | Apache | 9.0.0-milestone6 (including) | 9.0.0-milestone6 (including)
Tomcat | Apache | 9.0.0-milestone7 (including) | 9.0.0-milestone7 (including)
Tomcat | Apache | 9.0.0-milestone8 (including) | 9.0.0-milestone8 (including)
Tomcat | Apache | 9.0.0-milestone9 (including) | 9.0.0-milestone9 (including)
Red Hat Enterprise Linux 7 | RedHat | tomcat-0:7.0.76-2.el7 | *
Red Hat JBoss Web Server 3.1 | RedHat | * | 
Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6 | *
Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | jbcs-httpd24-0:1-3.jbcs.el6 | *
Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6 | *
Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6 | *
Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6 | *
Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat7-0:7.0.70-16.ep7.el6 | *
Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat8-0:8.0.36-17.ep7.el6 | *
Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat-native-0:1.2.8-9.redhat_9.ep7.el6 | *
Red Hat JBoss Web Server 3 for RHEL 6 | RedHat | tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6 | *
Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7 | *
Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | jbcs-httpd24-0:1-3.jbcs.el7 | *
Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7 | *
Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7 | *
Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7 | *
Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat7-0:7.0.70-16.ep7.el7 | *
Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat8-0:8.0.36-17.ep7.el7 | *
Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat-native-0:1.2.8-9.redhat_9.ep7.el7 | *
Red Hat JBoss Web Server 3 for RHEL 7 | RedHat | tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7 | *
Tomcat6 | Ubuntu | esm-infra-legacy/trusty | *
Tomcat6 | Ubuntu | precise | *
Tomcat6 | Ubuntu | trusty | *
Tomcat6 | Ubuntu | trusty/esm | *
Tomcat6 | Ubuntu | upstream | *
Tomcat6 | Ubuntu | xenial | *
Tomcat7 | Ubuntu | artful | *
Tomcat7 | Ubuntu | precise | *
Tomcat7 | Ubuntu | trusty | *
Tomcat7 | Ubuntu | upstream | *
Tomcat7 | Ubuntu | xenial | *
Tomcat7 | Ubuntu | yakkety | *
Tomcat7 | Ubuntu | zesty | *
Tomcat8 | Ubuntu | upstream | *
Tomcat8 | Ubuntu | xenial | *