Oozie uses tomcat version 6.0.44. This and a couple of other security issues were raised with this tomcat version. We should upgrade tomcat, even in the 4.3 release.

Regards,
Shwetha

On 27/10/16, 5:47 PM, "Mark Thomas" <[email protected]> wrote:

> CVE-2016-6796 Apache Tomcat Security Manager Bypass
>
> Severity: Low
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M1 to 9.0.0.M9
> Apache Tomcat 8.5.0 to 8.5.4
> Apache Tomcat 8.0.0.RC1 to 8.0.36
> Apache Tomcat 7.0.0 to 7.0.70
> Apache Tomcat 6.0.0 to 6.0.45
> Earlier, unsupported versions may also be affected.
>
> Description
> A malicious web application was able to bypass a configured
> SecurityManager via manipulation of the configuration parameters for the
> JSP Servlet.
>
> Mitigation
> Users of affected versions should apply one of the following mitigations
> - Upgrade to Apache Tomcat 9.0.0.M10 or later
> - Upgrade to Apache Tomcat 8.5.5 or later
> - Upgrade to Apache Tomcat 8.0.37 or later
> - Upgrade to Apache Tomcat 7.0.72 or later
>   (Apache Tomcat 7.0.71 has the fix but was not released)
> - Upgrade to Apache Tomcat 6.0.47 or later
>   (Apache Tomcat 6.0.46 has the fix but was not released)
>
> Credit:
> This issue was discovered by the Apache Tomcat Security Team.
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
> [3] http://tomcat.apache.org/security-7.html
> [4] http://tomcat.apache.org/security-6.html
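The advisory quoted above gives inclusive version ranges with Tomcat's milestone (M) and release-candidate (RC) suffixes, which naive string comparison gets wrong. The following script, added here as an example and not code from the thread, from Oozie or from the Tomcat project, parses those version strings, checks a bundled version such as 6.0.44 against the advisory's ranges, and reports the first released fix on that branch. The ranges and fixed versions are copied from the advisory text; the rule that M sorts before RC and both before a final release is an assumption based on Tomcat's usual numbering, and the sample versions in the `__main__` block are constructed.

```python
"""Check a Tomcat version string against the CVE-2016-6796 advisory ranges.

Added example; not code from the original thread or from the Oozie or
Tomcat projects.  Ranges and first-fixed versions are copied from the
advisory text.  Assumption: 'M' (milestone) < 'RC' < final release.
"""
import re
from typing import Optional, Tuple

# Inclusive affected ranges, copied from the advisory's "Versions Affected".
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.0.M9"),
    ("8.5.0", "8.5.4"),
    ("8.0.0.RC1", "8.0.36"),
    ("7.0.0", "7.0.70"),
    ("6.0.0", "6.0.45"),
]

# First *released* version carrying the fix per branch, from "Mitigation".
FIRST_FIXED = {"9": "9.0.0.M10", "8.5": "8.5.5", "8.0": "8.0.37",
               "7": "7.0.72", "6": "6.0.47"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")
_PRERELEASE_RANK = {"M": 0, "RC": 1}   # assumption: M < RC < final (rank 2)


def parse_version(v: str) -> Tuple[int, int, int, int, int]:
    """Turn '8.0.0.RC1' into a tuple that sorts the way Tomcat releases do.

    A final release (no suffix) gets rank 2 so that 9.0.0 > 9.0.0.M9.
    """
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {v!r}")
    major, minor, patch, tag, num = m.groups()
    rank = _PRERELEASE_RANK.get(tag, 2)
    return (int(major), int(minor), int(patch), rank, int(num or 0))


def _branch(v: str) -> str:
    """Branch key used in FIRST_FIXED; the advisory splits 8.x into 8.5 and 8.0."""
    major, minor = parse_version(v)[:2]
    return f"{major}.{minor}" if major == 8 else str(major)


def is_affected(v: str) -> bool:
    """True if v falls inside one of the advisory's inclusive ranges."""
    pv = parse_version(v)
    return any(parse_version(lo) <= pv <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def first_fixed_version(v: str) -> Optional[str]:
    """Lowest released version on v's branch that carries the fix."""
    return FIRST_FIXED.get(_branch(v))


def status(v: str) -> str:
    """Classify v using the advisory's ranges and mitigation list."""
    pv = parse_version(v)
    if is_affected(v):
        return "affected"
    oldest_listed = min(parse_version(lo) for lo, _ in AFFECTED_RANGES)
    if pv < oldest_listed:
        # The advisory says earlier, unsupported versions "may also be affected".
        return "unsupported, possibly affected"
    fixed = first_fixed_version(v)
    if fixed and pv >= parse_version(fixed):
        return "fixed"
    # e.g. 6.0.46 has the fix but was never released, so no range covers it.
    return "not in a listed range"


if __name__ == "__main__":
    # Constructed sample inputs; 6.0.44 is the version named in the thread.
    for candidate in ("6.0.44", "6.0.47", "9.0.0.M9", "8.0.0.RC1", "5.5.36"):
        line = f"{candidate:>10}: {status(candidate)}"
        if status(candidate) == "affected":
            line += f" (upgrade to {first_fixed_version(candidate)})"
        print(line)
```

Run it against the versions shipped in a build (the Oozie 6.0.44 case reports "affected (upgrade to 6.0.47)"); the ordering tuple is what makes `9.0.0.M10` compare above `9.0.0.M9` and `8.0.0` compare above `8.0.0.RC1`, which plain string or float comparison would not do.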
