Is there iManager exposure to the following Tomcat vulnerabilities: CVE-2016-0706, CVE-2016-0714, CVE-2016-0763?

  • 7017354
  • 11-Mar-2016
  • 01-Apr-2016

Environment

NetIQ iManager 3.0
NetIQ iManager 2.7.7

Situation

The following security vulnerabilities in Tomcat are applicable to the current versions of iManager:

CVE-2016-0706
This issue only affects users running untrusted web applications under a security manager. The internal StatusManagerServlet could be loaded by a malicious web application when a security manager was configured. This servlet could then provide the malicious web application with a list of all deployed applications and a list of the HTTP request lines for all requests currently being processed. This could have exposed sensitive information from other web applications, such as session IDs, to the web application.

CVE-2016-0714
This issue only affects users running untrusted web applications under a security manager. Tomcat provides several session persistence mechanisms. The StandardManager persists sessions across a restart. The PersistentManager is able to persist sessions to files, a database or a custom Store. The cluster implementation persists sessions to one or more additional nodes in the cluster. All of these mechanisms could be exploited to bypass a security manager. Session persistence is performed by Tomcat code with the permissions assigned to Tomcat internal code. By placing a carefully crafted object into a session, a malicious web application could trigger the execution of arbitrary code.

CVE-2016-0763
ResourceLinkFactory.setGlobalContext() is a public method and was accessible by web applications running under a security manager without any checks. This allowed a malicious web application to inject a malicious global context that could in turn be used to disrupt other web applications and/or read and write data owned by other web applications.

Resolution

This has been reported to Engineering. Resolving it will require an update to Tomcat, delivered via a new iManager patch.