PublicDateAtUSN: 2016-10-28
Candidate: CVE-2016-0762
PublicDate: 2017-08-10 16:29:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0762
 http://markmail.org/message/pzuk6hauzljnm4r7?q=list:org.apache.tomcat.announce/
 https://ubuntu.com/security/notices/USN-3177-1
 https://ubuntu.com/security/notices/USN-4557-1
Description:
 The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
Ubuntu-Description:
Notes:
 mdeslaur> tomcat7 in trusty doesn't look vulnerable
Bugs:
 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=842662
Priority: low
Discovered-by:
Assigned-to: mdeslaur
CVSS:
 nvd: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]
 nvd: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N [5.9 MEDIUM]

Patches_tomcat7:
 upstream: https://svn.apache.org/viewvc?view=revision&revision=1758502
upstream_tomcat7: released (7.0.72)
precise_tomcat7: ignored (reached end-of-life)
precise/esm_tomcat7: DNE (precise was needed)
trusty_tomcat7: not-affected (7.0.52-1ubuntu0.7)
trusty/esm_tomcat7: not-affected (7.0.52-1ubuntu0.7)
vivid/stable-phone-overlay_tomcat7: DNE
vivid/ubuntu-core_tomcat7: DNE
xenial_tomcat7: released (7.0.68-1ubuntu0.3)
yakkety_tomcat7: ignored (reached end-of-life)
zesty_tomcat7: ignored (reached end-of-life)
artful_tomcat7: ignored (reached end-of-life)
bionic_tomcat7: not-affected
cosmic_tomcat7: not-affected
focal_tomcat7: DNE
devel_tomcat7: DNE

Patches_tomcat6:
 upstream: https://svn.apache.org/viewvc?view=revision&revision=1758506
upstream_tomcat6: released (6.0.41-3)
precise_tomcat6: released (6.0.35-1ubuntu3.9)
precise/esm_tomcat6: released (6.0.35-1ubuntu3.9)
trusty_tomcat6: released (6.0.39-1ubuntu0.1)
trusty/esm_tomcat6: released (6.0.39-1ubuntu0.1)
vivid/stable-phone-overlay_tomcat6: DNE
vivid/ubuntu-core_tomcat6: DNE
xenial_tomcat6: released (6.0.45+dfsg-1ubuntu0.1)
yakkety_tomcat6: DNE
zesty_tomcat6: DNE
artful_tomcat6: DNE
bionic_tomcat6: DNE
cosmic_tomcat6: DNE
focal_tomcat6: DNE
devel_tomcat6: DNE

Patches_tomcat8:
 upstream: https://svn.apache.org/viewvc?view=revision&revision=1758501
upstream_tomcat8: released (8.0.37)
precise_tomcat8: DNE
precise/esm_tomcat8: DNE
trusty_tomcat8: DNE
trusty/esm_tomcat8: DNE
vivid/stable-phone-overlay_tomcat8: DNE
vivid/ubuntu-core_tomcat8: DNE
xenial_tomcat8: released (8.0.32-1ubuntu1.3)
esm-infra/xenial_tomcat8: released (8.0.32-1ubuntu1.3)
yakkety_tomcat8: not-affected (8.0.37-1)
zesty_tomcat8: not-affected (8.0.38-2)
artful_tomcat8: not-affected (8.0.38-2)
bionic_tomcat8: not-affected (8.0.38-2)
cosmic_tomcat8: not-affected (8.0.38-2)
focal_tomcat8: DNE
devel_tomcat8: DNE