CVE-2016-0762 (retired)

Priority
Description
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9,
8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45
did not process the supplied password if the supplied user name did not
exist. This made a timing attack possible to determine valid user names.
Note that the default configuration includes the LockOutRealm which makes
exploitation of this vulnerability harder.
Notes
 mdeslaur> tomcat7 in trusty doesn't look vulnerable
Assigned-to
mdeslaur
Package
Upstream:released (6.0.41-3)
Ubuntu 12.04 ESM (Precise Pangolin):released (6.0.35-1ubuntu3.9)
Ubuntu 14.04 LTS (Trusty Tahr):released (6.0.39-1ubuntu0.1)
Ubuntu 16.04 LTS (Xenial Xerus):not-affected (6.0.45+dfsg-1)
Ubuntu 18.04 LTS (Bionic Beaver):DNE
Ubuntu 18.10 (Cosmic Cuttlefish):DNE
Ubuntu 19.04 (Disco Dingo):DNE
Patches:
Upstream:https://svn.apache.org/viewvc?view=revision&revision=1758506
Package
Upstream:released (7.0.72)
Ubuntu 12.04 ESM (Precise Pangolin):DNE (precise was needed)
Ubuntu 14.04 LTS (Trusty Tahr):not-affected (7.0.52-1ubuntu0.7)
Ubuntu 16.04 LTS (Xenial Xerus):released (7.0.68-1ubuntu0.3)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected
Ubuntu 18.10 (Cosmic Cuttlefish):not-affected
Ubuntu 19.04 (Disco Dingo):not-affected
Patches:
Upstream:https://svn.apache.org/viewvc?view=revision&revision=1758502
Package
Upstream:released (8.0.37)
Ubuntu 12.04 ESM (Precise Pangolin):DNE
Ubuntu 14.04 LTS (Trusty Tahr):DNE
Ubuntu 16.04 LTS (Xenial Xerus):released (8.0.32-1ubuntu1.3)
Ubuntu 18.04 LTS (Bionic Beaver):not-affected (8.0.38-2)
Ubuntu 18.10 (Cosmic Cuttlefish):not-affected (8.0.38-2)
Ubuntu 19.04 (Disco Dingo):not-affected (8.0.38-2)
Patches:
Upstream:https://svn.apache.org/viewvc?view=revision&revision=1758501
More Information

Updated: 2019-03-26 12:18:05 UTC (commit ccdecfcf0fead22bd291e5f4ea745a46872dcb15)