CVE-2016-0762

Description

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

How to fix CVE-2016-0762

To remediate CVE-2016-0762, upgrade the affected package to a fixed version below.

• —upgrade to 6.0.45+dfsg-1~deb7u3 or later
• —upgrade to 7.0.28-4+deb7u7 or later
• —upgrade to 7.0.56-3+deb8u5 or later
• —upgrade to 8.0.14-1+deb8u4 or later
• —upgrade to 9.0.0.M10 or later

Is CVE-2016-0762 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (5)

• from 0, < 6.0.45+dfsg-1~deb7u3
• from 0, < 7.0.28-4+deb7u7
• from 0, < 7.0.56-3+deb8u5
• from 0, < 8.0.14-1+deb8u4
• >= 9.0.0M1, < 9.0.0.M10

CVSS scores

References (43)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-0762
• PATCHgithub.com/apache/tomcat
• WEBrhn.redhat.com/errata/RHSA-2017-0457.html
• WEBaccess.redhat.com/errata/RHSA-2017:0455
• WEBaccess.redhat.com/errata/RHSA-2017:0456