USN-4557-1

Source
https://ubuntu.com/security/notices/USN-4557-1
Import Source
https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-4557-1.json
JSON Data
https://api.osv.dev/v1/vulns/USN-4557-1
Related
Published
2020-09-30T12:55:19.962640Z
Modified
2020-09-30T12:55:19.962640Z
Summary
tomcat6 vulnerabilities
Details

It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn't exist. A remote attacker could possibly use this issue to enumerate usernames. (CVE-2016-0762)

Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application could possibly use this to bypass Security Manager restrictions. (CVE-2016-5018)

It was discovered that Tomcat incorrectly controlled reading system properties. A malicious application could possibly use this to bypass Security Manager restrictions. (CVE-2016-6794)

It was discovered that Tomcat incorrectly controlled certain configuration parameters. A malicious application could possibly use this to bypass Security Manager restrictions. (CVE-2016-6796)

It was discovered that Tomcat incorrectly limited access to global JNDI resources. A malicious application could use this to access any global JNDI resource without an explicit ResourceLink. (CVE-2016-6797)

Regis Leroy discovered that Tomcat incorrectly filtered certain invalid characters from the HTTP request line. A remote attacker could possibly use this issue to inject data into HTTP responses. (CVE-2016-6816)

Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener did not implement a recommended fix. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2016-8735)

References

Affected packages

Ubuntu:16.04:LTS / tomcat6

Package

Name
tomcat6
Purl
pkg:deb/ubuntu/tomcat6?arch=src?distro=xenial

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
6.0.45+dfsg-1ubuntu0.1

Affected versions

6.*

6.0.41-4
6.0.45+dfsg-1

Ecosystem specific

{
    "availability": "No subscription required",
    "binaries": [
        {
            "binary_version": "6.0.45+dfsg-1ubuntu0.1",
            "binary_name": "libservlet2.5-java"
        },
        {
            "binary_version": "6.0.45+dfsg-1ubuntu0.1",
            "binary_name": "libservlet2.5-java-doc"
        }
    ]
}