USN-4557-1

It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn't exist. A remote attacker could possibly use this issue to enumerate usernames. (CVE-2016-0762)

Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application could possibly use this to bypass Security Manager restrictions. (CVE-2016-5018)

It was discovered that Tomcat incorrectly controlled reading system properties. A malicious application could possibly use this to bypass Security Manager restrictions. (CVE-2016-6794)

It was discovered that Tomcat incorrectly controlled certain configuration parameters. A malicious application could possibly use this to bypass Security Manager restrictions. (CVE-2016-6796)

It was discovered that Tomcat incorrectly limited access to global JNDI resources. A malicious application could use this to access any global JNDI resource without an explicit ResourceLink. (CVE-2016-6797)

Regis Leroy discovered that Tomcat incorrectly filtered certain invalid characters from the HTTP request line. A remote attacker could possibly use this issue to inject data into HTTP responses. (CVE-2016-6816)

Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener did not implement a recommended fix. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2016-8735)