{"id":38783,"date":"2020-09-30T21:55:19","date_gmt":"2020-09-30T12:55:19","guid":{"rendered":"https:\/\/jirak.net\/wp\/usn-4557-1-tomcat-vulnerabilities\/"},"modified":"2020-09-30T23:34:38","modified_gmt":"2020-09-30T14:34:38","slug":"usn-4557-1-tomcat-vulnerabilities","status":"publish","type":"post","link":"https:\/\/jirak.net\/wp\/usn-4557-1-tomcat-vulnerabilities\/","title":{"rendered":"USN-4557-1: Tomcat vulnerabilities"},"content":{"rendered":"<p>USN-4557-1: Tomcat vulnerabilities<\/p>\n<p>It was discovered that the Tomcat realm implementations incorrectly handled<br \/>\npasswords when a username didn&#8217;t exist. A remote attacker could possibly<br \/>\nuse this issue to enumerate usernames. (CVE-2016-0762)<\/p>\n<p>Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly<br \/>\nlimited use of a certain utility method. A malicious application could<br \/>\npossibly use this to bypass Security Manager restrictions. (CVE-2016-5018)<\/p>\n<p>It was discovered that Tomcat incorrectly controlled reading system<br \/>\nproperties. A malicious application could possibly use this to bypass<br \/>\nSecurity Manager restrictions. (CVE-2016-6794)<\/p>\n<p>It was discovered that Tomcat incorrectly controlled certain configuration<br \/>\nparameters. A malicious application could possibly use this to bypass<br \/>\nSecurity Manager restrictions. (CVE-2016-6796)<\/p>\n<p>It was discovered that Tomcat incorrectly limited access to global JNDI<br \/>\nresources. A malicious application could use this to access any global JNDI<br \/>\nresource without an explicit ResourceLink. (CVE-2016-6797)<\/p>\n<p>Regis Leroy discovered that Tomcat incorrectly filtered certain invalid<br \/>\ncharacters from the HTTP request line. A remote attacker could possibly<br \/>\nuse this issue to inject data into HTTP responses. (CVE-2016-6816)<\/p>\n<p>Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener did not<br \/>\nimplement a recommended fix. 
A remote attacker could possibly use this<br \/>\nissue to execute arbitrary code. (CVE-2016-8735)<br \/>\nSource: <a href=\"https:\/\/ubuntu.com\/security\/notices\/USN-4557-1\" target=\"_blank\" rel=\"noopener noreferrer\">USN-4557-1: Tomcat vulnerabilities<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<div class=\"mh-excerpt\"><p>USN-4557-1: Tomcat vulnerabilities It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn&#8217;t exist. A remote attacker could possibly use this issue to enumerate usernames. (CVE-2016-0762) Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application could possibly use this to bypass Security Manager restrictions. (CVE-2016-5018) It was discovered that Tomcat incorrectly controlled reading system properties. A malicious application could possibly use this to bypass Security Manager restrictions. (CVE-2016-6794) It was discovered that Tomcat incorrectly controlled certain configuration parameters. A malicious application could possibly use this to bypass Security Manager restrictions. (CVE-2016-6796) It was discovered that Tomcat incorrectly limited access to global JNDI resources. A malicious application could use this to access any global JNDI resource without an explicit ResourceLink. 
(CVE-2016-6797) Regis Leroy discovered that Tomcat <a class=\"mh-excerpt-more\" href=\"https:\/\/jirak.net\/wp\/usn-4557-1-tomcat-vulnerabilities\/\" title=\"USN-4557-1: Tomcat vulnerabilities\">[ more&#8230; ]<\/a><\/p>\n<\/div>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[586],"tags":[587],"class_list":["post-38783","post","type-post","status-publish","format-standard","hentry","category-ubuntu-usn","tag-ubuntu-usn"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/38783","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/comments?post=38783"}],"version-history":[{"count":1,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/38783\/revisions"}],"predecessor-version":[{"id":38784,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/posts\/38783\/revisions\/38784"}],"wp:attachment":[{"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/media?parent=38783"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/categories?post=38783"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jirak.net\/wp\/wp-json\/wp\/v2\/tags?post=38783"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
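The timing oracle behind CVE-2016-0762, as an added Python example that is not part of the advisory or of Tomcat's own code: a toy realm over a constructed user store, once in the pre-fix shape (return before hashing when the username is unknown) and once with the fix applied (always run the password hash, against a dummy salt when the user is unknown, and fold the lookup result in only after a constant-time compare). The class and function names, the PBKDF2 parameters and the sample credentials are assumptions for the example. A `hash_calls` counter makes the asymmetry visible without a stopwatch; `main` also prints wall-clock timings for both realms.

```python
import hashlib
import hmac
import secrets
import time

# Constructed parameters for this example; a real realm would take them from
# its configured credential handler.
PBKDF2_ITERATIONS = 50_000
SALT_LEN = 16


def _pbkdf2(password: str, salt: bytes) -> bytes:
    """The deliberately slow password hash both realms share."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_store(credentials: dict) -> dict:
    """Constructed user store: username -> (salt, pbkdf2 digest)."""
    store = {}
    for username, password in credentials.items():
        salt = secrets.token_bytes(SALT_LEN)
        store[username] = (salt, _pbkdf2(password, salt))
    return store


class VulnerableRealm:
    """Pre-fix shape: an unknown username returns before any hashing is done,
    so that failure is orders of magnitude faster than a wrong password for a
    known user, and the difference is measurable over the network."""

    def __init__(self, store: dict):
        self.store = store
        self.hash_calls = 0  # counts the expensive operation per authenticate()

    def _hash(self, password: str, salt: bytes) -> bytes:
        self.hash_calls += 1
        return _pbkdf2(password, salt)

    def authenticate(self, username: str, password: str) -> bool:
        entry = self.store.get(username)
        if entry is None:
            return False  # fast path: leaks that the username does not exist
        salt, expected = entry
        return hmac.compare_digest(self._hash(password, salt), expected)


class HardenedRealm(VulnerableRealm):
    """Post-fix shape: the password is always hashed (against a per-realm dummy
    salt for unknown users), the comparison always runs, and the lookup result
    is folded in only at the end."""

    def __init__(self, store: dict):
        super().__init__(store)
        self.dummy_salt = secrets.token_bytes(SALT_LEN)
        # Digest an unknown user's password is compared against; the result of
        # that comparison is discarded, it exists only to keep the work equal.
        self.dummy_digest = _pbkdf2("", self.dummy_salt)

    def authenticate(self, username: str, password: str) -> bool:
        entry = self.store.get(username)
        found = entry is not None
        salt, expected = entry if found else (self.dummy_salt, self.dummy_digest)
        matches = hmac.compare_digest(self._hash(password, salt), expected)
        return matches and found


def timing_probe(realm, username: str, trials: int = 5) -> float:
    """Median wall-clock seconds for one failed login attempt against `username`."""
    samples = []
    for _ in range(trials):
        t0 = time.perf_counter()
        realm.authenticate(username, "definitely-not-the-password")
        samples.append(time.perf_counter() - t0)
    samples.sort()
    return samples[len(samples) // 2]


if __name__ == "__main__":
    store = build_store({"alice": "correct horse battery staple"})  # constructed
    for cls in (VulnerableRealm, HardenedRealm):
        realm = cls(store)
        known = timing_probe(realm, "alice")
        unknown = timing_probe(realm, "nobody")
        print(f"{cls.__name__}: known user {known * 1e3:.1f} ms, "
              f"unknown user {unknown * 1e3:.1f} ms, hashes run {realm.hash_calls}")
```

The fix is about equalising work, not about the compare alone: `hmac.compare_digest` removes the byte-by-byte leak in the digest comparison, but if the hash is skipped for unknown users the far larger cost difference of the key derivation still tells the attacker which usernames exist.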