{"id":"MGASA-2016-0367","summary":"Updated tomcat packages fix security vulnerability","details":"The Realm implementations did not process the supplied password if the\nsupplied user name did not exist. This made a timing attack possible to\ndetermine valid user names. Note that the default configuration includes\nthe LockOutRealm which makes exploitation of this vulnerability harder\n(CVE-2016-0762).\n\nA malicious web application was able to bypass a configured\nSecurityManager via a Tomcat utility method that was accessible to web\napplications (CVE-2016-5018).\n\nIt was discovered that the Tomcat packages installed configuration file\n/usr/lib/tmpfiles.d/tomcat.conf writeable to the tomcat group. A member\nof the group or a malicious web application deployed on Tomcat could use\nthis flaw to escalate their privileges (CVE-2016-5425).\n\nIt was discovered that the Tomcat packages installed certain\nconfiguration files read by the Tomcat initialization script as\nwriteable to the tomcat group. A member of the group or a malicious web\napplication deployed on Tomcat could use this flaw to escalate their\nprivileges (CVE-2016-6325).\n\nWhen a SecurityManager is configured, a web application's ability to\nread system properties should be controlled by the SecurityManager.\nTomcat's system property replacement feature for configuration files\ncould be used by a malicious web application to bypass the\nSecurityManager and read system properties that should not be visible\n(CVE-2016-6794).\n\nA malicious web application was able to bypass a configured\nSecurityManager via manipulation of the configuration parameters for the\nJSP Servlet (CVE-2016-6796).\n\nThe ResourceLinkFactory did not limit web application access to global\nJNDI resources to those resources explicitly linked to the web\napplication. Therefore, it was possible for a web application to access\nany global JNDI resource whether an explicit ResourceLink had been\nconfigured or not (CVE-2016-6797).\n","modified":"2026-04-16T01:48:11.665491234Z","published":"2016-11-04T22:29:35Z","upstream":["CVE-2016-0762","CVE-2016-5018","CVE-2016-5425","CVE-2016-6325","CVE-2016-6794","CVE-2016-6796","CVE-2016-6797"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2016-0367.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=19672"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2016/10/27/7"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2016/10/27/8"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2016/10/27/9"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2016/10/27/10"},{"type":"WEB","url":"http://openwall.com/lists/oss-security/2016/10/27/11"},{"type":"WEB","url":"https://rhn.redhat.com/errata/RHSA-2016-2046.html"}],"affected":[{"package":{"name":"tomcat","ecosystem":"Mageia:5","purl":"pkg:rpm/mageia/tomcat?arch=source&distro=mageia-5"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"7.0.72-1.mga5"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2016-0367.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}