CVE-2016-0762

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 9.0.0.M1 through 9.0.0.M9 Apache Tomcat versions 8.5.0 through 8.5.4 Apache Tomcat versions 8.0.0.RC1 through 8.0.36 Apache Tomcat versions 7.0.0 through 7.0.70 Apache Tomcat versions 6.0.0 through 6.0.45

Description The issue is related to the Realm implementations in Apache Tomcat, which did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. The default configuration includes the LockOutRealm, which makes exploitation of this issue harder. The vulnerability can be exploited by a remote attacker to determine all existing user names.

Recommendations For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M9, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 8.5.0 through 8.5.4, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 8.0.0.RC1 through 8.0.36, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 7.0.0 through 7.0.70, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 6.0.0 through 6.0.45, update to a version outside of this range to resolve the issue. As a temporary workaround, consider restricting access to the Realm implementations until a patch is available.