==========================================================================
Ubuntu Security Notice USN-4557-1
September 30, 2020
tomcat6 vulnerabilities
==========================================================================
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 16.04 LTS
Summary:
Several security issues were fixed in Tomcat.
Software Description:
- tomcat6: Servlet and JSP engine
Details:
It was discovered that the Tomcat realm implementations incorrectly handled
passwords when a username didn't exist. A remote attacker could possibly
use this issue to enumerate usernames. (CVE-2016-0762)

Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly
limited use of a certain utility method. A malicious application could
possibly use this to bypass Security Manager restrictions. (CVE-2016-5018)

It was discovered that Tomcat incorrectly controlled reading system
properties. A malicious application could possibly use this to bypass
Security Manager restrictions. (CVE-2016-6794)

It was discovered that Tomcat incorrectly controlled certain configuration
parameters. A malicious application could possibly use this to bypass
Security Manager restrictions. (CVE-2016-6796)

It was discovered that Tomcat incorrectly limited access to global JNDI
resources. A malicious application could use this to access any global JNDI
resource without an explicit ResourceLink. (CVE-2016-6797)

Regis Leroy discovered that Tomcat incorrectly filtered certain invalid
characters from the HTTP request line. A remote attacker could possibly
use this issue to inject data into HTTP responses. (CVE-2016-6816)

Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener did not
implement a recommended fix. A remote attacker could possibly use this
issue to execute arbitrary code. (CVE-2016-8735)
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 16.04 LTS:
libservlet2.5-java 6.0.45+dfsg-1ubuntu0.1
In general, a standard system update will make all the necessary changes.
References:
https://usn.ubuntu.com/4557-1
CVE-2016-0762, CVE-2016-5018, CVE-2016-6794, CVE-2016-6796,
CVE-2016-6797, CVE-2016-6816, CVE-2016-8735
Package Information:
https://launchpad.net/ubuntu/+source/tomcat6/6.0.45+dfsg-1ubuntu0.1