What is the severity of USN-3177-1?

The severity of USN-3177-1 is considered to be moderate due to its potential for username enumeration by remote attackers.

How do I fix USN-3177-1?

To fix USN-3177-1, upgrade to the specified patched versions of Tomcat and libtomcat that correspond to your Ubuntu version.

Which versions of Ubuntu are affected by USN-3177-1?

USN-3177-1 affects Ubuntu 12.04 LTS, 14.04 LTS, and 16.04 LTS.

What type of vulnerability is described in USN-3177-1?

USN-3177-1 describes a vulnerability that incorrectly handles passwords in Tomcat realm implementations.

Can USN-3177-1 be exploited over the internet?

Yes, USN-3177-1 can potentially be exploited by remote attackers over the internet to enumerate usernames.

Vulnerability/
USN-3177-1

23/1/2017

USN-3177-1: Tomcat vulnerabilities

First published: Mon Jan 23 2017(Updated: )

It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn't exist. A remote attacker could possibly use this issue to enumerate usernames. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-0762) Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5018) It was discovered that Tomcat did not protect applications from untrusted data in the HTTP_PROXY environment variable. A remote attacker could possibly use this issue to redirect outbound traffic to an arbitrary proxy server. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-5388) It was discovered that Tomcat incorrectly controlled reading system properties. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6794) It was discovered that Tomcat incorrectly controlled certain configuration parameters. A malicious application could possibly use this to bypass Security Manager restrictions. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6796) It was discovered that Tomcat incorrectly limited access to global JNDI resources. A malicious application could use this to access any global JNDI resource without an explicit ResourceLink. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. (CVE-2016-6797) Regis Leroy discovered that Tomcat incorrectly filtered certain invalid characters from the HTTP request line. A remote attacker could possibly use this issue to inject data into HTTP responses. (CVE-2016-6816) Pierre Ernst discovered that the Tomcat JmxRemoteLifecycleListener did not implement a recommended fix. A remote attacker could possibly use this issue to execute arbitrary code. (CVE-2016-8735) It was discovered that Tomcat incorrectly handled error handling in the send file code. A remote attacker could possibly use this issue to access information from other requests. (CVE-2016-8745) Paul Szabo discovered that the Tomcat package incorrectly handled upgrades and removals. A local attacker could possibly use this issue to obtain root privileges. (CVE-2016-9774, CVE-2016-9775)

Affected Software	Affected Version	How to fix
All of
ubuntu/libtomcat8-java	<8.0.37-1ubuntu0.1	8.0.37-1ubuntu0.1
Ubuntu gir1.2-packagekitglib-1.0	=16.10
All of
ubuntu/tomcat8	<8.0.37-1ubuntu0.1	8.0.37-1ubuntu0.1
Ubuntu gir1.2-packagekitglib-1.0	=16.10
All of
ubuntu/libtomcat8-java	<8.0.32-1ubuntu1.3	8.0.32-1ubuntu1.3
Ubuntu gir1.2-packagekitglib-1.0	=16.04
All of
ubuntu/tomcat8	<8.0.32-1ubuntu1.3	8.0.32-1ubuntu1.3
Ubuntu gir1.2-packagekitglib-1.0	=16.04
All of
ubuntu/libtomcat7-java	<7.0.52-1ubuntu0.8	7.0.52-1ubuntu0.8
Ubuntu gir1.2-packagekitglib-1.0	=14.04
All of
ubuntu/tomcat7	<7.0.52-1ubuntu0.8	7.0.52-1ubuntu0.8
Ubuntu gir1.2-packagekitglib-1.0	=14.04
All of
ubuntu/libtomcat6-java	<6.0.35-1ubuntu3.9	6.0.35-1ubuntu3.9
Ubuntu gir1.2-packagekitglib-1.0	=12.04
All of
ubuntu/tomcat6	<6.0.35-1ubuntu3.9	6.0.35-1ubuntu3.9
Ubuntu gir1.2-packagekitglib-1.0	=12.04

Never miss a vulnerability like this again

Reference Links

Child vulnerabilities

(Contains the following vulnerabilities)

Frequently Asked Questions

What is the severity of USN-3177-1?
The severity of USN-3177-1 is considered to be moderate due to its potential for username enumeration by remote attackers.
How do I fix USN-3177-1?
To fix USN-3177-1, upgrade to the specified patched versions of Tomcat and libtomcat that correspond to your Ubuntu version.
Which versions of Ubuntu are affected by USN-3177-1?
USN-3177-1 affects Ubuntu 12.04 LTS, 14.04 LTS, and 16.04 LTS.
What type of vulnerability is described in USN-3177-1?
USN-3177-1 describes a vulnerability that incorrectly handles passwords in Tomcat realm implementations.
Can USN-3177-1 be exploited over the internet?
Yes, USN-3177-1 can potentially be exploited by remote attackers over the internet to enumerate usernames.

agent/severity
agent/type
agent/last-modified-date
agent/first-publish-date
agent/title
agent/description
agent/event
agent/trending
agent/source
agent/references
agent/softwarecombine
agent/tags
collector/usn
source/Ubuntu
agent/software-canonical-lookup
agent/software-canonical-lookup-request
package-manager/ubuntu
vendor/ubuntu
canonical/ubuntu gir1.2-packagekitglib-1.0
version/ubuntu gir1.2-packagekitglib-1.0/16.10
version/ubuntu gir1.2-packagekitglib-1.0/16.04
version/ubuntu gir1.2-packagekitglib-1.0/14.04
version/ubuntu gir1.2-packagekitglib-1.0/12.04