{
  "threat_severity" : "Low",
  "public_date" : "2016-10-27T00:00:00Z",
  "bugzilla" : {
    "description" : "tomcat: timing attack in Realm implementation",
    "id" : "1390526",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1390526"
  },
  "cvss" : {
    "cvss_base_score" : "2.6",
    "cvss_scoring_vector" : "AV:N/AC:H/Au:N/C:P/I:N/A:N",
    "status" : "verified"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.7",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
    "status" : "verified"
  },
  "details" : [ "The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.", "The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder." ],
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 7",
    "release_date" : "2017-08-01T00:00:00Z",
    "advisory" : "RHSA-2017:2247",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7",
    "package" : "tomcat-0:7.0.76-2.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3.1",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0457",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0455",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0455",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "jbcs-httpd24-0:1-3.jbcs.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0455",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0455",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0455",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0455",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat7-0:7.0.70-16.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0455",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat8-0:8.0.36-17.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0455",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat-native-0:1.2.8-9.redhat_9.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0455",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6",
    "package" : "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el6"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0456",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "hibernate4-eap6-0:4.2.23-1.Final_redhat_1.1.ep6.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0456",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "jbcs-httpd24-0:1-3.jbcs.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0456",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "jbcs-httpd24-apache-commons-daemon-0:1.0.15-1.redhat_2.1.jbcs.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0456",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "jbcs-httpd24-apache-commons-daemon-jsvc-1:1.0.15-17.redhat_2.jbcs.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0456",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "mod_cluster-0:1.3.5-2.Final_redhat_2.1.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0456",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat7-0:7.0.70-16.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0456",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat8-0:8.0.36-17.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0456",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat-native-0:1.2.8-9.redhat_9.ep7.el7"
  }, {
    "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7",
    "release_date" : "2017-03-07T00:00:00Z",
    "advisory" : "RHSA-2017:0456",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7",
    "package" : "tomcat-vault-0:1.0.8-9.Final_redhat_2.1.ep7.el7"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 5",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat5",
    "cpe" : "cpe:/o:redhat:enterprise_linux:5"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat JBoss BRMS 5",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Data Grid 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_grid:6"
  }, {
    "product_name" : "Red Hat JBoss Data Virtualization 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 5",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Application Platform 6",
    "fix_state" : "Not affected",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat6",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 2",
    "fix_state" : "Will not fix",
    "package_name" : "tomcat7",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 3",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat7",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat JBoss Enterprise Web Server 3",
    "fix_state" : "Fix deferred",
    "package_name" : "tomcat8",
    "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Will not fix",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat JBoss Fuse Service Works 6",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6"
  }, {
    "product_name" : "Red Hat JBoss Operations Network 3",
    "fix_state" : "Out of support scope",
    "package_name" : "jbossweb",
    "cpe" : "cpe:/a:redhat:jboss_operations_network:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2016-0762\nhttps://nvd.nist.gov/vuln/detail/CVE-2016-0762\nhttps://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47\nhttps://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72\nhttps://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37" ],
  "name" : "CVE-2016-0762",
  "csaw" : false
}