The following flaw was found in Tomcat: The Realm implementations did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder. Upstream patches: 6.0.47: https://svn.apache.org/viewvc?view=revision&revision=1758506 7.0.72: https://svn.apache.org/viewvc?view=revision&revision=1758502 8.5.5: https://svn.apache.org/viewvc?view=revision&revision=1758500 8.0.37: https://svn.apache.org/viewvc?view=revision&revision=1758501 External References: https://tomcat.apache.org/security-6.html#Fixed_in_Apache_Tomcat_6.0.47 https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.72 https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.5_and_8.0.37
Created tomcat tracking bugs for this issue: Affects: fedora-all [bug 1390532] Affects: epel-6 [bug 1390533]
This issue has been addressed in the following products: Red Hat JBoss Web Server 3.1.0 Via RHSA-2017:0457 https://rhn.redhat.com/errata/RHSA-2017-0457.html
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Via RHSA-2017:0456 https://access.redhat.com/errata/RHSA-2017:0456
This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2017:0455 https://access.redhat.com/errata/RHSA-2017:0455
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2247 https://access.redhat.com/errata/RHSA-2017:2247
This vulnerability is out of security support scope for the following product: * Red Hat JBoss Operations Network 3 * Red Hat JBoss Data Grid 6 * Red Hat JBoss BRMS 5 * Red Hat JBoss Data Virtualization & Services 6 * Red Hat JBoss Fuse Service Works 6 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.