Apache Tomcat CVE-2016-8745 Information Disclosure Vulnerability

Apache Tomcat is prone to an information-disclosure vulnerability.

Attackers can exploit this issue to obtain sensitive information that may aid in further attacks.

The following versions are affected:

Apache Tomcat 9.0.0.M1 to 9.0.0.M13
Apache Tomcat 8.5.0 to 8.5.8

Information

Bugtraq ID: 94828
Class: Design Error
CVE: CVE-2016-8745

Remote: Yes
Local: No
Published: Dec 12 2016 12:00AM
Updated: Apr 14 2017 10:08AM
Credit: The vendor reported the issues.
Vulnerable: Redhat Enterprise Linux Workstation Optional 7
Redhat Enterprise Linux Workstation Optional 6
Redhat Enterprise Linux Workstation 7
Redhat Enterprise Linux Workstation 6
Redhat Enterprise Linux Server Optional 7
Redhat Enterprise Linux Server Optional 6
Redhat Enterprise Linux Server 7
Redhat Enterprise Linux Server 6
Redhat Enterprise Linux HPC Node Optional 6
Redhat Enterprise Linux Desktop Optional 6
Redhat Enterprise Linux ComputeNode Optional 7
Redhat Enterprise Linux ComputeNode 7
Redhat Enterprise Linux Client Optional 7
Redhat Enterprise Linux 7 Client
Oracle Solaris 11.3
Oracle Solaris 10
Apache Tomcat 8.5.8
Apache Tomcat 8.5.6
Apache Tomcat 8.5.5
Apache Tomcat 8.5.4
Apache Tomcat 9.0.0M8
Apache Tomcat 9.0.0M6
Apache Tomcat 9.0.0.M9
Apache Tomcat 9.0.0.M7
Apache Tomcat 9.0.0.M5
Apache Tomcat 9.0.0.M4
Apache Tomcat 9.0.0.M3
Apache Tomcat 9.0.0.M2
Apache Tomcat 9.0.0.M13
Apache Tomcat 9.0.0.M12
Apache Tomcat 9.0.0.M11
Apache Tomcat 9.0.0.M10
Apache Tomcat 9.0.0.M1
Apache Tomcat 8.5.3
Apache Tomcat 8.5.2
Apache Tomcat 8.5.0

Not Vulnerable: Apache Tomcat 8.5.9
Apache Tomcat 9.0.0.M15

References:

• Apache Homepage (Apache)
  
• Apache Tomcat 8.x vulnerabilities (Apache)
  
• Apache Tomcat 9.x vulnerabilities (Apache)
  
• IllegalArgumentException at java.nio.Buffer.position at SocketWrapperBase.transf (Apache)
  
• Oracle Solaris Third Party Bulletin - January 2017 (Oracle)
  

Source: www.securityfocus.com