Apache Tomcat Patches Important Security Vulnerabilities

Posted by & filed under Security Alerts.

The Apache Software Foundation (ASF) has released security updates to address several vulnerabilities in its Tomcat application server, one of which could allow a remote attacker to obtain sensitive information.

Apache Tomcat is an open source web server and servlet system, which uses several Java EE specifications like Java Servlet, JavaServer Pages (JSP), Expression Language, and WebSocket, and provides a “pure Java” HTTP web server environment for Java concept to run in.

Unlike Apache Struts2 vulnerabilities exploited to breach the systems of America credit reporting agency Equifax late last year, new Apache Tomcat vulnerabilities are less likely to be exploited in the wild.

Information Disclosure Vulnerability

The more critical flaw (CVE-2018-8037) of all in Apache Tomcat is an information disclosure vulnerability caused due to a bug in the tracking of connection closures which can lead to reuse of user sessions in a new connection.

The vulnerability, marked as important, was reported to the Apache Tomcat Security Team by Dmitry Treskunov on 16 June 2018 and made public on 22 July 2018.

The flaw affects Tomcat versions 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31, and it has been fixed in Tomcat 9.0.10 and 8.5.32.

Denial of Service (DoS) Vulnerability

Another important vulnerability, tracked as CVE-2018-1336, in Apache Tomcat resides in the UTF-8 decoder that can lead to a denial-of-service (DoS) condition.

“An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service,” the Apache Software Foundation says in its advisory.


Apache Tomcat Server Software Updates (Patches)

The vulnerability affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x, and has been addressed in Tomcat versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90.

The Apache Software Foundation also included a security patch in the latest Tomcat versions to address a low severity security constraints bypass bug (CVE-2018-8034), which occurs due to missing of the hostname verification when using TLS with the WebSocket client.

Administrators are strongly recommended to apply the software updates as soon as possible and are advised to allow only trusted users to have network access as well as monitor affected systems.

The Apache Software Foundation says it has not detected any incident of the exploitation of one of these Apache Tomcat vulnerabilities in the wild.

A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.


The information contained in this website is for general information purposes only. The information is gathered from The Hacker News while we endeavour to keep the information up to date and correct, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability or availability with respect to the website or the information, products, services, or related graphics contained on the website for any purpose. Any reliance you place on such information is therefore strictly at your own risk.
Through this website, you are able to link to other websites which are not under the control of CSIRT-CY. We have no control over the nature, content and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.
Every effort is made to keep the website up and running smoothly. However, CSIRT-CY takes no responsibility for, and will not be liable for, the website being temporarily unavailable due to technical issues beyond our control.