Vulnerability CVE-2016-8745


Published: 2017-08-10

Description:
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

Type:

CWE-388

(Error Handling)

Vendor: Apache
Product: Tomcat 
Version:
9.0.0
8.5.8
8.5.7
8.5.6
8.5.5
8.5.4
8.5.3
8.5.2
8.5.1
8.5.0
8.0.9
8.0.8
8.0.7
8.0.6
8.0.5
8.0.4
8.0.39
8.0.38
8.0.37
8.0.36
8.0.35
8.0.34
8.0.33
8.0.32
8.0.31
8.0.30
8.0.3
8.0.29
8.0.28
8.0.27
8.0.26
8.0.25
8.0.24
8.0.23
8.0.22
8.0.21
8.0.20
8.0.2
8.0.19
8.0.18
8.0.17
8.0.16
8.0.15
8.0.14
8.0.13
8.0.12
8.0.11
8.0.10
8.0.1
8.0.0
8.0
7.0.9
7.0.8
7.0.73
7.0.72
7.0.71
7.0.70
7.0.7
7.0.69
7.0.68
7.0.67
7.0.66
7.0.65
7.0.64
7.0.63
7.0.62
7.0.61
7.0.60
7.0.6
7.0.59
7.0.58
7.0.57
7.0.56
7.0.55
7.0.54
7.0.53
7.0.52
7.0.50
7.0.5
7.0.49
7.0.48
7.0.47
7.0.46
7.0.45
7.0.44
7.0.43
7.0.42
7.0.41
7.0.40
7.0.4
7.0.39
7.0.38
7.0.37
7.0.36
7.0.35
7.0.34
7.0.33
7.0.32
7.0.31
7.0.30
See more versions on NVD

CVSS2 => (AV:N/AC:L/Au:N/C:P/I:N/A:N)

CVSS Base Score
Impact Subscore
Exploitability Subscore
5/10
2.9/10
10/10
Exploit range
Attack complexity
Authentication
Remote
Low
No required
Confidentiality impact
Integrity impact
Availability impact
Partial
None
None

 References:
http://rhn.redhat.com/errata/RHSA-2017-0457.html
http://rhn.redhat.com/errata/RHSA-2017-0527.html
http://www.debian.org/security/2017/dsa-3754
http://www.debian.org/security/2017/dsa-3755
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
http://www.securityfocus.com/bid/94828
http://www.securitytracker.com/id/1037432
https://access.redhat.com/errata/RHSA-2017:0455
https://access.redhat.com/errata/RHSA-2017:0456
https://access.redhat.com/errata/RHSA-2017:0935
https://lists.apache.org/thread.html/4113c05d37f37c12b8033205684f04033c5f7a9bae117d4af23b32b4@%3Cannounce.tomcat.apache.org%3E
https://security.gentoo.org/glsa/201705-09
https://security.netapp.com/advisory/ntap-20180607-0002/

Related CVE
CVE-2018-8022
A carefully crafted invalid TLS handshake can cause Apache Traffic Server (ATS) to segfault. This affects version 6.2.2. To resolve this issue users running 6.2.2 should upgrade to 6.2.3 or later versions.
CVE-2018-11769
CouchDB administrative users before 2.2.0 can configure the database server via HTTP(S). Due to insufficient validation of administrator-supplied configuration settings via the HTTP API, it is possible for a CouchDB administrator user to escalate the...
CVE-2018-8037
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present ...
CVE-2018-1336
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and ...
CVE-2018-8032
Apache Axis 1.x up to and including 1.4 is vulnerable to a cross-site scripting (XSS) attack in the default servlet/services.
CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
CVE-2018-8027
Apache Camel 2.20.0 to 2.20.3 and 2.21.0 Core is vulnerable to XXE in XSD validation processor.
CVE-2018-8020
Apache Tomcat Native 1.2.0 to 1.2.16 and 1.1.23 to 1.1.34 has a flaw that does not properly check OCSP pre-produced responses, which are lists (multiple entries) of certificate statuses. Subsequently, revoked client certificates may not be properly i...

Copyright 2018, cxsecurity.com

 

Back to Top