ID CVE-2018-8037
Summary If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
References
Vulnerable Configurations
  • Apache Software Foundation Tomcat 8.5.5
    cpe:2.3:a:apache:tomcat:8.5.5
  • Apache Software Foundation Tomcat 8.5.6
    cpe:2.3:a:apache:tomcat:8.5.6
  • Apache Software Foundation Tomcat 8.5.7
    cpe:2.3:a:apache:tomcat:8.5.7
  • Apache Software Foundation Tomcat 8.5.8
    cpe:2.3:a:apache:tomcat:8.5.8
  • Apache Software Foundation Tomcat 8.5.9
    cpe:2.3:a:apache:tomcat:8.5.9
  • Apache Software Foundation Tomcat 8.5.10
    cpe:2.3:a:apache:tomcat:8.5.10
  • Apache Software Foundation Tomcat 8.5.11
    cpe:2.3:a:apache:tomcat:8.5.11
  • Apache Software Foundation Tomcat 8.5.12
    cpe:2.3:a:apache:tomcat:8.5.12
  • Apache Software Foundation Tomcat 8.5.13
    cpe:2.3:a:apache:tomcat:8.5.13
  • Apache Software Foundation Tomcat 8.5.14
    cpe:2.3:a:apache:tomcat:8.5.14
  • Apache Software Foundation Tomcat 8.5.15
    cpe:2.3:a:apache:tomcat:8.5.15
  • Apache Software Foundation Tomcat 8.5.23
    cpe:2.3:a:apache:tomcat:8.5.23
  • Apache Software Foundation Tomcat 8.5.24
    cpe:2.3:a:apache:tomcat:8.5.24
  • Apache Software Foundation Tomcat 8.5.27
    cpe:2.3:a:apache:tomcat:8.5.27
  • Apache Software Foundation Tomcat 8.5.28
    cpe:2.3:a:apache:tomcat:8.5.28
  • Apache Software Foundation Tomcat 8.5.29
    cpe:2.3:a:apache:tomcat:8.5.29
  • Apache Software Foundation Tomcat 9.0.0
    cpe:2.3:a:apache:tomcat:9.0.0
  • Apache Software Foundation Tomcat 9.0.0 M10
    cpe:2.3:a:apache:tomcat:9.0.0:m10
  • Apache Software Foundation Tomcat 9.0.0 M11
    cpe:2.3:a:apache:tomcat:9.0.0:m11
  • Apache Software Foundation Tomcat 9.0.0 M12
    cpe:2.3:a:apache:tomcat:9.0.0:m12
  • Apache Software Foundation Tomcat 9.0.0 M13
    cpe:2.3:a:apache:tomcat:9.0.0:m13
  • Apache Software Foundation Tomcat 9.0.0 M14
    cpe:2.3:a:apache:tomcat:9.0.0:m14
  • Apache Software Foundation Tomcat 9.0.0 M15
    cpe:2.3:a:apache:tomcat:9.0.0:m15
  • Apache Software Foundation Tomcat 9.0.0 M16
    cpe:2.3:a:apache:tomcat:9.0.0:m16
  • Apache Software Foundation Tomcat 9.0.0 M17
    cpe:2.3:a:apache:tomcat:9.0.0:m17
  • Apache Software Foundation Tomcat 9.0.0 M18
    cpe:2.3:a:apache:tomcat:9.0.0:m18
  • Apache Software Foundation Tomcat 9.0.0 M19
    cpe:2.3:a:apache:tomcat:9.0.0:m19
  • Apache Software Foundation Tomcat 9.0.0 M20
    cpe:2.3:a:apache:tomcat:9.0.0:m20
  • Apache Software Foundation Tomcat 9.0.0 M21
    cpe:2.3:a:apache:tomcat:9.0.0:m21
  • Apache Software Foundation Tomcat 9.0.0 M22
    cpe:2.3:a:apache:tomcat:9.0.0:m22
  • Apache Software Foundation Tomcat 9.0.0 M23
    cpe:2.3:a:apache:tomcat:9.0.0:m23
  • Apache Software Foundation Tomcat 9.0.0 M24
    cpe:2.3:a:apache:tomcat:9.0.0:m24
  • Apache Software Foundation Tomcat 9.0.0 M25
    cpe:2.3:a:apache:tomcat:9.0.0:m25
  • Apache Software Foundation Tomcat 9.0.0 M26
    cpe:2.3:a:apache:tomcat:9.0.0:m26
  • Apache Software Foundation Tomcat 9.0.0 M27
    cpe:2.3:a:apache:tomcat:9.0.0:m27
  • Apache Software Foundation Tomcat 9.0.0 M9
    cpe:2.3:a:apache:tomcat:9.0.0:m9
  • Apache Software Foundation Tomcat 9.0.1
    cpe:2.3:a:apache:tomcat:9.0.1
  • Apache Software Foundation Tomcat 9.0.2
    cpe:2.3:a:apache:tomcat:9.0.2
  • Apache Software Foundation Tomcat 9.0.3
    cpe:2.3:a:apache:tomcat:9.0.3
  • Apache Software Foundation Tomcat 9.0.4
    cpe:2.3:a:apache:tomcat:9.0.4
  • Apache Software Foundation Tomcat 9.0.5
    cpe:2.3:a:apache:tomcat:9.0.5
  • Apache Software Foundation Tomcat 9.0.6
    cpe:2.3:a:apache:tomcat:9.0.6
  • Apache Software Foundation Tomcat 9.0.7
    cpe:2.3:a:apache:tomcat:9.0.7
  • Debian Linux 9.0
    cpe:2.3:o:debian:debian_linux:9.0
CVSS
Base: 4.3
Impact:
Exploitability:
CWE CWE-362
CAPEC
  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
nessus via4
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1019.NASL
    description This update for tomcat to 8.0.53 fixes the following issues : Security issues fixed : - CVE-2018-1336: An improper handling of overflow in the UTF-8 decoder with supplementary characters could have led to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). Bug fixes : - bsc#1067720: Avoid overwriting of customer's configuration during update. - bsc#1095472: Add Obsoletes for tomcat6 packages. This update was imported from the SUSE:SLE-12-SP2:Update update project.
    last seen 2019-01-16
    modified 2018-09-17
    plugin id 117526
    published 2018-09-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117526
    title openSUSE Security Update : tomcat (openSUSE-2018-1019)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2018-1129.NASL
    description This update for tomcat to version 9.0.10 fixes the following issues : Security issues fixed : - CVE-2018-1336: An improper handling of overflow in the UTF-8 decoder with supplementary characters could have led to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). Bug fixes : - Avoid overwriting of customer's configuration during update (bsc#1067720) - Disable adding OSGi metadata to JAR files - See changelog at http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#Tomcat_9.0.10_(markt) This update was imported from the SUSE:SLE-15:Update update project.
    last seen 2019-01-16
    modified 2018-10-09
    plugin id 117983
    published 2018-10-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117983
    title openSUSE Security Update : tomcat (openSUSE-2018-1129)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-4281.NASL
    description Several issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak.
    last seen 2019-01-16
    modified 2018-11-13
    plugin id 112185
    published 2018-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=112185
    title Debian DSA-4281-1 : tomcat8 - security update
  • NASL family Web Servers
    NASL id TOMCAT_8_5_32.NASL
    description The version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.32. It is, therefore, affected by multiple vulnerabilities.
    last seen 2019-01-16
    modified 2018-10-11
    plugin id 111068
    published 2018-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111068
    title Apache Tomcat 8.5.0 < 8.5.32 Multiple Vulnerabilities
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2018-2868.NASL
    description An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and Red Hat JBoss Web Server 5.0 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.0 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 5.0, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * tomcat: Information Disclosure (CVE-2018-8037) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen 2019-01-16
    modified 2019-01-09
    plugin id 117912
    published 2018-10-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=117912
    title RHEL 6 / 7 : Red Hat JBoss Web Server 5.0 Service Pack 1 (RHSA-2018:2868)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2018-1056.NASL
    description The default settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. (CVE-2018-8014) An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 8.5.0 to 8.5.30. (CVE-2018-1336) The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 8.5.0 to 8.5.31. (CVE-2018-8034) A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection. Versions Affected: Apache Tomcat 8.5.5 to 8.5.31. (CVE-2018-8037)
    last seen 2019-01-16
    modified 2018-08-31
    plugin id 111611
    published 2018-08-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111611
    title Amazon Linux AMI : tomcat8 (ALAS-2018-1056)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2018-B1832101B8.NASL
    description This update includes a rebase from 8.5.30 up to 8.5.32 which resolves two CVEs along with various other bugs/features : - rhbz#1579612 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins - rhbz#1607586 CVE-2018-8034 tomcat: host name verification missing in WebSocket client - rhbz#1607584 CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2019-01-03
    plugin id 120717
    published 2019-01-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=120717
    title Fedora 28 : 1:tomcat (2018-b1832101b8)
redhat via4
advisories
  • rhsa
    id RHSA-2018:2867
  • rhsa
    id RHSA-2018:2868
refmap via4
bid 104894
confirm
debian DSA-4281
mlist
  • [www-announce] 20180722 [SECURITY] CVE-2018-8037 Apache Tomcat - Information Disclosure
  • [www-announce] 20180809 [UPDATE][SECURITY] CVE-2018-8037 Apache Tomcat - Information Disclosure
sectrack 1041376
the hacker news via4
id THN:D761F7EF41472ED13C52BD3AF1E1F9BA
last seen 2018-07-24
modified 2018-07-24
published 2018-07-24
reporter The Hacker News
source https://thehackernews.com/2018/07/apache-tomcat-server.html
title Apache Tomcat Patches Important Security Vulnerabilities
Last major update 02-08-2018 - 10:29
Published 02-08-2018 - 10:29
Last modified 16-10-2018 - 21:31