The Apache Software Foundation (ASF) has released security updates to address several vulnerabilities in its Tomcat application server. One of the vulnerabilities could even permit a remote attacker to obtain sensitive information.
Apache Tomcat is the most widely used open source web application server and servlet container, implementing numerous Java EE specifications such as Java Servlet, JavaServer Pages (JSP), Java Expression Language and Java WebSocket.
The ASF has informed its users of several security vulnerabilities in the Tomcat application server, which are less likely to be exploited in the wild than the Apache Struts vulnerabilities of the previous year.
Apache Tomcat — Information Disclosure Vulnerability
One of the flaws, tracked as CVE-2018-8037, is the most critical of the three: an information disclosure vulnerability caused by a bug in the tracking of connection closures, which can lead to the reuse of user sessions in a new connection.
This vulnerability, rated Important, was reported to the Apache Tomcat Security Team by Dmitry Treskunov on 16 June 2018 and was made public on 22 July 2018.
The flaw affects Tomcat versions 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31, and it has been fixed in Tomcat 9.0.10 and 8.5.32.
Apache Tomcat — Denial of Service (DoS) Vulnerability
The vulnerability tracked as CVE-2018-1336 in Apache Tomcat is also rated Important; it lies in the UTF-8 decoder and can lead to a denial-of-service (DoS) condition.
The ASF states in its advisory that improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a denial of service.
Apache Tomcat Server Software Updates
The vulnerability affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x, and has been addressed in Tomcat versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90.
The Apache Software Foundation also included a security patch in the latest Tomcat versions to address a low-severity security constraint bypass bug (CVE-2018-8034), which occurs because the WebSocket client does not perform hostname verification when using TLS.
All users are strongly recommended to apply the software updates as soon as possible, to allow only trusted users network access, and to monitor affected systems. ASF says it has not detected any exploitation of these vulnerabilities in the wild. However, a remote attacker could exploit one of them to obtain sensitive information.
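To turn the version information above into something an administrator can actually run against an inventory, here is an added example (not code from the article or from the Apache Tomcat project) that parses Tomcat version strings, including milestone and release-candidate suffixes such as 9.0.0.M9, and reports which of the two advisories with stated version data apply to a given installation. The affected ranges and fix versions are taken from the article as written; for CVE-2018-1336, where the article lists only branches and fix versions, every release in a branch that is older than that branch's fix version is treated as affected. CVE-2018-8034 is omitted because the article gives no version range for it. The function names and the ADVISORIES table are assumptions for this example.

```python
"""Check an installed Apache Tomcat version against the advisories in the article.

Example code, not part of the article or the Tomcat project. Affected ranges and
fix versions are copied from the text above; everything else is an assumption.
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# Pre-release tags sort before the final release; milestones precede candidates.
_PRE_RANK = {"M": 0, "RC": 1}
_FINAL_RANK = 2

VersionKey = Tuple[int, int, int, int, int]

# Version data as stated in the article (not verified against the ASF advisory).
ADVISORIES: Dict[str, Dict[str, List]] = {
    "CVE-2018-8037": {  # information disclosure: explicit affected ranges
        "ranges": [("9.0.0.M9", "9.0.9"), ("8.5.5", "8.5.31")],
        "fixed_in": ["9.0.10", "8.5.32"],
    },
    "CVE-2018-1336": {  # UTF-8 decoder DoS: branches + fix versions only
        "ranges": [],
        "fixed_in": ["9.0.7", "8.5.32", "8.0.52", "7.0.90"],
    },
}


def parse_version(version: str) -> VersionKey:
    """Turn '9.0.0.M9' or '8.5.31' into a tuple that sorts in release order."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4):  # pre-release such as M9 or RC1
        return (major, minor, patch, _PRE_RANK[m.group(4)], int(m.group(5)))
    return (major, minor, patch, _FINAL_RANK, 0)


def fix_for(version: str, cve: str) -> Optional[str]:
    """Return the fixed release on the same major.minor branch, if the article lists one."""
    branch = parse_version(version)[:2]
    for fixed in ADVISORIES[cve]["fixed_in"]:
        if parse_version(fixed)[:2] == branch:
            return fixed
    return None


def is_affected(version: str, cve: str) -> bool:
    """True if the installed version falls inside an affected range for the CVE."""
    adv = ADVISORIES[cve]
    pv = parse_version(version)
    if adv["ranges"]:
        # Explicit inclusive ranges from the article.
        return any(parse_version(lo) <= pv <= parse_version(hi) for lo, hi in adv["ranges"])
    # Branch-only data: affected if a fix exists for this branch and we are older than it.
    fixed = fix_for(version, cve)
    return fixed is not None and pv < parse_version(fixed)


def audit(version: str) -> List[str]:
    """Sorted list of CVE identifiers from the table that apply to this version."""
    return sorted(cve for cve in ADVISORIES if is_affected(version, cve))


def report(version: str) -> str:
    """Human-readable one-line summary with the upgrade target per CVE."""
    hits = audit(version)
    if not hits:
        return f"Tomcat {version}: not affected by the listed advisories"
    parts = [f"{cve} (upgrade to {fix_for(version, cve)})" for cve in hits]
    return f"Tomcat {version}: affected by " + ", ".join(parts)


if __name__ == "__main__":
    # Usage: python tomcat_check.py 8.5.31 9.0.0.M9 ...
    for arg in sys.argv[1:] or ["8.5.31"]:
        print(report(arg))
```

Run it with one or more version strings as arguments (the value reported by `version.sh`, or the `Server` header if the server exposes it). Because the data table is just a dictionary, the same checker can be extended with ranges from the official ASF advisory when those differ from the article's summary.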