The Apache Software Foundation has rolled out security updates for the Tomcat application server that address several flaws.
The Apache Software Foundation has released security updates for the Tomcat application server that address several vulnerabilities, including issues that trigger a denial-of-service (DoS) condition or can lead to information disclosure.
Apache Tomcat is an open-source Java Servlet Container that implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a “pure Java” HTTP web server environment in which Java code can run.
It has been estimated that Tomcat has a market share of over 60 percent.
The first flaw addressed by the Apache Software Foundation is CVE-2018-8037, an important bug in the tracking of connection closures that can lead to the reuse of user sessions in a new connection.
The flaw affects Tomcat versions 9.0.0.M9 through 9.0.9 and 8.5.5 through 8.5.31. Tomcat 9.0.10 and 8.5.32 releases address the vulnerabilities.
Another important issue addressed by the Foundation is CVE-2018-1336: improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, triggering a denial-of-service condition.
The vulnerability affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x.
Versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90 address the vulnerability.
The Apache Software Foundation also fixed a low-severity security constraint bypass tracked as CVE-2018-8034.
“The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default,” reads the security advisory.
The vulnerability has been addressed with the release of the latest Tomcat 7.0.x, 8.0.x, 8.5.x and 9.0.x versions.
US-CERT has released a security alert urging users to apply the security updates.
“The Apache Software Foundation has released security updates to address vulnerabilities in Apache Tomcat versions 9.0.0.M9 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. A remote attacker could exploit one of these vulnerabilities to obtain sensitive information,” reads the security advisory published by US-CERT.
“NCCIC encourages users and administrators to review the Apache security advisories for CVE-2018-8037 and CVE-2018-1336 and apply the necessary updates.”
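To turn the version ranges quoted from the US-CERT alert into a check an administrator can run against an inventory, here is an added Python example (not code from the article, Apache or US-CERT). It parses Tomcat version strings, including milestone (M) and release-candidate (RC) builds, and reports which advisory range, if any, a version falls in; the inventory values are constructed.

```python
import re
from typing import List, Tuple

# Affected ranges as stated in the US-CERT alert quoted above, inclusive
# on both ends: (branch label, first affected, last affected).
AFFECTED_RANGES = [
    ("9.0.x", "9.0.0.M9", "9.0.9"),
    ("8.5.x", "8.5.0", "8.5.31"),
    ("8.0.x", "8.0.0.RC1", "8.0.51"),
    ("7.0.x", "7.0.28", "7.0.86"),
]

# Accepts "9.0.9", "9.0.0.M9" and "8.0.0-RC1" style strings.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-](M|RC)(\d+))?$")

# Milestones (M) sort before release candidates (RC), and both sort before
# a GA release with the same x.y.z, so 9.0.0.M9 < 9.0.1 as Tomcat numbers them.
_STAGE_RANK = {"M": 0, "RC": 1, None: 2}


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a tuple that sorts in release order."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, stage, stage_num = m.groups()
    return (int(major), int(minor), int(patch),
            _STAGE_RANK[stage], int(stage_num) if stage_num else 0)


def affected_branches(version: str) -> List[str]:
    """Return the labels of the advisory ranges that contain `version`."""
    v = parse_version(version)
    return [label for label, low, high in AFFECTED_RANGES
            if parse_version(low) <= v <= parse_version(high)]


def is_affected(version: str) -> bool:
    return bool(affected_branches(version))


if __name__ == "__main__":
    # Constructed sample inventory: host name -> Tomcat version it reports.
    inventory = {"app-01": "9.0.0.M9", "app-02": "9.0.10",
                 "app-03": "8.0.0.RC1", "app-04": "7.0.90"}
    for host, ver in inventory.items():
        status = "UPDATE NEEDED" if is_affected(ver) else "ok"
        print(f"{host}: Tomcat {ver} -> {status}")
```

Note that the check only compares version numbers against the quoted ranges; a host that has been patched out-of-band while still reporting an old version string would still be flagged.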
Apache Tomcat vulnerabilities are less likely to be exploited in the wild.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer.
Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years' experience in the field and is a Certified Ethical Hacker (EC-Council, London). A passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US.
Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines.
He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".