Security Alert

Apache Tomcat Vulnerabilities

Original date: 26.07.2018
Overall risk classification: HIGH

Overview

Apache has published updates fixing two severe security issues in all active branches of Tomcat.
The first vulnerability may cause an existing user session to be reused for a new connection, disclosing information to a different client [1].
The second vulnerability is an overflow in the UTF-8 decoder: a crafted request can send the decoder into an infinite loop, resulting in a Denial of Service [2].

Systems Affected

All Tomcat installations running 9.0.9, 8.5.31, 8.0.51 or 7.0.86 or any earlier release of the respective branch [1, 2].

Threat

Risk: HIGH
If your project operates a Tomcat web server in a vulnerable version, unauthorised users may be able to obtain information belonging to other users or endanger the availability of the project.
Exploitability: MEDIUM
Both vulnerabilities stem from improper handling of untrusted input on the server side: an attacker only needs to send a request containing malicious data to a vulnerable instance.
Priority (for affected, internet-exposed systems): HIGH
Priority (for internal systems): MEDIUM

Mitigation

If you deploy Apache Tomcat servers directly, update your systems to the latest version (9.0.10, 8.5.32, 8.0.52 or 7.0.90) [3, 4, 5]. If you rely on software which bundles a Tomcat server internally (Hybris, for instance), look out for updates of that software. Note that such bundled instances are easily overlooked in an inventory; check the version string of every catalina.jar on your hosts, not only the Tomcat packages installed by the operating system.
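To check which installations need the update, the following script (an added example written for this alert, not part of the advisory or of Tomcat itself) parses Tomcat version strings as they appear in the server.info line of ServerInfo.properties (inside lib/catalina.jar), in the output of bin/version.sh, or in an HTTP Server header, and compares them against the fixed releases named above. The sample inputs are constructed for illustration; on a real host you would feed it the actual version strings. Branches not covered by this alert (e.g. the end-of-life 6.0 line) are reported as unassessable rather than as fixed.

```python
import re

# Lowest fixed release per branch, taken from the mitigation section of this alert.
FIXED_RELEASES = {
    (7, 0): (7, 0, 90),
    (8, 0): (8, 0, 52),
    (8, 5): (8, 5, 32),
    (9, 0): (9, 0, 10),
}

# Matches "Apache Tomcat/9.0.9", "Apache Tomcat/9.0.0.M9" (milestone) or "Apache Tomcat/8.0.0.RC1".
_VERSION_RE = re.compile(r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)(?:\.(M\d+|RC\d+))?")


def parse_version(text):
    """Return (major, minor, patch) for a Tomcat version string, or None if no Tomcat version is present.

    Milestone/RC suffixes are dropped: 9.0.0.M9 sorts as 9.0.0, which is below every fixed release,
    so pre-release builds are correctly reported as vulnerable.
    """
    match = _VERSION_RE.search(text)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1, 2, 3))


def is_vulnerable(version):
    """True if the version is below the fixed release of its branch, False if fixed,
    None if the branch is not covered by this alert (e.g. 6.0.x)."""
    fixed = FIXED_RELEASES.get(version[:2])
    if fixed is None:
        return None
    return version < fixed


def assess(text):
    """Classify one version string as 'not-tomcat', 'unknown-branch', 'VULNERABLE' or 'fixed'."""
    version = parse_version(text)
    if version is None:
        return ("not-tomcat", None)
    result = is_vulnerable(version)
    if result is None:
        return ("unknown-branch", version)
    return ("VULNERABLE" if result else "fixed", version)


# Constructed sample inputs: one server.info line per (hypothetical) host, plus two
# strings that are not a supported Tomcat version at all.
SAMPLE_INVENTORY = {
    "app01": "server.info=Apache Tomcat/8.5.31",
    "app02": "Server version: Apache Tomcat/9.0.10",
    "hybris-bundled": "server.info=Apache Tomcat/7.0.86",
    "legacy": "Server: Apache Tomcat/6.0.53",
    "proxy": "Server: nginx/1.14.0",
    "ci-test": "server.info=Apache Tomcat/9.0.0.M9",
}


def report(inventory):
    """Return {host: status} for every entry and print a one-line summary per host."""
    results = {}
    for host, text in inventory.items():
        status, version = assess(text)
        results[host] = status
        shown = ".".join(map(str, version)) if version else "-"
        print(f"{host:15} {shown:10} {status}")
    return results


if __name__ == "__main__":
    report(SAMPLE_INVENTORY)
```

Only hosts reported as "fixed" can be ruled out; "unknown-branch" entries must be assessed separately, since this alert makes no statement about them.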

Author

Maximiliane Zirm

References

[1] https://markmail.org/message/oykagp23gljirbnq
[2] https://markmail.org/message/tzkmjuwhngvw3ygq
[3] http://tomcat.apache.org/security-7.html
[4] http://tomcat.apache.org/security-8.html
[5] http://tomcat.apache.org/security-9.html

If you need help assessing the risk of your project, do not hesitate to contact us!