5
CVSSv2

CVE-2016-8745

Published: 10/08/2017 Updated: 15/04/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 445
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

Most Upvoted Vulmon Research Post

There is no Researcher post for this vulnerability
Would you like to share something about it? Sign up now to share your knowledge with the community.
Vulnerable Product Search on Vulmon Subscribe to Product

apache tomcat 7.0.33

apache tomcat 7.0.34

apache tomcat 7.0.22

apache tomcat 7.0.23

apache tomcat 7.0.30

apache tomcat 7.0.11

apache tomcat 7.0.18

apache tomcat 7.0.19

apache tomcat 7.0.7

apache tomcat 7.0.8

apache tomcat 7.0.45

apache tomcat 7.0.46

apache tomcat 7.0.54

apache tomcat 7.0.55

apache tomcat 7.0.63

apache tomcat 7.0.64

apache tomcat 7.0.71

apache tomcat 7.0.72

apache tomcat 8.0.1

apache tomcat 8.0.2

apache tomcat 8.0.3

apache tomcat 8.0.10

apache tomcat 8.0.11

apache tomcat 8.0.18

apache tomcat 8.0.19

apache tomcat 8.0.27

apache tomcat 8.0.28

apache tomcat 8.0.35

apache tomcat 8.0.36

apache tomcat 8.5.3

apache tomcat 8.5.4

apache tomcat 9.0.0

apache tomcat 7.0.35

apache tomcat 7.0.36

apache tomcat 7.0.24

apache tomcat 7.0.25

apache tomcat 7.0.12

apache tomcat 7.0.13

apache tomcat 7.0.20

apache tomcat 7.0.1

apache tomcat 7.0.9

apache tomcat 7.0.0

apache tomcat 7.0.47

apache tomcat 7.0.48

apache tomcat 7.0.56

apache tomcat 7.0.57

apache tomcat 7.0.58

apache tomcat 7.0.65

apache tomcat 7.0.66

apache tomcat 7.0.73

apache tomcat 8.0

apache tomcat 8.0.4

apache tomcat 8.0.5

apache tomcat 8.0.12

apache tomcat 8.0.13

apache tomcat 8.0.20

apache tomcat 8.0.21

apache tomcat 8.0.29

apache tomcat 8.0.30

apache tomcat 8.0.37

apache tomcat 8.0.38

apache tomcat 8.5.5

apache tomcat 8.5.6

apache tomcat 7.0.31

apache tomcat 7.0.32

apache tomcat 7.0.40

apache tomcat 7.0.21

apache tomcat 7.0.28

apache tomcat 7.0.29

apache tomcat 7.0.16

apache tomcat 7.0.17

apache tomcat 7.0.5

apache tomcat 7.0.6

apache tomcat 7.0.43

apache tomcat 7.0.44

apache tomcat 7.0.52

apache tomcat 7.0.53

apache tomcat 7.0.61

apache tomcat 7.0.62

apache tomcat 7.0.69

apache tomcat 7.0.70

apache tomcat 8.0.0

apache tomcat 8.0.8

apache tomcat 8.0.9

apache tomcat 8.0.16

apache tomcat 8.0.17

apache tomcat 8.0.24

apache tomcat 8.0.25

apache tomcat 8.0.26

apache tomcat 8.0.33

apache tomcat 8.0.34

apache tomcat 8.5.1

apache tomcat 8.5.2

apache tomcat 7.0.37

apache tomcat 7.0.38

apache tomcat 7.0.39

apache tomcat 7.0.26

apache tomcat 7.0.27

apache tomcat 7.0.14

apache tomcat 7.0.15

apache tomcat 7.0.2

apache tomcat 7.0.3

apache tomcat 7.0.4

apache tomcat 7.0.41

apache tomcat 7.0.42

apache tomcat 7.0.49

apache tomcat 7.0.50

apache tomcat 7.0.59

apache tomcat 7.0.60

apache tomcat 7.0.67

apache tomcat 7.0.68

apache tomcat 8.0.6

apache tomcat 8.0.7

apache tomcat 8.0.14

apache tomcat 8.0.15

apache tomcat 8.0.22

apache tomcat 8.0.23

apache tomcat 8.0.31

apache tomcat 8.0.32

apache tomcat 8.0.39

apache tomcat 8.5.0

apache tomcat 8.5.7

apache tomcat 8.5.8

Vendor Advisories

Synopsis Moderate: tomcat6 security update Type/Severity Security Advisory: Moderate Topic An update for tomcat6 is now available for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base score, wh ...
Synopsis Moderate: tomcat security update Type/Severity Security Advisory: Moderate Topic An update for tomcat is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring System (CVSS) base score, whic ...
It was discovered that incorrect error handling in the NIO HTTP connector of the Tomcat servlet and JSP engine could result in information disclosure For the stable distribution (jessie), this problem has been fixed in version 7056-3+deb8u7 We recommend that you upgrade your tomcat7 packages ...
It was discovered that incorrect error handling in the NIO HTTP connector of the Tomcat servlet and JSP engine could result in information disclosure For the stable distribution (jessie), this problem has been fixed in version 8014-1+deb8u6 For the testing distribution (stretch), this problem has been fixed in version 859-1 For the unstable ...
A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times This in turn meant that the same Processor could be used for concurrent requests Sharing a Processor can result in information leakage between requests including, not not limited t ...
Synopsis Important: Red Hat JBoss Web Server security and enhancement update Type/Severity Security Advisory: Important Topic An update is now available for Red Hat JBoss Web ServerRed Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring System ...
A bug was discovered in the error handling of the send file code for the NIO HTTP connector This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body ...
It was discovered that the code that parsed the HTTP request line permittedinvalid characters This could be exploited, in conjunction with a proxy thatalso permitted the invalid characters but with a different interpretation, toinject data into the HTTP response By manipulating the HTTP response theattacker could poison a web-cache, perform an XS ...
Several security issues were fixed in Tomcat ...
USN-3177-1 introduced a regression in Tomcat ...
Oracle Solaris Third Party Bulletin - January 2017 Description The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Up ...
Oracle Linux Bulletin - January 2017 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin Oracle Linux Bulletins are published on the same day as Oracle Critical ...
Oracle Solaris Third Party Bulletin - April 2017 Description The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical Patch Upda ...
Oracle Critical Patch Update Advisory - April 2018 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous ...
Oracle Linux Bulletin - April 2017 Description The Oracle Linux Bulletin lists all CVEs that had been resolved and announced in Oracle Linux Security Advisories (ELSA) in the last one month prior to the release of the bulletin Oracle Linux Bulletins are published on the same day as Oracle Critical Patch Updates are release ...
Oracle Critical Patch Update Advisory - October 2017 Description A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the ...

Github Repositories

Cyber Securiy MOOC Unsecure project

LINK: githubcom/ilmari666/cybsec Based on the Springboot-template as per course material that can be installed and run with suitably configured Netbeans and Maven Five flaws as per wwwowasporg/images/7/72/OWASP_Top_10-2017_%28en%29pdfpdf This document can be read at githubcom/ilmari666/cybsec/blob/master/READMEmd FLAW 1: A2:2017 Broken Authentica

Recent Articles

VNC server library gets security fix
The Register • Richard Chirgwin • 09 Jan 2017

Debian plugs overflow vuln

An important fix for libvncserver has landed in Debian and on the library's GitHub page.
Late in 2016, a bug emerged in the VNC libraries that left clients vulnerable to malicious servers.
As the Debian advisory states, the fix addresses two bugs: CVE-2016-9941 and CVE-2016-9942. The libraries incorrectly handled incoming packets, leading to heap-based buffer overflows.
Clients could be attacked either for denial-of-service, or potentially for remote code execution.
The f...

VNC server library gets security fix
The Register • Richard Chirgwin • 09 Jan 2017

Debian plugs overflow vuln

An important fix for libvncserver has landed in Debian and on the library's GitHub page.
Late in 2016, a bug emerged in the VNC libraries that left clients vulnerable to malicious servers.
As the Debian advisory states, the fix addresses two bugs: CVE-2016-9941 and CVE-2016-9942. The libraries incorrectly handled incoming packets, leading to heap-based buffer overflows.
Clients could be attacked either for denial-of-service, or potentially for remote code execution.
The f...

References

CWE-388https://lists.apache.org/thread.html/4113c05d37f37c12b8033205684f04033c5f7a9bae117d4af23b32b4@%3Cannounce.tomcat.apache.org%3Ehttps://security.gentoo.org/glsa/201705-09http://www.securitytracker.com/id/1037432http://www.securityfocus.com/bid/94828http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlhttp://www.debian.org/security/2017/dsa-3755http://www.debian.org/security/2017/dsa-3754https://access.redhat.com/errata/RHSA-2017:0935https://access.redhat.com/errata/RHSA-2017:0456https://access.redhat.com/errata/RHSA-2017:0455http://rhn.redhat.com/errata/RHSA-2017-0527.htmlhttp://rhn.redhat.com/errata/RHSA-2017-0457.htmlhttp://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlhttps://security.netapp.com/advisory/ntap-20180607-0002/https://lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3Ehttps://access.redhat.com/errata/RHSA-2017:0527https://nvd.nist.govhttps://usn.ubuntu.com/3177-1/https://www.securityfocus.com/bid/94828https://www.debian.org/security/./dsa-3754