CVSS v2 Severity: MEDIUM (5)

CVE-2018-1336

Published: 02/08/2018 Updated: 05/12/2018
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9

Vulnerability Summary

Amazon Linux AMI: CVE-2018-1336: Security patch for tomcat8 (Multiple Advisories)

Several security issues were fixed in Tomcat.

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

A vulnerability in the UTF-8 decoder component of Apache Tomcat could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on a targeted system. The vulnerability exists because the UTF-8 decoder component of the affected software improperly handles user-supplied input containing supplementary characters. An attacker could exploit this vulnerability by sending a request that submits malicious input to the targeted system. A successful exploit could cause an infinite loop condition in the UTF-8 decoder component of the software, resulting in a DoS condition. The Apache Software Foundation has confirmed the vulnerability and released software updates.

Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Access Complexity: LOW
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

Affected Products

Vendor    | Product                                | Versions
Apache    | Tomcat                                 | 7.0.28, 7.0.29, 7.0.30, 7.0.31, 7.0.32, 7.0.33, 7.0.34, 7.0.35, 7.0.36, 7.0.37, 7.0.38, 7.0.39, 7.0.40, 7.0.41, 7.0.42, 7.0.43, 7.0.44, 7.0.45, 7.0.46, 7.0.47, 7.0.48, 7.0.49, 7.0.50, 7.0.51, 7.0.54, 7.0.55, 7.0.56, 7.0.57, 7.0.58, 7.0.59, 7.0.60, 7.0.61, 7.0.62, 7.0.63, 7.0.64, 7.0.65, 7.0.66, 7.0.67, 7.0.68, 7.0.69, 7.0.70, 7.0.71, 7.0.72, 7.0.73, 7.0.74, 7.0.75, 7.0.76, 7.0.77, 7.0.78, 7.0.79, 7.0.80, 7.0.81, 7.0.82, 7.0.83, 7.0.84, 7.0.85, 8.0.0, 8.0.1, 8.0.2, 8.0.4, 8.0.6, 8.0.7, 8.0.9, 8.0.10, 8.0.11, 8.0.12, 8.0.13, 8.0.14, 8.0.15, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26, 8.0.27, 8.0.28, 8.0.29, 8.0.30, 8.0.31, 8.0.32, 8.0.33, 8.0.34, 8.0.35, 8.0.36, 8.0.37, 8.0.38, 8.0.39, 8.0.40, 8.0.41, 8.0.42, 8.0.43, 8.0.44, 8.0.47, 8.0.48, 8.0.49, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.23, 8.5.24, 8.5.27, 8.5.28, 8.5.29, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7
Redhat    | Jboss Enterprise Application Platform  | 6.0.0, 6.4.0
Redhat    | Jboss Enterprise Web Server            | 3.0.0, 5.0.0
Canonical | Ubuntu Linux                           | 14.04, 16.04
Debian    | Debian Linux                           | 8.0, 9.0

Vendor Advisories

Synopsis: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 5 security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Web Server 3.1. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnera ...
Synopsis: Important: tomcat security update. Type/Severity: Security Advisory: Important. Topic: An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, w ...
Synopsis: Important: Red Hat OpenShift Application Runtimes Spring Boot 1.5.16 update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat OpenShift Application Runtimes. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulner ...
Synopsis: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 5 security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this release as ...
Several security issues were fixed in Tomcat ...
Synopsis: Important: Red Hat JBoss Operations Network 3.3.11 security and bug fix update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Operations Network. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerabi ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 5. Red Hat Product Security has rated this update as having a ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux. Red Hat Product Security has rated this update as having a s ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having a ...
Synopsis: Important: Red Hat JBoss Enterprise Application Platform 6.4.21 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Enterprise Application Platform 6.4 for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a ...
An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86 ...
Synopsis: Critical: Red Hat FIS 2.0 on Fuse 6.3.0 R8 security and bug fix update. Type/Severity: Security Advisory: Critical. Topic: An update is now available for Red Hat Fuse Integration Services. Red Hat Product Security has rated this update as having a security impact of Critical. A Common Vulnerability Scor ...
Synopsis: Important: Red Hat Fuse 7.2 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat Fuse. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a de ...
Several issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak. For the stable distribution (stretch), these problems have been fixed in version 8.5.14-1+deb9u3. We recommend that you upgrade your tomcat8 packages. For the detailed security s ...
The default settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted ...
An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service (CVE-2018-1336) ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4281-1 security () debian org https://www.debian.org/security/ Sebastien Delafond August 29, 2018 https://www.debian.org/security/faq ...

Github Repositories

Aware IM Developer Resources. Aware IM is a rapid low-code application development tool that lets you create powerful, aesthetically appealing web applications quickly. Aware IM developer tools, tips, news and resources. Changelog. Helpdesk - Rennur Apps: rennurappsfreshservicecom, helpdesk@rennurappsfreshservicecom. Software written in 100% Java programming langua

gocarts (go-CERT-alerts-summarizer). gocarts checks alerts of X-CERT (e.g. JPCERT, US-CERT). This project refers to knqyf263/gost. Abstract: gocarts is written in Go, and therefore you can just grab the binary releases and drop it in your $PATH. gocarts summarizes alerts by CVE ID. You can search alert's detail by CVE ID. Main features: gocarts has the following features S

References