Oracle Solaris 11: CVE-2018-8034: Vulnerability in Apache Tomcat
Several security issues were fixed in Tomcat.
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
A vulnerability in the WebSocket client of Apache Tomcat could allow an unauthenticated, remote attacker to bypass security restrictions on a targeted system. The vulnerability exists because the affected software improperly verifies hostnames when using Transport Layer Security (TLS) connections. An attacker could exploit this vulnerability by performing a man-in-the-middle attack on the Apache WebSocket client. A successful exploit could allow the attacker to bypass security restrictions on the system. The Apache Software Foundation has confirmed the vulnerability and released software updates.
Vendor | Product | Versions |
---|---|---|
Apache | Tomcat | 7.0.35, 7.0.36, 7.0.37, 7.0.38, 7.0.39, 7.0.40, 7.0.41, 7.0.42, 7.0.43, 7.0.44, 7.0.45, 7.0.46, 7.0.47, 7.0.48, 7.0.49, 7.0.50, 7.0.51, 7.0.54, 7.0.55, 7.0.56, 7.0.57, 7.0.58, 7.0.59, 7.0.60, 7.0.61, 7.0.62, 7.0.63, 7.0.64, 7.0.65, 7.0.66, 7.0.67, 7.0.68, 7.0.69, 7.0.70, 7.0.71, 7.0.72, 7.0.73, 7.0.74, 7.0.75, 7.0.76, 7.0.77, 7.0.78, 7.0.79, 7.0.80, 7.0.81, 7.0.82, 7.0.83, 7.0.84, 7.0.85, 8.0.0, 8.0.1, 8.0.2, 8.0.4, 8.0.6, 8.0.7, 8.0.9, 8.0.10, 8.0.11, 8.0.12, 8.0.13, 8.0.14, 8.0.15, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26, 8.0.27, 8.0.28, 8.0.29, 8.0.30, 8.0.31, 8.0.32, 8.0.33, 8.0.34, 8.0.35, 8.0.36, 8.0.37, 8.0.38, 8.0.39, 8.0.40, 8.0.41, 8.0.42, 8.0.43, 8.0.44, 8.0.47, 8.0.48, 8.0.49, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.23, 8.5.24, 8.5.27, 8.5.28, 8.5.29, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7 |
Canonical | Ubuntu Linux | 14.04, 16.04 |
Debian | Debian Linux | 8.0, 9.0 |
gocarts(go-CERT-alerts-summarizer) gocarts checks alerts of X-CERT (eg JPCERT, US-CERT) This project refers to knqyf263/gost Abstract gocarts is written in Go, and therefore you can just grab the binary releases and drop it in your $PATH gocarts summarizes alerts by CVE ID You can search alert's detail by CVE ID Main features gocarts has the following features S