4.3
MEDIUM

CVE-2018-8037

Published: 02/08/2018 Updated: 17/10/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 5.9 | Impact Score: 3.6 | Exploitability Score: 2.2

Vulnerability Summary

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
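The advisory gives the affected Tomcat builds as two inclusive ranges that include a milestone build (9.0.0.M9) as a lower bound. The following is an added example, not code from the advisory or from the Tomcat project, showing one way a defender can check an inventory of reported Tomcat versions against those ranges. It assumes versions are reported as plain `major.minor.patch` or `major.minor.patch.M<n>` strings (the sample inventory below is constructed); anything else is rejected rather than silently treated as safe.

```python
import re

# Affected ranges as stated in the advisory (inclusive on both ends).
AFFECTED_RANGES = [("8.5.5", "8.5.31"), ("9.0.0.M9", "9.0.9")]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Turn a Tomcat version string into a comparable tuple.

    Milestone builds (e.g. 9.0.0.M9) precede the non-milestone release with
    the same numbers, so a final release gets flag 1 and milestones get flag 0.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version):
    """True if the given Tomcat version falls inside an affected range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def find_affected_hosts(inventory):
    """Return {host: version} for every host running an affected build.

    Unparseable versions are reported under the key's own name with the raw
    string so they are not lost; an unknown version is not a clean bill.
    """
    hits = {}
    for host, version in inventory.items():
        try:
            if is_affected(version):
                hits[host] = version
        except ValueError:
            hits[host] = f"UNPARSEABLE:{version}"
    return hits


# Constructed sample inventory (hypothetical hostnames and versions).
SAMPLE_INVENTORY = {
    "app-01": "8.5.31",     # last affected 8.5.x build
    "app-02": "8.5.32",     # first fixed 8.5.x build
    "app-03": "9.0.0.M8",   # milestone before the affected range
    "app-04": "9.0.0.M27",  # milestone inside the affected range
    "app-05": "9.0.9",      # last affected 9.0.x build
    "app-06": "9.0.10",     # first fixed 9.0.x build
    "app-07": "8.0.53",     # 8.0.x branch is not listed as affected
}

if __name__ == "__main__":
    for host, version in sorted(find_affected_hosts(SAMPLE_INVENTORY).items()):
        print(f"{host}: {version} is affected by CVE-2018-8037")
```

Because the milestone flag sorts before the final-release flag, 9.0.0.M9 through 9.0.0.M27 compare below 9.0.1 and are correctly caught by the second range, while 9.0.0.M8 and earlier fall outside it.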

A vulnerability in Apache Tomcat could allow an unauthenticated, remote attacker to access sensitive information on a targeted system.

The vulnerability exists because the non-blocking I/O (NIO) and NIO2 connectors of the affected software improperly handle connection closures. An attacker could exploit this vulnerability by sending a request that submits malicious input to the targeted system. A successful exploit could allow an attacker to access sensitive information by reusing a user session, which could be used to conduct further attacks.

The Apache Software Foundation has confirmed the vulnerability and released software updates.

Vector: AV:N/AC:M/Au:N/C:P/I:N/A:N
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE

Affected Products

Vendor | Product      | Versions
Apache | Tomcat       | 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 8.5.23, 8.5.24, 8.5.27, 8.5.28, 8.5.29, 9.0.0, 9.0.1, 9.0.2, 9.0.3, 9.0.4, 9.0.5, 9.0.6, 9.0.7
Debian | Debian Linux | 9.0

Mitigation

Administrators are advised to apply the appropriate updates.

Administrators are advised to allow only trusted users to have network access.

Administrators are advised to run both firewall and antivirus applications to minimize the potential of inbound and outbound threats.

Administrators may consider using IP-based access control lists (ACLs) to allow only trusted systems to access the affected systems.

Administrators can help protect affected systems from external attacks by using a solid firewall strategy.

Administrators are advised to monitor affected systems.

Exploitation

To exploit this vulnerability, an attacker must send a request that submits malicious input to the targeted system, which makes exploitation more difficult in environments that restrict network access from untrusted sources.
