Apache Software Foundation fixes important flaws in Apache Tomcat
25.7.18 securityaffairs

The Apache Software Foundation has rolled out security updates for the Tomcat application server that address several flaws.
The Apache Software Foundation has released security updates for the Tomcat application server that address several vulnerabilities, including issues that trigger a denial-of-service (DoS) condition or can lead to information disclosure.

Apache Tomcat is an open-source Java Servlet Container that implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a “pure Java” HTTP web server environment in which Java code can run.

It has been estimated that Tomcat has a market share of over 60 percent.

The first flaw addressed by the Apache Software Foundation is the CVE-18-8037, it is an important bug in the tracking of connection closures that can lead to reuse of user sessions in a new connection.

The flaw affects Tomcat versions 9.0.0.M9 through 9.0.9 and 8.5.5 through 8.5.31. Tomcat 9.0.10 and 8.5.32 releases address the vulnerabilities.

Another important issue addressed by the Foundation is the CVE-18-1336, it is an improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder triggering a Denial of Service condition.

The vulnerability affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x.

Versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90 addresses the vulnerability.

The Apache Software Foundation also fixed a low severity security constraints bypass tracked as CVE-18-8034.

“The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default,” reads the security advisory.

The vulnerability has been addressed with the release of the latest Tomcat 7.0.x, 8.0.x, 8.5.x and 9.0.x versions.

The US-CERT has released a security alert that urges users to apply security updates.

“The Apache Software Foundation has released security updates to address vulnerabilities in Apache Tomcat versions 9.0.0.M9 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.” reads the security advisory published by the US-CERT.

“NCCIC encourages users and administrators to review the Apache security advisories for CVE-18-8037 and CVE-18-1336 and apply the necessary updates.”

Apache Tomcat vulnerabilities are less likely to be exploited in the wild.

Ignite is impacted by two security holes, both of which could lead to arbitrary code execution .