The Apache Software Foundation (ASF) has released security updates to address multiple vulnerabilities in its Apache Tomcat application server, one of which allows a remote attacker to obtain confidential information.
Apache Tomcat is an open source web server and servlet container that implements several Java EE specifications, such as Java Servlet, JavaServer Pages, Expression Language and WebSocket, and provides a "pure Java" HTTP web server environment in which Java code can run.
Unlike the Apache Struts2 vulnerabilities that were used to breach the systems of the US credit reporting agency Equifax last year, the new Apache Tomcat vulnerabilities are less likely to be exploited in the wild.
Apache Tomcat – Vulnerability in Disclosure of Information
The most critical of the Apache Tomcat vulnerabilities (CVE-2018-8037) is an information disclosure flaw caused by a bug in tracking connection closure, which can lead to a user session being reused on a new connection.
The vulnerability, rated as important, was reported to the Apache Tomcat security team by Dmitry Treskunov on June 16, 2018, and disclosed publicly on July 22, 2018.
The vulnerability affects Tomcat versions 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31 and is fixed in Tomcat 9.0.10 and 8.5.32.
Apache Tomcat – Denial of Service (DoS) Vulnerability
The second vulnerability lies in Apache Tomcat's UTF-8 decoder and can lead to a denial of service (DoS).
"Incorrect overflow control in the UTF-8 decoder with additional symbols can lead to an endless cycle in the decoder causing a denial of service," says the Apache Software Foundation in its advisory.
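The bug class described in the advisory is a decoder loop that stops making progress on a malformed supplementary (4-byte) sequence. As an added illustration that is not Tomcat's code, the decoder below is written so that every pass through its loop consumes at least one byte, so truncated, overlong or otherwise invalid sequences become U+FFFD rather than an endless loop; the function name and replacement policy are this example's own choices.

```python
# Added example (not Apache Tomcat code): a UTF-8 decoder whose main loop
# always advances, so malformed supplementary-character (4-byte) input
# can never trap it in an endless cycle.
from typing import List, Tuple

REPLACEMENT = "\ufffd"  # emitted once per malformed sequence


def decode_utf8(data: bytes) -> Tuple[str, int]:
    """Return (decoded_text, malformed_sequence_count).

    Invariant: each loop pass increases ``i`` by at least one, so decoding
    terminates after at most len(data) passes for any input whatsoever.
    """
    out: List[str] = []
    bad = 0
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:  # single-byte ASCII
            out.append(chr(b0))
            i += 1
            continue
        # The lead byte fixes the number of continuation bytes and the smallest
        # code point that length may legally encode (used for the overlong check).
        if 0xC2 <= b0 <= 0xDF:
            need, cp, minimum = 1, b0 & 0x1F, 0x80
        elif 0xE0 <= b0 <= 0xEF:
            need, cp, minimum = 2, b0 & 0x0F, 0x800
        elif 0xF0 <= b0 <= 0xF4:  # supplementary planes, U+10000..U+10FFFF
            need, cp, minimum = 3, b0 & 0x07, 0x10000
        else:  # stray continuation byte, or 0xC0/0xC1/0xF5..0xFF
            bad += 1
            out.append(REPLACEMENT)
            i += 1
            continue
        consumed = 1
        for k in range(1, need + 1):
            # Stop at end of input (truncated sequence) or at a non-continuation byte.
            if i + k >= n or data[i + k] & 0xC0 != 0x80:
                break
            cp = (cp << 6) | (data[i + k] & 0x3F)
            consumed += 1
        if consumed != need + 1 or cp < minimum or 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            bad += 1  # truncated, overlong, surrogate, or above U+10FFFF
            out.append(REPLACEMENT)
        else:
            out.append(chr(cp))
        i += consumed  # consumed >= 1, so progress is guaranteed
    return "".join(out), bad
```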
Apache Tomcat server software updates (hotfixes)
This vulnerability affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x and is fixed in Tomcat 9.0.7, 8.5.32, 8.0.52 and 7.0.90.
The Apache Software Foundation has also included in the latest Tomcat releases a patch for a low-severity issue (CVE-2018-8034) caused by a lack of hostname verification when using TLS with the WebSocket client.
Administrators are strongly encouraged to apply the software updates as soon as possible. It is also recommended to restrict network access to trusted users and to monitor the affected systems.
The Apache Software Foundation says it is not aware of any of these Apache Tomcat vulnerabilities being exploited in the wild.
A remote attacker could nevertheless use one of these vulnerabilities to obtain confidential information.