CVE-2018-8037 – tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up
https://notcve.org/view.php?id=CVE-2018-8037
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31. Si la aplicación completaba una petición async al mismo tiempo que el contenedor activaba el tiempo de espera de async, existía una condición de carrera que podía hacer que un usuario viera una respuesta destinada a otro usuario. • http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090623.GA92700%40minotaur.apache.org%3E http://mail-archives.us.apache.org/mod_mbox/www-announce/201808.mbox/%3C0c616b4d-4e81-e7f8-b81d-1bb4c575aa33%40apache.org%3E http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/104894 http://www.securitytracker.com/id/1041376 https://access.redhat.com/errata/RHSA-2018:2867 https://access.redhat.com/errata/RHSA-2018:2868 • CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') •
CVE-2018-8034 – tomcat: Host name verification missing in WebSocket client
https://notcve.org/view.php?id=CVE-2018-8034
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. No hay verificación del nombre del host al emplear TLS con el cliente WebSocket. Ahora está habilitado por defecto. • http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283%40minotaur.apache.org%3E http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/104895 http://www.securitytracker.com/id/1041374 https://access.redhat.com/errata/RHSA-2019:0130 https://access.redhat.com/errata/RHSA-2019:0131 https://access.redhat.com/errata/RHSA-2019:0450 https://access.redhat.com/errata/RHSA-2019:0451 https://access.redhat • CWE-20: Improper Input Validation CWE-295: Improper Certificate Validation •
CVE-2018-1336 – tomcat: A bug in the UTF-8 decoder can lead to DoS
https://notcve.org/view.php?id=CVE-2018-1336
An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. Una gestión incorrecta del desbordamiento en el decodificador UTF-8 con caracteres suplementarios puede conducir a un bucle infinito en el decodificador, provocando una denegación de servicio (DoS). Versiones afectadas: Apache Tomcat de la versión 9.0.0.M9 a la 9.0.7, de la 8.5.0 a la 8.5.30, de la 8.0.0.RC1 a la 8.0.51 y de la versión 7.0.28 a la 7.0.86. • http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E http://www.securityfocus.com/bid/104898 http://www.securitytracker.com/id/1041375 https://access.redhat.com/errata/RHEA-2018:2188 https://access.redhat.com/errata/RHEA-2018:2189 https://access.redhat.com/errata/RHSA-2018:2700 https://access.redhat.com/errata/RHSA-2018:2701 https://access.redhat.com/errata/RHSA-2018:2740 https://access.redhat.com/errata/RHSA-20 • CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') •
CVE-2018-8014 – tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
https://notcve.org/view.php?id=CVE-2018-8014
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue. Las opciones por defecto para el filtro CORS proporcionado en Apache Tomcat 9.0.0.M1 a 9.0.8, 8.5.0 a 8.5.31, 8.0.0.RC1 a 8.0.52 y 7.0.41 a 7.0.88 son inseguras y permiten "supportsCredentials" para todos los orígenes. Se espera que los usuarios del filtro CORS lo tengan configurado de forma adecuada para su entorno, en lugar de emplearlo con su configuración por defecto. • http://tomcat.apache.org/security-7.html http://tomcat.apache.org/security-8.html http://tomcat.apache.org/security-9.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/104203 http://www.securitytracker.com/id/1040998 http://www.securitytracker.com/id/1041888 https://access.redhat.com/errata/RHSA-2018:2469 https://access.redhat.com/errata/RHSA-2018:2470 https://access.redhat.com/errata/RHSA-2018:3768 https://a • CWE-284: Improper Access Control CWE-1188: Initialization of a Resource with an Insecure Default •
CVE-2018-1304 – tomcat: Incorrect handling of empty string URL in security constraints can lead to unintended exposure of resources
https://notcve.org/view.php?id=CVE-2018-1304
The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in Apache Tomcat 9.0.0.M1 to 9.0.4, 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49 and 7.0.0 to 7.0.84 when used as part of a security constraint definition. This caused the constraint to be ignored. It was, therefore, possible for unauthorised users to gain access to web application resources that should have been protected. Only security constraints with a URL pattern of the empty string were affected. El patrón de URL "" (la cadena vacía) que mapea exactamente al root de contexto no se gestionó correctamente en Apache Tomcat 9.0.0.M1 a 9.0.4, 8.5.0 a 8.5.27, 8.0.0.RC1 a 8.0.49 y 7.0.0 a 7.0.84 al emplearse como parte de una definición de limitación de seguridad. • https://github.com/knqyf263/CVE-2018-1304 http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html http://www.securityfocus.com/bid/103170 http://www.securitytracker.com/id/1040427 https://access.redhat.com/errata/RHSA-2018:0465 https://access.redhat.com/errata/RHSA-2018:0466 https://access.redhat.com/errata/RHSA-2018:1320 https://access.redhat.com/errata/RHSA-2018:1447 https://access.redha • CWE-284: Improper Access Control •