CVE-2016-8745
tomcat: information disclosure due to incorrect Processor sharing
Affected Versions: 138
Public Exploits: 0
Exploited in Wild: -
Descriptions
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body. The bug was first noticed in 8.5.x, where the refactoring of the Connector code appears to have made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug, but further investigation has shown that the bug is present in all currently supported Tomcat versions.
A bug was discovered in the error handling of the send file code for the NIO HTTP connector. This led to the current Processor object being added to the Processor cache multiple times allowing information leakage between requests including, and not limited to, session ID and the response body.
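A simplified, single-threaded model of the double-add described above, as an added example (it is not Tomcat's code and not the project's fix). The class names, the `cached` guard flag and the session strings are constructed for illustration; it shows how two releases of one object let two later requests share it, and how an idempotent release prevents that.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class ProcessorCacheModel {
    // Hypothetical stand-in for a per-request processor holding request state.
    static class Processor {
        String sessionId;
        boolean cached; // guard flag, used only by the hardened cache (would be atomic in concurrent code)
    }

    // Model of the flaw: release() trusts every caller to release exactly once.
    static class UnguardedCache {
        final Deque<Processor> free = new ArrayDeque<>();
        Processor acquire() { Processor p = free.poll(); return p != null ? p : new Processor(); }
        void release(Processor p) { p.sessionId = null; free.push(p); }
    }

    // Defensive variant: a processor already in the cache is never added again.
    static class GuardedCache extends UnguardedCache {
        @Override Processor acquire() { Processor p = super.acquire(); p.cached = false; return p; }
        @Override void release(Processor p) {
            if (p.cached) return; // duplicate release from an error path is ignored
            p.cached = true;
            super.release(p);
        }
    }

    // Error handling and normal cleanup both release the same processor, then two
    // later requests acquire from the cache. Returns true if they got the same object
    // and request B can read the session ID that request A stored.
    static boolean sharedAfterDoubleRelease(UnguardedCache cache) {
        Processor p = cache.acquire();
        p.sessionId = "constructed-session-0";
        cache.release(p); // error path releases the processor...
        cache.release(p); // ...and the normal cleanup path releases it again
        Processor a = cache.acquire();
        Processor b = cache.acquire();
        a.sessionId = "constructed-session-A";
        return a == b && "constructed-session-A".equals(b.sessionId);
    }

    public static void main(String[] args) {
        System.out.println("unguarded shares processor: " + sharedAfterDoubleRelease(new UnguardedCache()));
        System.out.println("guarded shares processor:   " + sharedAfterDoubleRelease(new GuardedCache()));
    }
}
```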
USN-3177-1 fixed vulnerabilities in Tomcat. The update introduced a regression in environments where Tomcat is started with a security manager. This update fixes the problem. It was discovered that the Tomcat realm implementations incorrectly handled passwords when a username didn't exist. A remote attacker could possibly use this issue to enumerate usernames. This issue only applied to Ubuntu 12.04 LTS, Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. Alvaro Munoz and Alexander Mirosh discovered that Tomcat incorrectly limited use of a certain utility method. A malicious application could possibly use this to bypass Security Manager restrictions. Various other issues were also addressed.
SSVC
- Decision: Attend
Timeline
- 2016-10-18 CVE Reserved
- 2016-12-12 CVE Published
- 2024-11-14 CVE Updated
- 2025-03-30 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-388: 7PK - Errors