Apache Tomcat Fixes Available for Important Security Vulnerabilities


The Apache Software Foundation (ASF) has informed users of several security vulnerabilities in its Tomcat application server, including bugs that could lead to information disclosure and a denial-of-service (DoS) condition. An open source implementation of the Java Servlet, JavaServer Pages (JSP), Java WebSocket and Java Expression Language technologies, Apache Tomcat is the most widely used web application server, boasting a market share of over 60 percent.

US-CERT has released an alert recommending that users review the Apache advisories and apply the updates. These latest flaws are less likely to be exploited in the wild, unlike the Apache Struts vulnerabilities that were exploited to breach the systems of Equifax late last year, reports THN. That bug had leveraged common username and password combinations, making it more easily exploitable.


The latest releases fix a vulnerability tracked as CVE-2018-8037, an information disclosure issue that can lead to user sessions getting mixed up. The bug, rated as "important", impacts Tomcat versions 9.0.0.M9 through 9.0.9 and 8.5.5 through 8.5.31. Patches are available in Tomcat versions 9.0.10 and 8.5.32.

The Foundation has also released fixes for CVE-2018-1336, a bug in the UTF-8 decoder that can lead to a DoS condition. “An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service,” the ASF said. This flaw affects versions 7.0.x, 8.0.x, 8.5.x and 9.0.x, and has been addressed in versions 9.0.7, 8.5.32, 8.0.52, and 7.0.90.

According to US-CERT, a remote attacker could exploit one of these vulnerabilities to obtain sensitive information. Users and administrators are recommended to review the Apache security advisories for CVE-2018-8037 and CVE-2018-1336 and apply the necessary updates. The ASF said that it has not detected any exploitation of either of these bugs in the wild.
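As an added example (not code from the ASF or the article), the following Python checks a deployed Tomcat version string, such as the part after "Apache Tomcat/" in the "Server version" line printed by `catalina.sh version`, against the affected and fixed versions quoted above, so an administrator can see which of the two advisories applies and which release closes it. The version ranges are the article's; the milestone ordering and the reading of "affects 7.0.x" as "every release in that line older than its fix" are this example's assumptions.

```python
import re

# Version ranges quoted in the article. The parser/ordering and the reading of
# "affects 7.0.x" as "every release in that line older than its fix" are this
# example's assumptions, not the ASF's wording.
CVE_2018_8037 = [  # (first affected, last affected, fixed in)
    ("9.0.0.M9", "9.0.9", "9.0.10"),
    ("8.5.5", "8.5.31", "8.5.32"),
]
CVE_2018_1336_FIXES = {  # release line -> version that fixed it
    (9, 0): "9.0.7",
    (8, 5): "8.5.32",
    (8, 0): "8.0.52",
    (7, 0): "7.0.90",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(text):
    """Turn '9.0.0.M9' or '8.5.31' into a sortable tuple.

    A milestone (9.0.0.M9) sorts below the final release of the same number
    and below every later release (9.0.1), as Tomcat numbered the 9.0.0.Mx builds.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError("unrecognised Tomcat version: %r" % text)
    major, minor, patch, milestone = m.groups()
    is_final = 1 if milestone is None else 0
    return (int(major), int(minor), int(patch), is_final, int(milestone or 0))


def check_tomcat(version_text):
    """Return {cve: fixed-in version} for each advisory the version falls under.

    An empty dict means neither advisory applies to that release.
    """
    v = parse_version(version_text)
    findings = {}
    for first, last, fixed in CVE_2018_8037:
        if parse_version(first) <= v <= parse_version(last):
            findings["CVE-2018-8037"] = fixed
    fixed = CVE_2018_1336_FIXES.get(v[:2])
    if fixed is not None and v < parse_version(fixed):
        findings["CVE-2018-1336"] = fixed
    return findings
```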