CVSS base metrics
Attack vector | NETWORK |
Attack complexity | HIGH |
Privileges required | NONE |
Confidentiality impact | HIGH |
Integrity impact | NONE |
Availability impact | NONE |
Published | 2018-08-02 |
Updated | 2024-11-21 |
Summary
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
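The ranges above are inclusive at both ends and only describe upstream Apache Tomcat version numbers. The following Python check, added here as an example (it is not part of the advisory or of Tomcat), decides whether a version string falls inside those ranges, ordering milestone builds such as 9.0.0.M9 before the numbered releases, and extracts the version from the output of `catalina.sh version`; the sample output embedded in it is constructed.

```python
"""Affected-version check for CVE-2018-8037 (added example, not from the advisory).

Ranges are the "Versions Affected" from the summary: 9.0.0.M9 to 9.0.9 and
8.5.5 to 8.5.31, both ends inclusive. Only upstream Apache Tomcat version
strings are meaningful here; vendor packages that backport the fix keep an
older upstream version number (see the note after this block).
"""
import re
from typing import Optional, Tuple

AFFECTED_RANGES = (
    ("9.0.0.M9", "9.0.9"),   # first fixed upstream release: 9.0.10
    ("8.5.5", "8.5.31"),     # first fixed upstream release: 8.5.32
)

# major.minor.patch with an optional Tomcat milestone suffix, e.g. 9.0.0.M9
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

# Milestone builds (9.0.0.M1 .. 9.0.0.M27) precede the numbered releases,
# so a GA build gets a sentinel that sorts after every milestone number.
_GA = 10**6


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """Return a tuple that orders Tomcat versions correctly, milestones included."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else _GA)


def is_affected(version: str) -> bool:
    """True when the upstream version lies inside one of the affected ranges."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


def version_from_catalina_output(output: str) -> Optional[str]:
    """Pull the version out of `catalina.sh version` (or `version.sh`) output.

    The relevant line looks like `Server version: Apache Tomcat/9.0.8`.
    The default `Server` response header (`Apache-Coyote/1.1`) carries no
    version, so a remote banner check is not a substitute for this.
    """
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", output)
    return m.group(1) if m else None


# Constructed sample of `catalina.sh version` output for a vulnerable install.
SAMPLE_CATALINA_OUTPUT = """\
Using CATALINA_BASE:   /opt/tomcat
Using CATALINA_HOME:   /opt/tomcat
Server version: Apache Tomcat/9.0.8
Server built:   (constructed sample)
Server number:  9.0.8.0
OS Name:        Linux
"""


def check_install(catalina_output: str) -> Tuple[Optional[str], bool]:
    """Return (version, affected) for captured `catalina.sh version` output."""
    version = version_from_catalina_output(catalina_output)
    return version, bool(version) and is_affected(version)


if __name__ == "__main__":
    ver, hit = check_install(SAMPLE_CATALINA_OUTPUT)
    print(f"Apache Tomcat/{ver}: {'AFFECTED' if hit else 'not affected'} by CVE-2018-8037")
    for sample in ("9.0.0.M8", "9.0.0.M9", "9.0.9", "9.0.10", "8.5.4", "8.5.31", "8.5.32"):
        print(f"{sample:>10}: {'affected' if is_affected(sample) else 'not affected'}")
```

Do not feed distribution package versions into this check. The vendor advisories on this page show why: RHSA-2018:2868 fixes CVE-2018-8037 in jws5-tomcat packages still numbered 9.0.7 (9.0.7-12.redhat_12.1), and openSUSE-2018-1019 backports the fix to tomcat 8.0.53 although the 8.0.x branch is not in the upstream affected list. For packaged Tomcat, compare the installed package release against the fixed release named in the vendor's advisory instead.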
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Leveraging Race Conditions
This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently, and the outcome of the execution depends on the particular order in which the accesses take place. The attacker can leverage a race condition by "running the race": modifying the resource and thereby altering the normal execution flow. For instance, a race condition can occur while accessing a file: the attacker can trick the system by replacing the original file with their own version and cause the system to read the malicious file.
- Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of that resource. The typical example is file access. The attacker can leverage a file access race condition by "running the race", meaning that they modify the resource between the time the target program first checks the file and the time the target program uses it. During that window, the attacker could, for example, replace the file and cause an escalation of privilege.
Nessus
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2019-1529.NASL |
description | An update for the pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for the pki-core module by Red Hat Certificate System. Security Fix(es) : * tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up (CVE-2018-8037) * tomcat: Insecure defaults in CORS filter enable |
last seen | 2020-05-23 |
modified | 2019-06-19 |
plugin id | 126030 |
published | 2019-06-19 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/126030 |
title | RHEL 8 : pki-deps:10.6 (RHSA-2019:1529) |
NASL family | Web Servers |
NASL id | TOMCAT_8_5_32.NASL |
description | The version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.32. It is, therefore, affected by multiple vulnerabilities. |
last seen | 2020-03-18 |
modified | 2018-07-13 |
plugin id | 111068 |
published | 2018-07-13 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/111068 |
title | Apache Tomcat 8.5.0 < 8.5.32 Multiple Vulnerabilities |
NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2018-1129.NASL |
description | This update for tomcat to version 9.0.10 fixes the following issues : Security issues fixed : - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters could have lead to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). Bug fixes : - Avoid overwriting of customer |
last seen | 2020-06-05 |
modified | 2018-10-09 |
plugin id | 117983 |
published | 2018-10-09 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/117983 |
title | openSUSE Security Update : tomcat (openSUSE-2018-1129) |
NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2018-1019.NASL |
description | This update for tomcat to 8.0.53 fixes the following issues : Security issue fixed : - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters could have lead to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). Bug fixes : - bsc#1067720: Avoid overwriting of customer |
last seen | 2020-06-05 |
modified | 2018-09-17 |
plugin id | 117526 |
published | 2018-09-17 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/117526 |
title | openSUSE Security Update : tomcat (openSUSE-2018-1019) |
NASL family | Oracle Linux Local Security Checks |
NASL id | ORACLELINUX_ELSA-2019-1529.NASL |
description | From Red Hat Security Advisory 2019:1529 : An update for the pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for the pki-core module by Red Hat Certificate System. Security Fix(es) : * tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up (CVE-2018-8037) * tomcat: Insecure defaults in CORS filter enable |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 127594 |
published | 2019-08-12 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/127594 |
title | Oracle Linux 8 : pki-deps:10.6 (ELSA-2019-1529) |
NASL family | Web Servers |
NASL id | TOMCAT_9_0_9.NASL |
description | The version of Apache Tomcat installed on the remote host is 9.0.x prior to 9.0.10. It is, therefore, affected by multiple vulnerabilities. A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.9 due to insecure default settings for the CORS filter (CVE-2018-8014). A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.10. Hostname validation was not enabled by default when using TLS with the WebSocket client (CVE-2018-8034). An information disclosure vulnerability exists in Apache Tomcat prior to version 9.0.10 due to a race condition. If an async request was completed by the application at the same time as the container triggered the async timeout, this could lead to a user being sent the response of another user (CVE-2018-8037). |
last seen | 2020-03-18 |
modified | 2018-07-24 |
plugin id | 111069 |
published | 2018-07-24 |
reporter | This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/111069 |
title | Apache Tomcat 9.0.0 < 9.0.10 Multiple Vulnerabilites |
NASL family | Red Hat Local Security Checks |
NASL id | REDHAT-RHSA-2018-2868.NASL |
description | An update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and Red Hat JBoss Web Server 5.0 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.0 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 5.0, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * tomcat: Information Disclosure (CVE-2018-8037) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 117912 |
published | 2018-10-04 |
reporter | This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/117912 |
title | RHEL 6 / 7 : Red Hat JBoss Web Server 5.0 Service Pack 1 (RHSA-2018:2868) |
NASL family | SuSE Local Security Checks |
NASL id | OPENSUSE-2019-770.NASL |
description | This update for tomcat to version 9.0.10 fixes the following issues : Security issues fixed : - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters could have lead to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). Bug fixes : - Avoid overwriting of customer |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 123330 |
published | 2019-03-27 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/123330 |
title | openSUSE Security Update : tomcat (openSUSE-2019-770) |
NASL family | Debian Local Security Checks |
NASL id | DEBIAN_DSA-4281.NASL |
description | Several issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak. |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 112185 |
published | 2018-08-30 |
reporter | This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/112185 |
title | Debian DSA-4281-1 : tomcat8 - security update |
NASL family | Fedora Local Security Checks |
NASL id | FEDORA_2018-B1832101B8.NASL |
description | This update includes a rebase from 8.5.30 up to 8.5.32 which resolves two CVEs along with various other bugs/features : - rhbz#1579612 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable |
last seen | 2020-06-05 |
modified | 2019-01-03 |
plugin id | 120717 |
published | 2019-01-03 |
reporter | This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/120717 |
title | Fedora 28 : 1:tomcat (2018-b1832101b8) |
NASL family | Amazon Linux Local Security Checks |
NASL id | ALA_ALAS-2018-1056.NASL |
description | The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 111611 |
published | 2018-08-10 |
reporter | This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. |
source | https://www.tenable.com/plugins/nessus/111611 |
title | Amazon Linux AMI : tomcat8 (ALAS-2018-1056) |
Redhat
advisories |
  bugzilla | id | 1636512 | title | CVE-2018-11784 tomcat: Open redirect in default servlet |
  oval | OR |
    comment | Red Hat Enterprise Linux must be installed | oval | oval:com.redhat.rhba:tst:20070304026 |
    AND |
      comment | Red Hat Enterprise Linux 8 is installed | oval | oval:com.redhat.rhba:tst:20193384074 |
      comment | Module pki-deps:10.6 is enabled | oval | oval:com.redhat.rhsa:tst:20191529069 |
  rhsa | id | RHSA-2019:1529 | released | 2019-06-18 | severity | Important | title | RHSA-2019:1529: pki-deps:10.6 security update (Important) |
rpms | - jws5-tomcat-0:9.0.7-12.redhat_12.1.el6jws
- jws5-tomcat-0:9.0.7-12.redhat_12.1.el7jws
- jws5-tomcat-admin-webapps-0:9.0.7-12.redhat_12.1.el6jws
- jws5-tomcat-admin-webapps-0:9.0.7-12.redhat_12.1.el7jws
- jws5-tomcat-docs-webapp-0:9.0.7-12.redhat_12.1.el6jws
- jws5-tomcat-docs-webapp-0:9.0.7-12.redhat_12.1.el7jws
- jws5-tomcat-el-3.0-api-0:9.0.7-12.redhat_12.1.el6jws
- jws5-tomcat-el-3.0-api-0:9.0.7-12.redhat_12.1.el7jws
- jws5-tomcat-javadoc-0:9.0.7-12.redhat_12.1.el6jws
- jws5-tomcat-javadoc-0:9.0.7-12.redhat_12.1.el7jws
- jws5-tomcat-jsp-2.3-api-0:9.0.7-12.redhat_12.1.el6jws
- jws5-tomcat-jsp-2.3-api-0:9.0.7-12.redhat_12.1.el7jws
- jws5-tomcat-jsvc-0:9.0.7-12.redhat_12.1.el6jws
- jws5-tomcat-jsvc-0:9.0.7-12.redhat_12.1.el7jws
- jws5-tomcat-lib-0:9.0.7-12.redhat_12.1.el6jws
- jws5-tomcat-lib-0:9.0.7-12.redhat_12.1.el7jws
- jws5-tomcat-selinux-0:9.0.7-12.redhat_12.1.el6jws
- jws5-tomcat-selinux-0:9.0.7-12.redhat_12.1.el7jws
- jws5-tomcat-servlet-4.0-api-0:9.0.7-12.redhat_12.1.el6jws
- jws5-tomcat-servlet-4.0-api-0:9.0.7-12.redhat_12.1.el7jws
- jws5-tomcat-webapps-0:9.0.7-12.redhat_12.1.el6jws
- jws5-tomcat-webapps-0:9.0.7-12.redhat_12.1.el7jws
- apache-commons-collections-0:3.2.2-10.module+el8.0.0+3248+9d514f3b
- apache-commons-lang-0:2.6-21.module+el8.0.0+3248+9d514f3b
- bea-stax-api-0:1.2.0-16.module+el8.0.0+3248+9d514f3b
- glassfish-fastinfoset-0:1.2.13-9.module+el8.0.0+3248+9d514f3b
- glassfish-jaxb-api-0:2.2.12-8.module+el8.0.0+3248+9d514f3b
- glassfish-jaxb-core-0:2.2.11-11.module+el8.0.0+3248+9d514f3b
- glassfish-jaxb-runtime-0:2.2.11-11.module+el8.0.0+3248+9d514f3b
- glassfish-jaxb-txw2-0:2.2.11-11.module+el8.0.0+3248+9d514f3b
- jackson-annotations-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
- jackson-core-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
- jackson-databind-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
- jackson-jaxrs-json-provider-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
- jackson-jaxrs-providers-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
- jackson-module-jaxb-annotations-0:2.7.6-4.module+el8.0.0+3248+9d514f3b
- jakarta-commons-httpclient-1:3.1-28.module+el8.0.0+3248+9d514f3b
- javassist-0:3.18.1-8.module+el8.0.0+3248+9d514f3b
- javassist-javadoc-0:3.18.1-8.module+el8.0.0+3248+9d514f3b
- pki-servlet-4.0-api-1:9.0.7-14.module+el8.0.0+3248+9d514f3b
- pki-servlet-container-1:9.0.7-14.module+el8.0.0+3248+9d514f3b
- python-nss-debugsource-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
- python-nss-doc-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
- python3-nss-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
- python3-nss-debuginfo-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
- relaxngDatatype-0:2011.1-7.module+el8.0.0+3248+9d514f3b
- resteasy-0:3.0.26-3.module+el8.0.0+3248+9d514f3b
- slf4j-0:1.7.25-4.module+el8.0.0+3248+9d514f3b
- slf4j-jdk14-0:1.7.25-4.module+el8.0.0+3248+9d514f3b
- stax-ex-0:1.7.7-8.module+el8.0.0+3248+9d514f3b
- velocity-0:1.7-24.module+el8.0.0+3248+9d514f3b
- xalan-j2-0:2.7.1-38.module+el8.0.0+3248+9d514f3b
- xerces-j2-0:2.11.0-34.module+el8.0.0+3248+9d514f3b
- xml-commons-apis-0:1.4.01-25.module+el8.0.0+3248+9d514f3b
- xml-commons-resolver-0:1.2-26.module+el8.0.0+3248+9d514f3b
- xmlstreambuffer-0:1.5.4-8.module+el8.0.0+3248+9d514f3b
- xsom-0:0-19.20110809svn.module+el8.0.0+3248+9d514f3b