Vulnerabilities > CVE-2018-8037 - Race Condition vulnerability in multiple products

047910
CVSS 5.9 - MEDIUM
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
NONE
Availability impact
NONE
network
high complexity
apache
debian
CWE-362
nessus

Summary

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
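A first-pass triage helper for the version ranges quoted above, added here as an example and not part of the advisory or of Tomcat itself. It parses upstream version strings (including the 9.0.0.Mx milestones, which never had a 9.0.0 final and therefore must sort before 9.0.1), strips an "Apache Tomcat/" banner prefix, and reports whether the version falls inside 9.0.0.M9..9.0.9 or 8.5.5..8.5.31. The sample inventory at the bottom is constructed for illustration.

```python
import re

# Affected ranges exactly as stated in the advisory text above (inclusive bounds).
# Tomcat 9.0.0 only ever shipped as milestones 9.0.0.M1 .. 9.0.0.M27, followed by
# 9.0.1, so a milestone key must sort before any 9.0.x final release.
AFFECTED_RANGES = [
    ("9.0.0.M9", "9.0.9"),   # fixed in 9.0.10
    ("8.5.5", "8.5.31"),     # fixed in 8.5.32
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def version_key(version: str) -> tuple:
    """Turn '9.0.0.M9', '8.5.31' or 'Apache Tomcat/9.0.7' into a sortable tuple.

    Key layout: (major, minor, patch, is_final, milestone). A milestone release
    gets is_final=0 so that 9.0.0.M27 < 9.0.1; a final release gets is_final=1.
    """
    version = version.strip()
    if "/" in version:                       # banner form, e.g. 'Apache Tomcat/9.0.7'
        version = version.rsplit("/", 1)[1]
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the upstream version lies inside one of the advisory's affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def triage(versions):
    """Map each banner/version to True (affected), False (not) or None (unparsable)."""
    out = {}
    for v in versions:
        try:
            out[v] = is_affected(v)
        except ValueError:
            out[v] = None
    return out


if __name__ == "__main__":
    # Constructed sample inventory for the demo; not data taken from the page.
    sample = ["Apache Tomcat/9.0.0.M9", "9.0.0.M8", "9.0.9", "9.0.10",
              "8.5.5", "8.5.31", "8.5.32", "8.0.53", "7.0.90", "unknown"]
    for v, hit in triage(sample).items():
        label = "AFFECTED" if hit else ("not affected" if hit is False else "unparsed")
        print(f"{v:26} {label}")
```

This is only a first pass against the upstream version string. Vendor builds backport the fix without bumping the upstream version: the RHSA listed further down this page ships jws5-tomcat 9.0.7-12.redhat_12.1 as the fixed build, which this check would still flag. For distribution packages, compare the package NVR against the vendor advisory (the OVAL tests below do exactly that) rather than trusting the banner.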

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Leveraging Race Conditions
    This attack targets a race condition occurring when multiple processes access and manipulate the same resource concurrently and the outcome of the execution depends on the particular order in which the access takes place. The attacker can leverage a race condition by "running the race", modifying the resource and modifying the normal execution flow. For instance a race condition can occur while accessing a file, the attacker can trick the system by replacing the original file with his version and cause the system to read the malicious file.
  • Leveraging Time-of-Check and Time-of-Use (TOCTOU) Race Conditions
    This attack targets a race condition occurring between the time of check (state) for a resource and the time of use of a resource. The typical example is the file access. The attacker can leverage a file access race condition by "running the race", meaning that he would modify the resource between the first time the target program accesses the file and the time the target program uses the file. During that period of time, the attacker could do something such as replace the file and cause an escalation of privilege.
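The race described in the summary, and the check-then-act pattern the two CAPEC entries above describe, modelled in a few dozen lines. This is an added example, not Tomcat's connector or AsyncContext code: the connection pool, the state names (IDLE, DISPATCHED, COMPLETING, COMPLETED) and the "alice"/"bob" responses are all assumptions constructed for the demo. Two parties race to finish the same request, the application's complete() and the container's async timeout. With a plain check-then-act both pass the check; the first to finish returns the connection to the pool, the pool hands it to a new user, and the loser then writes the old response to whoever owns the connection now. The hardened version claims the DISPATCHED to COMPLETING transition under a lock, so exactly one party wins and the loser returns without touching the connection. The interleaving is forced with events so the outcome is reproducible rather than timing-dependent.

```python
import threading
from dataclasses import dataclass, field


@dataclass(eq=False)
class Connection:
    """A pooled connection: whatever is written to it reaches its *current* owner."""
    cid: int
    user: str = ""
    response: bytes = b""
    state: str = "IDLE"          # IDLE -> DISPATCHED -> (COMPLETING) -> COMPLETED -> IDLE (assumed names)
    lock: threading.Lock = field(default_factory=threading.Lock)


class Pool:
    def __init__(self, size: int):
        self.free = [Connection(i) for i in range(size)]
        self.lock = threading.Lock()

    def acquire(self, user: str, response: bytes) -> Connection:
        with self.lock:
            conn = self.free.pop()
        conn.user, conn.response, conn.state = user, response, "DISPATCHED"
        return conn

    def release(self, conn: Connection) -> None:
        with self.lock:
            conn.state = "IDLE"
            self.free.append(conn)


def finish_naive(conn, pool, delivered, race_window):
    """Vulnerable pattern: check, then act. Both complete() and timeout can pass the check."""
    if conn.state != "DISPATCHED":
        return False
    payload = conn.response          # the response bytes are already buffered for this request
    race_window()                    # the other party runs in between check and act
    conn.state = "COMPLETED"
    delivered.append((conn.user, payload))   # written to whoever owns the connection *now*
    pool.release(conn)
    return True


def finish_safe(conn, pool, delivered, race_window):
    """Hardened pattern: claim the state transition atomically; only one party may finish."""
    with conn.lock:
        if conn.state != "DISPATCHED":
            return False
        conn.state = "COMPLETING"
        user, payload = conn.user, conn.response   # snapshot the owner while holding the claim
    race_window()
    delivered.append((user, payload))
    pool.release(conn)
    return True


def run_scenario(finish):
    """Force one interleaving: app checks, timer checks, app finishes and releases,
    the pool re-issues the connection to bob, then the timer finishes."""
    pool = Pool(1)
    alice_resp = b"HTTP/1.1 200 OK\r\n\r\nalice's private data"   # constructed sample response
    conn = pool.acquire("alice", alice_resp)
    delivered, results = [], {}
    app_at_window, timer_checked, reissued = threading.Event(), threading.Event(), threading.Event()

    def app_window():                # app: let the timer run its check before acting
        app_at_window.set()
        timer_checked.wait()

    def timer_window():              # timer: act only after the connection was re-issued
        timer_checked.set()
        reissued.wait()

    def app():
        results["app"] = finish(conn, pool, delivered, app_window)

    def timer():
        app_at_window.wait()         # timer always checks after the app has checked
        results["timer"] = finish(conn, pool, delivered, timer_window)
        timer_checked.set()          # also unblocks the app when the timer lost the claim

    t_app, t_timer = threading.Thread(target=app), threading.Thread(target=timer)
    t_app.start(); t_timer.start(); t_app.join()
    pool.acquire("bob", b"HTTP/1.1 200 OK\r\n\r\nbob's page")   # pool hands the same connection to bob
    reissued.set(); t_timer.join()

    leaked = [(u, r) for u, r in delivered if u != "alice" and r == alice_resp]
    return {"delivered": delivered, "leaked": leaked, "results": results,
            "live_conn_in_pool": conn in pool.free}   # bob's live connection returned to the pool?


if __name__ == "__main__":
    for name, fn in (("naive", finish_naive), ("safe", finish_safe)):
        r = run_scenario(fn)
        print(f"{name:5} delivered={r['delivered']} leaked={bool(r['leaked'])} "
              f"live_conn_in_pool={r['live_conn_in_pool']} results={r['results']}")
```

The naive run shows both failure modes from the summary: bob receives alice's buffered response, and the second release puts bob's still-live connection back into the free list, the "did not correctly track the closure of the connection" half of the issue. The safe run delivers alice's response once, the timer returns False, and the pool never sees a live connection. The practitioner's takeaway is that the owner of a response must be fixed at the moment the transition is claimed, not re-read at the moment the bytes are written.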

Nessus

  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2019-1529.NASL
    descriptionAn update for the pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for the pki-core module by Red Hat Certificate System. Security Fix(es) : * tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up (CVE-2018-8037) * tomcat: Insecure defaults in CORS filter enable
    last seen2020-05-23
    modified2019-06-19
    plugin id126030
    published2019-06-19
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126030
    titleRHEL 8 : pki-deps:10.6 (RHSA-2019:1529)
  • NASL familyWeb Servers
    NASL idTOMCAT_8_5_32.NASL
    descriptionThe version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.32. It is, therefore, affected by multiple vulnerabilities.
    last seen2020-03-18
    modified2018-07-13
    plugin id111068
    published2018-07-13
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111068
    titleApache Tomcat 8.5.0 < 8.5.32 Multiple Vulnerabilities
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1129.NASL
    descriptionThis update for tomcat to version 9.0.10 fixes the following issues : Security issues fixed : - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters could have lead to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). Bug fixes : - Avoid overwriting of customer
    last seen2020-06-05
    modified2018-10-09
    plugin id117983
    published2018-10-09
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117983
    titleopenSUSE Security Update : tomcat (openSUSE-2018-1129)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2018-1019.NASL
    descriptionThis update for tomcat to 8.0.53 fixes the following issues : Security issue fixed : - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters could have lead to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). Bug fixes : - bsc#1067720: Avoid overwriting of customer
    last seen2020-06-05
    modified2018-09-17
    plugin id117526
    published2018-09-17
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117526
    titleopenSUSE Security Update : tomcat (openSUSE-2018-1019)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2019-1529.NASL
    descriptionFrom Red Hat Security Advisory 2019:1529 : An update for the pki-deps:10.6 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. The Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for the pki-core module by Red Hat Certificate System. Security Fix(es) : * tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up (CVE-2018-8037) * tomcat: Insecure defaults in CORS filter enable
    last seen2020-06-01
    modified2020-06-02
    plugin id127594
    published2019-08-12
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127594
    titleOracle Linux 8 : pki-deps:10.6 (ELSA-2019-1529)
  • NASL familyWeb Servers
    NASL idTOMCAT_9_0_9.NASL
    descriptionThe version of Apache Tomcat installed on the remote host is 9.0.x prior to 9.0.10. It is, therefore, affected by multiple vulnerabilities. A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.9 due to insecure default settings for the CORS filter (CVE-2018-8014). A security misconfiguration vulnerability exists in Apache Tomcat prior to version 9.0.10. Hostname validation was not enabled by default when using TLS with the WebSocket client (CVE-2018-8034). An information disclosure vulnerability exists in Apache Tomcat prior to version 9.0.10 due to a race condition. If an async request was completed by the application at the same time as the container triggered the async timeout, this could lead to a user being sent the response of another user (CVE-2018-8037).
    last seen2020-03-18
    modified2018-07-24
    plugin id111069
    published2018-07-24
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111069
    titleApache Tomcat 9.0.0 < 9.0.10 Multiple Vulnerabilites
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-2868.NASL
    descriptionAn update is now available for Red Hat JBoss Web Server 5.0 for RHEL 6 and Red Hat JBoss Web Server 5.0 for RHEL 7. Red Hat Product Security has rated this release as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster), the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library. This release of Red Hat JBoss Web Server 5.0 Service Pack 1 serves as a replacement for Red Hat JBoss Web Server 5.0, and includes bug fixes, which are documented in the Release Notes document linked to in the References. Security Fix(es) : * tomcat: Information Disclosure (CVE-2018-8037) For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id117912
    published2018-10-04
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117912
    titleRHEL 6 / 7 : Red Hat JBoss Web Server 5.0 Service Pack 1 (RHSA-2018:2868)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-770.NASL
    descriptionThis update for tomcat to version 9.0.10 fixes the following issues : Security issues fixed : - CVE-2018-1336: An improper handing of overflow in the UTF-8 decoder with supplementary characters could have lead to an infinite loop in the decoder causing a Denial of Service (bsc#1102400). - CVE-2018-8014: Fix insecure default CORS filter settings (bsc#1093697). - CVE-2018-8034: The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default (bsc#1102379). - CVE-2018-8037: If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could have resulted in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also have resulted in a user seeing a response intended for another user (bsc#1102410). Bug fixes : - Avoid overwriting of customer
    last seen2020-06-01
    modified2020-06-02
    plugin id123330
    published2019-03-27
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123330
    titleopenSUSE Security Update : tomcat (openSUSE-2019-770)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4281.NASL
    descriptionSeveral issues were discovered in the Tomcat servlet and JSP engine. They could lead to unauthorized access to protected resources, denial-of-service, or information leak.
    last seen2020-06-01
    modified2020-06-02
    plugin id112185
    published2018-08-30
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/112185
    titleDebian DSA-4281-1 : tomcat8 - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2018-B1832101B8.NASL
    descriptionThis update includes a rebase from 8.5.30 up to 8.5.32 which resolves two CVEs along with various other bugs/features : - rhbz#1579612 CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable
    last seen2020-06-05
    modified2019-01-03
    plugin id120717
    published2019-01-03
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/120717
    titleFedora 28 : 1:tomcat (2018-b1832101b8)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-1056.NASL
    descriptionThe defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable
    last seen2020-06-01
    modified2020-06-02
    plugin id111611
    published2018-08-10
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/111611
    titleAmazon Linux AMI : tomcat8 (ALAS-2018-1056)

Redhat

advisories
  • bugzilla
    id1636512
    titleCVE-2018-11784 tomcat: Open redirect in default servlet
    oval
    OR
    • commentRed Hat Enterprise Linux must be installed
      ovaloval:com.redhat.rhba:tst:20070304026
    • AND
      • commentRed Hat Enterprise Linux 8 is installed
        ovaloval:com.redhat.rhba:tst:20193384074
      • commentModule pki-deps:10.6 is enabled
        ovaloval:com.redhat.rhsa:tst:20191529069
      • OR
        • AND
          • commentpython3-nss is earlier than 0:1.0.1-10.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529001
          • commentpython3-nss is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529002
        • AND
          • commentpython-nss-doc is earlier than 0:1.0.1-10.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529003
          • commentpython-nss-doc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529004
        • AND
          • commentpython-nss-debugsource is earlier than 0:1.0.1-10.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529005
          • commentpython-nss-debugsource is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529006
        • AND
          • commentxsom is earlier than 0:0-19.20110809svn.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529007
          • commentxsom is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529008
        • AND
          • commentxmlstreambuffer is earlier than 0:1.5.4-8.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529009
          • commentxmlstreambuffer is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529010
        • AND
          • commentxml-commons-resolver is earlier than 0:1.2-26.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529011
          • commentxml-commons-resolver is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529012
        • AND
          • commentxml-commons-apis is earlier than 0:1.4.01-25.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529013
          • commentxml-commons-apis is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529014
        • AND
          • commentxerces-j2 is earlier than 0:2.11.0-34.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529015
          • commentxerces-j2 is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20110858006
        • AND
          • commentxalan-j2 is earlier than 0:2.7.1-38.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529017
          • commentxalan-j2 is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20140348013
        • AND
          • commentvelocity is earlier than 0:1.7-24.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529019
          • commentvelocity is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529020
        • AND
          • commentstax-ex is earlier than 0:1.7.7-8.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529021
          • commentstax-ex is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529022
        • AND
          • commentslf4j-jdk14 is earlier than 0:1.7.25-4.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529023
          • commentslf4j-jdk14 is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529024
        • AND
          • commentslf4j is earlier than 0:1.7.25-4.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529025
          • commentslf4j is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20180592002
        • AND
          • commentresteasy is earlier than 0:3.0.26-3.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529027
          • commentresteasy is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529028
        • AND
          • commentrelaxngDatatype is earlier than 0:2011.1-7.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529029
          • commentrelaxngDatatype is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529030
        • AND
          • commentpki-servlet-container is earlier than 1:9.0.7-14.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529031
          • commentpki-servlet-container is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529032
        • AND
          • commentpki-servlet-4.0-api is earlier than 1:9.0.7-14.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529033
          • commentpki-servlet-4.0-api is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529034
        • AND
          • commentjavassist-javadoc is earlier than 0:3.18.1-8.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529035
          • commentjavassist-javadoc is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529036
        • AND
          • commentjavassist is earlier than 0:3.18.1-8.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529037
          • commentjavassist is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529038
        • AND
          • commentjakarta-commons-httpclient is earlier than 1:3.1-28.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529039
          • commentjakarta-commons-httpclient is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20130270017
        • AND
          • commentjackson-module-jaxb-annotations is earlier than 0:2.7.6-4.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529041
          • commentjackson-module-jaxb-annotations is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529042
        • AND
          • commentjackson-jaxrs-providers is earlier than 0:2.9.8-1.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529043
          • commentjackson-jaxrs-providers is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529044
        • AND
          • commentjackson-jaxrs-json-provider is earlier than 0:2.9.8-1.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529045
          • commentjackson-jaxrs-json-provider is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529046
        • AND
          • commentjackson-databind is earlier than 0:2.9.8-1.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529047
          • commentjackson-databind is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529048
        • AND
          • commentjackson-core is earlier than 0:2.9.8-1.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529049
          • commentjackson-core is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529050
        • AND
          • commentjackson-annotations is earlier than 0:2.9.8-1.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529051
          • commentjackson-annotations is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529052
        • AND
          • commentglassfish-jaxb-txw2 is earlier than 0:2.2.11-11.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529053
          • commentglassfish-jaxb-txw2 is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529054
        • AND
          • commentglassfish-jaxb-runtime is earlier than 0:2.2.11-11.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529055
          • commentglassfish-jaxb-runtime is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529056
        • AND
          • commentglassfish-jaxb-core is earlier than 0:2.2.11-11.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529057
          • commentglassfish-jaxb-core is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529058
        • AND
          • commentglassfish-jaxb-api is earlier than 0:2.2.12-8.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529059
          • commentglassfish-jaxb-api is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529060
        • AND
          • commentglassfish-fastinfoset is earlier than 0:1.2.13-9.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529061
          • commentglassfish-fastinfoset is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529062
        • AND
          • commentbea-stax-api is earlier than 0:1.2.0-16.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529063
          • commentbea-stax-api is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529064
        • AND
          • commentapache-commons-lang is earlier than 0:2.6-21.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529065
          • commentapache-commons-lang is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20191529066
        • AND
          • commentapache-commons-collections is earlier than 0:3.2.2-10.module+el8.0.0+3248+9d514f3b
            ovaloval:com.redhat.rhsa:tst:20191529067
          • commentapache-commons-collections is signed with Red Hat redhatrelease2 key
            ovaloval:com.redhat.rhsa:tst:20152522006
    rhsa
    idRHSA-2019:1529
    released2019-06-18
    severityImportant
    titleRHSA-2019:1529: pki-deps:10.6 security update (Important)
  • rhsa
    idRHSA-2018:2867
  • rhsa
    idRHSA-2018:2868
rpms
  • jws5-tomcat-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-admin-webapps-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-admin-webapps-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-docs-webapp-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-docs-webapp-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-el-3.0-api-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-el-3.0-api-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-javadoc-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-javadoc-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-jsp-2.3-api-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-jsvc-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-jsvc-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-lib-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-lib-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-selinux-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-selinux-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-servlet-4.0-api-0:9.0.7-12.redhat_12.1.el7jws
  • jws5-tomcat-webapps-0:9.0.7-12.redhat_12.1.el6jws
  • jws5-tomcat-webapps-0:9.0.7-12.redhat_12.1.el7jws
  • apache-commons-collections-0:3.2.2-10.module+el8.0.0+3248+9d514f3b
  • apache-commons-lang-0:2.6-21.module+el8.0.0+3248+9d514f3b
  • bea-stax-api-0:1.2.0-16.module+el8.0.0+3248+9d514f3b
  • glassfish-fastinfoset-0:1.2.13-9.module+el8.0.0+3248+9d514f3b
  • glassfish-jaxb-api-0:2.2.12-8.module+el8.0.0+3248+9d514f3b
  • glassfish-jaxb-core-0:2.2.11-11.module+el8.0.0+3248+9d514f3b
  • glassfish-jaxb-runtime-0:2.2.11-11.module+el8.0.0+3248+9d514f3b
  • glassfish-jaxb-txw2-0:2.2.11-11.module+el8.0.0+3248+9d514f3b
  • jackson-annotations-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
  • jackson-core-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
  • jackson-databind-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
  • jackson-jaxrs-json-provider-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
  • jackson-jaxrs-providers-0:2.9.8-1.module+el8.0.0+3248+9d514f3b
  • jackson-module-jaxb-annotations-0:2.7.6-4.module+el8.0.0+3248+9d514f3b
  • jakarta-commons-httpclient-1:3.1-28.module+el8.0.0+3248+9d514f3b
  • javassist-0:3.18.1-8.module+el8.0.0+3248+9d514f3b
  • javassist-javadoc-0:3.18.1-8.module+el8.0.0+3248+9d514f3b
  • pki-servlet-4.0-api-1:9.0.7-14.module+el8.0.0+3248+9d514f3b
  • pki-servlet-container-1:9.0.7-14.module+el8.0.0+3248+9d514f3b
  • python-nss-debugsource-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
  • python-nss-doc-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
  • python3-nss-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
  • python3-nss-debuginfo-0:1.0.1-10.module+el8.0.0+3248+9d514f3b
  • relaxngDatatype-0:2011.1-7.module+el8.0.0+3248+9d514f3b
  • resteasy-0:3.0.26-3.module+el8.0.0+3248+9d514f3b
  • slf4j-0:1.7.25-4.module+el8.0.0+3248+9d514f3b
  • slf4j-jdk14-0:1.7.25-4.module+el8.0.0+3248+9d514f3b
  • stax-ex-0:1.7.7-8.module+el8.0.0+3248+9d514f3b
  • velocity-0:1.7-24.module+el8.0.0+3248+9d514f3b
  • xalan-j2-0:2.7.1-38.module+el8.0.0+3248+9d514f3b
  • xerces-j2-0:2.11.0-34.module+el8.0.0+3248+9d514f3b
  • xml-commons-apis-0:1.4.01-25.module+el8.0.0+3248+9d514f3b
  • xml-commons-resolver-0:1.2-26.module+el8.0.0+3248+9d514f3b
  • xmlstreambuffer-0:1.5.4-8.module+el8.0.0+3248+9d514f3b
  • xsom-0:0-19.20110809svn.module+el8.0.0+3248+9d514f3b

The Hacker News

idTHN:D761F7EF41472ED13C52BD3AF1E1F9BA
last seen2018-07-24
modified2018-07-24
published2018-07-24
reporterThe Hacker News
sourcehttps://thehackernews.com/2018/07/apache-tomcat-server.html
titleApache Tomcat Patches Important Security Vulnerabilities

References