CVE-2018-1336

Impact:
Important
Public Date:
2018-07-22
Bugzilla:
1607591: CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS

The MITRE CVE dictionary describes this issue as:

An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Find out more about CVE-2018-1336 from the MITRE CVE dictionary and NIST NVD.

Statement

Fuse 6.3 and 7 standalone distributions ship but do not use tomcat, and as such are not affected by this flaw; however, Fuse Integration Services 2.0 and Fuse 7 on OpenShift provide the affected artifacts via their respective maven repositories, and will provide fixes for this issue in a future release.

CVSS v3 metrics

| Metric | Value |
|---|---|
| CVSS3 Base Score | 7.5 |
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality Impact | None |
| Integrity Impact | None |
| Availability Impact | High |

Red Hat Security Errata

| Platform | Errata | Release Date |
|---|---|---|
| Red Hat JBoss Web Server 5.0 on RHEL 7 | RHEA-2018:2188 | 2018-07-12 |
| Red Hat JBoss Web Server 5.0 on RHEL 6 | RHEA-2018:2189 | 2018-07-12 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 5 Server (jbossweb) | RHSA-2018:2742 | 2018-09-24 |
| Red Hat JBoss Enterprise Application Platform 6.3 for RHEL 7 Server (jbossweb) | RHSA-2018:2741 | 2018-09-24 |
| Red Hat JBoss Web Server 3.1 for RHEL 7 | RHSA-2018:2701 | 2018-09-12 |
| Red Hat JBoss Enterprise Application Platform 6 for RHEL 6 Server (jbossweb) | RHSA-2018:2743 | 2018-09-24 |
| Red Hat JBoss Web Server 3.1 for RHEL 6 | RHSA-2018:2701 | 2018-09-12 |
| Red Hat JBoss Enterprise Application Platform 6.4 | RHSA-2018:2740 | 2018-09-24 |
| Red Hat JBoss Web Server 3.1 | RHSA-2018:2700 | 2018-09-12 |

Affected Packages State

| Platform | Package | State |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-java-common-tomcat | Not affected |
| Red Hat OpenShift Application Runtimes 1.0 | springboot | Under investigation |
| Red Hat JBoss Web Server 3 | tomcat7 | Affected |
| Red Hat JBoss Web Server 3 | tomcat8 | Affected |
| Red Hat JBoss Operations Network 3 | jbossweb | Under investigation |
| Red Hat JBoss Fuse Service Works 6 | jbossweb | Under investigation |
| Red Hat JBoss Fuse 7 | tomcat | Under investigation |
| Red Hat JBoss Fuse 6 | jbossweb | Under investigation |
| Red Hat JBoss Enterprise SOA Platform 5 | jbossweb | Under investigation |
| Red Hat JBoss EWS 2 | tomcat7 | Will not fix |
| Red Hat JBoss EWS 2 | tomcat6 | Not affected |
| Red Hat JBoss EAP 6 | jbossweb | Affected |
| Red Hat JBoss EAP 5 | jbossweb | Not affected |
| Red Hat JBoss Data Virtualization 6 | jbossweb | Under investigation |
| Red Hat JBoss Data Grid 7 | tomcat | Under investigation |
| Red Hat JBoss Data Grid 6 | jbossweb | Under investigation |
| Red Hat JBoss BRMS 6 | tomcat | Under investigation |
| Red Hat JBoss BRMS 5 | jbossweb | Under investigation |
| Red Hat JBoss BPMS 6 | tomcat | Under investigation |
| Red Hat Enterprise Linux 7 | tomcat | Affected |
| Red Hat Enterprise Linux 6 | tomcat6 | Not affected |

Last Modified

CVE description copyright © 2017, The MITRE Corporation