CVE-2018-8037

Impact:
Important
Public Date:
2018-07-22
Bugzilla:
1607582: CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up

The MITRE CVE dictionary describes this issue as:

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

Find out more about CVE-2018-8037 from the MITRE CVE dictionary and NIST NVD.
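The affected ranges above (9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31) are the check a practitioner actually needs: is a given Tomcat build inside them? The script below is an added example written for this page; it is not Red Hat's or the Tomcat project's code. It assumes upstream Tomcat version strings of the form x.y.z or x.y.z.Mn, orders milestone builds (9.0.0.Mn) before the final releases of the same line, and uses a constructed host inventory as sample input. It only encodes the upstream ranges from the description; for vendor-built packages the Affected Packages State table below is authoritative, since a distribution may ship a different version line or a backported fix.

```python
import re
from typing import Dict, List, Tuple

# Inclusive affected ranges exactly as given in the CVE description.
AFFECTED_RANGES = [
    ("9.0.0.M9", "9.0.9"),
    ("8.5.5", "8.5.31"),
]

# Upstream Tomcat version syntax: "8.5.31" or milestone "9.0.0.M9".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def version_key(version: str) -> Tuple[int, int, int, int, int]:
    """Map a Tomcat version string to a sortable tuple.

    Key layout is (major, minor, patch, is_final, milestone). A milestone
    build such as 9.0.0.M9 gets is_final=0, so every 9.0.0.Mn sorts before
    9.0.1 and the milestone numbers order among themselves (assumption
    about upstream numbering, not stated on the advisory page).
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(version: str) -> bool:
    """True if the version falls inside any affected range (bounds inclusive)."""
    key = version_key(version)
    return any(
        version_key(low) <= key <= version_key(high)
        for low, high in AFFECTED_RANGES
    )


# Constructed sample inventory (hostname -> reported Tomcat version); these
# are made-up hosts, not data from the advisory.
SAMPLE_INVENTORY: Dict[str, str] = {
    "web-01": "8.5.31",     # last affected 8.5.x release
    "web-02": "8.5.32",     # first fixed 8.5.x release
    "api-01": "9.0.0.M8",   # milestone just before the affected range
    "api-02": "9.0.0.M9",   # first affected milestone
    "api-03": "9.0.10",     # first fixed 9.0.x release
    "legacy-01": "8.0.53",  # 8.0.x line, outside both ranges
}


def affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Return the sorted hostnames whose Tomcat version is in an affected range."""
    return sorted(host for host, ver in inventory.items() if is_affected(ver))


if __name__ == "__main__":
    for host, ver in SAMPLE_INVENTORY.items():
        state = "AFFECTED" if is_affected(ver) else "not affected"
        print(f"{host:10} {ver:10} {state}")
```

Feed `affected_hosts` the version strings collected from each server (for example the "Server version" line that Tomcat's version script prints) to get the list of hosts that need the 8.5.32 or 9.0.10 update.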

CVSS v3 metrics

CVSS3 Base Score 9.1
CVSS3 Base Metrics CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity Impact High
Availability Impact None

Red Hat Security Errata

Platform Errata Release Date
Red Hat JBoss Web Server 5.0 on RHEL 7 (jws5-tomcat) RHSA-2018:2868 2018-10-03
Red Hat JBoss Web Server 5.0 on RHEL 6 (jws5-tomcat) RHSA-2018:2868 2018-10-03
Red Hat JBoss Web Server 5.0 RHSA-2018:2867 2018-10-03

Affected Packages State

Platform Package State
Red Hat Software Collections for Red Hat Enterprise Linux rh-java-common-tomcat Not affected
Red Hat OpenShift Application Runtimes 1.0 springboot Affected
Red Hat JBoss Web Server 3 tomcat7 Not affected
Red Hat JBoss Web Server 3 tomcat8 Not affected
Red Hat JBoss Operations Network 3 jbossweb Not affected
Red Hat JBoss Fuse Service Works 6 jbossweb Not affected
Red Hat JBoss Fuse 7 tomcat Not affected
Red Hat JBoss Fuse 6 tomcat Not affected
Red Hat JBoss Enterprise SOA Platform 5 jbossweb Not affected
Red Hat JBoss EWS 2 tomcat7 Not affected
Red Hat JBoss EWS 2 tomcat6 Not affected
Red Hat JBoss EAP 6 jbossweb Not affected
Red Hat JBoss EAP 5 jbossweb Not affected
Red Hat JBoss Data Virtualization 6 jbossweb Not affected
Red Hat JBoss Data Grid 7 tomcat Not affected
Red Hat JBoss Data Grid 6 jbossweb Not affected
Red Hat JBoss BRMS 6 tomcat Not affected
Red Hat JBoss BRMS 5 jbossweb Not affected
Red Hat JBoss BPMS 6 tomcat Not affected
Red Hat Enterprise Linux 7 tomcat Not affected
Red Hat Enterprise Linux 6 tomcat6 Not affected

Last Modified

CVE description copyright © 2017, The MITRE Corporation
