CVE-2018-8037

Impact: Important
Public Date: 2018-07-22
Bugzilla: 1607582 - CVE-2018-8037 tomcat: Due to a mishandling of close in NIO/NIO2 connectors, user sessions can get mixed up

The MITRE CVE dictionary describes this issue as:

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

Find out more about CVE-2018-8037 from the MITRE CVE dictionary and NIST NVD.

CVSS v3 metrics

NOTE: The following CVSS v3 metrics and score are preliminary and subject to review.

CVSS3 Base Score:     9.1
CVSS3 Base Metrics:   CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector:        Network
Attack Complexity:    Low
Privileges Required:  None
User Interaction:     None
Scope:                Unchanged
Confidentiality Impact: High
Integrity Impact:     High
Availability Impact:  None

Affected Packages State

Platform                                                      Package                State
Red Hat Software Collections for Red Hat Enterprise Linux    rh-java-common-tomcat  Not affected
Red Hat OpenShift Application Runtimes 1.0                    springboot             Affected
Red Hat JBoss Web Server 3                                    tomcat7                Affected
Red Hat JBoss Web Server 3                                    tomcat8                Affected
Red Hat JBoss Operations Network 3                            jbossweb               Affected
Red Hat JBoss Fuse Service Works 6                            jbossweb               Affected
Red Hat JBoss Fuse 7                                          tomcat                 Not affected
Red Hat JBoss Fuse 6                                          tomcat                 Not affected
Red Hat JBoss Enterprise SOA Platform 5                       jbossweb               Not affected
Red Hat JBoss EWS 5                                           tomcat                 Affected
Red Hat JBoss EWS 2                                           tomcat7                Will not fix
Red Hat JBoss EWS 2                                           tomcat6                Not affected
Red Hat JBoss EAP 6                                           jbossweb               Not affected
Red Hat JBoss EAP 5                                           jbossweb               Not affected
Red Hat JBoss Data Virtualization 6                           jbossweb               Affected
Red Hat JBoss Data Grid 7                                     tomcat                 Not affected
Red Hat JBoss Data Grid 6                                     jbossweb               Not affected
Red Hat JBoss BRMS 6                                          tomcat                 Not affected
Red Hat JBoss BRMS 5                                          jbossweb               Not affected
Red Hat JBoss BPMS 6                                          tomcat                 Not affected
Red Hat Enterprise Linux 7                                    tomcat                 Affected
Red Hat Enterprise Linux 6                                    tomcat6                Not affected

CVE description copyright © 2017, The MITRE Corporation