If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

An update of the apache package has been released.

The version of Tomcat installed on the remote host is prior to 9.0.10. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_9.0.10_security-9 advisory.

  - The host name verification when using TLS with the WebSocket client was missing. It is now enabled by     default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and     7.0.35 to 7.0.88. (CVE-2018-8034)

  - If an async request was completed by the application at the same time as the container triggered the async     timeout, a race condition existed that could result in a user seeing a response intended for a different     user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the     closure of the connection when an async request was completed by the application and timed out by the     container at the same time. This could also result in a user seeing a response intended for another user.
    Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31. (CVE-2018-8037)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2019:1529 advisory.

  - tomcat: Open redirect in default servlet (CVE-2018-11784)

  - tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)

  - tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)

  - tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up     (CVE-2018-8037)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2019-1529 advisory.

    - Resolves: rhbz#1658846 CVE-2018-8034 pki-servlet-container: tomcat: host name verification missing in     WebSocket client
    - Resolves: rhbz#1579614 CVE-2018-8014 pki-servlet-container: tomcat: Insecure defaults in CORS filter     enable 'supportsCredentials' for all origins
    - Resolves: rhbz#1619232 - CVE-2018-8037 pki-servlet-container: tomcat: Due to a mishandling of close in     NIO/NIO2 connectors user sessions can get mixed up
    - Resolves: rhbz#1641874 - CVE-2018-11784 pki-servlet-container: tomcat: Open redirect in default servlet

    velocity

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2019:1529 advisory.

    The Public Key Infrastructure (PKI) Deps module contains fundamental packages required as dependencies for     the pki-core module by Red Hat Certificate System.

    Security Fix(es):

    * tomcat: Due to a mishandling of close in NIO/NIO2 connectors user sessions can get mixed up     (CVE-2018-8037)

    * tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins (CVE-2018-8014)

    * tomcat: Open redirect in default servlet (CVE-2018-11784)

    * tomcat: Host name verification missing in WebSocket client (CVE-2018-8034)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for tomcat to version 9.0.10 fixes the following issues :

Security issues fixed :

  - CVE-2018-1336: An improper handing of overflow in the     UTF-8 decoder with supplementary characters could have     lead to an infinite loop in the decoder causing a Denial     of Service (bsc#1102400).

  - CVE-2018-8014: Fix insecure default CORS filter settings     (bsc#1093697).

  - CVE-2018-8034: The host name verification when using TLS     with the WebSocket client was missing. It is now enabled     by default (bsc#1102379).

  - CVE-2018-8037: If an async request was completed by the     application at the same time as the container triggered     the async timeout, a race condition existed that could     have resulted in a user seeing a response intended for a     different user. An additional issue was present in the     NIO and NIO2 connectors that did not correctly track the     closure of the connection when an async request was     completed by the application and timed out by the     container at the same time. This could also have     resulted in a user seeing a response intended for     another user (bsc#1102410).

Bug fixes :

  - Avoid overwriting of customer's configuration during     update (bsc#1067720)

  - Disable adding OSGi metadata to JAR files

  - See changelog at     http://tomcat.apache.org/tomcat-9.0-doc/changelog.html#T     omcat_9.0.10_(markt)

This update was imported from the SUSE:SLE-15:Update update project.

This update includes a rebase from 8.5.30 up to 8.5.32 which resolves two CVEs along with various other bugs/features :

  - rhbz#1579612 CVE-2018-8014 tomcat: Insecure defaults in     CORS filter enable 'supportsCredentials' for all origins

  - rhbz#1607586 CVE-2018-8034 tomcat: host name     verification missing in WebSocket client

  - rhbz#1607584 CVE-2018-8037 tomcat: Due to a mishandling     of close in NIO/NIO2 connectors user sessions can get     mixed up

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of Apache Tomcat installed on the remote host is 8.5.x prior to 8.5.32. It is, therefore, affected by multiple vulnerabilities :

 - A flaw exists in WebSocket client because host name verification is missing

 - A flaw exists in NIO/NIO2 connectors due to a mishandling of close that can lead to reuse of user sessions

 - A flaw exists in CORS filter due to insecure defaults

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Apache Tomcat installed on the remote host is 9.0.x prior to 9.0.10. It is, therefore, affected by multiple vulnerabilities :

 - A flaw exists in WebSocket client because host name verification is missing

 - A flaw exists in NIO/NIO2 connectors due to a mishandling of close that can lead to reuse of user sessions

 - A flaw exists in CORS filter due to insecure defaults

Note that the scanner has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2018:2868 advisory.

    Red Hat JBoss Web Server is a fully integrated and certified set of components for hosting Java web     applications. It is comprised of the Apache Tomcat Servlet container, JBoss HTTP Connector (mod_cluster),     the PicketLink Vault extension for Apache Tomcat, and the Tomcat Native library.

    This release of Red Hat JBoss Web Server 5.0 Service Pack 1 serves as a replacement for Red Hat JBoss Web     Server 5.0, and includes bug fixes, which are documented in the Release Notes document linked to in the     References.

    Security Fix(es):

    * tomcat: Information Disclosure (CVE-2018-8037)

    For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and     other related information, refer to the CVE page(s) listed in the References section.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

This update for tomcat to 8.0.53 fixes the following issues :

Security issue fixed :

  - CVE-2018-1336: An improper handing of overflow in the     UTF-8 decoder with supplementary characters could have     lead to an infinite loop in the decoder causing a Denial     of Service (bsc#1102400).

  - CVE-2018-8034: The host name verification when using TLS     with the WebSocket client was missing. It is now enabled     by default (bsc#1102379).

  - CVE-2018-8037: If an async request was completed by the     application at the same time as the container triggered     the async timeout, a race condition existed that could     have resulted in a user seeing a response intended for a     different user. An additional issue was present in the     NIO and NIO2 connectors that did not correctly track the     closure of the connection when an async request was     completed by the application and timed out by the     container at the same time. This could also have     resulted in a user seeing a response intended for     another user (bsc#1102410).

  - CVE-2018-8014: Fix insecure default CORS filter settings     (bsc#1093697).

Bug fixes :

  - bsc#1067720: Avoid overwriting of customer's     configuration during update.

  - bsc#1095472: Add Obsoletes for tomcat6 packages.

This update was imported from the SUSE:SLE-12-SP2:Update update project.

Several issues were discovered in the Tomcat servlet and JSP engine.
They could lead to unauthorized access to protected resources, denial-of-service, or information leak.

The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.(CVE-2018-8014)

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 8.5.0 to 8.5.30. (CVE-2018-1336)

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 8.5.0 to 8.5.31.(CVE-2018-8034)

A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection. Versions Affected: Apache Tomcat 8.5.5 to 8.5.31.(CVE-2018-8037)

The version of Tomcat installed on the remote host is prior to 8.5.32. It is, therefore, affected by multiple vulnerabilities as referenced in the fixed_in_apache_tomcat_8.5.32_security-8 advisory.

  - If an async request was completed by the application at the same time as the container triggered the async     timeout, a race condition existed that could result in a user seeing a response intended for a different     user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the     closure of the connection when an async request was completed by the application and timed out by the     container at the same time. This could also result in a user seeing a response intended for another user.
    Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31. (CVE-2018-8037)

  - The host name verification when using TLS with the WebSocket client was missing. It is now enabled by     default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and     7.0.35 to 7.0.88. (CVE-2018-8034)

  - The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31,     8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is     expected that users of the CORS filter will have configured it appropriately for their environment rather     than using it in the default configuration. Therefore, it is expected that most users will not be impacted     by this issue. (CVE-2018-8014)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
203097	Photon OS 2.0: Apache PHSA-2018-2.0-0116	Nessus	PhotonOS Local Security Checks	high
176310	Apache Tomcat 9.0.0.M1 < 9.0.10 multiple vulnerabilities	Nessus	Web Servers	high
145683	CentOS 8 : pki-deps:10.6 (CESA-2019:1529)	Nessus	CentOS Local Security Checks	critical
127594	Oracle Linux 8 : pki-deps:10.6 (ELSA-2019-1529)	Nessus	Oracle Linux Local Security Checks	critical
126030	RHEL 8 : pki-deps:10.6 (RHSA-2019:1529)	Nessus	Red Hat Local Security Checks	critical
123330	openSUSE Security Update : tomcat (openSUSE-2019-770)	Nessus	SuSE Local Security Checks	critical
120717	Fedora 28 : 1:tomcat (2018-b1832101b8)	Nessus	Fedora Local Security Checks	critical
112296	Apache Tomcat 8.5.0 < 8.5.32 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
112290	Apache Tomcat 9.0.0.M1 < 9.0.10 Multiple Vulnerabilities	Web App Scanning	Component Vulnerability	critical
117983	openSUSE Security Update : tomcat (openSUSE-2018-1129)	Nessus	SuSE Local Security Checks	critical
117912	RHEL 6 / 7 : Red Hat JBoss Web Server 5.0 Service Pack 1 (RHSA-2018:2868)	Nessus	Red Hat Local Security Checks	medium
117526	openSUSE Security Update : tomcat (openSUSE-2018-1019)	Nessus	SuSE Local Security Checks	critical
112185	Debian DSA-4281-1 : tomcat8 - security update	Nessus	Debian Local Security Checks	high
111611	Amazon Linux AMI : tomcat8 (ALAS-2018-1056)	Nessus	Amazon Linux Local Security Checks	critical
111068	Apache Tomcat 8.5.5 < 8.5.32 multiple vulnerabilities	Nessus	Web Servers	critical

Detections

Analytics

CVE-2018-8037

medium

Tenable Plugins

high

high

critical

critical

critical

critical

critical

critical

critical

critical

medium

critical

high

critical

critical