Apache Tomcat 7.0.x < 7.0.74 / 8.0.x < 8.0.40 / 8.5.x < 8.5.9 / 9.x < 9.0.0.M15 DoS
Medium Nessus Network Monitor Plugin ID 9909
Synopsis
The remote web server is missing an Apache Tomcat patch update.
Description
The version of Apache Tomcat installed on the remote host is 7.0.x prior to 7.0.74, 8.0.x prior to 8.0.40, 8.5.x prior to 8.5.9, or 9.x prior to 9.0.0.M15. It is therefore affected by the following vulnerabilities:
- A flaw exists in the NIO HTTP connector that is triggered when handling send file errors, as a 'Processor' object may be shared among concurrent requests. This may allow a remote attacker to disclose sensitive information, such as session IDs or the response body, belonging to another request. (CVE-2016-8745)
- A flaw exists in the JSP engine that is triggered during the processing of HTTPS requests. This may allow a remote attacker to cause an infinite loop, which may consume excessive resources and lead to a denial of service condition. (CVE-2017-6056)
Solution
Update to Apache Tomcat version 9.0.0.M15 or later. If version 9.x cannot be obtained, versions 8.5.9, 8.0.40, and 7.0.74 have also been patched for these vulnerabilities.
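As an added example (not the plugin's own code), the version-range check this advisory implies, written in Python: it parses Tomcat version strings, including 9.x milestone builds such as 9.0.0.M14, and compares them against the first fixed release of each branch listed above. The version strings in the demo are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Matches "8.5.8" or "9.0.0.M14" (milestone builds of the 9.x branch).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

def parse_version(version: str) -> Tuple[int, int, int, int, int]:
    """Turn a Tomcat version string into a comparable tuple.

    A milestone build sorts before the GA release with the same number,
    so the fourth field is 0 for milestones and 1 for GA releases.
    """
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {version!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))

# First fixed release on each affected branch, as stated in the advisory.
FIXED_VERSIONS = {
    (7, 0): parse_version("7.0.74"),
    (8, 0): parse_version("8.0.40"),
    (8, 5): parse_version("8.5.9"),
    (9,):   parse_version("9.0.0.M15"),
}

def is_affected(version: str) -> Optional[bool]:
    """True if the version falls in an affected range, False if it is at or
    past the fix, None if the branch is not covered by this advisory."""
    v = parse_version(version)
    for branch, fixed in FIXED_VERSIONS.items():
        if v[:len(branch)] == branch:
            return v < fixed
    return None

if __name__ == "__main__":
    # Constructed sample inventory, e.g. from server banners or manifests.
    for host, ver in [("web-1", "8.5.8"), ("web-2", "9.0.0.M14"),
                      ("web-3", "9.0.0.M15"), ("legacy", "6.0.45")]:
        state = {True: "AFFECTED", False: "patched", None: "not covered"}
        print(f"{host}: Tomcat {ver} -> {state[is_affected(ver)]}")
```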