
Apache Tomcat 7.0.x < 7.0.74 / 8.0.x < 8.0.40 / 8.5.x < 8.5.9 / 9.x < 9.0.0.M15 DoS

Medium

Synopsis

The remote web server is missing an Apache Tomcat patch update.

Description

The version of Apache Tomcat installed on the remote host is version 7.0.x prior to 7.0.74, 8.0.x prior to 8.0.40, 8.5.x prior to 8.5.9, or 9.x prior to 9.0.0.M15, and is affected by the following flaws:

- A flaw exists in the NIO HTTP connector. The issue is triggered when handling send file errors, as a 'Processor' object may be shared among concurrent requests. This may allow a remote attacker to potentially disclose sensitive information, such as session IDs or the response body belonging to another request. (CVE-2016-8745)

- A flaw exists in the JSP engine that is triggered during the processing of HTTPS requests. This may allow a remote attacker to cause an infinite loop, which may potentially consume excessive resources, leading to a denial of service condition. (CVE-2017-6056)

Solution

Update to Apache Tomcat version 9.0.0.M15 or later. If version 9.x cannot be obtained, versions 8.5.9, 8.0.40, and 7.0.74 have also been patched for these vulnerabilities.
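The fixed versions above span four branches and one of them is a milestone build (9.0.0.M15), which a naive numeric comparison gets wrong. The following script is an added example, not part of the plugin or of Apache Tomcat: it parses a Tomcat version string (as reported in the `Server` header or on the default error page as `Apache Tomcat/x.y.z`) into a comparable tuple, orders milestone builds before the GA release of the same number, and reports whether the version is older than the fix for its branch. The banner strings at the bottom are constructed sample inputs.

```python
import re

# Fixed versions per affected branch, taken from the advisory text above.
FIXED_VERSIONS = {
    (7, 0): "7.0.74",
    (8, 0): "8.0.40",
    (8, 5): "8.5.9",
    (9, 0): "9.0.0.M15",
}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")
_BANNER_RE = re.compile(r"Apache Tomcat/(\d+\.\d+\.\d+(?:\.M\d+)?)")


def parse_version(text):
    """Turn '8.5.9' or '9.0.0.M15' into a tuple that sorts correctly.

    Milestones of a given x.y.z are older than its GA release, so the
    trailing pair is (0, n) for milestone Mn and (1, 0) for GA.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def assess(version):
    """Return 'vulnerable', 'patched', or 'not covered' for a version string.

    'not covered' means the branch (e.g. 6.0.x) is not one the advisory
    lists, so this check makes no claim about it.
    """
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        return "not covered"
    return "vulnerable" if parsed < parse_version(fixed) else "patched"


def extract_version(banner):
    """Pull the version out of a 'Apache Tomcat/x.y.z' banner, or None."""
    m = _BANNER_RE.search(banner)
    return m.group(1) if m else None


def assess_banner(banner):
    """Assess a raw banner; returns 'unknown' when no version is present."""
    version = extract_version(banner)
    return assess(version) if version else "unknown"


if __name__ == "__main__":
    # Constructed sample banners, not captured from any real host.
    samples = [
        "Apache Tomcat/7.0.73",
        "Apache Tomcat/8.0.40",
        "Apache Tomcat/8.5.8",
        "Apache Tomcat/9.0.0.M14",
        "Apache Tomcat/9.0.0.M15",
        "Apache Tomcat/6.0.53",
        "Apache-Coyote/1.1",
    ]
    for banner in samples:
        print(f"{banner:28s} -> {assess_banner(banner)}")
```

Only the exact branches named in the advisory are assessed; anything else is reported as "not covered" rather than silently treated as safe, which is the behaviour you want when this runs as part of a wider inventory check.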