23 Jul 2018 | Peter Stöckli
Apache Tomcat user session mix up and DoS
General
On July 22nd the Apache Tomcat team published details of three security vulnerabilities worth mentioning; the fixes had already shipped in earlier patch releases. The three vulnerabilities are:
- CVE-2018-8037: User sessions can get mixed up
- CVE-2018-1336: Denial Of Service (DoS) via UTF-8 decoder
- CVE-2018-8034: No host name verification in WebSocket client
The vulnerabilities affect the Tomcat 7.0.x, 8.5.x and 9.0.x lines. Older lines (6.0.x and earlier) are End of Life (EOL), as is the 8.0.x line. Note that many other products and projects are based on Tomcat (e.g. TomEE) and may also be affected.
User sessions can get mixed up
CVE: CVE-2018-8037
Affected versions:
- Tomcat 9.0.0.M9 to 9.0.9
- Tomcat 8.5.5 to 8.5.31
As it reads in the security announcement:
This was initially reported as “User session are mixed up after internal exceptions” by a JetBrains employee:
It is not yet entirely clear what triggers this potentially serious vulnerability in the NIO and NIO2 connectors. According to the reporter, it was accompanied by several exceptions occurring in the same time frame.
Denial Of Service (DoS) via UTF-8 decoder
CVE: CVE-2018-1336
Affected versions:
- Tomcat 9.0.0.M9 to 9.0.7
- Tomcat 8.5.0 to 8.5.30
- Tomcat 8.0.0.RC1 to 8.0.51
- Tomcat 7.0.28 to 7.0.86
As it reads in the security announcement:
Tomcat uses the UTF-8 decoder from the discontinued Apache Harmony project. That decoder does not handle one edge case correctly (a bug), which can lead to an infinite loop while decoding UTF-8 encoded characters.
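The defensive property a decoder needs here is that every loop iteration either consumes input or fails; a decoder that can stall on a malformed or truncated sequence is a DoS primitive. The following Python example is added here for illustration and is not Tomcat's (Java) decoder; it implements a strict UTF-8 decoder with that progress guarantee made explicit, rejecting overlong forms, surrogates, out-of-range code points, invalid lead and continuation bytes, and sequences truncated at the end of the buffer. The sample inputs are constructed.

```python
from typing import List, Tuple


class MalformedUtf8(ValueError):
    """Raised for any byte sequence that is not well-formed UTF-8."""


def decode_utf8_strict(data: bytes) -> Tuple[str, int]:
    """Decode `data` as UTF-8 and return (text, loop_iterations).

    Progress invariant: every pass through the loop either advances `i` by
    at least one byte or raises, so the loop terminates for every input and
    runs at most len(data) times. `loop_iterations` is returned only so a
    caller (or test) can check that bound.
    """
    out: List[str] = []
    i, n, iterations = 0, len(data), 0
    while i < n:
        iterations += 1
        b0 = data[i]
        if b0 < 0x80:                      # plain ASCII
            out.append(chr(b0))
            i += 1
            continue
        # Lead byte decides the sequence length and the permitted range of
        # the first continuation byte (Unicode Table 3-7 / RFC 3629).
        if 0xC2 <= b0 <= 0xDF:
            need, lo, hi, cp = 1, 0x80, 0xBF, b0 & 0x1F
        elif b0 == 0xE0:
            need, lo, hi, cp = 2, 0xA0, 0xBF, b0 & 0x0F   # no overlong 3-byte
        elif 0xE1 <= b0 <= 0xEC or 0xEE <= b0 <= 0xEF:
            need, lo, hi, cp = 2, 0x80, 0xBF, b0 & 0x0F
        elif b0 == 0xED:
            need, lo, hi, cp = 2, 0x80, 0x9F, b0 & 0x0F   # no UTF-16 surrogates
        elif b0 == 0xF0:
            need, lo, hi, cp = 3, 0x90, 0xBF, b0 & 0x07   # no overlong 4-byte
        elif 0xF1 <= b0 <= 0xF3:
            need, lo, hi, cp = 3, 0x80, 0xBF, b0 & 0x07
        elif b0 == 0xF4:
            need, lo, hi, cp = 3, 0x80, 0x8F, b0 & 0x07   # nothing above U+10FFFF
        else:                               # 0x80-0xC1, 0xF5-0xFF can never lead
            raise MalformedUtf8(f"invalid lead byte 0x{b0:02X} at offset {i}")
        if i + need >= n:                   # sequence runs past end of buffer
            raise MalformedUtf8(f"truncated sequence at offset {i}")
        b1 = data[i + 1]
        if not lo <= b1 <= hi:
            raise MalformedUtf8(f"invalid continuation 0x{b1:02X} at offset {i + 1}")
        cp = (cp << 6) | (b1 & 0x3F)
        for k in range(2, need + 1):        # remaining continuation bytes
            bk = data[i + k]
            if not 0x80 <= bk <= 0xBF:
                raise MalformedUtf8(f"invalid continuation 0x{bk:02X} at offset {i + k}")
            cp = (cp << 6) | (bk & 0x3F)
        out.append(chr(cp))
        i += need + 1                       # consume the whole sequence
    return "".join(out), iterations


def is_malformed(data: bytes) -> bool:
    """Convenience wrapper: True if the decoder rejects the input."""
    try:
        decode_utf8_strict(data)
        return False
    except MalformedUtf8:
        return True


if __name__ == "__main__":
    sample = "a\u00e9\u20ac\U0001F600".encode("utf-8")   # constructed input
    text, loops = decode_utf8_strict(sample)
    print(repr(text), loops)
    for bad in (b"\xC0\x80", b"\xE2\x82", b"\x80", b"\xED\xA0\x80"):
        print(bad.hex(), "malformed" if is_malformed(bad) else "ok")
```

The design point is the structure of the loop rather than any single table entry: the length and range checks happen before any byte is consumed, and the only exits from an iteration are "advance `i`" or "raise". A decoder whose loop has a path that does neither (for example, a branch that decides a sequence is incomplete and simply retries) has exactly the failure mode this advisory describes.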
No host name verification in WebSocket client
CVE: CVE-2018-8034
Affected versions:
- Tomcat 9.0.0.M1 to 9.0.9
- Tomcat 8.5.0 to 8.5.31
- Tomcat 8.0.0.RC1 to 8.0.52
- Tomcat 7.0.35 to 7.0.88
Lastly, the WebSocket client did not verify that the hostname in the server's TLS certificate matched the hostname of the remote host it connected to.
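Without that check, a certificate issued by a trusted CA for any name at all is accepted for any host, which is what makes the missing verification a man-in-the-middle risk rather than a cosmetic one. The example below is added here to show what the missing step consists of; it is Python for illustration and not Tomcat's Java WebSocket client code. It matches a hostname against the subjectAltName entries of a certificate, using the shape Python's ssl.SSLSocket.getpeercert() returns, with wildcard rules in the spirit of RFC 6125 (one wildcard, only as the whole left-most label, never matching more than one label). The certificate data is constructed.

```python
import ipaddress
from typing import Any, Dict

# Constructed peer certificate in getpeercert() shape (not from a real host).
CONSTRUCTED_CERT: Dict[str, Any] = {
    "subject": ((("commonName", "ws.example.com"),),),
    "subjectAltName": (
        ("DNS", "ws.example.com"),
        ("DNS", "*.api.example.com"),
        ("IP Address", "192.0.2.10"),
    ),
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match a dNSName SAN (possibly with a wildcard) against a hostname.

    Rules applied: case-insensitive; a trailing dot is ignored; a wildcard is
    accepted only as the entire left-most label; it matches exactly one label;
    patterns with fewer than three labels (e.g. "*.com") are refused.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or any("*" in lbl for lbl in p_labels[1:]):
        return False            # "w*.example.com" or "a.*.com" are rejected
    if len(p_labels) < 3:
        return False            # too broad to be meaningful
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_matches_cert(cert: Dict[str, Any], hostname: str) -> bool:
    """Return True iff `hostname` is asserted by the certificate's SANs.

    An IP literal must equal an "IP Address" SAN; a DNS name must match a
    "DNS" SAN. The subject CN is ignored: once a certificate carries SANs,
    those are the authoritative identities.
    """
    sans = cert.get("subjectAltName", ())
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == wanted_ip
                   for kind, val in sans)
    return any(kind == "DNS" and dns_name_matches(val, hostname)
               for kind, val in sans)


def accept_peer(cert: Dict[str, Any], hostname: str, verify_hostname: bool) -> bool:
    """Model of the client's decision after chain validation has passed.

    verify_hostname=False is the vulnerable behaviour: the name is never
    compared, so a validly signed certificate for some unrelated name is
    accepted for `hostname`. verify_hostname=True is the corrected behaviour.
    """
    if not verify_hostname:
        return True
    return hostname_matches_cert(cert, hostname)


if __name__ == "__main__":
    for host in ("ws.example.com", "foo.api.example.com", "attacker.example.net"):
        print(host, "weak:", accept_peer(CONSTRUCTED_CERT, host, False),
              "verified:", accept_peer(CONSTRUCTED_CERT, host, True))
```

Chain validation and hostname verification are separate steps, and a client needs both: the first answers "was this certificate issued by a CA I trust?", the second "was it issued to the host I meant to talk to?". The vulnerable behaviour modelled by `verify_hostname=False` passes the first and skips the second.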
Final Thoughts
If you run Apache Tomcat, it is recommended to subscribe to the official tomcat-announce mailing list to get information about new releases and security vulnerabilities directly from the Tomcat team.
We recommend updating your Tomcat installations each time a new Tomcat patch release is announced.