CVE-2018-8037

Publication date 2 August 2018

Last updated 24 July 2024

Ubuntu priority

Cvss 3 Severity Score

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
tomcat8	18.10 cosmic	Not affected
	18.04 LTS bionic	Fixed 8.5.39-1ubuntu1~18.04.1
	16.04 LTS xenial	Not affected
	14.04 LTS trusty	Not in release
tomcat8.0	18.10 cosmic	Not in release
	18.04 LTS bionic	Not in release
	16.04 LTS xenial	Not in release
	14.04 LTS trusty	Not in release

Notes

debian

Vulnerable code only present in 8.5.5 to 8.5.31 in 8.x series

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
tomcat8	Upstream: https://svn.apache.org/r1833907 Upstream: https://svn.apache.org/r1833826 Upstream: https://svn.apache.org/r1833832 Upstream: https://svn.apache.org/r1837531

Severity score breakdown

Parameter	Value
Base score	5.9 · Medium
Attack vector	Network
Attack complexity	High
Privileges required	None
User interaction	None
Scope	Unchanged
Confidentiality	High
Integrity impact	None
Availability impact	None
Vector	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

References

Other references

https://www.cve.org/CVERecord?id=CVE-2018-8037