SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Web Server/CGI)  >   Apache Tomcat Vendors:   Apache Software Foundation
Apache Tomcat NIO HTTP Connector Cache Bug Lets Remote Users Obtain Potentially Sensitive Information from Other User Requests
SecurityTracker Alert ID:  1037432
SecurityTracker URL:  http://securitytracker.com/id/1037432
CVE Reference:   CVE-2016-8745   (Links to External Site)
Updated:  Jan 5 2017
Original Entry Date:  Dec 13 2016
Impact:   Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 6.0.16 to 6.0.48, 7.0.0 to 7.0.73, 8.0.0.RC1 to 8.0.39, 8.5.0 to 8.5.8, 9.0.0.M1 to 9.0.0.M13
Description:   A vulnerability was reported in Apache Tomcat. A remote user can obtain potentially sensitive information on the target system.

A remote user can send a specially crafted request to trigger a flaw in the NIO HTTP Connector and cause data to be added to the processor cache multiple times, which may allow the remote user to view potentially sensitive information from other user requests.

Systems using the NIO HTTP connector are affected.

Evgenij Ryazanov reported this vulnerability.
Impact:   A remote user can obtain potentially sensitive information from other user requests.
Solution:   The vendor has issued a fix (6.0.49, 7.0.74, and 8.0.40 [pending]; 8.5.9, 9.0.0.M15).

The vendor advisories are available at:

http://tomcat.apache.org/security-6.html
http://tomcat.apache.org/security-7.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-9.html
Vendor URL:  tomcat.apache.org/security-9.html (Links to External Site)
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Mar 16 2017 (Oracle Issues Fix for Oracle Linux) Apache Tomcat NIO HTTP Connector Cache Bug Lets Remote Users Obtain Potentially Sensitive Information from Other User Requests
Oracle has issued a fix for Oracle Linux 6.


 Source Message Contents
Subject:  [oss-security] [SECURITY] CVE-2016-8745 Apache Tomcat Information Disclosure

CVE-2016-8745 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M13
Apache Tomcat 8.5.0 to 8.5.8
Earlier versions are not affected.

Description
The refactoring of the Connector code for 8.5.x onwards introduced a
regression in the error handling of the send file code for the NIO HTTP
connector. An error during send file processing resulted in the current
Processor object being added to the Processor cache multiple times. This
in turn meant that the same Processor could be used for concurrent
requests. Sharing a Processor can result in information leakage between
requests including, not not limited to, session ID and the response body.

Mitigation
Users of the NIO HTTP connector with the affected versions should apply
one of the following mitigations
- Switch to the NIO2 HTTP or APR HTTP connector
- Disable send file
- Upgrade to Apache Tomcat 9.0.0.M15 or later
  (Apache Tomcat 9.0.0.M14 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.9 or later

Credit:
This issue was reported publicly as Bug 60409 [1] and the security
implications identified by the Tomcat security team.

References:
[1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
[2] http://tomcat.apache.org/security-9.html
[3] http://tomcat.apache.org/security-8.html


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC