Apache Tomcat Releases Patch For Important Security Vulnerabilities

Security updates have been released by the Apache Software Foundation or ASF. These updates address numerous vulnerabilities within the software’s Tomcat app server. One of these vulnerabilities could essentially let a remote attacker gain access to sensitive information.

An open source web server and servlet system, Apache Tomcat utilizes numerous Java EE specs such as JavaServer Pages or JSP, Java Servlet, WebSocket, and Expression Language. Also, so that Java concept can be run in it, the software features a “pure java” HTTP web server.

Apache Tomcat’s most crucial flaw is an information disclosure vulnerability. This is because of a bug located in the tracing of connecting closures, and this can ultimately lead to the reutilization of a user’s session within a new connection.

On June 16th, 2018, Dmitry Treskunov reported this vital vulnerability to the Apache Tomcat Security Team. The situation was officially released to the public on July 22nd, 2018.

Although these flaws have been repaired in Tomcat 8.5.32 and 9.0.10, the 8.5.5 to the 8.5.31 as well as the 9.0.0.M9 to the 9.0.9 still remain affected.

In its advisory, the Apache Software Foundation asserts,

“An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service.”

The foundation also added a security patch within its most recent version of Tomcat in order to address a flaw called the low severity security constraints bypass bug. When This essentially occurs due to the absence of the hostname verification whenever TLS is being used along with the WebSocket client.

Administrators of the software are being strongly urged to apply these newly-released update ASAP. They have also been advised to only let users they trust have access to networks and to monitor the systems that are affected.

No incidents of exploitation of any of the Apache Tomcat vulnerabilities were detected, according to the Apache Software Foundation.

Any comments on this article? Leave them below.

Related posts

Water Facilities Must Secure Exposed HMIs – Warns CISA

Microsoft December Patch Tuesday Arrived With 70+ Bug Fixes

NachoVPN Attack Risks Corporate VPN Clients