Synology-SA-18:38 Tomcat

Publish Time: 2018-07-24 18:54:48 UTC+8

Last Updated: 2019-12-24 14:39:08 UTC+8

Severity
Important
Status
Resolved

Abstract

CVE-2018-1336 and CVE-2018-8034 allow remote attackers to conduct denial-of-service attacks or man-in-the-middle attackers to bypass security constraint via a susceptible version of Tomcat 6 and Tomcat 7.

None of Synology products are affected by CVE-2018-8037 as it only affects Apache Tomcat 8.5.5 and later.

Affected Products

Product Severity Fixed Release Availability
Tomcat 6 Important Will not fix.
Tomcat 7 Important Upgrade to 7.0.90-0114 or above.

Mitigation

If you need immediate assistance, please contact Synology technical support via https://account.synology.com/en-global/support.

Detail

  • CVE-2018-1336

    • Severity: Important
    • CVSS3 Base Score: 7.5
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
    • An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
  • CVE-2018-8034

    • Severity: Moderate
    • CVSS3 Base Score: 6.5
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
    • The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
  • CVE-2018-8037

    • Severity: Not affected
    • CVSS3 Base Score: 0.0
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N
    • If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

Reference

Revision

Revision Date Description
1 2018-07-24 Initial public release.
2 2018-08-24 Updated Detail.
3 2019-01-04 Update for Tomcat 7 is now available in Affected Products.