Government of the Republic of Trinidad and Tobago

TTCSIRT-147.072418: TT-CSIRT Advisory – Apache Security Updates


Apache has released a security update stating that it has discovered the following vulnerabilities in all versions of Apache Tomcat 9.0 and above:

a) Due to a mishandling of close in the NIO/NIO2 connectors, user sessions can get mixed up – CVE-2018-8037.

b) A bug in the UTF-8 decoder can lead to Denial of Service (DoS) attacks – CVE-2018-1336.

c) When running with HTTP PUTs enabled, an attacker could upload a JSP file to the server via a specially crafted request thereby allowing any code contained in it to be executed by the server – CVE-2017-12617.

d) The HTTP/2 implementation allows an attacker to bypass a number of security checks that prevented directory traversal attacks – CVE-2017-7675.

Further information on these vulnerabilities and how they can be mitigated can be found on the Apache Tomcat website at
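As an added example that is not part of this advisory or of Apache's own code: the Python below audits a Tomcat conf/web.xml for the precondition of item c), HTTP PUT being enabled on the DefaultServlet (its readonly init-param set to false), shows the corrected setting beside the weak one, and flags PUT or DELETE requests for .jsp paths in access-log lines. The web.xml fragments and log lines are constructed samples; the DefaultServlet readonly parameter is the standard Tomcat setting (default true), but the file layout and log format assumed here are those of a default installation.

```python
"""Audit helpers for the Tomcat HTTP PUT issue in item c) (CVE-2017-12617).

Added example, not from the advisory or the Apache project. It assumes the
standard Tomcat conf/web.xml, where the DefaultServlet's ``readonly``
init-param controls whether PUT and DELETE are accepted (default: true),
and the default common access-log format.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: web.xml fragment with the weak setting (PUT enabled).
WEAK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param>
      <param-name>readonly</param-name>
      <param-value>false</param-value>
    </init-param>
  </servlet>
</web-app>
"""

# Constructed sample: the same fragment with the hardened setting.
HARDENED_WEB_XML = WEAK_WEB_XML.replace(
    "<param-value>false</param-value>", "<param-value>true</param-value>"
)

DEFAULT_SERVLET = "org.apache.catalina.servlets.DefaultServlet"


def _local(tag: str) -> str:
    """Strip an XML namespace prefix ({ns}name -> name)."""
    return tag.rsplit("}", 1)[-1]


def _child_text(elem, name: str, default: str = "") -> str:
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return default


def default_servlet_readonly(web_xml_text: str) -> bool:
    """Return True if the DefaultServlet rejects PUT/DELETE (readonly).

    Tomcat treats a missing ``readonly`` param as true, so a config that
    never mentions it is reported as read-only.
    """
    root = ET.fromstring(web_xml_text)
    for elem in root.iter():
        if _local(elem.tag) != "servlet":
            continue
        if _child_text(elem, "servlet-class") != DEFAULT_SERVLET:
            continue
        for param in elem:
            if _local(param.tag) != "init-param":
                continue
            if _child_text(param, "param-name") == "readonly":
                return _child_text(param, "param-value", "true").lower() != "false"
    return True


# Constructed sample access-log lines (Tomcat common log format).
ACCESS_LOG = [
    '10.0.0.5 - - [24/Jul/2018:09:15:02 +0000] "GET /index.html HTTP/1.1" 200 512',
    '10.0.0.9 - - [24/Jul/2018:09:15:07 +0000] "PUT /upload/test.jsp HTTP/1.1" 201 -',
    '10.0.0.7 - - [24/Jul/2018:09:15:12 +0000] "PUT /data/report.txt HTTP/1.1" 201 -',
]

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def suspicious_jsp_writes(log_lines):
    """Return log lines where PUT/DELETE targets a path containing '.jsp'.

    Any write to a JSP path is worth alerting on: legitimate deployments
    do not arrive over HTTP PUT.
    """
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        if m.group("method") in ("PUT", "DELETE") and ".jsp" in m.group("path").lower():
            hits.append(line)
    return hits


if __name__ == "__main__":
    print("weak config readonly:", default_servlet_readonly(WEAK_WEB_XML))
    print("hardened config readonly:", default_servlet_readonly(HARDENED_WEB_XML))
    for hit in suspicious_jsp_writes(ACCESS_LOG):
        print("ALERT:", hit)
```

Run it against a real conf/web.xml and access log by reading those files in place of the constructed strings; a result of False from default_servlet_readonly means PUT is accepted and the setting should be returned to true (or the init-param removed) in addition to applying the Apache update.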