TTCSIRT-147.072418: TT-CSIRT Advisory – Apache Security Updates
Apache has released a security update stating that it has discovered the following vulnerabilities in all versions of Apache Tomcat 9.0 and above:
a) Due to mishandling of close in the NIO/NIO2 connectors, user sessions can get mixed up – CVE-2018-8037.
b) A bug in the UTF-8 decoder can lead to Denial of Service (DoS) attacks – CVE-2018-1336.
c) When running with HTTP PUTs enabled, an attacker could upload a JSP file to the server via a specially crafted request, thereby allowing any code contained in it to be executed by the server – CVE-2017-12617.
d) The HTTP/2 implementation allows an attacker to bypass a number of security checks that prevented directory traversal attacks – CVE-2017-7675.
Further information on these vulnerabilities and how they can be mitigated can be found on the Apache Tomcat website at https://tomcat.apache.org/security-9.html