Apache Tomcat Information Disclosure vulnerability exists in all versions
CVE (CAN) id:cve-2016-8745
Renew Date: 2017-1-5
Degree of importance: Important
Affected version:
Apache Tomcat 9.0.0.m1 to 9.0.0.m13
Apache Tomcat 8.5.0 to 8.5.8
Apache Tomcat 8.0.0.rc1 to 8.0.39 (new)
Apache Tomcat 7.0.0 to 7.0.73 (new)
Apache Tomcat 6.0.16 to 6.0.48 (new)
Describe:
Connector code refactoring introduces a regression in the error-handling code that sends files in a NIO HTTP connector, so handling a send file error causes the current processor object to be added to the processor cache multiple times, which means the processor can be used for concurrent requests. Shared processors can cause information leaks between requests, including but not limited to session IDs and response bodies.
This error first appears in the 8.5.x version, and it appears that the connector code for the 8.5.x version is more likely to be incorrectly refactored. Initially, we thought that 8.5.x refactoring introduced an error, but further investigation indicates that the error exists in all currently supported Tomcat versions.
Solution:
Users who have installed the affected version of the NIO HTTP Connector can address the following methods:
Switch to Bio Http,nio2 http or Apr HTTP connector
Disable sending Files
Upgrade to Apache Tomcat 9.0.0.m15 or later
(Apache Tomcat 9.0.0.m14 has fixes, but not published)
Upgrade to Apache Tomcat 8.5.9 or later
Upgrade after the Apache Tomcat 8.0.40 or later release
Upgrade after the Apache Tomcat 7.0.74 or later release
Upgrade after the Apache Tomcat 6.0.49 or later release
Please click here for more details.
Turn from: http://www.oschina.net/news/80731/apache-tomcat-information-disclosure-in-all-version?nocache=1488359042440