Apache Tomcat Information Disclosure vulnerability exists in all versions _tomcat

Apache Tomcat Information Disclosure vulnerability exists in all versions

CVE (CAN) id:cve-2016-8745

Renew Date: 2017-1-5

Degree of importance: Important

Affected version:

Apache Tomcat 9.0.0.m1 to 9.0.0.m13

Apache Tomcat 8.5.0 to 8.5.8

Apache Tomcat 8.0.0.rc1 to 8.0.39 (new)

Apache Tomcat 7.0.0 to 7.0.73 (new)

Apache Tomcat 6.0.16 to 6.0.48 (new)

Describe:

Connector code refactoring introduces a regression in the error-handling code that sends files in a NIO HTTP connector, so handling a send file error causes the current processor object to be added to the processor cache multiple times, which means the processor can be used for concurrent requests. Shared processors can cause information leaks between requests, including but not limited to session IDs and response bodies.

This error first appears in the 8.5.x version, and it appears that the connector code for the 8.5.x version is more likely to be incorrectly refactored. Initially, we thought that 8.5.x refactoring introduced an error, but further investigation indicates that the error exists in all currently supported Tomcat versions.

Solution:

Users who have installed the affected version of the NIO HTTP Connector can address the following methods:

Switch to Bio Http,nio2 http or Apr HTTP connector

Disable sending Files

Upgrade to Apache Tomcat 9.0.0.m15 or later

(Apache Tomcat 9.0.0.m14 has fixes, but not published)

Upgrade to Apache Tomcat 8.5.9 or later

Upgrade after the Apache Tomcat 8.0.40 or later release

Upgrade after the Apache Tomcat 7.0.74 or later release

Upgrade after the Apache Tomcat 6.0.49 or later release

Please click here for more details.

Turn from: http://www.oschina.net/news/80731/apache-tomcat-information-disclosure-in-all-version?nocache=1488359042440