Apache Tomcat Information Disclosure vulnerability exists in all versions _tomcat

Source: Internet
Author: User
Tags apache tomcat cve
Apache Tomcat Information Disclosure vulnerability exists in all versions

CVE (CAN) id:cve-2016-8745

Renew Date: 2017-1-5

Degree of importance: Important

Affected version:

Apache Tomcat 9.0.0.m1 to 9.0.0.m13

Apache Tomcat 8.5.0 to 8.5.8

Apache Tomcat 8.0.0.rc1 to 8.0.39 (new)

Apache Tomcat 7.0.0 to 7.0.73 (new)

Apache Tomcat 6.0.16 to 6.0.48 (new)

Describe:

Connector code refactoring introduces a regression in the error-handling code that sends files in a NIO HTTP connector, so handling a send file error causes the current processor object to be added to the processor cache multiple times, which means the processor can be used for concurrent requests. Shared processors can cause information leaks between requests, including but not limited to session IDs and response bodies.

This error first appears in the 8.5.x version, and it appears that the connector code for the 8.5.x version is more likely to be incorrectly refactored. Initially, we thought that 8.5.x refactoring introduced an error, but further investigation indicates that the error exists in all currently supported Tomcat versions.

Solution:

Users who have installed the affected version of the NIO HTTP Connector can address the following methods:

Switch to Bio Http,nio2 http or Apr HTTP connector

Disable sending Files

Upgrade to Apache Tomcat 9.0.0.m15 or later

(Apache Tomcat 9.0.0.m14 has fixes, but not published)

Upgrade to Apache Tomcat 8.5.9 or later

Upgrade after the Apache Tomcat 8.0.40 or later release

Upgrade after the Apache Tomcat 7.0.74 or later release

Upgrade after the Apache Tomcat 6.0.49 or later release

Please click here for more details.

Turn from: http://www.oschina.net/news/80731/apache-tomcat-information-disclosure-in-all-version?nocache=1488359042440

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.