SB2018081030 - Fedora EPEL 6 update for tomcat
Published: August 10, 2018 Updated: April 24, 2025
Security Bulletin ID
SB2018081030
Severity
Low
Patch available
YES
Number of vulnerabilities
2
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 2 secuirty vulnerabilities.
1) Information disclosure (CVE-ID: CVE-2018-8037)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The vulnerability exists due to improper handling of connection closures by the non-blocking I/O (NIO) and NIO2 connectors. A remote unauthenticated attacker can send a specially crafted request that submits malicious input, trigger bug in the tracking of connection closures, reuse user sessions in a new connection and access arbitrary data.
2) Information disclosure (CVE-ID: CVE-2018-8014)
The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.
The weakness exists due to the defaults settings for the CORS filter are insecure and enable
supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. A remote attacker can access important data.Remediation
Install update from vendor's website.