The Apache Software Foundation (ASF) has issued critical security updates to mitigate multiple vulnerabilities in its widely used Tomcat application server. These updates specifically address an important information disclosure flaw that could enable a remote attacker to gain access to sensitive information.

Apache Tomcat is an open-source web server and servlet container that implements several Java EE specifications, including Java Servlet and JavaServer Pages (JSP). It provides a “pure Java” HTTP server environment in which Java-based applications run. Compared with the Apache Struts 2 vulnerabilities exploited in the infamous Equifax breach, the current Tomcat issues are considered less likely to be actively targeted.

The most significant vulnerability, tracked as CVE-2018-8037, stems from improper handling of connection closure. The flaw could cause an active user session to be reused, unintentionally, on a new connection, which poses a significant risk to user privacy and data security. It was reported by Dmitry Treskunov to the Apache Tomcat Security Team on June 16, 2018, and published on July 22, 2018.

Affected versions are Tomcat 9.0.0.M9 through 9.0.9 and 8.5.5 through 8.5.31. The fix is included in Tomcat 9.0.10 and 8.5.32, and administrators are urged to update promptly.

Alongside this, another notable vulnerability, tracked as CVE-2018-1336, affects Tomcat's UTF-8 decoder. Improper handling of overflow during decoding can send the decoder into an infinite loop, producing a denial-of-service (DoS) condition that leaves the service unresponsive. Such flaws undermine system reliability and threaten operational continuity, adding to the urgency of updating.

The ASF has addressed this DoS vulnerability in versions 9.0.7, 8.5.32, 8.0.52, and 7.0.90. Furthermore, a security patch was also introduced for a minor severity issue, identified as CVE-2018-8034, which pertains to hostname verification failures during TLS connections with WebSocket clients.
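To turn the version information above into a quick check, the following script (an added example, not ASF or Tomcat project code) parses a Tomcat version string, including milestone builds such as 9.0.0.M9, and reports which of the two CVEs it falls under. For CVE-2018-8037 it uses the affected ranges stated above; for CVE-2018-1336 the article gives only the fixed releases, so the script assumes that every earlier release on each of those branches is affected, which errs toward a false positive. The `catalina.sh version` output line it parses is a constructed sample.

```python
"""Check a Tomcat version string against the CVE ranges named in the advisory.

Added example, not Tomcat project code. Affected ranges for CVE-2018-8037
are those stated in the article. For CVE-2018-1336 only the fixed releases
are stated, so (assumption) every earlier release on those branches is flagged.
"""
import re
from typing import List, Optional, Tuple

# Matches "8.5.31" and milestone builds such as "9.0.0.M9".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")

# Inclusive (first, last) affected releases for CVE-2018-8037, as stated.
CVE_2018_8037_RANGES = [("9.0.0.M9", "9.0.9"), ("8.5.5", "8.5.31")]

# Releases stated to contain the CVE-2018-1336 fix, one per branch.
# Assumption: any earlier release on the same branch is reported as affected.
CVE_2018_1336_FIXED = ["9.0.7", "8.5.32", "8.0.52", "7.0.90"]


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Convert a Tomcat version string into a sortable tuple.

    The tuple is (major, minor, patch, is_final, milestone). A milestone
    build like 9.0.0.M9 has is_final=0 and milestone=9, so it sorts before
    every final release of its branch (9.0.1, 9.0.2, ...), matching how
    Tomcat numbered the 9.0.0.Mx builds that preceded 9.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    if milestone is None:
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def extract_version(line: str) -> Optional[str]:
    """Pull the version out of a line such as 'Server version: Apache Tomcat/9.0.9'."""
    m = re.search(r"\d+\.\d+\.\d+(?:\.M\d+)?", line)
    return m.group(0) if m else None


def affected_cves(version: str) -> List[str]:
    """Return the CVEs from the advisory that apply to the given version."""
    v = parse_version(version)
    hits: List[str] = []

    # CVE-2018-8037: inclusive ranges stated in the advisory.
    if any(parse_version(lo) <= v <= parse_version(hi)
           for lo, hi in CVE_2018_8037_RANGES):
        hits.append("CVE-2018-8037")

    # CVE-2018-1336: same branch (major.minor) and older than the fixed release.
    for fixed in CVE_2018_1336_FIXED:
        f = parse_version(fixed)
        if v[:2] == f[:2] and v < f:
            hits.append("CVE-2018-1336")
            break
    return hits


def check_version_line(line: str) -> List[str]:
    """Convenience wrapper for raw `catalina.sh version` output lines."""
    version = extract_version(line)
    return affected_cves(version) if version else []


if __name__ == "__main__":
    # Constructed sample of the line printed by `catalina.sh version`.
    sample = "Server version: Apache Tomcat/9.0.9"
    found = check_version_line(sample)
    print(sample, "->", ", ".join(found) if found else "not affected by the listed CVEs")
```

Feed it the "Server version:" line from `catalina.sh version` (or the version string from the Tomcat manifest) on each host; an empty result means the release is outside every range the article gives, not that the host is free of other issues.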

The ASF emphasizes the importance of immediate action, urging system administrators to apply these critical software updates without delay. It is also recommended to restrict network access to trusted users while monitoring affected systems closely. As of now, there have been no reports indicating that these vulnerabilities have been exploited in the wild.

From a cybersecurity perspective, the vulnerabilities map to MITRE ATT&CK tactics such as initial access and data exfiltration. Their potential exploitation underscores the risks businesses face in an increasingly digital landscape and the need for proactive cybersecurity preparedness.