SB2018081002 - Amazon Linux AMI update for tomcat8 




Published: August 10, 2018

Security Bulletin ID: SB2018081002
Severity: High
Patch available: YES
Number of vulnerabilities: 4
Exploitation vector: Remote access
Highest impact: Denial of service

Breakdown by Severity

Medium: 25%, Low: 75%

Description

This security bulletin contains information about 4 security vulnerabilities.


1) Security restrictions bypass (CVE-ID: CVE-2018-8034)

The vulnerability allows a remote attacker to bypass security restrictions on the target system.

The vulnerability exists because host name verification was missing when using TLS with the WebSocket client. A remote unauthenticated attacker can bypass security restrictions when using TLS.


2) Information disclosure (CVE-ID: CVE-2018-8037)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The vulnerability exists due to improper handling of connection closures by the non-blocking I/O (NIO) and NIO2 connectors. A remote unauthenticated attacker can send a specially crafted request that submits malicious input, trigger a bug in the tracking of connection closures, reuse user sessions in a new connection and access arbitrary data.


3) Infinite loop (CVE-ID: CVE-2018-1336)

The vulnerability allows a remote attacker to cause a DoS condition on the target system.

The vulnerability exists due to improper handling of overflow in the UTF-8 decoder with supplementary characters. A remote attacker can trigger an infinite loop in the decoder and cause the service to crash.


4) Information disclosure (CVE-ID: CVE-2018-8014)

The vulnerability allows a remote attacker to obtain potentially sensitive information on the target system.

The weakness exists because the default settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. A remote attacker can access important data.
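An added example (not part of the bulletin or of Tomcat's code): a Python check that audits a web.xml for CorsFilter declarations that rely on the defaults described in item 4, or that pair a wildcard origin with credentials. The init-param names cors.allowed.origins and cors.support.credentials are the CorsFilter's parameters; the sample descriptor, the filter names and the LEGACY_DEFAULTS table are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CORS_FILTER = "org.apache.catalina.filters.CorsFilter"
# Assumption from the bulletin's wording: when a parameter is omitted, the
# affected filter allows all origins and enables supportsCredentials.
LEGACY_DEFAULTS = {"cors.allowed.origins": "*", "cors.support.credentials": "true"}

def _local(tag):
    """Strip the XML namespace so descriptors of any schema version match."""
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_cors(web_xml):
    """Return (filter-name, finding) pairs for risky CorsFilter declarations."""
    findings = []
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) != "filter" or _child_text(flt, "filter-class") != CORS_FILTER:
            continue
        params = {_child_text(p, "param-name"): _child_text(p, "param-value")
                  for p in flt if _local(p.tag) == "init-param"}
        name = _child_text(flt, "filter-name")
        missing = sorted(k for k in LEGACY_DEFAULTS if k not in params)
        if missing:
            findings.append((name, "relies on defaults for " + ", ".join(missing)))
        effective = {**LEGACY_DEFAULTS, **params}
        origins = {o.strip() for o in effective["cors.allowed.origins"].split(",")}
        if "*" in origins and effective["cors.support.credentials"].lower() == "true":
            findings.append((name, "credentials enabled for all origins"))
    return findings

# Constructed sample descriptor: one filter left on defaults, one pinned.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter><filter-name>CorsDefault</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class></filter>
  <filter><filter-name>CorsPinned</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name>
      <param-value>https://app.example.com</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name>
      <param-value>true</param-value></init-param></filter>
</web-app>"""

if __name__ == "__main__":
    print(audit_cors(SAMPLE))
```

A filter that sets both parameters explicitly is not reported as relying on defaults, which makes the check useful for confirming that a deployment was "configured appropriately" rather than left as shipped.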


Remediation

Install the update from the vendor's website.