Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 12 Dec 2016 09:42:20 +0000
From: Mark Thomas <>
Subject: [SECURITY] CVE-2016-8745 Apache Tomcat Information Disclosure

CVE-2016-8745 Apache Tomcat Information Disclosure

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.0.M13
Apache Tomcat 8.5.0 to 8.5.8
Earlier versions are not affected.

The refactoring of the Connector code for 8.5.x onwards introduced a
regression in the error handling of the send file code for the NIO HTTP
connector. An error during send file processing resulted in the current
Processor object being added to the Processor cache multiple times. This
in turn meant that the same Processor could be used for concurrent
requests. Sharing a Processor can result in information leakage between
requests including, not not limited to, session ID and the response body.

Users of the NIO HTTP connector with the affected versions should apply
one of the following mitigations
- Switch to the NIO2 HTTP or APR HTTP connector
- Disable send file
- Upgrade to Apache Tomcat 9.0.0.M15 or later
  (Apache Tomcat 9.0.0.M14 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.9 or later

This issue was reported publicly as Bug 60409 [1] and the security
implications identified by the Tomcat security team.


Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.