CVE-2018-8037: Apache Tomcat - NIO/NIO2 connectors user sessions can get mixed up


Severity

Important

Description

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user.

Affected Pivotal Products and Versions

Severity is important unless otherwise noted.

  • Pivotal tc Server versions:
    • 3.2.0.RELEASE to 3.2.10.RELEASE
    • 4.0.0.RELEASE to 4.0.1.RELEASE
  • Pivotal tc Server individual runtime versions:
    • 8.5.4.B.RELEASE to 8.5.30.B.RELEASE
    • 9.0.6.B.RELEASE to 9.0.7.B.RELEASE
Mitigation

Users of affected versions should apply the following mitigation:

  • Releases that have fixed this issue include:
    • Pivotal tc Server versions:
      • 3.2.11.RELEASE and later
      • 4.0.2.RELEASE and later
    • Pivotal tc Server individual runtime versions:
      • 8.5.32.A.RELEASE and later
      • 9.0.10.A.RELEASE and later
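As an added example (not code from the advisory or from Pivotal), a small checker that maps a tc Server version string onto the affected and fixed ranges listed above, so an inventory of installed versions can be triaged. The version-string regex, and reading "and later" as later releases within the same major.minor line, are assumptions; versions the advisory does not mention (for example 8.5.31) are reported as unlisted rather than guessed.

```python
import re

# Affected ranges and first fixed releases, transcribed from the advisory above.
# The A/B letter in runtime versions is ignored for comparison purposes.
ADVISORY = {
    "tc-server": {"affected": [("3.2.0", "3.2.10"), ("4.0.0", "4.0.1")],
                  "fixed": ["3.2.11", "4.0.2"]},
    "runtime":   {"affected": [("8.5.4", "8.5.30"), ("9.0.6", "9.0.7")],
                  "fixed": ["8.5.32", "9.0.10"]},
}

# Assumed format: MAJOR.MINOR.PATCH[.A|.B].RELEASE (e.g. "8.5.30.B.RELEASE")
_VER = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.[A-Z])?\.RELEASE$")


def parse_version(text):
    """Return (major, minor, patch) from a tc Server version string."""
    m = _VER.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised tc Server version string: {text!r}")
    return tuple(int(x) for x in m.groups())


def _tup(dotted):
    return tuple(int(x) for x in dotted.split("."))


def classify(product, version):
    """Classify a version as 'affected', 'fixed' or 'unlisted' for CVE-2018-8037.

    'fixed' is returned for the listed fix release and later patches in the
    same major.minor line (assumption); anything else not inside an affected
    range is 'unlisted' and should be checked against the vendor directly.
    """
    v = parse_version(version)
    data = ADVISORY[product]
    for lo, hi in data["affected"]:
        if _tup(lo) <= v <= _tup(hi):
            return "affected"
    for fixed in data["fixed"]:
        f = _tup(fixed)
        if v[:2] == f[:2] and v >= f:
            return "fixed"
    return "unlisted"


if __name__ == "__main__":
    for prod, ver in [("tc-server", "3.2.10.RELEASE"), ("tc-server", "4.0.2.RELEASE"),
                      ("runtime", "8.5.30.B.RELEASE"), ("runtime", "8.5.31.B.RELEASE"),
                      ("runtime", "9.0.10.A.RELEASE")]:
        print(f"{prod:10s} {ver:18s} -> {classify(prod, ver)}")
```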