Bug 1607591 (CVE-2018-1336) - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
Summary: CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-1336
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1608607 1608608 1608655 1608656 1614559 1614560 1624929 1624931
Blocks: 1607593
 
Reported: 2018-07-23 19:29 UTC by Pedro Sampaio
Modified: 2024-02-21 19:58 UTC (History)

Fixed In Version: tomcat 8.0.52, tomcat 8.5.31, tomcat 9.0.8, tomcat 7.0.88
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:33:59 UTC
Embargoed:




Links (System: Red Hat Product Errata)
ID              Last Updated
RHSA-2018:2700  2018-09-12 17:04:00 UTC
RHSA-2018:2701  2018-09-12 17:14:05 UTC
RHSA-2018:2740  2018-09-24 21:47:38 UTC
RHSA-2018:2741  2018-09-24 22:05:33 UTC
RHSA-2018:2742  2018-09-24 22:09:15 UTC
RHSA-2018:2743  2018-09-24 22:10:37 UTC
RHSA-2018:2921  2018-10-16 08:34:59 UTC
RHSA-2018:2930  2018-10-16 17:06:58 UTC
RHSA-2018:2939  2018-10-17 19:30:36 UTC
RHSA-2018:2945  2018-10-18 07:15:42 UTC
RHSA-2018:3768  2018-12-04 16:02:19 UTC

Description Pedro Sampaio 2018-07-23 19:29:47 UTC
Flaw affecting tomcat 8.0.0.RC1 to 8.0.51 and 9.0.0.M1 to 9.0.7. An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service.

Upstream patch:

http://svn.apache.org/viewvc?view=rev&rev=1830375
http://svn.apache.org/viewvc?view=rev&rev=1830373

References:

https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
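The description above concerns how a streaming UTF-8 decoder behaves when a supplementary character (a 4-byte sequence that becomes two UTF-16 code units) does not fit in the remaining output buffer. The Python model below is an added example, not Tomcat's code, and it does not claim to reproduce the exact defect the patches fix; it shows the two properties a decoder and its caller need so that an output overflow can never turn into an infinite loop: the decoder leaves a character it cannot emit unconsumed, and the caller treats an OVERFLOW round that made no progress as an error instead of retrying forever.

```python
UNDERFLOW, OVERFLOW, MALFORMED = "UNDERFLOW", "OVERFLOW", "MALFORMED"

def decode_step(src: bytes, pos: int, out_cap: int):
    """Decode src[pos:] into at most out_cap UTF-16 units -> (status, new_pos, units).
    A character that does not fit is reported as OVERFLOW and left unconsumed."""
    units = []
    while pos < len(src):
        b0 = src[pos]
        if b0 < 0x80:
            n, cp = 1, b0
        elif 0xC2 <= b0 <= 0xDF:
            n, cp = 2, b0 & 0x1F
        elif 0xE0 <= b0 <= 0xEF:
            n, cp = 3, b0 & 0x0F
        elif 0xF0 <= b0 <= 0xF4:
            n, cp = 4, b0 & 0x07
        else:
            return MALFORMED, pos, units  # stray continuation byte, C0/C1, or > F4
        if pos + n > len(src):
            return UNDERFLOW, pos, units  # sequence cut off: wait for more bytes
        for b in src[pos + 1:pos + n]:
            if b & 0xC0 != 0x80:
                return MALFORMED, pos, units
            cp = (cp << 6) | (b & 0x3F)
        if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF or cp < (0, 0, 0x80, 0x800, 0x10000)[n]:
            return MALFORMED, pos, units  # out of range, surrogate, or overlong form
        need = 2 if cp >= 0x10000 else 1  # supplementary character -> surrogate pair
        if len(units) + need > out_cap:
            return OVERFLOW, pos, units  # do not consume what we could not emit
        if need == 2:
            cp -= 0x10000
            units += [0xD800 | (cp >> 10), 0xDC00 | (cp & 0x3FF)]
        else:
            units.append(cp)
        pos += n
    return UNDERFLOW, pos, units

def decode_all(src: bytes, out_cap: int) -> str:
    """Drive decode_step with a fixed output buffer. An OVERFLOW round that produced
    nothing means the buffer can never hold the pending character: fail, don't spin."""
    pos, units = 0, []
    while True:
        status, pos, chunk = decode_step(src, pos, out_cap)
        units.extend(chunk)
        if status == MALFORMED or (status == UNDERFLOW and pos != len(src)):
            raise ValueError(f"malformed or truncated UTF-8 at byte {pos}")
        if status == UNDERFLOW:  # whole input consumed
            return "".join(map(chr, units)).encode("utf-16-le", "surrogatepass").decode("utf-16-le")
        if not chunk:  # OVERFLOW with no progress: refuse to loop forever
            raise ValueError(f"{out_cap}-unit buffer cannot hold the character at byte {pos}")
```

With a two-unit buffer the emoji is emitted only once the buffer has been drained, while a one-unit buffer is rejected on the first OVERFLOW round rather than retried indefinitely.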

Comment 9 Chess Hazlett 2018-08-17 19:28:45 UTC
Statement:

Fuse 6.3 and 7 standalone distributions ship but do not use tomcat, and as such are not affected by this flaw; however, Fuse Integration Services 2.0 and Fuse 7 on OpenShift provide the affected artifacts via their respective maven repositories, and will provide fixes for this issue in a future release.

Comment 10 Laura Pardo 2018-09-03 15:48:49 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1624931]
Affects: fedora-all [bug 1624929]

Comment 11 errata-xmlrpc 2018-09-12 17:03:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:2700 https://access.redhat.com/errata/RHSA-2018:2700

Comment 12 errata-xmlrpc 2018-09-12 17:13:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2018:2701 https://access.redhat.com/errata/RHSA-2018:2701

Comment 14 errata-xmlrpc 2018-09-24 21:47:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2740

Comment 15 errata-xmlrpc 2018-09-24 22:05:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:2741

Comment 16 errata-xmlrpc 2018-09-24 22:08:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:2742 https://access.redhat.com/errata/RHSA-2018:2742

Comment 17 errata-xmlrpc 2018-09-24 22:10:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:2743 https://access.redhat.com/errata/RHSA-2018:2743

Comment 19 errata-xmlrpc 2018-10-16 08:34:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2921 https://access.redhat.com/errata/RHSA-2018:2921

Comment 21 errata-xmlrpc 2018-10-16 17:06:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network

Via RHSA-2018:2930 https://access.redhat.com/errata/RHSA-2018:2930

Comment 22 errata-xmlrpc 2018-10-17 19:30:10 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939

Comment 23 errata-xmlrpc 2018-10-18 07:15:18 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes (text-only advisories)

Via RHSA-2018:2945 https://access.redhat.com/errata/RHSA-2018:2945

Comment 28 Jean-frederic Clere 2018-10-24 10:30:52 UTC
Oops, https://bugzilla.redhat.com/show_bug.cgi?id=1608656: it was fixed in 6.4.21.

Comment 32 errata-xmlrpc 2018-12-04 16:01:54 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.2

Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768

