Bug 1607591 (CVE-2018-1336)

Summary: CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: aileenc, alazarot, alee, anstephe, aogburn, avibelli, bgeorges, bmaxwell, cdewolf, chazlett, chris.snell, coolsvap, csutherl, darran.lofthouse, dchong, dimitris, dosoudil, drieden, etirelli, fgavrilo, gvarsami, gzaronik, hhorak, ibek, igreen, ikanello, ivan.afonichev, java-sig-commits, jawilson, jbalunas, jclere, jcoleman, jdoyle, jolee, jondruse, jorton, jpallich, jschatte, jshepherd, jstastny, kconner, krathod, krzysztof.daniel, kverlaen, ldimaggi, lgao, loleary, lpetrovi, lthon, mbabacek, mhatanak, mizdebsk, mszynkie, myarboro, nwallace, paradhya, pgallagh, pgier, pjurak, ppalaga, psakar, pslavice, rmaucher, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, rzhang, sdaley, spinder, sstavrev, tcunning, theute, tkirby, trogers, twalsh, vhalbert, vtunka, weli, yozone, zmiele
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: tomcat 8.0.52, tomcat 8.5.31, tomcat 9.0.8, tomcat 7.0.88
Doc Type: If docs needed, set a value
Last Closed: 2019-06-10 10:33:59 UTC
Bug Depends On: 1608607, 1608608, 1608655, 1608656, 1614559, 1614560, 1624929, 1624931
Bug Blocks: 1607593

Description Pedro Sampaio 2018-07-23 19:29:47 UTC
Flaw affecting tomcat 8.0.0.RC1 to 8.0.51 and 9.0.0.M1 to 9.0.7. An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service.

Upstream patch:

http://svn.apache.org/viewvc?view=rev&rev=1830375
http://svn.apache.org/viewvc?view=rev&rev=1830373

References:

https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
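
An added example, not Tomcat's code or the upstream patch: a model incremental UTF-8 to UTF-16 decoder that shows the overflow contract behind this class of bug (a supplementary character needs two UTF-16 units, so with one slot left the decoder must report OVERFLOW without consuming input) and a driver loop with a no-progress guard, so a buffer that can never hold the pending character fails fast instead of spinning. The names decode_step, decode_all and the cap parameter are my own, not Tomcat's.

```python
OVERFLOW, UNDERFLOW = "OVERFLOW", "UNDERFLOW"

def decode_step(data: bytes, pos: int, out: list[int], cap: int) -> tuple[str, int]:
    """Decode data[pos:] into `out` (UTF-16 code units, at most `cap`) until the input
    ends (UNDERFLOW) or the next character does not fit (OVERFLOW). Returns (result, pos).
    A character is consumed only once all of its units fit, so a surrogate pair is never split."""
    while pos < len(data):
        b = data[pos]
        if b < 0x80: n, cp = 1, b
        elif 0xC2 <= b <= 0xDF: n, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF: n, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF4: n, cp = 4, b & 0x07
        else: raise ValueError(f"invalid lead byte 0x{b:02x} at {pos}")
        if pos + n > len(data):
            return UNDERFLOW, pos  # incomplete sequence: wait for more input
        for k in range(1, n):
            if data[pos + k] & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte at {pos + k}")
            cp = (cp << 6) | (data[pos + k] & 0x3F)
        # reject overlong forms, surrogate code points and values beyond U+10FFFF
        if cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF or cp < (0, 0, 0x800, 0x10000)[n - 1]:
            raise ValueError(f"overlong or out-of-range sequence at {pos}")
        needed = 2 if cp >= 0x10000 else 1  # supplementary character -> surrogate pair
        if cap - len(out) < needed:
            return OVERFLOW, pos  # input NOT consumed; the caller must drain `out`
        if needed == 2:
            cp -= 0x10000
            out += [0xD800 | (cp >> 10), 0xDC00 | (cp & 0x3FF)]
        else:
            out.append(cp)
        pos += n
    return UNDERFLOW, pos

def decode_all(data: bytes, cap: int = 2) -> str:
    """Drive decode_step with a `cap`-unit buffer, draining it on every OVERFLOW.
    The guard is the point: OVERFLOW while the buffer is already empty means the
    pending character can never fit, so fail instead of looping forever."""
    pos, units = 0, []
    while True:
        buf: list[int] = []
        res, new_pos = decode_step(data, pos, buf, cap)
        units += buf  # drain the bounded buffer into the full result
        if res == UNDERFLOW:
            if new_pos != len(data):
                raise ValueError("truncated multi-byte sequence at end of input")
            return b"".join(u.to_bytes(2, "big") for u in units).decode("utf-16-be")
        if new_pos == pos and not buf:
            raise RuntimeError("no progress: output buffer too small for the character")
        pos = new_pos
```

With cap=1 a supplementary character can never be emitted; the guard turns what would otherwise be an endless OVERFLOW loop into an immediate error.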

Comment 9 Chess Hazlett 2018-08-17 19:28:45 UTC
Statement:

Fuse 6.3 and 7 standalone distributions ship but do not use tomcat, and as such are not affected by this flaw; however, Fuse Integration Services 2.0 and Fuse 7 on OpenShift provide the affected artifacts via their respective maven repositories, and will provide fixes for this issue in a future release.

Comment 10 Laura Pardo 2018-09-03 15:48:49 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1624931]
Affects: fedora-all [bug 1624929]

Comment 11 errata-xmlrpc 2018-09-12 17:03:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:2700 https://access.redhat.com/errata/RHSA-2018:2700

Comment 12 errata-xmlrpc 2018-09-12 17:13:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2018:2701 https://access.redhat.com/errata/RHSA-2018:2701

Comment 14 errata-xmlrpc 2018-09-24 21:47:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2740

Comment 15 errata-xmlrpc 2018-09-24 22:05:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:2741

Comment 16 errata-xmlrpc 2018-09-24 22:08:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:2742 https://access.redhat.com/errata/RHSA-2018:2742

Comment 17 errata-xmlrpc 2018-09-24 22:10:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:2743 https://access.redhat.com/errata/RHSA-2018:2743

Comment 19 errata-xmlrpc 2018-10-16 08:34:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2921 https://access.redhat.com/errata/RHSA-2018:2921

Comment 21 errata-xmlrpc 2018-10-16 17:06:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network

Via RHSA-2018:2930 https://access.redhat.com/errata/RHSA-2018:2930

Comment 22 errata-xmlrpc 2018-10-17 19:30:10 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939

Comment 23 errata-xmlrpc 2018-10-18 07:15:18 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes (text-only advisories)

Via RHSA-2018:2945 https://access.redhat.com/errata/RHSA-2018:2945

Comment 28 Jean-frederic Clere 2018-10-24 10:30:52 UTC
Oops, https://bugzilla.redhat.com/show_bug.cgi?id=1608656: it was fixed in 6.4.21.

Comment 32 errata-xmlrpc 2018-12-04 16:01:54 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.2

Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768