Bug 1607591 (CVE-2018-1336) - CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
Summary: CVE-2018-1336 tomcat: A bug in the UTF-8 decoder can lead to DoS
Status: NEW
Alias: CVE-2018-1336
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=important,public=20180722,repo...
Keywords: Security
Depends On: 1608655 1614559 1608607 1608608 1608656 1614560 1624929 1624931
Blocks: 1607593
 
Reported: 2018-07-23 19:29 UTC by Pedro Sampaio
Modified: 2019-04-15 10:33 UTC (History)

Fixed In Version: tomcat 8.0.52, tomcat 8.5.31, tomcat 9.0.8, tomcat 7.0.88
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2018:2700 None None None 2018-09-12 17:04 UTC
Red Hat Product Errata RHSA-2018:2701 None None None 2018-09-12 17:14 UTC
Red Hat Product Errata RHSA-2018:2740 None None None 2018-09-24 21:47 UTC
Red Hat Product Errata RHSA-2018:2741 None None None 2018-09-24 22:05 UTC
Red Hat Product Errata RHSA-2018:2742 None None None 2018-09-24 22:09 UTC
Red Hat Product Errata RHSA-2018:2743 None None None 2018-09-24 22:10 UTC
Red Hat Product Errata RHSA-2018:2921 None None None 2018-10-16 08:34 UTC
Red Hat Product Errata RHSA-2018:2930 None None None 2018-10-16 17:06 UTC
Red Hat Product Errata RHSA-2018:2939 None None None 2018-10-17 19:30 UTC
Red Hat Product Errata RHSA-2018:2945 None None None 2018-10-18 07:15 UTC
Red Hat Product Errata RHSA-2018:3768 None None None 2018-12-04 16:02 UTC

Description Pedro Sampaio 2018-07-23 19:29:47 UTC
Flaw affecting tomcat 8.0.0.RC1 to 8.0.51 and 9.0.0.M1 to 9.0.7. An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service.

Upstream patch:

http://svn.apache.org/viewvc?view=rev&rev=1830375
http://svn.apache.org/viewvc?view=rev&rev=1830373

References:

https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html

Comment 9 Chess Hazlett 2018-08-17 19:28:45 UTC
Statement:

Fuse 6.3 and 7 standalone distributions ship but do not use tomcat, and as such are not affected by this flaw; however, Fuse Integration Services 2.0 and Fuse 7 on OpenShift provide the affected artifacts via their respective maven repositories, and will provide fixes for this issue in a future release.

Comment 10 Laura Pardo 2018-09-03 15:48:49 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1624931]
Affects: fedora-all [bug 1624929]

Comment 11 errata-xmlrpc 2018-09-12 17:03:38 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:2700 https://access.redhat.com/errata/RHSA-2018:2700

Comment 12 errata-xmlrpc 2018-09-12 17:13:42 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2018:2701 https://access.redhat.com/errata/RHSA-2018:2701

Comment 14 errata-xmlrpc 2018-09-24 21:47:12 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2018:2740 https://access.redhat.com/errata/RHSA-2018:2740

Comment 15 errata-xmlrpc 2018-09-24 22:05:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2018:2741 https://access.redhat.com/errata/RHSA-2018:2741

Comment 16 errata-xmlrpc 2018-09-24 22:08:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2018:2742 https://access.redhat.com/errata/RHSA-2018:2742

Comment 17 errata-xmlrpc 2018-09-24 22:10:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2018:2743 https://access.redhat.com/errata/RHSA-2018:2743

Comment 19 errata-xmlrpc 2018-10-16 08:34:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:2921 https://access.redhat.com/errata/RHSA-2018:2921

Comment 21 errata-xmlrpc 2018-10-16 17:06:33 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Operations Network

Via RHSA-2018:2930 https://access.redhat.com/errata/RHSA-2018:2930

Comment 22 errata-xmlrpc 2018-10-17 19:30:10 UTC
This issue has been addressed in the following products:

  Red Hat Fuse Integration Services 2.0 based on Fuse 6.3 R8

Via RHSA-2018:2939 https://access.redhat.com/errata/RHSA-2018:2939

Comment 23 errata-xmlrpc 2018-10-18 07:15:18 UTC
This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes (text-only advisories)

Via RHSA-2018:2945 https://access.redhat.com/errata/RHSA-2018:2945

Comment 28 Jean-frederic Clere 2018-10-24 10:30:52 UTC
Oops, https://bugzilla.redhat.com/show_bug.cgi?id=1608656 it was fixed in 6.4.21.

Comment 32 errata-xmlrpc 2018-12-04 16:01:54 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.2

Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768
