Flaw affecting tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31. A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection.

Upstream patch:
http://svn.apache.org/viewvc?view=rev&rev=1833906
http://svn.apache.org/viewvc?view=rev&rev=1833907

References:
https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
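
A version check for the affected upstream ranges stated above, as an added example that is not part of the original bug report or of Tomcat itself. It assumes the input is an upstream version string, either bare or in the `Apache Tomcat/x.y.z` form; the function names and the sample inventory are constructed for illustration.

```python
import re

# Affected upstream ranges as stated in this bug (inclusive at both ends).
AFFECTED_RANGES = [("9.0.0.M9", "9.0.9"), ("8.5.5", "8.5.31")]

# x.y.z with an optional milestone suffix such as ".M9".
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:[.-]M(\d+))?")


def parse_version(text):
    """Return a sortable key for an upstream Tomcat version string.

    Accepts a bare version ("8.5.31", "9.0.0.M9") or a string containing
    one ("Apache Tomcat/9.0.8"). Milestone builds sort before a final
    release carrying the same three numbers.
    """
    match = _VERSION_RE.search(text)
    if match is None:
        raise ValueError(f"no Tomcat version found in {text!r}")
    major, minor, patch, milestone = match.groups()
    if milestone is None:
        # Final release: sorts after every milestone of the same x.y.z.
        return (int(major), int(minor), int(patch), 1, 0)
    return (int(major), int(minor), int(patch), 0, int(milestone))


def is_affected(text):
    """True if the version falls inside a range listed in this bug."""
    key = parse_version(text)
    return any(parse_version(low) <= key <= parse_version(high)
               for low, high in AFFECTED_RANGES)


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical host names).
    inventory = {
        "app01": "Apache Tomcat/9.0.0.M27",
        "app02": "Apache Tomcat/9.0.10",
        "app03": "Apache Tomcat/8.5.31",
        "app04": "Apache Tomcat/7.0.76",
    }
    for host, banner in sorted(inventory.items()):
        status = "AFFECTED" if is_affected(banner) else "not in listed range"
        print(f"{host}: {banner}: {status}")
```

Distribution packages can carry backported fixes under an older upstream version number, so for RPM installs the errata listed in this bug are the authoritative check.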
Created tomcat tracking bugs for this issue:
Affects: epel-all [bug 1607585]
Affects: fedora-all [bug 1607584]
I found no evidence that CVE-2018-8037 is fixed in tomcat 7.0.87.
Review of JWS 3.1 indicates that versions of Tomcat used in that release are not affected.
Red Hat Enterprise Linux 7 supports Tomcat 7 (7.0.76) which is not affected by this flaw.
This issue has been addressed in the following products:
  Red Hat JBoss Web Server
Via RHSA-2018:2867 https://access.redhat.com/errata/RHSA-2018:2867

This issue has been addressed in the following products:
  Red Hat JBoss Web Server 5.0 on RHEL 7
  Red Hat JBoss Web Server 5.0 on RHEL 6
Via RHSA-2018:2868 https://access.redhat.com/errata/RHSA-2018:2868

This issue has been addressed in the following products:
  Red Hat Enterprise Linux 8
Via RHSA-2019:1529 https://access.redhat.com/errata/RHSA-2019:1529
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2018-8037