Saturday, January 18, 2025
HomeSecurity UpdateApache Software Foundation Releases Important Security Patches for Multiple Apache Tomcat Versions

Apache Software Foundation Releases Important Security Patches for Multiple Apache Tomcat Versions

Published on

SIEM as a Service

Follow Us on Google News

The Apache Software Foundation released Apache security updates for Vulnerabilities that affects multiple versions of Apache Tomcat.

The codes for Apache project written by more than 6,000 volunteer individuals and employees from various corporation across six continents.

Apache security updates

CVE-2018-8034 – Host Name Bypass

Apache missing hostname verification when using TLS with WebSocket client was missing, now it has been enabled by default. The Low severity bug reported publicly on 11 June 2018 and the vulnerability fixed on 22 July 2018. It receives CVSS3 Base Score 4.3.

The vulnerability affects 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.35 to 7.0.88 and it has been fixed with versions 9.0.10, 8.5.32, 8.0.53, 7.0.90 or later versions.

CVE-2018-1336 – Denial of Service

Another important vulnerability is with the improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. It receives CVSS3 Base Score 7.5 and the attack complexity is low.

Affected versions 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, 7.0.28 to 7.0.86 and the vulnerability was fixed with 7.0.90, 8.0.52, 8.5.32, 9.0.7 or later versions.

CVE-2018-8037 – Information Disclosure

A critical bug with connection closures may allow attackers to reuse the user sessions with the new connection. It receives CVSS3 Base Score 9.1 and the attack complexity is low.

The vulnerability impacts 9.0.0.M9 to 9.0.9, 8.5.5 to 8.5.31 and the vulnerability was fixed with 8.5.32, 9.0.10 or later.

A remote attacker could exploit any one of these vulnerabilities to extract sensitive information. Server administrators are recommended to apply the Apache security updates to mitigate the risks.

Also Read

Lynis – Open Source Security Auditing & Pentesting Tool – A Detailed Explanation

Apache Struts2 Remote Code Execution Vulnerability S2-046

New Apache Struts Vulnerability Allows Attackers to Take Control Over Web Servers

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Hackers Easily Bypass Active Directory Group Policy to Allow Vulnerable NTLMv1 Auth Protocol

Researchers have discovered a critical flaw in Active Directory’s NTLMv1 mitigation strategy, where misconfigured...

AWS Warns of Multiple Vulnerabilities in Amazon WorkSpaces, Amazon AppStream 2.0, & Amazon DCV

Amazon Web Services (AWS) has issued a critical security advisory highlighting vulnerabilities in specific...

FlowerStorm PaaS Platform Attacking Microsoft Users With Fake Login Pages

Rockstar2FA is a PaaS kit that mimics the legitimate credential-request behavior of cloud/SaaS platforms....

New Tool Unveiled to Scan Hacking Content on Telegram

A Russian software developer, aided by the National Technology Initiative, has introduced a groundbreaking...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Wireshark 4.4.2 Released: What’s New!

The Wireshark Foundation has officially announced the release of Wireshark 4.4.2, the latest version...

Parrot Security OS 6.1 Released – What’s New

The Parrot Security team has officially announced the release of Parrot OS 6.1, the...

SAP Security: Code Injection & Other Vulnerabilities Patched

Organizations using SAP products are urged to prioritize patching vulnerabilities outlined in the latest...