Categories: Security Update

Apache Software Foundation Releases Important Security Patches for Multiple Apache Tomcat Versions

The Apache Software Foundation released Apache security updates for Vulnerabilities that affects multiple versions of Apache Tomcat.

The codes for Apache project written by more than 6,000 volunteer individuals and employees from various corporation across six continents.

Apache security updates

CVE-2018-8034 – Host Name Bypass

Apache missing hostname verification when using TLS with WebSocket client was missing, now it has been enabled by default. The Low severity bug reported publicly on 11 June 2018 and the vulnerability fixed on 22 July 2018. It receives CVSS3 Base Score 4.3.

The vulnerability affects 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.35 to 7.0.88 and it has been fixed with versions 9.0.10, 8.5.32, 8.0.53, 7.0.90 or later versions.

CVE-2018-1336 – Denial of Service

Another important vulnerability is with the improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. It receives CVSS3 Base Score 7.5 and the attack complexity is low.

Affected versions 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, 7.0.28 to 7.0.86 and the vulnerability was fixed with 7.0.90, 8.0.52, 8.5.32, 9.0.7 or later versions.

CVE-2018-8037 – Information Disclosure

A critical bug with connection closures may allow attackers to reuse the user sessions with the new connection. It receives CVSS3 Base Score 9.1 and the attack complexity is low.

The vulnerability impacts 9.0.0.M9 to 9.0.9, 8.5.5 to 8.5.31 and the vulnerability was fixed with 8.5.32, 9.0.10 or later.

A remote attacker could exploit any one of these vulnerabilities to extract sensitive information. Server administrators are recommended to apply the Apache security updates to mitigate the risks.

Also Read

Lynis – Open Source Security Auditing & Pentesting Tool – A Detailed Explanation

Apache Struts2 Remote Code Execution Vulnerability S2-046

New Apache Struts Vulnerability Allows Attackers to Take Control Over Web Servers

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Leave a Comment
Share
Published by
Gurubaran
Tags: Apache security updatesSecurity Update
7 years ago

Recent Posts

Hunters International Claims Tata Technologies Cyberattack

Multinational engineering and technology services firm Tata Technologies has reportedly fallen victim to a significant…

1 minute ago

Authorities Seize $31 Million Linked to Crypto Exchange Hack

U.S. authorities announced the seizure of $31 million tied to the 2021 Uranium Finance decentralized…

22 minutes ago

Google, Meta, and Apple Power the World’s Biggest Surveillance System

Imagine a government that tracks your daily movements, monitors your communications, and catalogs your digital…

27 minutes ago

Docusnap for Windows Flaw Exposes Sensitive Data to Attackers

A recently disclosed vulnerability in Docusnap's Windows client software (CVE-2025-26849) enables attackers to decrypt sensitive…

2 hours ago

CISA Warns of Active Exploitation of Microsoft Windows Win32k Vulnerability

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added CVE-2018-8639, a decade-old Microsoft Windows privilege…

2 hours ago

Update Alert: Google Warns of Critical Android Vulnerabilities Under Exploit

Google’s March 2025 Android Security Bulletin has unveiled two critical vulnerabilities—CVE-2024-43093 and CVE-2024-50302—currently under limited,…

5 hours ago