728x90
CVE-2016-8745 Apache Tomcat Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.0.M13 Apache Tomcat 8.5.0 to 8.5.8 Earlier versions are not affected. Description The refactoring of the Connector code for 8.5.x onwards introduced a regression in the error handling of the send file code for the NIO HTTP connector. An error during send file processing resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. Mitigation Users of the NIO HTTP connector with the affected versions should apply one of the following mitigations - Switch to the NIO2 HTTP or APR HTTP connector - Disable send file - Upgrade to Apache Tomcat 9.0.0.M15 or later (Apache Tomcat 9.0.0.M14 has the fix but was not released) - Upgrade to Apache Tomcat 8.5.9 or later Credit: This issue was reported publicly as Bug 60409 [1] and the security implications identified by the Tomcat security team. References: [1] https://bz.apache.org/bugzilla/show_bug.cgi?id=60409 [2] http://tomcat.apache.org/security-9.html [3] http://tomcat.apache.org/security-8.html
728x90
'취약점 정보2' 카테고리의 다른 글
| 2016년 12월 Microsoft 보안 공지 요약 (0) | 2016.12.14 |
|---|---|
| Adobe Flash Player 업데이트 권고 (0) | 2016.12.14 |
| Apple Releases Security Updates (애플제품 업데이트 권고) (0) | 2016.12.13 |
| McAfee Releases Security Bulletin for Virus Scan Enterprise (0) | 2016.12.13 |
| CVE-2016-8655 Linux af_packet.c race condition (local root) (0) | 2016.12.12 |