www-announce mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Thomas <ma...@apache.org>
Subject [SECURITY] CVE-2016-8747 Apache Tomcat Information Disclosure
Date Mon, 13 Mar 2017 20:05:14 GMT
CVE-2016-8747 Apache Tomcat Information Disclosure

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M11 to 9.0.0.M15
Apache Tomcat 8.5.7 to 8.5.9

The refactoring to make wider use of ByteBuffer introduced a regression
that could cause information to leak between requests on the same
connection. When running behind a reverse proxy, this could result in
information leakage between users. All HTTP connector variants are
affected but HTTP/2 and AJP are not affected.

Users of the affected versions should apply one of the following
- Upgrade to Apache Tomcat 9.0.0.M17 or later
  (Apache Tomcat 9.0.0.M16 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.11 or later
  (Apache Tomcat 8.5.10 has the fix but was not released)
Earlier versions are not affected

This issue was identified by the Tomcat security team.

2017-03-13 Original advisory

[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html

View raw message