PT-2016-7560 · Apache · Apache Tomcat
Published: 2016-12-08 · Updated: 2024-06-15 · CVE-2016-8745
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 9.0.0.M1 through 9.0.0.M13
Apache Tomcat versions 8.5.0 through 8.5.8
Apache Tomcat versions 8.0.0.RC1 through 8.0.39
Apache Tomcat versions 7.0.0 through 7.0.73
Apache Tomcat versions 6.0.16 through 6.0.48
Description
A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. This allowed the same Processor to be used for concurrent requests, potentially leading to information leakage between requests, including session ID and the response body.
Recommendations
For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M13, update to a version outside of this range to mitigate the risk.
For Apache Tomcat versions 8.5.0 through 8.5.8, update to a version outside of this range to mitigate the risk.
For Apache Tomcat versions 8.0.0.RC1 through 8.0.39, update to a version outside of this range to mitigate the risk.
For Apache Tomcat versions 7.0.0 through 7.0.73, update to a version outside of this range to mitigate the risk.
For Apache Tomcat versions 6.0.16 through 6.0.48, update to a version outside of this range to mitigate the risk.
As a temporary workaround, consider disabling the NIO HTTP connector until a patch is available.
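A small check that turns the affected ranges above and the NIO workaround into something an administrator can run against an inventory. This is an added example, not code from the advisory or from the Tomcat project; it assumes Tomcat version strings of the form `9.0.0.M13`, `8.0.0.RC1` or `8.5.8`, and uses the standard Tomcat protocol attribute values (`org.apache.coyote.http11.Http11NioProtocol` selects the NIO HTTP connector, `HTTP/1.1` lets Tomcat auto-select an implementation). The server.xml fragment is constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Affected version ranges as listed in this advisory (inclusive bounds).
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.0.M13"), ("8.5.0", "8.5.8"), ("8.0.0.RC1", "8.0.39"),
    ("7.0.0", "7.0.73"), ("6.0.16", "6.0.48"),
]
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")
NIO_PROTOCOL = "org.apache.coyote.http11.Http11NioProtocol"

def parse_version(v):
    """Map a Tomcat version string to a sortable tuple. Pre-release builds
    of a number sort before its final build: M (milestone) < RC < final."""
    m = _VERSION_RE.match(v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, qual, qnum = m.groups()
    rank = {"M": 0, "RC": 1, None: 2}[qual]
    return (int(major), int(minor), int(patch), rank, int(qnum or 0))

def is_affected(version):
    """True if the version lies inside one of the advisory's ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)

def classify_connectors(server_xml):
    """Return (port, protocol, verdict) per <Connector>. 'HTTP/1.1' or a missing
    protocol attribute lets Tomcat auto-select an implementation (NIO on 8.0 and
    later unless the APR/native library is present), so it is reported as 'auto'."""
    rows = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        proto = c.get("protocol", "HTTP/1.1")
        verdict = ("nio" if proto == NIO_PROTOCOL
                   else "auto" if proto == "HTTP/1.1" else "other")
        rows.append((c.get("port"), proto, verdict))
    return rows

# Constructed sample server.xml fragment, not taken from a real deployment.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
  <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true"/>
  <Connector port="8009" protocol="AJP/1.3"/>
</Service></Server>"""

if __name__ == "__main__":
    for v in ("8.5.8", "8.5.9", "9.0.0.M13", "8.0.0.RC1"):
        print(v, "affected" if is_affected(v) else "not affected")
    for row in classify_connectors(SAMPLE_SERVER_XML):
        print(*row)
```

Connectors reported as `auto` still need the running Tomcat version checked, since the default implementation differs between the 7.x and 8.x lines.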
Vulnerability class: Race Condition
Affected Products
ALT Linux
Apache Tomcat
CentOS
Red Hat
SUSE
Ubuntu