CVE-2017-5651

Name of the Vulnerable Software and Affected Versions Apache Tomcat versions 8.5.0 through 8.5.12 Apache Tomcat versions 9.0.0.M1 through 9.0.0.M18

Description The refactoring of the HTTP connectors introduced a regression in the send file processing. If the send file processing completed quickly, it was possible for the Processor to be added to the processor cache twice. This could result in the same Processor being used for multiple requests which in turn could lead to unexpected errors and/or response mix-up. The issue is related to the incorrect handling of data, which could allow a remote attacker to obtain confidential information.

Recommendations For Apache Tomcat versions 8.5.0 through 8.5.12, update to a version outside of this range to resolve the issue. For Apache Tomcat versions 9.0.0.M1 through 9.0.0.M18, update to a version outside of this range to resolve the issue. As a temporary workaround, consider disabling the send file processing feature until a patch is available. Restrict access to the affected HTTP connectors to minimize the risk of exploitation.