PT-2018-3242
Vendor: Apache
Product: Apache Tomcat
Published: 2018-06-26
Updated: 2024-06-15
CVE: CVE-2018-8037
CVSS v3.1: 5.9 (Medium)
Vector: AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 8.5.5 through 8.5.31
Apache Tomcat versions 9.0.0.M9 through 9.0.9
Description
The issue is caused by synchronization errors when using a shared resource, which could allow a remote attacker to disclose protected information. A race condition exists when an async request is completed by the application at the same moment the container triggers the async timeout, potentially resulting in one user receiving a response intended for another user. A second issue is present in the NIO and NIO2 connectors, which do not correctly track the closure of the connection when an async request is completed by the application and timed out by the container at the same time.
Recommendations
For Apache Tomcat versions 8.5.5 through 8.5.31, update to a version outside of this range to resolve the issue.
For Apache Tomcat versions 9.0.0.M9 through 9.0.9, update to a version outside of this range to resolve the issue.
As a temporary workaround, consider restricting access to the NIO and NIO2 connectors until a patch is available.
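The affected ranges above include milestone builds (9.0.0.M9) as well as final releases, and a naive string or float comparison of version numbers gets those wrong. The following is an added example, not part of this advisory, showing how to parse the `Server version:` line printed by Tomcat's `version.sh` and decide whether the running build falls inside the two affected ranges. The sample `version.sh` output is constructed for illustration; `AFFECTED_RANGES` holds only the ranges stated in this advisory.

```python
import re

# Inclusive version ranges taken from the advisory text (CVE-2018-8037).
AFFECTED_RANGES = [
    ("8.5.5", "8.5.31"),
    ("9.0.0.M9", "9.0.9"),
]

# Matches "8.5.31", "9.0.9" and milestone builds such as "9.0.0.M9".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(version):
    """Turn a Tomcat version string into a sortable tuple.

    Milestones of a release (9.0.0.M1 .. 9.0.0.M27) precede the final
    release of the same triple, so a milestone maps to (0, n) and a final
    release to (1, 0) in the trailing two positions.
    """
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {version!r}")
    major, minor, patch, milestone = m.groups()
    tail = (0, int(milestone)) if milestone is not None else (1, 0)
    return (int(major), int(minor), int(patch)) + tail


def is_affected(version):
    """True when `version` lies inside any of the advisory's affected ranges."""
    key = parse_version(version)
    return any(parse_version(lo) <= key <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def extract_server_version(version_sh_output):
    """Pull the bare version out of the 'Server version: Apache Tomcat/x.y.z' line."""
    m = re.search(r"Server version:\s*Apache Tomcat/(\S+)", version_sh_output)
    if not m:
        raise ValueError("no 'Server version:' line found in version.sh output")
    return m.group(1)


def check_version_sh(version_sh_output):
    """Return (version, affected) for a captured version.sh run."""
    version = extract_server_version(version_sh_output)
    return version, is_affected(version)


# Constructed sample: the shape of `bin/version.sh` output, not a real capture.
SAMPLE_VERSION_SH = """\
Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/8.5.31
Server built:   May 2 2018 13:08:28 UTC
Server number:  8.5.31.0
OS Name:        Linux
"""

if __name__ == "__main__":
    ver, hit = check_version_sh(SAMPLE_VERSION_SH)
    print(f"Tomcat {ver}: {'AFFECTED' if hit else 'not affected'} by CVE-2018-8037")
    for v in ("8.5.4", "8.5.32", "9.0.0.M8", "9.0.0.M27", "9.0.10"):
        print(f"  {v:10s} affected={is_affected(v)}")
```

Feed it the real output of `$CATALINA_HOME/bin/version.sh` (or `catalina.sh version`) from each host; the `Server version:` line is the one to trust, since the HTTP `Server` header on these releases does not carry the Tomcat version.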
Weakness Enumeration: Race Condition
Affected Products
Alt Linux
Almalinux
Apache Tomcat
Centos
Red Hat
Rocky Linux
Suse