Fixed in Apache Tomcat 8.5.32

Advisory ID: TOMCAT:19DF5AAB3C67D0C43C1BB8ACA9B2D28A
Date: 2018-06-26
Source: Apache Tomcat (tomcat.apache.org)

CVSS3: 9.8 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: HIGH
  Integrity Impact: HIGH
  Availability Impact: HIGH
  Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS2: 7.5 High
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

EPSS: 0.078 Low (Percentile: 94.1%)

Important: Information Disclosure CVE-2018-8037

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user.

This was fixed in revisions 1833826, 1833832, 1837531 and 1833907.

This issue was reported to the Apache Tomcat Security Team by Dmitry Treskunov on 16 June 2018 and made public on 22 July 2018.

Affects: 8.5.5 to 8.5.31

Low: host name verification missing in WebSocket client CVE-2018-8034

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default.

This was fixed in revision 1833758.

This issue was reported publicly on 11 June 2018 and formally announced as a vulnerability on 22 July 2018.

Affects: 8.5.0 to 8.5.31

Low: CORS filter has insecure defaults CVE-2018-8014

The default settings for the CORS filter are insecure and enable supportsCredentials for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

This was fixed in revision 1831728.

This issue was reported publicly on 1 May 2018 and formally announced as a vulnerability on 16 May 2018.
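To check whether a deployment depends on the CORS filter defaults described above, a web.xml can be audited for CorsFilter declarations. The following is an added example, not code from the Apache Tomcat project: `audit_cors` and the sample web.xml are constructed for illustration, and the pre-fix default values (`*` for `cors.allowed.origins`, `true` for `cors.support.credentials`) are an assumption based on the advisory's description.

```python
import xml.etree.ElementTree as ET

CORS_FILTER = "org.apache.catalina.filters.CorsFilter"
# Assumption: pre-8.5.32 defaults, per the advisory (credentials for all origins).
OLD_DEFAULTS = {"cors.allowed.origins": "*", "cors.support.credentials": "true"}

# Constructed sample web.xml (not from a real deployment).
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee">
  <filter>
    <filter-name>corsDefault</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter>
    <filter-name>corsPinned</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name>
      <param-value>https://app.example</param-value></init-param>
    <init-param><param-name>cors.support.credentials</param-name>
      <param-value>false</param-value></init-param>
  </filter>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _text(elem, name):
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return ""

def audit_cors(web_xml):
    """Return (filter-name, finding) for CorsFilter entries with risky settings."""
    findings = []
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) != "filter" or _text(flt, "filter-class") != CORS_FILTER:
            continue
        params, explicit = dict(OLD_DEFAULTS), set()
        for p in flt:
            if _local(p.tag) == "init-param":
                params[_text(p, "param-name")] = _text(p, "param-value")
                explicit.add(_text(p, "param-name"))
        if params["cors.allowed.origins"] == "*" and \
                params["cors.support.credentials"].lower() == "true":
            findings.append((_text(flt, "filter-name"), "credentials enabled for all origins"))
        elif not set(OLD_DEFAULTS) <= explicit:
            findings.append((_text(flt, "filter-name"), "default not overridden explicitly"))
    return findings
```

Filters that set both parameters explicitly to a specific origin list and a deliberate credentials value produce no finding, regardless of which Tomcat version supplies the defaults.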
