Apache Tomcat (tomcat) TOMCAT:2A8B5F1565D6A09E5FAEE407DF69CEDB
History: Jan 24, 2017 - 12:00 a.m.

Fixed in Apache Tomcat 7.0.75

2017-01-24 00:00:00
Apache Tomcat
tomcat.apache.org
7

CVSS3: 7.5 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVSS2: 5 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

EPSS: 0.006 Low
Percentile: 79.0%

Important: Information Disclosure CVE-2016-8745

Note: The issue below was fixed in Apache Tomcat 7.0.74 but the release vote for the 7.0.74 release candidate did not pass. Therefore, although users must download 7.0.75 to obtain a version that includes the fix for this issue, version 7.0.74 is not included in the list of affected versions.

A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body.

This was fixed in revision 1777471.

This issue was identified as affecting 7.0.x by the Apache Tomcat Security Team on 3 January 2016 and made public on 5 January 2017.

Affects: 7.0.0 to 7.0.73
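
The failure mode described above (one object placed in a cache twice, then handed to two overlapping requests) can be reproduced with a simplified object pool. This is an added example, not Tomcat's code and not the change made in revision 1777471; the `Processor`, `Pool` and `pooled` names and the guard in `release` are assumptions chosen for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class ProcessorCacheDemo {
    // Stand-in for per-request state held by a connector's processor (hypothetical class).
    static class Processor {
        String sessionId;
        boolean pooled;   // only consulted by the guarded pool
    }

    static class Pool {
        private final Deque<Processor> cache = new ArrayDeque<>();
        private final boolean guarded;
        Pool(boolean guarded) { this.guarded = guarded; }

        synchronized Processor acquire() {
            Processor p = cache.isEmpty() ? new Processor() : cache.pop();
            p.pooled = false;
            return p;
        }

        // Unguarded: every call pushes, so two releases leave two references to one object.
        // Guarded: a second release of an object already in the cache is ignored.
        synchronized void release(Processor p) {
            if (guarded && p.pooled) return;
            p.sessionId = null;
            p.pooled = true;
            cache.push(p);
        }
    }

    // Returns true if two overlapping requests were handed the same Processor.
    static boolean sharedAfterDoubleRelease(Pool pool) {
        Processor p = pool.acquire();
        pool.release(p);              // error handler recycles the processor
        pool.release(p);              // normal completion path recycles it again
        Processor a = pool.acquire(); // request A
        Processor b = pool.acquire(); // request B, overlapping with A
        a.sessionId = "session-A";    // constructed sample values
        b.sessionId = "session-B";
        System.out.println("  request A now sees: " + a.sessionId);
        return a == b;
    }

    public static void main(String[] args) {
        System.out.println("unguarded pool:");
        System.out.println("  shared = " + sharedAfterDoubleRelease(new Pool(false)));
        System.out.println("guarded pool:");
        System.out.println("  shared = " + sharedAfterDoubleRelease(new Pool(true)));
    }
}
```

In the unguarded run, request A reads request B's session value because both hold the same instance; the guarded pool hands out two distinct objects.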

CPE Name         Operator  Version
apache tomcat    ge        7.0.0
apache tomcat    le        7.0.73
