Fixed in Apache Tomcat 8.0.41

Note: The issue below was fixed in Apache Tomcat 8.0.40 but the release vote for the 8.0.40 release candidate did not pass. Therefore, although users must download 8.0.41 to obtain a version that includes the fix for this issue, version 8.0.40 is not included in the list of affected versions.

Important: Information Disclosure CVE-2016-8745

A bug in the error handling of the send file code for the NIO HTTP connector resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body.

This was fixed in revision 1777469.

This issue was identified as affecting 8.0.x by the Apache Tomcat Security Team on 3 January 2016 and made public on 5 January 2017.

Affects: 8.0.0.RC1 to 8.0.39