You are viewing a plain text version of this content. The canonical link for it is here.
Posted to announce@apache.org by Mark Thomas <ma...@apache.org> on 2017/03/13 20:05:14 UTC
[SECURITY] CVE-2016-8747 Apache Tomcat Information Disclosure
CVE-2016-8747 Apache Tomcat Information Disclosure
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M11 to 9.0.0.M15
Apache Tomcat 8.5.7 to 8.5.9
Description
The refactoring to make wider use of ByteBuffer introduced a regression
that could cause information to leak between requests on the same
connection. When running behind a reverse proxy, this could result in
information leakage between users. All HTTP connector variants are
affected but HTTP/2 and AJP are not affected.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M17 or later
(Apache Tomcat 9.0.0.M16 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.11 or later
(Apache Tomcat 8.5.10 has the fix but was not released)
Earlier versions are not affected
Credit:
This issue was identified by the Tomcat security team.
History:
2017-03-13 Original advisory
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
Re: Fwd: [SECURITY] CVE-2016-8747 Apache Tomcat Information
Disclosure
Posted by Jacques Le Roux <ja...@les7arts.com>.
We are not concerned and if we switch to to 8.5 it will be 8.5.9, one worry less
See OFBIZ-7348 for more
Jacques
Le 14/03/2017 � 09:38, Michael Brohl a �crit :
> FYI
>
>
> -------- Weitergeleitete Nachricht --------
> Betreff: [SECURITY] CVE-2016-8747 Apache Tomcat Information Disclosure
> Datum: Mon, 13 Mar 2017 20:05:14 +0000
> Von: Mark Thomas <ma...@apache.org>
> An: Tomcat Users List <us...@tomcat.apache.org>
> Kopie (CC): Tomcat Developers List <de...@tomcat.apache.org>, announce@tomcat.apache.org <an...@tomcat.apache.org>, announce@apache.org
>
>
>
> CVE-2016-8747 Apache Tomcat Information Disclosure
>
> Severity: Moderate
>
> Vendor: The Apache Software Foundation
>
> Versions Affected:
> Apache Tomcat 9.0.0.M11 to 9.0.0.M15
> Apache Tomcat 8.5.7 to 8.5.9
>
> Description
> The refactoring to make wider use of ByteBuffer introduced a regression
> that could cause information to leak between requests on the same
> connection. When running behind a reverse proxy, this could result in
> information leakage between users. All HTTP connector variants are
> affected but HTTP/2 and AJP are not affected.
>
> Mitigation:
> Users of the affected versions should apply one of the following
> mitigations:
> - Upgrade to Apache Tomcat 9.0.0.M17 or later
> (Apache Tomcat 9.0.0.M16 has the fix but was not released)
> - Upgrade to Apache Tomcat 8.5.11 or later
> (Apache Tomcat 8.5.10 has the fix but was not released)
> Earlier versions are not affected
>
> Credit:
> This issue was identified by the Tomcat security team.
>
> History:
> 2017-03-13 Original advisory
>
> References:
> [1] http://tomcat.apache.org/security-9.html
> [2] http://tomcat.apache.org/security-8.html
>
>
Fwd: [SECURITY] CVE-2016-8747 Apache Tomcat Information Disclosure
Posted by Michael Brohl <mi...@ecomify.de>.
FYI
-------- Weitergeleitete Nachricht --------
Betreff: [SECURITY] CVE-2016-8747 Apache Tomcat Information Disclosure
Datum: Mon, 13 Mar 2017 20:05:14 +0000
Von: Mark Thomas <ma...@apache.org>
An: Tomcat Users List <us...@tomcat.apache.org>
Kopie (CC): Tomcat Developers List <de...@tomcat.apache.org>,
announce@tomcat.apache.org <an...@tomcat.apache.org>,
announce@apache.org
CVE-2016-8747 Apache Tomcat Information Disclosure
Severity: Moderate
Vendor: The Apache Software Foundation
Versions Affected:
Apache Tomcat 9.0.0.M11 to 9.0.0.M15
Apache Tomcat 8.5.7 to 8.5.9
Description
The refactoring to make wider use of ByteBuffer introduced a regression
that could cause information to leak between requests on the same
connection. When running behind a reverse proxy, this could result in
information leakage between users. All HTTP connector variants are
affected but HTTP/2 and AJP are not affected.
Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M17 or later
(Apache Tomcat 9.0.0.M16 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.11 or later
(Apache Tomcat 8.5.10 has the fix but was not released)
Earlier versions are not affected
Credit:
This issue was identified by the Tomcat security team.
History:
2017-03-13 Original advisory
References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html