What is the severity of CVE-2018-8034?

CVE-2018-8034 is considered a moderate severity vulnerability due to insufficient hostname verification in TLS connections.

How do I fix CVE-2018-8034?

To fix CVE-2018-8034, upgrade your Tomcat installation to version 8.0.53, 8.5.32, or 9.0.10 or later.

Which versions of Tomcat are affected by CVE-2018-8034?

CVE-2018-8034 affects Tomcat versions 8.0.0.RC1 to 8.0.52 and 9.0.0.M1 to 9.0.9.

What kind of attack can CVE-2018-8034 enable?

CVE-2018-8034 could allow an attacker to perform man-in-the-middle attacks if hostname verification is bypassed.

Is CVE-2018-8034 present in embedded versions of Tomcat?

Yes, CVE-2018-8034 is present in embedded versions of Tomcat that fall within the affected version ranges.

Vulnerability/
CVE-2018-8034

high

7.5

CWE

295

22/7/2018

1/8/2018

17/10/2018

21/11/2024

CVE-2018-8034

First published: Sun Jul 22 2018(Updated: )

Flaw affecting tomcat 8.0.0.RC1 to 8.0.52 and 9.0.0.M1 to 9.0.9 . The host name verification when using TLS with the WebSocket client was not enabled by default. Upstream patch: <a href="http://svn.apache.org/viewvc?view=revision&revision=1833757">http://svn.apache.org/viewvc?view=revision&revision=1833757</a> <a href="http://svn.apache.org/viewvc?view=rev&rev=1833759">http://svn.apache.org/viewvc?view=rev&rev=1833759</a> References: <a href="https://tomcat.apache.org/security-8.html">https://tomcat.apache.org/security-8.html</a> <a href="https://tomcat.apache.org/security-9.html">https://tomcat.apache.org/security-9.html</a>

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
redhat/tomcat	<8.0.53	8.0.53
redhat/tomcat	<8.5.32	8.5.32
redhat/tomcat	<9.0.10	9.0.10
redhat/tomcat	<7.0.90	7.0.90
maven/org.apache.tomcat.embed:tomcat-embed-core	>=7.0.35<=7.0.88	7.0.90
maven/org.apache.tomcat.embed:tomcat-embed-core	>=8.0.0<8.0.53	8.0.53
maven/org.apache.tomcat.embed:tomcat-embed-core	>=8.5.0<8.5.32	8.5.32
maven/org.apache.tomcat.embed:tomcat-embed-core	>=9.0.0<=9.0.9	9.0.10
debian/tomcat9		9.0.43-2~deb11u10 9.0.43-2~deb11u11 9.0.70-2 9.0.95-1
Tomcat	>=7.0.35<=7.0.88
Tomcat	>=8.0.0<=8.0.52
Tomcat	>=8.5.0<=8.5.31
Tomcat	>=9.0.1<=9.0.9
Tomcat	=8.0.0-rc1
Tomcat	=8.0.0-rc10
Tomcat	=8.0.0-rc2
Tomcat	=8.0.0-rc3
Tomcat	=8.0.0-rc4
Tomcat	=8.0.0-rc5
Tomcat	=8.0.0-rc6
Tomcat	=8.0.0-rc7
Tomcat	=8.0.0-rc8
Tomcat	=8.0.0-rc9
Tomcat	=9.0.0-milestone1
Tomcat	=9.0.0-milestone10
Tomcat	=9.0.0-milestone11
Tomcat	=9.0.0-milestone12
Tomcat	=9.0.0-milestone13
Tomcat	=9.0.0-milestone14
Tomcat	=9.0.0-milestone15
Tomcat	=9.0.0-milestone16
Tomcat	=9.0.0-milestone17
Tomcat	=9.0.0-milestone18
Tomcat	=9.0.0-milestone19
Tomcat	=9.0.0-milestone2
Tomcat	=9.0.0-milestone20
Tomcat	=9.0.0-milestone21
Tomcat	=9.0.0-milestone22
Tomcat	=9.0.0-milestone23
Tomcat	=9.0.0-milestone24
Tomcat	=9.0.0-milestone25
Tomcat	=9.0.0-milestone26
Tomcat	=9.0.0-milestone27
Tomcat	=9.0.0-milestone3
Tomcat	=9.0.0-milestone4
Tomcat	=9.0.0-milestone5
Tomcat	=9.0.0-milestone6
Tomcat	=9.0.0-milestone7
Tomcat	=9.0.0-milestone8
Tomcat	=9.0.0-milestone9
Ubuntu	=14.04
Ubuntu	=16.04
Debian	=8.0
Debian	=9.0
Oracle Retail Order Broker	=5.1
Oracle Retail Order Broker	=5.2
Oracle Retail Order Broker	=15.0
Tomcat	=9.0.0-m1
Tomcat	=9.0.0-m10
Tomcat	=9.0.0-m11
Tomcat	=9.0.0-m12
Tomcat	=9.0.0-m13
Tomcat	=9.0.0-m14
Tomcat	=9.0.0-m15
Tomcat	=9.0.0-m16
Tomcat	=9.0.0-m17
Tomcat	=9.0.0-m18
Tomcat	=9.0.0-m19
Tomcat	=9.0.0-m2
Tomcat	=9.0.0-m20
Tomcat	=9.0.0-m21
Tomcat	=9.0.0-m22
Tomcat	=9.0.0-m23
Tomcat	=9.0.0-m24
Tomcat	=9.0.0-m25
Tomcat	=9.0.0-m26
Tomcat	=9.0.0-m27
Tomcat	=9.0.0-m3
Tomcat	=9.0.0-m4
Tomcat	=9.0.0-m5
Tomcat	=9.0.0-m6
Tomcat	=9.0.0-m7
Tomcat	=9.0.0-m8
Tomcat	=9.0.0-m9

Remedy

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Remedy

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2018-8034?
CVE-2018-8034 is considered a moderate severity vulnerability due to insufficient hostname verification in TLS connections.
How do I fix CVE-2018-8034?
To fix CVE-2018-8034, upgrade your Tomcat installation to version 8.0.53, 8.5.32, or 9.0.10 or later.
Which versions of Tomcat are affected by CVE-2018-8034?
CVE-2018-8034 affects Tomcat versions 8.0.0.RC1 to 8.0.52 and 9.0.0.M1 to 9.0.9.
What kind of attack can CVE-2018-8034 enable?
CVE-2018-8034 could allow an attacker to perform man-in-the-middle attacks if hostname verification is bypassed.
Is CVE-2018-8034 present in embedded versions of Tomcat?
Yes, CVE-2018-8034 is present in embedded versions of Tomcat that fall within the affected version ranges.

agent/type
collector/launchpad-cve
source/Launchpad
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2018-8034
agent/software-canonical-lookup
agent/author
agent/weakness
agent/first-publish-date
collector/usn-cve
source/Ubuntu
agent/remedy
agent/references
agent/description
collector/mitre-cve
source/MITRE
agent/severity
agent/event
collector/github-advisory-latest
source/GitHub
alias/GHSA-46j3-r4pj-4835
collector/github-advisory
agent/last-modified-date
agent/trending
collector/security-tracker-debian
source/Debian
agent/source
agent/softwarecombine
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-cve
collector/nvd-index
package-manager/redhat
package-manager/maven
package-manager/debian
vendor/apache
canonical/tomcat
version/tomcat/7.0.35
version/tomcat/7.0.88
version/tomcat/8.0.0
version/tomcat/8.0.52
version/tomcat/8.5.0
version/tomcat/8.5.31
version/tomcat/9.0.1
version/tomcat/9.0.9
version/tomcat/8.0.0-rc1
version/tomcat/8.0.0-rc10
version/tomcat/8.0.0-rc2
version/tomcat/8.0.0-rc3
version/tomcat/8.0.0-rc4
version/tomcat/8.0.0-rc5
version/tomcat/8.0.0-rc6
version/tomcat/8.0.0-rc7
version/tomcat/8.0.0-rc8
version/tomcat/8.0.0-rc9
version/tomcat/9.0.0-milestone1
version/tomcat/9.0.0-milestone10
version/tomcat/9.0.0-milestone11
version/tomcat/9.0.0-milestone12
version/tomcat/9.0.0-milestone13
version/tomcat/9.0.0-milestone14
version/tomcat/9.0.0-milestone15
version/tomcat/9.0.0-milestone16
version/tomcat/9.0.0-milestone17
version/tomcat/9.0.0-milestone18
version/tomcat/9.0.0-milestone19
version/tomcat/9.0.0-milestone2
version/tomcat/9.0.0-milestone20
version/tomcat/9.0.0-milestone21
version/tomcat/9.0.0-milestone22
version/tomcat/9.0.0-milestone23
version/tomcat/9.0.0-milestone24
version/tomcat/9.0.0-milestone25
version/tomcat/9.0.0-milestone26
version/tomcat/9.0.0-milestone27
version/tomcat/9.0.0-milestone3
version/tomcat/9.0.0-milestone4
version/tomcat/9.0.0-milestone5
version/tomcat/9.0.0-milestone6
version/tomcat/9.0.0-milestone7
version/tomcat/9.0.0-milestone8
version/tomcat/9.0.0-milestone9
vendor/canonical
canonical/ubuntu
version/ubuntu/14.04
version/ubuntu/16.04
vendor/debian
canonical/debian
version/debian/8.0
version/debian/9.0
vendor/oracle
canonical/oracle retail order broker
version/oracle retail order broker/5.1
version/oracle retail order broker/5.2
version/oracle retail order broker/15.0
version/tomcat/9.0.0-m1
version/tomcat/9.0.0-m10
version/tomcat/9.0.0-m11
version/tomcat/9.0.0-m12
version/tomcat/9.0.0-m13
version/tomcat/9.0.0-m14
version/tomcat/9.0.0-m15
version/tomcat/9.0.0-m16
version/tomcat/9.0.0-m17
version/tomcat/9.0.0-m18
version/tomcat/9.0.0-m19
version/tomcat/9.0.0-m2
version/tomcat/9.0.0-m20
version/tomcat/9.0.0-m21
version/tomcat/9.0.0-m22
version/tomcat/9.0.0-m23
version/tomcat/9.0.0-m24
version/tomcat/9.0.0-m25
version/tomcat/9.0.0-m26
version/tomcat/9.0.0-m27
version/tomcat/9.0.0-m3
version/tomcat/9.0.0-m4
version/tomcat/9.0.0-m5
version/tomcat/9.0.0-m6
version/tomcat/9.0.0-m7
version/tomcat/9.0.0-m8
version/tomcat/9.0.0-m9

CVE-2018-8034

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is the severity of CVE-2018-8034?

How do I fix CVE-2018-8034?

Which versions of Tomcat are affected by CVE-2018-8034?

What kind of attack can CVE-2018-8034 enable?

Is CVE-2018-8034 present in embedded versions of Tomcat?

Company

Resources

Contact