CVE-2018-8034

First published: Sun Jul 22 2018(Updated: )

Flaw affecting tomcat 8.0.0.RC1 to 8.0.52 and 9.0.0.M1 to 9.0.9 . The host name verification when using TLS with the WebSocket client was not enabled by default. Upstream patch: <a href="http://svn.apache.org/viewvc?view=revision&revision=1833757">http://svn.apache.org/viewvc?view=revision&revision=1833757</a> <a href="http://svn.apache.org/viewvc?view=rev&rev=1833759">http://svn.apache.org/viewvc?view=rev&rev=1833759</a> References: <a href="https://tomcat.apache.org/security-8.html">https://tomcat.apache.org/security-8.html</a> <a href="https://tomcat.apache.org/security-9.html">https://tomcat.apache.org/security-9.html</a>

Credit: security@apache.org security@apache.org security@apache.org

Affected Software	Affected Version	How to fix
redhat/tomcat	<8.0.53	8.0.53
redhat/tomcat	<8.5.32	8.5.32
redhat/tomcat	<9.0.10	9.0.10
redhat/tomcat	<7.0.90	7.0.90
maven/org.apache.tomcat.embed:tomcat-embed-core	>=7.0.35<=7.0.88	7.0.90
maven/org.apache.tomcat.embed:tomcat-embed-core	>=8.0.0<8.0.53	8.0.53
maven/org.apache.tomcat.embed:tomcat-embed-core	>=8.5.0<8.5.32	8.5.32
maven/org.apache.tomcat.embed:tomcat-embed-core	>=9.0.0<=9.0.9	9.0.10
debian/tomcat9		9.0.43-2~deb11u10 9.0.43-2~deb11u11 9.0.70-2 9.0.95-1
Apache Tomcat	>=7.0.35<=7.0.88
Apache Tomcat	>=8.0.0<=8.0.52
Apache Tomcat	>=8.5.0<=8.5.31
Apache Tomcat	>=9.0.1<=9.0.9
Apache Tomcat	=8.0.0-rc1
Apache Tomcat	=8.0.0-rc10
Apache Tomcat	=8.0.0-rc2
Apache Tomcat	=8.0.0-rc3
Apache Tomcat	=8.0.0-rc4
Apache Tomcat	=8.0.0-rc5
Apache Tomcat	=8.0.0-rc6
Apache Tomcat	=8.0.0-rc7
Apache Tomcat	=8.0.0-rc8
Apache Tomcat	=8.0.0-rc9
Apache Tomcat	=9.0.0-milestone1
Apache Tomcat	=9.0.0-milestone10
Apache Tomcat	=9.0.0-milestone11
Apache Tomcat	=9.0.0-milestone12
Apache Tomcat	=9.0.0-milestone13
Apache Tomcat	=9.0.0-milestone14
Apache Tomcat	=9.0.0-milestone15
Apache Tomcat	=9.0.0-milestone16
Apache Tomcat	=9.0.0-milestone17
Apache Tomcat	=9.0.0-milestone18
Apache Tomcat	=9.0.0-milestone19
Apache Tomcat	=9.0.0-milestone2
Apache Tomcat	=9.0.0-milestone20
Apache Tomcat	=9.0.0-milestone21
Apache Tomcat	=9.0.0-milestone22
Apache Tomcat	=9.0.0-milestone23
Apache Tomcat	=9.0.0-milestone24
Apache Tomcat	=9.0.0-milestone25
Apache Tomcat	=9.0.0-milestone26
Apache Tomcat	=9.0.0-milestone27
Apache Tomcat	=9.0.0-milestone3
Apache Tomcat	=9.0.0-milestone4
Apache Tomcat	=9.0.0-milestone5
Apache Tomcat	=9.0.0-milestone6
Apache Tomcat	=9.0.0-milestone7
Apache Tomcat	=9.0.0-milestone8
Apache Tomcat	=9.0.0-milestone9
Ubuntu Linux	=14.04
Ubuntu Linux	=16.04
Debian Debian Linux	=8.0
Debian Debian Linux	=9.0
Oracle Retail Order Broker	=5.1
Oracle Retail Order Broker	=5.2
Oracle Retail Order Broker	=15.0
Apache Tomcat	=9.0.0-m1
Apache Tomcat	=9.0.0-m10
Apache Tomcat	=9.0.0-m11
Apache Tomcat	=9.0.0-m12
Apache Tomcat	=9.0.0-m13
Apache Tomcat	=9.0.0-m14
Apache Tomcat	=9.0.0-m15
Apache Tomcat	=9.0.0-m16
Apache Tomcat	=9.0.0-m17
Apache Tomcat	=9.0.0-m18
Apache Tomcat	=9.0.0-m19
Apache Tomcat	=9.0.0-m2
Apache Tomcat	=9.0.0-m20
Apache Tomcat	=9.0.0-m21
Apache Tomcat	=9.0.0-m22
Apache Tomcat	=9.0.0-m23
Apache Tomcat	=9.0.0-m24
Apache Tomcat	=9.0.0-m25
Apache Tomcat	=9.0.0-m26
Apache Tomcat	=9.0.0-m27
Apache Tomcat	=9.0.0-m3
Apache Tomcat	=9.0.0-m4
Apache Tomcat	=9.0.0-m5
Apache Tomcat	=9.0.0-m6
Apache Tomcat	=9.0.0-m7
Apache Tomcat	=9.0.0-m8
Apache Tomcat	=9.0.0-m9

Remedy

http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Remedy

https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html

Never miss a vulnerability like this again

Reference Links

agent/type
collector/launchpad-cve
source/Launchpad
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2018-8034
agent/software-canonical-lookup
agent/author
agent/weakness
agent/first-publish-date
collector/usn-cve
source/Ubuntu
agent/remedy
agent/references
agent/description
collector/mitre-cve
source/MITRE
agent/severity
agent/event
collector/github-advisory-latest
source/GitHub
alias/GHSA-46j3-r4pj-4835
collector/github-advisory
agent/last-modified-date
agent/trending
collector/security-tracker-debian
source/Debian
agent/source
agent/softwarecombine
agent/tags
collector/nvd-api
source/NVD
agent/software-canonical-lookup-request
collector/nvd-cve
collector/nvd-index
package-manager/redhat
package-manager/maven
package-manager/debian
vendor/apache
canonical/apache tomcat
version/apache tomcat/7.0.35
version/apache tomcat/7.0.88
version/apache tomcat/8.0.0
version/apache tomcat/8.0.52
version/apache tomcat/8.5.0
version/apache tomcat/8.5.31
version/apache tomcat/9.0.1
version/apache tomcat/9.0.9
version/apache tomcat/8.0.0-rc1
version/apache tomcat/8.0.0-rc10
version/apache tomcat/8.0.0-rc2
version/apache tomcat/8.0.0-rc3
version/apache tomcat/8.0.0-rc4
version/apache tomcat/8.0.0-rc5
version/apache tomcat/8.0.0-rc6
version/apache tomcat/8.0.0-rc7
version/apache tomcat/8.0.0-rc8
version/apache tomcat/8.0.0-rc9
version/apache tomcat/9.0.0-milestone1
version/apache tomcat/9.0.0-milestone10
version/apache tomcat/9.0.0-milestone11
version/apache tomcat/9.0.0-milestone12
version/apache tomcat/9.0.0-milestone13
version/apache tomcat/9.0.0-milestone14
version/apache tomcat/9.0.0-milestone15
version/apache tomcat/9.0.0-milestone16
version/apache tomcat/9.0.0-milestone17
version/apache tomcat/9.0.0-milestone18
version/apache tomcat/9.0.0-milestone19
version/apache tomcat/9.0.0-milestone2
version/apache tomcat/9.0.0-milestone20
version/apache tomcat/9.0.0-milestone21
version/apache tomcat/9.0.0-milestone22
version/apache tomcat/9.0.0-milestone23
version/apache tomcat/9.0.0-milestone24
version/apache tomcat/9.0.0-milestone25
version/apache tomcat/9.0.0-milestone26
version/apache tomcat/9.0.0-milestone27
version/apache tomcat/9.0.0-milestone3
version/apache tomcat/9.0.0-milestone4
version/apache tomcat/9.0.0-milestone5
version/apache tomcat/9.0.0-milestone6
version/apache tomcat/9.0.0-milestone7
version/apache tomcat/9.0.0-milestone8
version/apache tomcat/9.0.0-milestone9
vendor/canonical
canonical/ubuntu linux
version/ubuntu linux/14.04
version/ubuntu linux/16.04
vendor/debian
canonical/debian debian linux
version/debian debian linux/8.0
version/debian debian linux/9.0
vendor/oracle
canonical/oracle retail order broker
version/oracle retail order broker/5.1
version/oracle retail order broker/5.2
version/oracle retail order broker/15.0
version/apache tomcat/9.0.0-m1
version/apache tomcat/9.0.0-m10
version/apache tomcat/9.0.0-m11
version/apache tomcat/9.0.0-m12
version/apache tomcat/9.0.0-m13
version/apache tomcat/9.0.0-m14
version/apache tomcat/9.0.0-m15
version/apache tomcat/9.0.0-m16
version/apache tomcat/9.0.0-m17
version/apache tomcat/9.0.0-m18
version/apache tomcat/9.0.0-m19
version/apache tomcat/9.0.0-m2
version/apache tomcat/9.0.0-m20
version/apache tomcat/9.0.0-m21
version/apache tomcat/9.0.0-m22
version/apache tomcat/9.0.0-m23
version/apache tomcat/9.0.0-m24
version/apache tomcat/9.0.0-m25
version/apache tomcat/9.0.0-m26
version/apache tomcat/9.0.0-m27
version/apache tomcat/9.0.0-m3
version/apache tomcat/9.0.0-m4
version/apache tomcat/9.0.0-m5
version/apache tomcat/9.0.0-m6
version/apache tomcat/9.0.0-m7
version/apache tomcat/9.0.0-m8
version/apache tomcat/9.0.0-m9

CVE-2018-8034

Remedy

Remedy

Never miss a vulnerability like this again

Reference Links

Company

Resources

Contact