CVE-2018-8037: Race Condition
First published: Sun Jul 22 2018(Updated: )
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
Credit: security@apache.org security@apache.org security@apache.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/jws5-tomcat | <0:9.0.7-12.redhat_12.1.el6 | 0:9.0.7-12.redhat_12.1.el6 |
| redhat/jws5-tomcat | <0:9.0.7-12.redhat_12.1.el7 | 0:9.0.7-12.redhat_12.1.el7 |
| debian/tomcat9 | 9.0.31-1~deb10u6 9.0.31-1~deb10u10 9.0.43-2~deb11u6 9.0.43-2~deb11u9 9.0.70-2 | |
| Apache Tomcat | >=8.5.5<=8.5.31 | |
| Apache Tomcat | >=9.0.1<=9.0.9 | |
| Apache Tomcat | =9.0.0 | |
| Apache Tomcat | =9.0.0-m10 | |
| Apache Tomcat | =9.0.0-m11 | |
| Apache Tomcat | =9.0.0-m12 | |
| Apache Tomcat | =9.0.0-m13 | |
| Apache Tomcat | =9.0.0-m14 | |
| Apache Tomcat | =9.0.0-m15 | |
| Apache Tomcat | =9.0.0-m16 | |
| Apache Tomcat | =9.0.0-m17 | |
| Apache Tomcat | =9.0.0-m18 | |
| Apache Tomcat | =9.0.0-m19 | |
| Apache Tomcat | =9.0.0-m20 | |
| Apache Tomcat | =9.0.0-m21 | |
| Apache Tomcat | =9.0.0-m22 | |
| Apache Tomcat | =9.0.0-m23 | |
| Apache Tomcat | =9.0.0-m24 | |
| Apache Tomcat | =9.0.0-m25 | |
| Apache Tomcat | =9.0.0-m26 | |
| Apache Tomcat | =9.0.0-m27 | |
| Apache Tomcat | =9.0.0-m9 | |
| Debian Debian Linux | =9.0 | |
| Apache Tomcat | =9.0.0-milestone10 | |
| Apache Tomcat | =9.0.0-milestone11 | |
| Apache Tomcat | =9.0.0-milestone12 | |
| Apache Tomcat | =9.0.0-milestone13 | |
| Apache Tomcat | =9.0.0-milestone14 | |
| Apache Tomcat | =9.0.0-milestone15 | |
| Apache Tomcat | =9.0.0-milestone16 | |
| Apache Tomcat | =9.0.0-milestone17 | |
| Apache Tomcat | =9.0.0-milestone18 | |
| Apache Tomcat | =9.0.0-milestone19 | |
| Apache Tomcat | =9.0.0-milestone20 | |
| Apache Tomcat | =9.0.0-milestone21 | |
| Apache Tomcat | =9.0.0-milestone22 | |
| Apache Tomcat | =9.0.0-milestone23 | |
| Apache Tomcat | =9.0.0-milestone24 | |
| Apache Tomcat | =9.0.0-milestone25 | |
| Apache Tomcat | =9.0.0-milestone26 | |
| Apache Tomcat | =9.0.0-milestone27 | |
| Apache Tomcat | =9.0.0-milestone9 | |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=9.0.0.M9<9.0.10 | 9.0.10 |
| maven/org.apache.tomcat.embed:tomcat-embed-core | >=8.5.5<8.5.32 | 8.5.32 |
| redhat/tomcat | <8.5.32 | 8.5.32 |
| redhat/tomcat | <9.0.10 | 9.0.10 |
| redhat/tomcat | <7.0.87 | 7.0.87 |
| >=8.5.5<=8.5.31 | ||
| >=9.0.1<=9.0.9 | ||
| =9.0.0 | ||
| =9.0.0-milestone10 | ||
| =9.0.0-milestone11 | ||
| =9.0.0-milestone12 | ||
| =9.0.0-milestone13 | ||
| =9.0.0-milestone14 | ||
| =9.0.0-milestone15 | ||
| =9.0.0-milestone16 | ||
| =9.0.0-milestone17 | ||
| =9.0.0-milestone18 | ||
| =9.0.0-milestone19 | ||
| =9.0.0-milestone20 | ||
| =9.0.0-milestone21 | ||
| =9.0.0-milestone22 | ||
| =9.0.0-milestone23 | ||
| =9.0.0-milestone24 | ||
| =9.0.0-milestone25 | ||
| =9.0.0-milestone26 | ||
| =9.0.0-milestone27 | ||
| =9.0.0-milestone9 | ||
| =9.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://www.cve.org/CVERecord?id=CVE-2018-8037 https://nvd.nist.gov/vuln/detail/CVE-2018-8037
- https://bugzilla.redhat.com/show_bug.cgi?id=1607582
- https://access.redhat.com/errata/RHSA-2019:1529
- https://access.redhat.com/errata/RHSA-2018:2867
- https://access.redhat.com/errata/RHSA-2018:2868
- https://access.redhat.com/security/cve/CVE-2018-8037
- https://svn.apache.org/r1833906
- https://svn.apache.org/r1833907
- https://security-tracker.debian.org/tracker/CVE-2018-8037
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090623.GA92700%40minotaur.apache.org%3E
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201808.mbox/%3C0c616b4d-4e81-e7f8-b81d-1bb4c575aa33%40apache.org%3E
- http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
- http://www.securityfocus.com/bid/104894
- http://www.securitytracker.com/id/1041376
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c@%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
- https://security.netapp.com/advisory/ntap-20180817-0001/
- https://www.debian.org/security/2018/dsa-4281
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/2ee3af8a43cb019e7898c9330cc8e73306553a27f2e4735dfb522d39%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/5d15316dfb4adf75d96d394745f8037533fa3bcc1ac8f619bf5c044c%40%3Cusers.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a%40%3Cdev.tomcat.apache.org%3E
- https://nvd.nist.gov/vuln/detail/CVE-2018-8037
- https://web.archive.org/web/20200227102808/http://www.securityfocus.com/bid/104894
- https://web.archive.org/web/20200515223903/http://www.securitytracker.com/id/1041376
- https://github.com/advisories/GHSA-6v52-mj5r-7j2m (Advisory)
- http://svn.apache.org/viewvc?view=rev&rev=1833906
- http://svn.apache.org/viewvc?view=rev&rev=1833907
- https://tomcat.apache.org/security-8.html
- https://tomcat.apache.org/security-9.html
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1607585
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1607584
- https://access.redhat.com/security/cve/cve-2018-8037
- https://github.com/apache/tomcat/commit/4c04369c287233ea2e8e5135f6c31d02e2d76293
- https://github.com/apache/tomcat/commit/ccf2e6bf5205561ad18c2300153e9173ec509d73
- https://github.com/apache/tomcat/commit/ed4b9d791f9470e4c3de691dd0153a9ce431701b
- https://github.com/apache/tomcat/commit/f94eedf02b5973598ab3dbbd4504da588e9ba6cb
- https://security.netapp.com/advisory/ntap-20180817-0001
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2018-8037?
CVE-2018-8037 is a vulnerability in Apache Tomcat that could result in a race condition and allow a user to see a response intended for a different user.
What is the severity of CVE-2018-8037?
CVE-2018-8037 has a severity rating of 9.1, which is considered critical.
Which versions of Apache Tomcat are affected by CVE-2018-8037?
Apache Tomcat versions 8.5.32 to 8.5.31 and versions 9.0.10 to 9.0.9 are affected by CVE-2018-8037.
How can I fix CVE-2018-8037?
To fix CVE-2018-8037, update to Apache Tomcat version 8.5.32 or 9.0.10 or later.
Where can I find more information about CVE-2018-8037?
You can find more information about CVE-2018-8037 on the Apache Tomcat official website and in the provided references.
- collector/redhat-cve
- collector/security-tracker-debian
- collector/nvd-index
- collector/nvd-api
- agent/first-publish-date
- agent/type
- agent/severity
- agent/remedy
- agent/author
- agent/description
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-6v52-mj5r-7j2m
- alias/CVE-2018-8037
- agent/software-canonical-lookup
- agent/weakness
- agent/softwarecombine
- agent/last-modified-date
- agent/references
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- collector/redhat-bugzilla
- source/Red Hat
- collector/github-advisory
- package-manager/redhat
- package-manager/debian
- vendor/apache
- canonical/apache tomcat
- version/apache tomcat/8.5.5
- version/apache tomcat/8.5.31
- version/apache tomcat/9.0.1
- version/apache tomcat/9.0.9
- version/apache tomcat/9.0.0
- version/apache tomcat/9.0.0-m10
- version/apache tomcat/9.0.0-m11
- version/apache tomcat/9.0.0-m12
- version/apache tomcat/9.0.0-m13
- version/apache tomcat/9.0.0-m14
- version/apache tomcat/9.0.0-m15
- version/apache tomcat/9.0.0-m16
- version/apache tomcat/9.0.0-m17
- version/apache tomcat/9.0.0-m18
- version/apache tomcat/9.0.0-m19
- version/apache tomcat/9.0.0-m20
- version/apache tomcat/9.0.0-m21
- version/apache tomcat/9.0.0-m22
- version/apache tomcat/9.0.0-m23
- version/apache tomcat/9.0.0-m24
- version/apache tomcat/9.0.0-m25
- version/apache tomcat/9.0.0-m26
- version/apache tomcat/9.0.0-m27
- version/apache tomcat/9.0.0-m9
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/9.0
- version/apache tomcat/9.0.0-milestone10
- version/apache tomcat/9.0.0-milestone11
- version/apache tomcat/9.0.0-milestone12
- version/apache tomcat/9.0.0-milestone13
- version/apache tomcat/9.0.0-milestone14
- version/apache tomcat/9.0.0-milestone15
- version/apache tomcat/9.0.0-milestone16
- version/apache tomcat/9.0.0-milestone17
- version/apache tomcat/9.0.0-milestone18
- version/apache tomcat/9.0.0-milestone19
- version/apache tomcat/9.0.0-milestone20
- version/apache tomcat/9.0.0-milestone21
- version/apache tomcat/9.0.0-milestone22
- version/apache tomcat/9.0.0-milestone23
- version/apache tomcat/9.0.0-milestone24
- version/apache tomcat/9.0.0-milestone25
- version/apache tomcat/9.0.0-milestone26
- version/apache tomcat/9.0.0-milestone27
- version/apache tomcat/9.0.0-milestone9
- package-manager/maven