製品・ソフトウェアに関する情報
Apache Tomcat の複数の脆弱性に対するアップデート
Title Apache Tomcat の複数の脆弱性に対するアップデート
Summary

The Apache Software Foundation から、Apache Tomcat に関する次の複数の脆弱性に対するアップデートが公開されました。   * UTF-8 デコーダにおける補助文字の取り扱い不備により、デコーダが無限ループとなる (CVE-2018-1336)   * コネクタ NIO/NIO2 におけるコネクションの管理不備 (CVE-2018-8037)   * WebSocket クライアントの TLS 接続において、ホスト名が検証されない (CVE-2018-8034)

Possible impacts 想定される影響は各脆弱性により異なりますが、次のような影響を受ける可能性があります。    * サービス運用妨害 (DoS) 攻撃が行われる - CVE-2018-1336   * 既存のユーザセッションが別の接続に再利用される - CVE-2018-8037   * 中間者攻撃 (man-in-the-middle attack) が行われる - CVE-2018-8034
Solution

[アップデートする] 開発者が提供する情報をもとに、最新版へアップデートしてください。 開発者はこれらの脆弱性の対策版として、次のバージョンをリリースしています。   * Apache Tomcat 9.0.10   * Apache Tomcat 8.5.32   * Apache Tomcat 8.0.53   * Apache Tomcat 7.0.90

Publication Date July 23, 2018, midnight
Registration Date July 24, 2018, 11:08 a.m.
Last Update Sept. 6, 2023, 10:06 a.m.
Affected System
Apache Software Foundation
Apache Tomcat 7.0.28 から 7.0.86 まで (CVE-2018-1336)
Apache Tomcat 7.0.35 から 7.0.88 まで (CVE-2018-8034)
Apache Tomcat 8.0.0.RC1 から 8.0.51 (CVE-2018-1336)
Apache Tomcat 8.0.0.RC1 から 8.0.52 まで (CVE-2018-8034)
Apache Tomcat 8.5.0 から 8.5.30 まで (CVE-2018-1336)
Apache Tomcat 8.5.0 から 8.5.31 まで (CVE-2018-8034)
Apache Tomcat 8.5.5 から 8.5.31 まで (CVE-2018-8037)
Apache Tomcat 9.0.0.M1 から 9.0.9 まで (CVE-2018-8034)
Apache Tomcat 9.0.0.M9 から 9.0.7 まで (CVE-2018-1336)
Apache Tomcat 9.0.0.M9 から 9.0.9 まで (CVE-2018-8037)
日本電気
CONNEXIVE PF 
EnterpriseIdentityManager 
ESMPRO/ServerManager 
InfoCage 
IoT 共通基盤 
iStorage HSシリーズ
NEC Cyber Security Platform 
SimpWright 
SystemDirector Enterprise 
SystemDirector Enterprise Asset Innovation Suite 
UNIVERGE 3C 
WebOTX Application Server Enterprise
WebOTX Application Server Express
WebOTX Application Server Standard
WebOTX Developer 
WebOTX Enterprise Service Bus 
WebOTX Portal 
WebSAM Application Navigator 
WebSAM MCOperations 
WebSAM SystemManager 
WebSAM SystemManager G 
WebSAM vDC Automation 
CVE (情報セキュリティ 共通脆弱性識別子)
ベンダー情報
その他
Change Log
No Changed Details Date of change
2 [2018年09月04日]
  ベンダ情報:日本電気 (NV18-016) を追加
Sept. 4, 2018, 10:11 a.m.
3 [2019年07月24日]
  参考情報:National Vulnerability Database (NVD) (CVE-2018-1336) を追加
  参考情報:National Vulnerability Database (NVD) (CVE-2018-8034) を追加
  参考情報:National Vulnerability Database (NVD) (CVE-2018-8037) を追加
July 24, 2019, 4:33 p.m.
1 [2018年07月24日]
  掲載
July 24, 2018, 11:08 a.m.
4 [2023年09月05日]
  影響を受けるシステム:ベンダ情報 (NV18-016) の更新に伴い内容を更新
Sept. 6, 2023, 10:03 a.m.

NVD Vulnerability Information
CVE-2018-1336
Summary

An improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Publication Date Aug. 2, 2018, 11:29 p.m.
Registration Date March 1, 2021, 6:53 p.m.
Last Update Nov. 21, 2024, 12:59 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:apache:tomcat:8.0.0:rc6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 8.0.0 8.0.51
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 8.5.0 8.5.30
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 9.0.1 9.0.7
cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 7.0.28 7.0.86
Configuration2 or higher or less more than less than
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.0.0:*:*:*:*:*:*:*
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
cpe:2.3:a:redhat:jboss_enterprise_application_platform:6.4.0:*:*:*:*:*:*:*
Configuration3 or higher or less more than less than
cpe:2.3:a:redhat:jboss_enterprise_web_server:3.0.0:*:*:*:*:*:*:*
execution environment
1 cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
2 cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Configuration4 or higher or less more than less than
cpe:2.3:a:redhat:jboss_enterprise_web_server:5.0.0:*:*:*:*:*:*:*
execution environment
1 cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
2 cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
Configuration5 or higher or less more than less than
cpe:2.3:o:redhat:enterprise_linux_desktop:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_workstation:7.0:*:*:*:*:*:*:*
cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Related information, measures and tools
Common Vulnerabilities List
CVE-2018-8034
Summary

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Publication Date Aug. 2, 2018, 3:29 a.m.
Registration Date March 1, 2021, 7:40 p.m.
Last Update Nov. 21, 2024, 1:13 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:apache:tomcat:8.0.0:rc6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone1:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 7.0.35 7.0.88
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 9.0.1 9.0.9
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 8.5.0 8.5.31
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 8.0.0 8.0.52
cpe:2.3:a:apache:tomcat:8.0.0:rc4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:8.0.0:rc8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone2:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone3:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone4:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone5:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone6:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone7:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone8:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
Configuration2 or higher or less more than less than
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:lts:*:*:*
cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:lts:*:*:*
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Configuration3 or higher or less more than less than
cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*
cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*
Related information, measures and tools
Common Vulnerabilities List
CVE-2018-8037
Summary

If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.

Publication Date Aug. 2, 2018, 11:29 p.m.
Registration Date March 1, 2021, 7:40 p.m.
Last Update Nov. 21, 2024, 1:13 p.m.
Affected software configurations
Configuration1 or higher or less more than less than
cpe:2.3:a:apache:tomcat:9.0.0:*:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 8.5.5 8.5.31
cpe:2.3:a:apache:tomcat:*:*:*:*:*:*:*:* 9.0.1 9.0.9
cpe:2.3:a:apache:tomcat:9.0.0:milestone10:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone11:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone12:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone13:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone14:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone15:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone16:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone17:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone18:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone19:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone20:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone21:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone22:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone23:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone24:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone25:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone26:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone27:*:*:*:*:*:*
cpe:2.3:a:apache:tomcat:9.0.0:milestone9:*:*:*:*:*:*
Configuration2 or higher or less more than less than
cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*
Related information, measures and tools
Common Vulnerabilities List