CVE-2018-1336: Apache Tomcat - UTF-8 decoder can lead to DoS
Severity
Important
References
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E
- http://tomcat.apache.org/security-9.html
Description
Improper handling of output-buffer overflow in Tomcat's UTF-8 decoder when decoding supplementary characters (code points above U+FFFF, which occupy four UTF-8 bytes and two UTF-16 code units) can drive the decoder into an infinite loop, causing a Denial of Service.
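The following Python model is added to this advisory to illustrate the failure class the description names; it is not Tomcat's or tc Server's decoder code, and the function names (decode_step, decode_all) and the sample byte string are constructed for the illustration. A streaming decoder fills a fixed-capacity output buffer of UTF-16 slots; a supplementary character needs two slots. The vulnerable variant treats "not enough room yet" as a reason to iterate again without consuming input or writing output, so nothing changes between iterations and the loop spins. The fixed variant reports overflow before touching the character, leaving its bytes unconsumed so the caller can drain the buffer and retry, and the caller itself refuses to loop on an overflow that produced no output.

```python
"""Constructed model of an output-overflow bug in a streaming UTF-8 decoder.
Not Tomcat code: a generic illustration of the CVE-2018-1336 failure class."""

# Constructed sample: 'a', 'b', U+1F600 (4 UTF-8 bytes, 2 UTF-16 units), 'c'.
SAMPLE = "ab\U0001F600c".encode("utf-8")


def seq_len(lead):
    """Length of the UTF-8 sequence introduced by lead byte `lead`."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    raise ValueError("invalid UTF-8 lead byte: %#x" % lead)


def decode_one(data, pos):
    """Decode one code point at data[pos]; return (code_point, next_pos).
    Assumes well-formed input (this model is about overflow, not validation)."""
    n = seq_len(data[pos])
    if pos + n > len(data):
        raise ValueError("truncated UTF-8 sequence")
    if n == 1:
        return data[pos], pos + 1
    cp = data[pos] & (0x7F >> n)
    for i in range(1, n):
        cp = (cp << 6) | (data[pos + i] & 0x3F)
    return cp, pos + n


def to_utf16(cp):
    """UTF-16 code units for a code point: one unit, or a surrogate pair."""
    if cp < 0x10000:
        return [cp]
    cp -= 0x10000
    return [0xD800 | (cp >> 10), 0xDC00 | (cp & 0x3FF)]


def decode_step(data, pos, capacity, fixed, max_iter=1000):
    """One decoder invocation into an empty buffer of `capacity` UTF-16 slots.
    Returns (status, new_pos, units): UNDERFLOW = input exhausted, OVERFLOW =
    buffer full (caller drains and calls again), STUCK = the loop ran max_iter
    iterations without progress, the infinite-loop symptom made observable."""
    out = []
    iters = 0
    while pos < len(data):
        iters += 1
        if iters > max_iter:
            return "STUCK", pos, out
        free = capacity - len(out)
        if free == 0:
            return "OVERFLOW", pos, out
        cp, nxt = decode_one(data, pos)
        units = to_utf16(cp)
        if len(units) > free:
            if fixed:
                # Hardened: signal overflow before consuming the character, so the
                # caller drains the buffer and the next call decodes it in full.
                return "OVERFLOW", pos, out
            # Vulnerable model: go round again hoping for room, but neither pos
            # nor the buffer changes, so `free` stays 1 forever.
            continue
        out.extend(units)
        pos = nxt
    return "UNDERFLOW", pos, out


def decode_all(data, capacity, fixed, max_calls=100):
    """Caller loop as a container would run it: decode, drain output, repeat.
    Returns (final_status, text decoded so far)."""
    pos, units = 0, []
    for _ in range(max_calls):
        status, new_pos, out = decode_step(data, pos, capacity, fixed)
        units.extend(out)
        if status == "OVERFLOW" and new_pos == pos and not out:
            # Caller-side progress guard: overflow into an empty buffer can never
            # be resolved by draining (capacity < 2 with a supplementary char).
            status = "STUCK"
        if status != "OVERFLOW":
            break
        pos = new_pos
    else:
        status = "STUCK"
    text = b"".join(u.to_bytes(2, "big") for u in units).decode("utf-16-be", "replace")
    return status, text


if __name__ == "__main__":
    print("vulnerable, capacity 3:", decode_all(SAMPLE, 3, fixed=False))
    print("fixed, capacity 3:     ", decode_all(SAMPLE, 3, fixed=True))
    print("fixed, capacity 1:     ", decode_all(SAMPLE, 1, fixed=True))
```

With a 3-slot buffer the first two ASCII characters leave one free slot when the 4-byte sequence arrives, which is exactly the case that matters: the fixed decoder returns overflow, the caller drains, and the second call completes the string; the vulnerable decoder spins on the same byte. The model also shows that the decoder fix alone is not sufficient if the caller ever hands it a buffer smaller than two code units, so the caller-side progress check is kept as a defence in depth.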
Affected VMware Products and Versions
Severity is important unless otherwise noted.
- Pivotal tc Server versions:
  - 3.1.0.RELEASE to 3.1.13.RELEASE
  - 3.2.0.RELEASE to 3.2.9.RELEASE
  - 4.0.0
- Pivotal tc Server individual runtime versions:
  - 7.0.59.B to 7.0.84.B.RELEASE
  - 8.0.20.B.RELEASE to 8.0.49.B.RELEASE
  - 8.5.4.B.RELEASE to 8.5.27.B.RELEASE
  - 9.0.6.B.RELEASE
Mitigation
Users of affected versions should upgrade to a release that contains the fix. Releases that have fixed this issue include:
- Pivotal tc Server versions:
  - 3.1.14.RELEASE and later
  - 3.2.10.RELEASE and later
  - 4.0.1.RELEASE and later
- Pivotal tc Server individual runtime versions:
  - 7.0.86.B.RELEASE and later
  - 8.0.51.B.RELEASE and later
  - 8.5.30.B.RELEASE and later
  - 9.0.7.B.RELEASE and later
- Pivotal tc Server versions: