CVE-2018-1336 reports that, "an improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service."
This vulnerability is reported in the following versions:
- Apache Tomcat 9.0.0.M9 to 9.0.7
- Apache Tomcat 8.5.0 to 8.5.30
- Apache Tomcat 8.0.0.RC1 to 8.0.51
- Apache Tomcat 7.0.28 to 7.0.86
Liferay Subscription Services recommends that customers running any of the affected versions apply one of the following mitigations:
- Upgrade to Apache Tomcat 9.0.7 or later.
- Upgrade to Apache Tomcat 8.5.32 or later.
- Upgrade to Apache Tomcat 8.0.52 or later.
- Upgrade to Apache Tomcat 7.0.90 or later.
Future Service Pack releases for Liferay DXP will be bundled with a newer Tomcat version:
- DXP 7.1: Tomcat 9.0.10 or newer.
- DXP 7.0: Tomcat 8.0.53 or newer.
See also LPE-16496.