Apache Tomcat Security Advisory: CVE-2018-1336

General Information

CVE-2018-1336 reports that, "an improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service."

This vulnerability is reported in the following versions:

  • Apache Tomcat 9.0.0.M9 to 9.0.7
  • Apache Tomcat 8.5.0 to 8.5.30
  • Apache Tomcat 8.0.0.RC1 to 8.0.51
  • Apache Tomcat 7.0.28 to 7.0.86
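The affected ranges above mix milestone (`M9`) and release-candidate (`RC1`) builds with final builds, so a plain string comparison gets the boundaries wrong. The following is an added check, not part of this advisory or of Liferay's tooling, that parses Tomcat version strings (for example from the `Server version:` line printed by `catalina.sh version`) and reports whether they fall inside the ranges listed above; the ordering rule that an `M`/`RC` build sorts before the final build with the same three numbers is my assumption.

```python
import re
from typing import Optional, Tuple

# Affected ranges exactly as listed in the advisory, inclusive on both ends.
AFFECTED_RANGES = [
    ("9.0.0.M9", "9.0.7"),
    ("8.5.0", "8.5.30"),
    ("8.0.0.RC1", "8.0.51"),
    ("7.0.28", "7.0.86"),
]

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")

VersionKey = Tuple[int, int, int, int, str, int]


def parse_version(text: str) -> VersionKey:
    """Turn '9.0.0.M9', '8.0.0.RC1' or '8.5.30' into a sortable tuple.

    Assumption (mine, not stated in the advisory): a milestone (M) or
    release-candidate (RC) build sorts before the final build carrying the
    same three numbers, so 9.0.0.M9 < 9.0.1 and 8.0.0.RC1 < 8.0.1.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    if m.group(4) is None:
        return (major, minor, patch, 1, "", 0)                  # final build
    return (major, minor, patch, 0, m.group(4), int(m.group(5)))  # pre-release


def is_affected(version: str) -> bool:
    """True if `version` lies inside any range the advisory marks as affected."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi)
               for lo, hi in AFFECTED_RANGES)


def check_version_output(line: str) -> Optional[bool]:
    """Evaluate a line such as 'Server version: Apache Tomcat/8.5.30'.

    Returns None when the line does not carry a Tomcat version at all.
    """
    m = re.search(r"Apache Tomcat/(\S+)", line)
    return is_affected(m.group(1)) if m else None


if __name__ == "__main__":
    # Constructed sample inputs covering both ends of the listed ranges.
    for v in ["9.0.0.M8", "9.0.0.M9", "9.0.7", "9.0.10", "8.5.32",
              "8.0.0.RC1", "8.0.51", "7.0.27", "7.0.86"]:
        print(f"{v:10} affected={is_affected(v)}")
```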

Resolution

Liferay Subscription Services recommends that customers running any of the affected versions apply one of the following mitigations:

  • Upgrade to Apache Tomcat 9.0.7 or later.
  • Upgrade to Apache Tomcat 8.5.32 or later.
  • Upgrade to Apache Tomcat 8.0.52 or later.
  • Upgrade to Apache Tomcat 7.0.90 or later.

Additional Information

Future Service Pack releases for Liferay DXP will be bundled with a newer Tomcat version:

  • DXP 7.1: Tomcat 9.0.10 or newer
  • DXP 7.0: Tomcat 8.0.53 or newer

See also LPE-16496.
