Last updated: 1/Aug/2018
The Apache Software Foundation has announced the following critical vulnerabilities in Apache Tomcat:
Improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a denial of service.
A bug in the tracking of connection closures can lead to reuse of user sessions in a new connection.
Host name verification was missing when using TLS with the WebSocket client. It is now enabled by default.
These vulnerabilities exist in the following versions of Apache Tomcat:
Apache Tomcat 9.0.0.M9 to 9.0.7
Apache Tomcat 8.5.0 to 8.5.30
Apache Tomcat 8.0.0.RC1 to 8.0.51
Apache Tomcat 7.0.28 to 7.0.86

Apache Tomcat 9.0.0.M1 to 9.0.9
Apache Tomcat 8.5.0 to 8.5.31
Apache Tomcat 8.0.0.RC1 to 8.0.52
Apache Tomcat 7.0.35 to 7.0.88

Apache Tomcat 9.0.0.M9 to 9.0.9
Apache Tomcat 8.5.5 to 8.5.31
For more detail, contact Apache Software Foundation.
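As an added example (not part of this advisory, and not tooling from WingArc1st or the Apache project), the following Python script checks installed Tomcat version strings against the three groups of affected ranges listed above, so an administrator can tell which hosts fall inside them before the service packs and patches below are available. It assumes Tomcat's usual version formats (final releases such as 8.5.30, milestones such as 9.0.0.M9 and release candidates such as 8.0.0.RC1, ordered milestone < RC < final) and that versions are read from `catalina.sh version` output of the form `Server version: Apache Tomcat/8.5.30`. The group labels, hostnames and inventory lines are constructed for the example and are not the advisory's.

```python
import re
from typing import Dict, List, Optional, Tuple

# Added example (not the advisory's or any vendor's tooling): check a Tomcat
# version string against the affected ranges the advisory lists.

# Ordering of pre-release stages in Tomcat version strings (assumption about the
# scheme, e.g. 9.0.0.M9 < 9.0.0.RC1 < 9.0.0 < 9.0.1).
_STAGE_ORDER = {"M": 0, "RC": 1, None: 2}
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.(M|RC)(\d+))?$")

VersionKey = Tuple[int, int, int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn '8.5.30', '9.0.0.M9' or '8.0.0.RC1' into a comparable tuple."""
    match = _VERSION_RE.match(text.strip())
    if not match:
        raise ValueError(f"unrecognised Tomcat version string: {text!r}")
    major, minor, patch, stage, stage_num = match.groups()
    return (int(major), int(minor), int(patch), _STAGE_ORDER[stage], int(stage_num or 0))


# Inclusive ranges copied from the advisory, kept in the three groups in which it
# lists them; the group labels are constructed, not the advisory's.
AFFECTED_RANGES: Dict[str, List[Tuple[str, str]]] = {
    "group 1": [("9.0.0.M9", "9.0.7"), ("8.5.0", "8.5.30"),
                ("8.0.0.RC1", "8.0.51"), ("7.0.28", "7.0.86")],
    "group 2": [("9.0.0.M1", "9.0.9"), ("8.5.0", "8.5.31"),
                ("8.0.0.RC1", "8.0.52"), ("7.0.35", "7.0.88")],
    "group 3": [("9.0.0.M9", "9.0.9"), ("8.5.5", "8.5.31")],
}


def affected_groups(version: str) -> List[str]:
    """Return the labels of every range group that contains `version`."""
    key = parse_version(version)
    hits = []
    for label, ranges in AFFECTED_RANGES.items():
        if any(parse_version(lo) <= key <= parse_version(hi) for lo, hi in ranges):
            hits.append(label)
    return hits


_SERVER_INFO_RE = re.compile(r"Apache Tomcat/(\S+)")


def extract_version(server_info_line: str) -> Optional[str]:
    """Pull the version out of a 'Server version: Apache Tomcat/8.5.30' line."""
    match = _SERVER_INFO_RE.search(server_info_line)
    return match.group(1) if match else None


def scan_inventory(lines: List[str]) -> Dict[str, List[str]]:
    """Map 'host<TAB>server-info' lines to affected groups; unparsable entries get ['unknown']."""
    report: Dict[str, List[str]] = {}
    for line in lines:
        host, _, info = line.partition("\t")
        version = extract_version(info)
        try:
            report[host] = affected_groups(version) if version else ["unknown"]
        except ValueError:
            report[host] = ["unknown"]
    return report


# Constructed sample inventory (hostnames and versions made up for this example).
SAMPLE_INVENTORY = [
    "app01\tServer version: Apache Tomcat/8.5.30",
    "app02\tServer version: Apache Tomcat/9.0.0.M5",
    "app03\tServer version: Apache Tomcat/8.5.32",
    "app04\tServer version: Apache Tomcat/7.0.30",
    "app05\tServer version: unknown",
]

if __name__ == "__main__":
    for host, groups in scan_inventory(SAMPLE_INVENTORY).items():
        status = ", ".join(groups) if groups else "not in any listed range"
        print(f"{host}: {status}")
```

Hosts reported as "unknown" need a manual check rather than being treated as clean; the comparison is only as good as the version string the inventory captured.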
Impact on the WingArc1st Products
CVE-2018-1336 can affect the following products:

| Product | Version |
|---|---|
| SVF Web Designer | 9.2 |
| SVF Java Products | 8.2 to 9.2 |
| Report Director Enterprise | 8.2 to 9.2 |
| Universal Connect/X | 8.2 to 9.2 |
| SPA | 9.3 to 10.0 |
| Dr.Sum EA TextOLAP | 4.0 to 4.2 |
| Dr.Sum EA Datalizer | 4.1 to 4.2 |
| MotionBoard | 4.1 to 5.7 |
| MotionBoard for Dr. Sum | 5.7 |
| MotionBoard for Dr. Sum EA | 4.1 to 5.7 |
CVE-2018-8037 can affect the following product:
For SVF and SPA, we will release the following service packs to address the issues.

| Product | SP version | Planned Release Date |
|---|---|---|
For Dr. Sum, we will release patches for 4.2 and 5.0 in the future (release date is TBD). If you have an earlier version, please upgrade to either 4.2 or 5.0 before applying the patch.
For MotionBoard, we will release a patch for 5.7 in the future (release date is TBD). If you have an earlier version, please upgrade to 5.7 before applying the patch.