CVE-2018-1336

Current Description

Improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, causing a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.

Basic Data

Published: August 02, 2018
Last Modified: April 15, 2020
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: CWE-835
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: NONE
CVSS 2 - Confidentiality Impact: NONE
CVSS 2 - Availability Impact: PARTIAL
CVSS 2 - Base Score: 5.0
Severity: MEDIUM
Exploitability Score: 10.0
Impact Score: 2.9
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  Columns not shown below (Edition, Language, Target SW, Target HW, Other, Version Start Excluding, Version End Excluding) are "*" or empty for every row.

  • OR - Configuration 1
    CPE Version | Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
    2.3 | Application | Apache | Tomcat | * | * | * | 7.0.28 | 7.0.86
    2.3 | Application | Apache | Tomcat | * | * | * | 8.0.0 | 8.0.51
    2.3 | Application | Apache | Tomcat | 8.0.0 | rc1 | * | |
    2.3 | Application | Apache | Tomcat | 8.0.0 | rc10 | * | |
    2.3 | Application | Apache | Tomcat | 8.0.0 | rc2 | * | |
    2.3 | Application | Apache | Tomcat | 8.0.0 | rc3 | * | |
    2.3 | Application | Apache | Tomcat | 8.0.0 | rc4 | * | |
    2.3 | Application | Apache | Tomcat | 8.0.0 | rc5 | * | |
    2.3 | Application | Apache | Tomcat | 8.0.0 | rc6 | * | |
    2.3 | Application | Apache | Tomcat | 8.0.0 | rc7 | * | |
    2.3 | Application | Apache | Tomcat | 8.0.0 | rc8 | * | |
    2.3 | Application | Apache | Tomcat | 8.0.0 | rc9 | * | |
    2.3 | Application | Apache | Tomcat | * | * | * | 8.5.0 | 8.5.30
    2.3 | Application | Apache | Tomcat | 9.0.0 | m10 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m11 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m12 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m13 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m14 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m15 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m16 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m17 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m18 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m19 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m20 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m21 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m22 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m23 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m24 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m25 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m26 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m27 | * | |
    2.3 | Application | Apache | Tomcat | 9.0.0 | m9 | * | |
    2.3 | Application | Apache | Tomcat | * | * | * | 9.0.1 | 9.0.7
  • OR - Configuration 2
    CPE Version | Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
    2.3 | Application | Redhat | Jboss Enterprise Application Platform | 6.0.0 | * | * | |
    2.3 | Application | Redhat | Jboss Enterprise Application Platform | 6.4.0 | * | * | |
    2.3 | OS | Canonical | Ubuntu Linux | 14.04 | * | lts | |
    2.3 | OS | Canonical | Ubuntu Linux | 16.04 | * | lts | |
    2.3 | OS | Debian | Debian Linux | 8.0 | * | * | |
    2.3 | OS | Debian | Debian Linux | 9.0 | * | * | |
  • AND
    • OR - Configuration 3
      CPE Version | Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
      2.3 | Application | Redhat | Jboss Enterprise Web Server | 3.0.0 | * | * | |
    • OR Running on/with:
      CPE Version | Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
      2.3 | OS | Redhat | Enterprise Linux | 6.0 | * | * | |
      2.3 | OS | Redhat | Enterprise Linux | 7.0 | * | * | |
  • AND
    • OR - Configuration 4
      CPE Version | Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
      2.3 | Application | Redhat | Jboss Enterprise Web Server | 5.0.0 | * | * | |
    • OR Running on/with:
      CPE Version | Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
      2.3 | OS | Redhat | Enterprise Linux | 6.0 | * | * | |
      2.3 | OS | Redhat | Enterprise Linux | 7.0 | * | * | |
  • OR - Configuration 5
    CPE Version | Part | Vendor | Product | Version | Update | SW Edition | Version Start Including | Version End Including
    2.3 | OS | Redhat | Enterprise Linux Desktop | 7.0 | * | * | |
    2.3 | OS | Redhat | Enterprise Linux Server | 7.0 | * | * | |
    2.3 | OS | Redhat | Enterprise Linux Workstation | 7.0 | * | * | |

Vulnerable Software List

Vendor | Product | Versions
Debian | Debian Linux | 8.0, 9.0
Apache | Tomcat | *, 8.0.0, 9.0.0
Redhat | Enterprise Linux Workstation | 7.0
Redhat | Jboss Enterprise Application Platform | 6.0.0, 6.4.0
Redhat | Jboss Enterprise Web Server | 3.0.0, 5.0.0
Redhat | Enterprise Linux Desktop | 7.0
Redhat | Enterprise Linux Server | 7.0
Canonical | Ubuntu Linux | 14.04, 16.04

References

Name | URL | Source | Tags
[www-announce] 20180722 [SECURITY] CVE-2018-1336 Apache Tomcat - Denial of Service | http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40min | MLIST | Mailing List, Vendor Advisory
104898 | http://www.securityfocus.com/bid/104898 | BID | Third Party Advisory, VDB Entry
1041375 | http://www.securitytracker.com/id/1041375 | SECTRACK | Third Party Advisory, VDB Entry
RHEA-2018:2188 | https://access.redhat.com/errata/RHEA-2018:2188 | REDHAT | Third Party Advisory
RHEA-2018:2189 | https://access.redhat.com/errata/RHEA-2018:2189 | REDHAT | Third Party Advisory
RHSA-2018:2700 | https://access.redhat.com/errata/RHSA-2018:2700 | REDHAT | Third Party Advisory
RHSA-2018:2701 | https://access.redhat.com/errata/RHSA-2018:2701 | REDHAT | Third Party Advisory
RHSA-2018:2740 | https://access.redhat.com/errata/RHSA-2018:2740 | REDHAT | Third Party Advisory
RHSA-2018:2741 | https://access.redhat.com/errata/RHSA-2018:2741 | REDHAT | Third Party Advisory
RHSA-2018:2742 | https://access.redhat.com/errata/RHSA-2018:2742 | REDHAT | Third Party Advisory
RHSA-2018:2743 | https://access.redhat.com/errata/RHSA-2018:2743 | REDHAT | Third Party Advisory
RHSA-2018:2921 | https://access.redhat.com/errata/RHSA-2018:2921 | REDHAT | Third Party Advisory
RHSA-2018:2930 | https://access.redhat.com/errata/RHSA-2018:2930 | REDHAT | Third Party Advisory
RHSA-2018:2939 | https://access.redhat.com/errata/RHSA-2018:2939 | REDHAT | Third Party Advisory
RHSA-2018:2945 | https://access.redhat.com/errata/RHSA-2018:2945 | REDHAT | Third Party Advisory
RHSA-2018:3768 | https://access.redhat.com/errata/RHSA-2018:3768 | REDHAT | Third Party Advisory
[tomcat-dev] 20190415 svn commit: r1857582 [18/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev | MLIST | Vendor Advisory
[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev | MLIST | Mailing List, Third Party Advisory
[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev | MLIST | Mailing List, Third Party Advisory
[tomcat-dev] 20190415 svn commit: r1857582 [17/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev | MLIST | Vendor Advisory
[tomcat-dev] 20190325 svn commit: r1856174 [23/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev | MLIST | Mailing List, Third Party Advisory
[tomcat-dev] 20190415 svn commit: r1857582 [19/22] - in /tomcat/site/trunk: docs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev | MLIST | Vendor Advisory
[tomcat-dev] 20190413 svn commit: r1857494 [16/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev | MLIST | Vendor Advisory
[tomcat-dev] 20190413 svn commit: r1857494 [17/20] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev | MLIST | Vendor Advisory
[tomcat-dev] 20190325 svn commit: r1856174 [24/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/ | https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev | MLIST | Mailing List, Third Party Advisory
[tomcat-dev] 20190413 svn commit: r1857496 [3/4] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev | MLIST | Vendor Advisory
[tomcat-dev] 20190319 svn commit: r1855831 [24/30] - in /tomcat/site/trunk: ./ docs/ xdocs/ | https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev | MLIST | Mailing List, Third Party Advisory
[tomcat-dev] 20200203 svn commit: r1873527 [25/30] - /tomcat/site/trunk/docs/ | https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cde | MLIST | Vendor Advisory
[tomcat-dev] 20200213 svn commit: r1873980 [29/34] - /tomcat/site/trunk/docs/ | https://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cde | MLIST | Vendor Advisory
[tomcat-dev] 20200203 svn commit: r1873527 [24/30] - /tomcat/site/trunk/docs/ | https://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cde | MLIST | Vendor Advisory
[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/ | https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cde | MLIST | Vendor Advisory
[tomcat-dev] 20200213 svn commit: r1873980 [28/34] - /tomcat/site/trunk/docs/ | https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cde | MLIST | Vendor Advisory
[debian-lts-announce] 20180902 [SECURITY] [DLA 1491-1] tomcat8 security update | https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html | MLIST | Third Party Advisory
https://security.netapp.com/advisory/ntap-20180817-0001/ | https://security.netapp.com/advisory/ntap-20180817-0001/ | CONFIRM | Third Party Advisory
https://support.f5.com/csp/article/K73008537?utm_source=f5support&utm_medium=RSS | https://support.f5.com/csp/article/K73008537?utm_source=f5support&utm_medium=RSS | CONFIRM | Third Party Advisory
USN-3723-1 | https://usn.ubuntu.com/3723-1/ | UBUNTU | Third Party Advisory
DSA-4281 | https://www.debian.org/security/2018/dsa-4281 | DEBIAN | Third Party Advisory
N/A | https://www.oracle.com/security-alerts/cpuapr2020.html | N/A |