====================================================================
CERT-Renater Information Note No. 2017/VULN060
_____________________________________________________________________
DATE : 15/03/2017
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to 9.0.0.M17, 8.5.11.
=====================================================================
https://helpx.adobe.com/security/products/flash-player/apsb17-07.html
____________________________________________________________________
CVE-2016-8747 Apache Tomcat Information Disclosure

Severity: Moderate

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M11 to 9.0.0.M15
Apache Tomcat 8.5.7 to 8.5.9

Description:
The refactoring to make wider use of ByteBuffer introduced a regression
that could cause information to leak between requests on the same
connection. When running behind a reverse proxy, this could result in
information leakage between users. All HTTP connector variants are
affected but HTTP/2 and AJP are not affected.

Mitigation:
Users of the affected versions should apply one of the following
mitigations:
- Upgrade to Apache Tomcat 9.0.0.M17 or later
  (Apache Tomcat 9.0.0.M16 has the fix but was not released)
- Upgrade to Apache Tomcat 8.5.11 or later
  (Apache Tomcat 8.5.10 has the fix but was not released)
Earlier versions are not affected.

Credit:
This issue was identified by the Tomcat security team.

History:
2017-03-13 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41           +
+ 75013 Paris         | email: cert@support.renater.fr +
==========================================================
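As an added example (not part of the CERT-Renater note or of Apache Tomcat), the following script turns the advisory's affected ranges into a fleet check: it parses Tomcat version strings, including the 9.0.0.Mnn milestone form, and reports whether each host is in the CVE-2016-8747 range and which release to upgrade to. The inventory lines are constructed sample data.

```python
import re
from typing import Optional, Tuple

# Version forms seen in the advisory: "8.5.8" (release) and "9.0.0.M12" (milestone).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")


def parse_version(s: str) -> Tuple[int, int, int, Optional[int]]:
    """Return (major, minor, patch, milestone); milestone is None for GA releases."""
    m = VERSION_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {s!r}")
    major, minor, patch, milestone = m.groups()
    return int(major), int(minor), int(patch), (int(milestone) if milestone else None)


def assess(version: str) -> Tuple[bool, str]:
    """Return (affected, advice) for CVE-2016-8747 using the advisory's ranges."""
    major, minor, patch, milestone = parse_version(version)
    # 9.0.0.M11 .. 9.0.0.M15 affected; fixed in 9.0.0.M17 (M16 never released).
    if (major, minor) == (9, 0):
        if milestone is not None and 11 <= milestone <= 15:
            return True, "upgrade to Apache Tomcat 9.0.0.M17 or later"
        return False, "not in affected range"
    # 8.5.7 .. 8.5.9 affected; fixed in 8.5.11 (8.5.10 never released).
    if (major, minor) == (8, 5) and milestone is None:
        if 7 <= patch <= 9:
            return True, "upgrade to Apache Tomcat 8.5.11 or later"
        return False, "not in affected range"
    # Other branches (e.g. 8.0.x, 7.0.x) are not named by this advisory.
    return False, "branch not covered by this advisory"


# Constructed inventory: "host,version" lines as an asset database might export them.
SAMPLE_INVENTORY = """\
web-01,9.0.0.M12
web-02,8.5.8
web-03,8.5.11
web-04,8.0.41
"""


def scan(inventory: str) -> dict:
    """Map each host to its (affected, advice) verdict."""
    results = {}
    for line in inventory.splitlines():
        host, version = line.split(",", 1)
        results[host] = assess(version)
    return results


if __name__ == "__main__":
    for host, (affected, advice) in scan(SAMPLE_INVENTORY).items():
        print(f"{host}: {'AFFECTED' if affected else 'ok'} - {advice}")
```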