CVE-2018-1336

Improper handling of overflow in the UTF-8 decoder when decoding supplementary characters (code points above U+FFFF, which occupy four UTF-8 bytes but two UTF-16 code units) can cause the decoder to loop forever, resulting in a Denial of Service. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86.
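
The failure mode in the description, as an added illustration that is not part of this CVE record or of Tomcat's source: a simplified incremental UTF-8 to UTF-16 decoder with a bounded output buffer, driven by the decode/flush/repeat loop a server's byte-to-char converter uses. A supplementary character is the one case where a character can fail to fit even when the output buffer is not yet full, because it needs two code units; the decoder below refuses to consume its input bytes unless both fit, and the driver refuses to spin when a decode call makes no progress. All class and function names are invented for this example, and the sample bytes are constructed.

```python
# Added illustration of the CVE-2018-1336 bug class (not Tomcat's code):
# a simplified incremental UTF-8 -> UTF-16 decoder with a bounded output
# buffer, plus the driver loop that flushes on overflow.
OVERFLOW, UNDERFLOW = "OVERFLOW", "UNDERFLOW"
_LEAD_MASK = {2: 0x1F, 3: 0x0F, 4: 0x07}
_MIN_CP = {2: 0x80, 3: 0x800, 4: 0x10000}


def _seq_len(lead):
    """Length of the UTF-8 sequence introduced by this lead byte."""
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    raise ValueError(f"invalid UTF-8 lead byte 0x{lead:02x}")


def _code_point(seq):
    """Decode one complete UTF-8 sequence; reject overlong and surrogate forms."""
    n = len(seq)
    if n == 1:
        return seq[0]
    cp = seq[0] & _LEAD_MASK[n]
    for b in seq[1:]:
        if b & 0xC0 != 0x80:
            raise ValueError("invalid UTF-8 continuation byte")
        cp = (cp << 6) | (b & 0x3F)
    if cp < _MIN_CP[n] or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        raise ValueError(f"invalid UTF-8 sequence {seq.hex()}")
    return cp


class Utf8ToUtf16Decoder:
    """Decodes into a UTF-16 code-unit buffer of fixed capacity."""

    def __init__(self, out_capacity):
        self.out_capacity = out_capacity
        self.out = []   # pending UTF-16 code units
        self.pos = 0    # bytes of input consumed so far

    def decode(self, data):
        """OVERFLOW: next character does not fit, self.pos left at its first
        byte.  UNDERFLOW: all input consumed (or last sequence incomplete)."""
        while self.pos < len(data):
            n = _seq_len(data[self.pos])
            if self.pos + n > len(data):
                return UNDERFLOW
            cp = _code_point(data[self.pos:self.pos + n])
            needed = 2 if cp > 0xFFFF else 1   # supplementary -> surrogate pair
            # The essential check: consume a supplementary character only if
            # BOTH code units fit.  Consuming its bytes while writing nothing
            # (or half a pair) leaves the caller no way to make progress.
            if len(self.out) + needed > self.out_capacity:
                return OVERFLOW
            if needed == 2:
                cp -= 0x10000
                self.out += [0xD800 | (cp >> 10), 0xDC00 | (cp & 0x3FF)]
            else:
                self.out.append(cp)
            self.pos += n
        return UNDERFLOW

    def drain(self):
        units, self.out = self.out, []
        return units


def decode_all(data, out_capacity):
    """Drive the decoder as a server's byte-to-char converter does: decode,
    flush on OVERFLOW, repeat.  Returns (text, number_of_decode_calls).
    The progress guard is the defence in depth: a call that neither consumes
    input nor produces output raises instead of spinning forever."""
    dec = Utf8ToUtf16Decoder(out_capacity)
    units, calls = [], 0
    while True:
        start = dec.pos
        status = dec.decode(data)
        calls += 1
        flushed = dec.drain()
        units.extend(flushed)
        if status == UNDERFLOW:
            if dec.pos != len(data):
                raise ValueError("input ends with an incomplete UTF-8 sequence")
            break
        if dec.pos == start and not flushed:
            raise RuntimeError("decoder made no progress; refusing to loop")
    text = b"".join(u.to_bytes(2, "big") for u in units).decode("utf-16-be")
    return text, calls


def decode_or_error(data, out_capacity):
    """decode_all, with failures reported as the exception class name."""
    try:
        return decode_all(data, out_capacity)[0]
    except (RuntimeError, ValueError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    sample = "A\U0001F600B".encode("utf-8")   # constructed; U+1F600 = 4 bytes, 2 units
    print(decode_all(sample, 2))       # ('A😀B', 3): three decode calls, two flushes
    print(decode_or_error(sample, 1))  # RuntimeError: one free slot never fits a pair
```

The second call in the `__main__` block is the guard doing its job: an output buffer with a single free slot can never accept a surrogate pair, so without the progress check the driver would loop forever on that input; with it, the condition surfaces as an error the caller can handle. The same guard belongs in any decode/flush/repeat loop, whatever the decoder underneath.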

Published: 2018-08-02 14:29   Updated: 2019-04-22 17:48

CVSS Score: 5.0 / 10
Vendor Product Version CPE URI
Apache Tomcat 7.0.28 cpe:/a:apache:tomcat:7.0.28
Apache Tomcat 7.0.29 cpe:/a:apache:tomcat:7.0.29
Apache Tomcat 7.0.30 cpe:/a:apache:tomcat:7.0.30
Apache Tomcat 7.0.31 cpe:/a:apache:tomcat:7.0.31
Apache Tomcat 7.0.32 cpe:/a:apache:tomcat:7.0.32
Apache Tomcat 7.0.33 cpe:/a:apache:tomcat:7.0.33
Apache Tomcat 7.0.34 cpe:/a:apache:tomcat:7.0.34
Apache Tomcat 7.0.35 cpe:/a:apache:tomcat:7.0.35
Apache Tomcat 7.0.36 cpe:/a:apache:tomcat:7.0.36
Apache Tomcat 7.0.37 cpe:/a:apache:tomcat:7.0.37
Apache Tomcat 7.0.38 cpe:/a:apache:tomcat:7.0.38
Apache Tomcat 7.0.39 cpe:/a:apache:tomcat:7.0.39
Apache Tomcat 7.0.40 cpe:/a:apache:tomcat:7.0.40
Apache Tomcat 7.0.41 cpe:/a:apache:tomcat:7.0.41
Apache Tomcat 7.0.42 cpe:/a:apache:tomcat:7.0.42
Apache Tomcat 7.0.43 cpe:/a:apache:tomcat:7.0.43
Apache Tomcat 7.0.44 cpe:/a:apache:tomcat:7.0.44
Apache Tomcat 7.0.45 cpe:/a:apache:tomcat:7.0.45
Apache Tomcat 7.0.46 cpe:/a:apache:tomcat:7.0.46
Apache Tomcat 7.0.47 cpe:/a:apache:tomcat:7.0.47
Apache Tomcat 7.0.48 cpe:/a:apache:tomcat:7.0.48
Apache Tomcat 7.0.49 cpe:/a:apache:tomcat:7.0.49
Apache Tomcat 7.0.50 cpe:/a:apache:tomcat:7.0.50
Apache Tomcat 7.0.51 cpe:/a:apache:tomcat:7.0.51
Apache Tomcat 7.0.54 cpe:/a:apache:tomcat:7.0.54
Apache Tomcat 7.0.55 cpe:/a:apache:tomcat:7.0.55
Apache Tomcat 7.0.56 cpe:/a:apache:tomcat:7.0.56
Apache Tomcat 7.0.57 cpe:/a:apache:tomcat:7.0.57
Apache Tomcat 7.0.58 cpe:/a:apache:tomcat:7.0.58
Apache Tomcat 7.0.59 cpe:/a:apache:tomcat:7.0.59
Apache Tomcat 7.0.60 cpe:/a:apache:tomcat:7.0.60
Apache Tomcat 7.0.61 cpe:/a:apache:tomcat:7.0.61
Apache Tomcat 7.0.62 cpe:/a:apache:tomcat:7.0.62
Apache Tomcat 7.0.63 cpe:/a:apache:tomcat:7.0.63
Apache Tomcat 7.0.64 cpe:/a:apache:tomcat:7.0.64
Apache Tomcat 7.0.65 cpe:/a:apache:tomcat:7.0.65
Apache Tomcat 7.0.66 cpe:/a:apache:tomcat:7.0.66
Apache Tomcat 7.0.67 cpe:/a:apache:tomcat:7.0.67
Apache Tomcat 7.0.68 cpe:/a:apache:tomcat:7.0.68
Apache Tomcat 7.0.69 cpe:/a:apache:tomcat:7.0.69
Apache Tomcat 7.0.70 cpe:/a:apache:tomcat:7.0.70
Apache Tomcat 7.0.71 cpe:/a:apache:tomcat:7.0.71
Apache Tomcat 7.0.72 cpe:/a:apache:tomcat:7.0.72
Apache Tomcat 7.0.73 cpe:/a:apache:tomcat:7.0.73
Apache Tomcat 7.0.74 cpe:/a:apache:tomcat:7.0.74
Apache Tomcat 7.0.75 cpe:/a:apache:tomcat:7.0.75
Apache Tomcat 7.0.76 cpe:/a:apache:tomcat:7.0.76
Apache Tomcat 7.0.77 cpe:/a:apache:tomcat:7.0.77
Apache Tomcat 7.0.78 cpe:/a:apache:tomcat:7.0.78
Apache Tomcat 7.0.79 cpe:/a:apache:tomcat:7.0.79
Apache Tomcat 7.0.80 cpe:/a:apache:tomcat:7.0.80
Apache Tomcat 7.0.81 cpe:/a:apache:tomcat:7.0.81
Apache Tomcat 7.0.82 cpe:/a:apache:tomcat:7.0.82
Apache Tomcat 7.0.83 cpe:/a:apache:tomcat:7.0.83
Apache Tomcat 7.0.84 cpe:/a:apache:tomcat:7.0.84
Apache Tomcat 7.0.85 cpe:/a:apache:tomcat:7.0.85
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc1
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc10
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc2
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc3
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc4
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc5
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc6
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc7
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc8
Apache Tomcat 8.0.0 cpe:/a:apache:tomcat:8.0.0:rc9
Apache Tomcat 8.0.1 cpe:/a:apache:tomcat:8.0.1
Apache Tomcat 8.0.2 cpe:/a:apache:tomcat:8.0.2
Apache Tomcat 8.0.4 cpe:/a:apache:tomcat:8.0.4
Apache Tomcat 8.0.6 cpe:/a:apache:tomcat:8.0.6
Apache Tomcat 8.0.7 cpe:/a:apache:tomcat:8.0.7
Apache Tomcat 8.0.9 cpe:/a:apache:tomcat:8.0.9
Apache Tomcat 8.0.10 cpe:/a:apache:tomcat:8.0.10
Apache Tomcat 8.0.11 cpe:/a:apache:tomcat:8.0.11
Apache Tomcat 8.0.12 cpe:/a:apache:tomcat:8.0.12
Apache Tomcat 8.0.13 cpe:/a:apache:tomcat:8.0.13
Apache Tomcat 8.0.14 cpe:/a:apache:tomcat:8.0.14
Apache Tomcat 8.0.15 cpe:/a:apache:tomcat:8.0.15
Apache Tomcat 8.0.16 cpe:/a:apache:tomcat:8.0.16
Apache Tomcat 8.0.17 cpe:/a:apache:tomcat:8.0.17
Apache Tomcat 8.0.18 cpe:/a:apache:tomcat:8.0.18
Apache Tomcat 8.0.19 cpe:/a:apache:tomcat:8.0.19
Apache Tomcat 8.0.20 cpe:/a:apache:tomcat:8.0.20
Apache Tomcat 8.0.21 cpe:/a:apache:tomcat:8.0.21
Apache Tomcat 8.0.22 cpe:/a:apache:tomcat:8.0.22
Apache Tomcat 8.0.23 cpe:/a:apache:tomcat:8.0.23
Apache Tomcat 8.0.24 cpe:/a:apache:tomcat:8.0.24
Apache Tomcat 8.0.25 cpe:/a:apache:tomcat:8.0.25
Apache Tomcat 8.0.26 cpe:/a:apache:tomcat:8.0.26
Apache Tomcat 8.0.27 cpe:/a:apache:tomcat:8.0.27
Apache Tomcat 8.0.28 cpe:/a:apache:tomcat:8.0.28
Apache Tomcat 8.0.29 cpe:/a:apache:tomcat:8.0.29
Apache Tomcat 8.0.30 cpe:/a:apache:tomcat:8.0.30
Apache Tomcat 8.0.31 cpe:/a:apache:tomcat:8.0.31
Apache Tomcat 8.0.32 cpe:/a:apache:tomcat:8.0.32
Apache Tomcat 8.0.33 cpe:/a:apache:tomcat:8.0.33
Apache Tomcat 8.0.34 cpe:/a:apache:tomcat:8.0.34
Apache Tomcat 8.0.35 cpe:/a:apache:tomcat:8.0.35
Apache Tomcat 8.0.36 cpe:/a:apache:tomcat:8.0.36
Apache Tomcat 8.0.37 cpe:/a:apache:tomcat:8.0.37
Apache Tomcat 8.0.38 cpe:/a:apache:tomcat:8.0.38
Apache Tomcat 8.0.39 cpe:/a:apache:tomcat:8.0.39
Apache Tomcat 8.0.40 cpe:/a:apache:tomcat:8.0.40
Apache Tomcat 8.0.41 cpe:/a:apache:tomcat:8.0.41
Apache Tomcat 8.0.42 cpe:/a:apache:tomcat:8.0.42
Apache Tomcat 8.0.43 cpe:/a:apache:tomcat:8.0.43
Apache Tomcat 8.0.44 cpe:/a:apache:tomcat:8.0.44
Apache Tomcat 8.0.47 cpe:/a:apache:tomcat:8.0.47
Apache Tomcat 8.0.48 cpe:/a:apache:tomcat:8.0.48
Apache Tomcat 8.0.49 cpe:/a:apache:tomcat:8.0.49
Apache Tomcat 8.5.0 cpe:/a:apache:tomcat:8.5.0
Apache Tomcat 8.5.1 cpe:/a:apache:tomcat:8.5.1
Apache Tomcat 8.5.2 cpe:/a:apache:tomcat:8.5.2
Apache Tomcat 8.5.3 cpe:/a:apache:tomcat:8.5.3
Apache Tomcat 8.5.4 cpe:/a:apache:tomcat:8.5.4
Apache Tomcat 8.5.5 cpe:/a:apache:tomcat:8.5.5
Apache Tomcat 8.5.6 cpe:/a:apache:tomcat:8.5.6
Apache Tomcat 8.5.7 cpe:/a:apache:tomcat:8.5.7
Apache Tomcat 8.5.8 cpe:/a:apache:tomcat:8.5.8
Apache Tomcat 8.5.9 cpe:/a:apache:tomcat:8.5.9
Apache Tomcat 8.5.10 cpe:/a:apache:tomcat:8.5.10
Apache Tomcat 8.5.11 cpe:/a:apache:tomcat:8.5.11
Apache Tomcat 8.5.12 cpe:/a:apache:tomcat:8.5.12
Apache Tomcat 8.5.13 cpe:/a:apache:tomcat:8.5.13
Apache Tomcat 8.5.14 cpe:/a:apache:tomcat:8.5.14
Apache Tomcat 8.5.15 cpe:/a:apache:tomcat:8.5.15
Apache Tomcat 8.5.23 cpe:/a:apache:tomcat:8.5.23
Apache Tomcat 8.5.24 cpe:/a:apache:tomcat:8.5.24
Apache Tomcat 8.5.27 cpe:/a:apache:tomcat:8.5.27
Apache Tomcat 8.5.28 cpe:/a:apache:tomcat:8.5.28
Apache Tomcat 8.5.29 cpe:/a:apache:tomcat:8.5.29
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m10
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m11
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m12
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m13
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m14
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m15
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m16
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m17
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m18
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m19
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m20
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m21
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m22
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m23
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m24
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m25
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m26
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m27
Apache Tomcat 9.0.0 cpe:/a:apache:tomcat:9.0.0:m9
Apache Tomcat 9.0.1 cpe:/a:apache:tomcat:9.0.1
Apache Tomcat 9.0.2 cpe:/a:apache:tomcat:9.0.2
Apache Tomcat 9.0.3 cpe:/a:apache:tomcat:9.0.3
Apache Tomcat 9.0.4 cpe:/a:apache:tomcat:9.0.4
Apache Tomcat 9.0.5 cpe:/a:apache:tomcat:9.0.5
Apache Tomcat 9.0.6 cpe:/a:apache:tomcat:9.0.6
Apache Tomcat 9.0.7 cpe:/a:apache:tomcat:9.0.7
Redhat Jboss Enterprise Application Platform 6.0.0 cpe:/a:redhat:jboss_enterprise_application_platform:6.0.0
Redhat Jboss Enterprise Application Platform 6.4.0 cpe:/a:redhat:jboss_enterprise_application_platform:6.4.0
Redhat Jboss Enterprise Web Server 3.0.0 cpe:/a:redhat:jboss_enterprise_web_server:3.0.0
Redhat Jboss Enterprise Web Server 5.0.0 cpe:/a:redhat:jboss_enterprise_web_server:5.0.0
Canonical Ubuntu Linux 14.04 cpe:/o:canonical:ubuntu_linux:14.04::~~lts~~~
Canonical Ubuntu Linux 16.04 cpe:/o:canonical:ubuntu_linux:16.04::~~lts~~~
Debian Debian Linux 8.0 cpe:/o:debian:debian_linux:8.0
Debian Debian Linux 9.0 cpe:/o:debian:debian_linux:9.0
Redhat Enterprise Linux Desktop 7.0 cpe:/o:redhat:enterprise_linux_desktop:7.0
Redhat Enterprise Linux Server 7.0 cpe:/o:redhat:enterprise_linux_server:7.0
Redhat Enterprise Linux Workstation 7.0 cpe:/o:redhat:enterprise_linux_workstation:7.0
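
A check against the affected ranges, as an added example that is not part of this record or of Tomcat. It uses the ranges from the description rather than the CPE table above: the table is an enumeration that stops short of the stated upper bounds (it ends at 7.0.85, 8.0.49 and 8.5.29 where the description names 7.0.86, 8.0.51 and 8.5.30) and skips some version numbers between its entries, so range logic is the safer test. Milestone (M) and release-candidate (RC) tags are ordered before the final release carrying the same number. The `version_from_server_info` helper parses the output of `java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo`, which prints a `Server version: Apache Tomcat/x.y.z` line; the sample output in the block is constructed, not captured from a host. The function names are this example's own. A version past the upper bound of a range is outside the affected set as stated here; confirm the actual fixed release in the vendor advisories listed under References.

```python
# Added example (not part of the CVE record or of Tomcat): decide whether a
# Tomcat version lies in the affected ranges quoted in the advisory text.
import re

# Inclusive ranges, exactly as stated in the description.
AFFECTED_RANGES = [
    ("9.0.0.M9", "9.0.7"),
    ("8.5.0", "8.5.30"),
    ("8.0.0.RC1", "8.0.51"),
    ("7.0.28", "7.0.86"),
]

# major.minor.patch with an optional milestone (M9) or release-candidate (RC1) tag.
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:[.-]?(M|RC)(\d+))?$", re.IGNORECASE)
_TAG_RANK = {"m": 0, "rc": 1}   # pre-release tags sort below the final release (rank 2)


def parse_version(text):
    """Sortable tuple for a Tomcat version string.
    9.0.0.M9 < 9.0.0.M10 < 9.0.0 < 9.0.1 and 8.0.0.RC1 < 8.0.0.RC10 < 8.0.0."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch = (int(m.group(i)) for i in (1, 2, 3))
    tag, tag_num = m.group(4), m.group(5)
    pre = (2, 0) if tag is None else (_TAG_RANK[tag.lower()], int(tag_num))
    return (major, minor, patch, pre)


def is_affected(version):
    """True if `version` falls inside any affected range (bounds inclusive)."""
    v = parse_version(version)
    return any(parse_version(lo) <= v <= parse_version(hi) for lo, hi in AFFECTED_RANGES)


# Tomcat prints a "Server version: Apache Tomcat/x.y.z" line from
#   java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo
_SERVER_VERSION_RE = re.compile(r"^Server version:\s*Apache Tomcat/(\S+)", re.MULTILINE)


def version_from_server_info(output):
    """Extract the version from ServerInfo output."""
    m = _SERVER_VERSION_RE.search(output)
    if not m:
        raise ValueError("no 'Server version: Apache Tomcat/...' line found")
    return m.group(1)


# Constructed sample of ServerInfo output (not captured from a real host).
SAMPLE_SERVER_INFO = """\
Server version: Apache Tomcat/8.5.30
Server number:  8.5.30.0
OS Name:        Linux
"""

if __name__ == "__main__":
    for v in ("7.0.27", "7.0.28", "8.0.0.RC1", "8.0.52", "8.5.30", "9.0.0.M8", "9.0.8"):
        print(f"{v:10} affected={is_affected(v)}")
    found = version_from_server_info(SAMPLE_SERVER_INFO)
    print(f"installed {found}: affected={is_affected(found)}")
```

Run it against `catalina.sh version` output (which invokes the same ServerInfo class) on each host, or feed it the version strings from an inventory; the parser deliberately rejects anything it does not understand rather than guessing, so an unexpected format fails loudly instead of reporting "not affected".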

CWE

CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion'): The software does not properly restrict the size or amount of resources that are requested or influenced by an actor, which can be used to consume more resources than intended.

References

Source Link
MLIST https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3E
MLIST https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3E
MLIST http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722090435.GA60759%40minotaur.apache.org%3E
UBUNTU https://usn.ubuntu.com/3723-1/
BID http://www.securityfocus.com/bid/104898
SECTRACK http://www.securitytracker.com/id/1041375
REDHAT https://access.redhat.com/errata/RHEA-2018:2189
REDHAT https://access.redhat.com/errata/RHEA-2018:2188
CONFIRM https://security.netapp.com/advisory/ntap-20180817-0001/
DEBIAN https://www.debian.org/security/2018/dsa-4281
REDHAT https://access.redhat.com/errata/RHSA-2018:2700
REDHAT https://access.redhat.com/errata/RHSA-2018:2701
REDHAT https://access.redhat.com/errata/RHSA-2018:2741
REDHAT https://access.redhat.com/errata/RHSA-2018:2740
REDHAT https://access.redhat.com/errata/RHSA-2018:2742
REDHAT https://access.redhat.com/errata/RHSA-2018:2743
MLIST https://lists.debian.org/debian-lts-announce/2018/09/msg00001.html
REDHAT https://access.redhat.com/errata/RHSA-2018:2930
REDHAT https://access.redhat.com/errata/RHSA-2018:2921
REDHAT https://access.redhat.com/errata/RHSA-2018:2939
REDHAT https://access.redhat.com/errata/RHSA-2018:2945
REDHAT https://access.redhat.com/errata/RHSA-2018:3768

History of changes

Date
2019-04-15 16:31
2019-03-25 11:35
2019-03-21 16:00
2018-12-05 11:29
2018-10-18 10:29
2018-10-17 10:29
2018-10-09 19:17
2018-09-25 10:29
2018-09-13 10:29
2018-09-03 10:29
2018-08-29 10:29
2018-08-18 10:29
2018-08-08 01:29
2018-08-04 01:29
2018-08-02 14:29
