CVE-2018-1336
Improper Handling of Overflow vulnerability in tomcat-embed-core (Maven)


What is CVE-2018-1336 About?

This vulnerability involves improper handling of an overflow condition in the UTF-8 decoder when it processes supplementary characters. It can lead to an infinite loop, causing a Denial of Service for the affected server. Exploitation is relatively easy: it only requires supplying malicious UTF-8 encoded input.

Affected Software

  • org.apache.tomcat.embed:tomcat-embed-core
    • >7.0.28, <7.0.87
    • >9.0.0.M9, <9.0.8
    • >8.5.0, <8.5.31
    • >8.0.0RC1, <8.0.51

Technical Details

The vulnerability, present in Apache Tomcat versions 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86, stems from improper handling of overflow conditions within the UTF-8 decoder, specifically when processing supplementary characters (characters outside the Basic Multilingual Plane, which require a four-byte UTF-8 sequence and a UTF-16 surrogate pair). When certain malformed or unusually structured supplementary characters are encountered, the decoder enters an infinite loop, consuming all available CPU resources and memory. This unending processing state starves the application of resources, leading to a Denial of Service.

What is the Impact of CVE-2018-1336?

Successful exploitation may allow attackers to disrupt the availability of the affected system or application, causing it to become unresponsive or crash.

What is the Exploitability of CVE-2018-1336?

Exploitation of this vulnerability is of moderate complexity. It can be triggered remotely by sending specially crafted UTF-8 encoded input to the vulnerable Tomcat server. Authentication is generally not required if the input is processed by a public-facing component decoding UTF-8. The prerequisites involve understanding how the UTF-8 decoder handles supplementary characters and constructing input that causes the overflow and subsequent infinite loop. The risk of exploitation is increased in applications that accept untrusted user input which is then decoded by the vulnerable component.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2018-1336?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch ensures that when a UTF-8 character requiring four bytes is being processed but the output buffer lacks sufficient space for the surrogate pair, the input buffer position is correctly reset to the start of the character. This prevents consumption of partial multi-byte sequences, which could otherwise cause incorrect decoding and potentially expose Tomcat to denial-of-service or data corruption, thus addressing the root cause of CVE-2018-1336.
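As an added illustration (not Tomcat's code and not the Resolved Security patch), the following minimal NIO-style decode loop applies the rule described above: when a four-byte character decodes to a surrogate pair and the output buffer lacks two free slots, the input position is rewound to the start of that character before reporting overflow. The driver method shows the caller-side progress check that keeps the flush-and-retry loop from spinning; the class name, method names and the constructed sample bytes are this example's own.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CoderResult;

// Added illustration, not Tomcat's code. Assumes well-formed UTF-8; a real decoder
// must also reject malformed, overlong and out-of-range sequences.
public final class SurrogateOverflowDemo {
    /** NIO-style decode loop: fills out from in, returns UNDERFLOW or OVERFLOW. */
    static CoderResult decodeLoop(ByteBuffer in, CharBuffer out) {
        while (in.hasRemaining()) {
            int start = in.position();                     // start of current character
            int b0 = in.get() & 0xFF;
            int len = b0 < 0x80 ? 1 : b0 < 0xE0 ? 2 : b0 < 0xF0 ? 3 : 4;
            if (in.remaining() < len - 1) {               // truncated: need more input
                in.position(start);
                return CoderResult.UNDERFLOW;
            }
            int cp = len == 1 ? b0 : b0 & (0x7F >> len);
            for (int i = 1; i < len; i++) cp = (cp << 6) | (in.get() & 0x3F);
            int needed = cp < 0x10000 ? 1 : 2;            // BMP: 1 unit; supplementary: pair
            if (out.remaining() < needed) {
                // The fix described above: rewind to the START of the character so no
                // partial multi-byte sequence stays consumed when the caller retries.
                in.position(start);
                return CoderResult.OVERFLOW;
            }
            if (needed == 1) out.put((char) cp);
            else { out.put(Character.highSurrogate(cp)); out.put(Character.lowSurrogate(cp)); }
        }
        return CoderResult.UNDERFLOW;
    }

    /** Drives decodeLoop with a small output buffer, flushing between calls. */
    static String decodeChunked(byte[] utf8, int outSize) {
        ByteBuffer in = ByteBuffer.wrap(utf8);
        CharBuffer out = CharBuffer.allocate(outSize);
        StringBuilder sb = new StringBuilder();
        while (true) {
            CoderResult r = decodeLoop(in, out);
            if (r.isOverflow() && out.position() == 0)   // no progress: would spin forever
                throw new IllegalStateException("output buffer cannot hold a surrogate pair");
            out.flip(); sb.append(out); out.clear();
            if (r.isUnderflow()) return sb.toString();
        }
    }

    public static void main(String[] args) {
        // Constructed input: 'A', U+1F600 as the 4-byte sequence F0 9F 98 80, then 'B'.
        byte[] utf8 = {0x41, (byte) 0xF0, (byte) 0x9F, (byte) 0x98, (byte) 0x80, 0x42};
        System.out.println(decodeChunked(utf8, 2));
    }
}
```

With a two-char output buffer the surrogate pair does not fit on the first call after 'A', so the loop rewinds to the lead byte, the caller flushes, and the next call decodes the full character; a one-char buffer is rejected up front instead of looping.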

Available Upgrade Options

  • org.apache.tomcat.embed:tomcat-embed-core
    • >7.0.28, <7.0.87 → Upgrade to 7.0.87
    • >8.0.0RC1, <8.0.51 → Upgrade to 8.0.51
    • >8.5.0, <8.5.31 → Upgrade to 8.5.31
    • >9.0.0.M9, <9.0.8 → Upgrade to 9.0.8


Additional Resources

What are Similar Vulnerabilities to CVE-2018-1336?

Similar Vulnerabilities: CVE-2021-25329, CVE-2020-13935, CVE-2019-0232, CVE-2017-12616, CVE-2016-8740