CVE-2018-8034
Host Name Verification Bypass vulnerability in tomcat-embed-core (Maven)
What is CVE-2018-8034 About?
This vulnerability in Apache Tomcat versions 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88, is a host name verification bypass in its WebSocket client when using TLS. The missing verification could allow an attacker to perform man-in-the-middle attacks. Exploitation requires the attacker to intercept and modify network traffic.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
  - >7.0.35, <7.0.90
  - >8.0.0, <8.0.53
  - >8.5.0, <8.5.32
  - >9.0.0, <9.0.10
Technical Details
Apache Tomcat's WebSocket client, in the specified vulnerable versions, failed to perform host name verification when establishing a TLS connection. The certificate chain was still validated, but the identity in the server's certificate was never compared with the host name the client intended to reach. This means that if the client connected to a server presenting a valid, trusted certificate issued for a different host name, or if an attacker presented a trusted certificate for an arbitrary host name, the client would still establish the TLS connection without warning. An attacker capable of intercepting network traffic (e.g., via DNS poisoning, ARP spoofing, or control over a network path) could perform a man-in-the-middle (MITM) attack. They could then impersonate the legitimate WebSocket server, intercepting or altering communications between the client and the server despite the use of TLS encryption, because the identity of the server was not validated against its host name.
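The following is an added illustration, not Tomcat's own code, of the difference between a client-side JSSE SSLEngine that only validates the certificate chain and one that additionally enforces host name verification through the standard "HTTPS" endpoint identification algorithm. It also shows the check a test suite can apply to any client-mode engine before it is handed to a WebSocket client; the host name is a placeholder and no connection is made.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

public class WsTlsHostnameCheck {

    // Engine configured the way the vulnerable behaviour works: the handshake
    // validates the certificate chain against the trust store, but nothing
    // compares the certificate's subject/SAN with the host we intended to reach.
    static SSLEngine engineWithoutHostnameVerification(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        return engine;
    }

    // Hardened engine: requesting the "HTTPS" endpoint identification algorithm
    // makes the JSSE trust manager reject a chain whose leaf certificate does
    // not match the host name passed to createSSLEngine(host, port).
    static SSLEngine engineWithHostnameVerification(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Defensive check: a client-mode engine with no endpoint identification
    // algorithm will accept any trusted certificate, whatever host it names.
    static boolean verifiesHostname(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        String host = "wss-example.invalid"; // placeholder host name, never contacted
        SSLEngine weak = engineWithoutHostnameVerification(ctx, host, 443);
        SSLEngine fixed = engineWithHostnameVerification(ctx, host, 443);
        System.out.println("engine without endpoint identification verifies host: "
                + verifiesHostname(weak));
        System.out.println("engine with HTTPS endpoint identification verifies host: "
                + verifiesHostname(fixed));
    }
}
```

The same check applies to an SSLSocket via its getSSLParameters(), so it can be used to audit any TLS client code path, not only WebSocket connections.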
What is the Impact of CVE-2018-8034?
Successful exploitation may allow attackers to perform man-in-the-middle (MITM) attacks, intercepting or altering sensitive communications over TLS connections.
What is the Exploitability of CVE-2018-8034?
Exploitation requires an attacker to be in a man-in-the-middle position between the Tomcat WebSocket client and its intended server, and to present a valid but possibly mismatched TLS certificate. The complexity is moderate, involving network-level manipulation and certificate issuance/acquisition. No authentication or specific application privileges are typically required on the victim's end, as the vulnerability resides in the client's TLS handshake verification. This is a network-based, remote vulnerability. The likelihood of exploitation is higher in environments where an attacker can easily manipulate network traffic or obtain trusted certificates for their attack infrastructure.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-8034?
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
  - >7.0.35, <7.0.90 → Upgrade to 7.0.90
  - >8.0.0, <8.0.53 → Upgrade to 8.0.53
  - >8.5.0, <8.5.32 → Upgrade to 8.5.32
  - >9.0.0, <9.0.10 → Upgrade to 9.0.10
Additional Resources
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283%40minotaur.apache.org%3E
- https://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3E
What are Similar Vulnerabilities to CVE-2018-8034?
Similar Vulnerabilities: CVE-2014-0099, CVE-2014-3577, CVE-2017-1000216, CVE-2019-10086, CVE-2020-13935
