CVE-2018-8037
Race Condition vulnerability in org.apache.tomcat.embed:tomcat-embed-core
What is CVE-2018-8037 About?
This vulnerability is a race condition in Apache Tomcat in which the timing of asynchronous request completion can lead to a user receiving a response intended for another user, potentially exposing sensitive information. It also involves a defect in the NIO/NIO2 connectors, which fail to track connection closure in the same scenario, further contributing to data leakage. Exploitation difficulty appears to be moderate, since it relies on specific timing conditions.
Affected Software
- org.apache.tomcat.embed:tomcat-embed-core
- >9.0.0.M9, <9.0.10
- >8.5.5, <8.5.32
Technical Details
The vulnerability arises from a race condition between an application completing an asynchronous request and the container triggering an async timeout. When these events occur concurrently, the system can mishandle the response, directing it to the wrong user. Additionally, a defect in the NIO and NIO2 connectors means that connection closure is not correctly managed if an async request finishes and times out simultaneously. This combination of factors allows responses intended for one user to be inadvertently sent to another, enabling information disclosure. The root cause is the incorrect state management during simultaneous asynchronous completion and timeout events.
What is the Impact of CVE-2018-8037?
Successful exploitation may allow attackers to gain unauthorized access to sensitive information, leading to privacy breaches or competitive disadvantages.
What is the Exploitability of CVE-2018-8037?
Exploitation of this race condition vulnerability likely requires precise timing and may be considered moderately complex. There are no explicit authentication or privilege requirements mentioned, suggesting it could be exploitable by an unauthenticated remote attacker if they can trigger the specific race condition. The vulnerability is network-accessible, making it a remote exploitation vector. The primary risk factor increasing likelihood revolves around the attacker's ability to reliably induce and win the race condition between async request completion and container timeout, which could depend on server load and network latency.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2018-8037?
About the Fix from Resolved Security
The patch introduces a generation counter to track the "generation" of asynchronous processing for a request; this counter increments every time async processing starts. This prevents timeout events from a previous async generation from being processed after a new generation has begun, thereby eliminating the possibility of response mix-ups described in CVE-2018-8037. By ensuring timeouts are matched to the correct async generation, it closes the vulnerability that could allow an attacker to cause information leakage between requests.
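To make the generation-counter idea concrete, the following is an added, simplified model of the fix (not Tomcat's own code; `AsyncSlot`, `startAsync`, `timeoutPatched` and the user names are hypothetical). It replays one interleaving of the race: the first request completes, the connection slot is reused by a second user, and only then does the first request's timeout fire. Without the counter the late timeout acts on the second user's request; with it, the stale timeout is recognised and dropped.

```java
import java.util.ArrayList;
import java.util.List;
// Simplified model of one connection slot recycled between requests (names are hypothetical).
final class AsyncSlot {
    private String currentUser;   // whose request occupies the slot right now
    private long generation;      // bumped each time async processing starts (the fix)
    final List<String> log = new ArrayList<>();

    // Async processing starts; the caller keeps the returned generation for its timeout.
    long startAsync(String user) {
        currentUser = user;
        return ++generation;
    }
    // Application code completes the request; the slot is free for the next connection.
    void complete() {
        log.add("completed request of " + currentUser);
        currentUser = null;
    }
    // Unpatched behaviour: a late timeout acts on whoever holds the slot now.
    void timeoutUnpatched() {
        log.add("timeout response sent to " + currentUser);
    }
    // Patched behaviour: a timeout scheduled under an older generation is dropped.
    boolean timeoutPatched(long scheduledGeneration) {
        if (scheduledGeneration != generation) {
            log.add("stale timeout for generation " + scheduledGeneration + " ignored");
            return false;
        }
        log.add("timeout response sent to " + currentUser);
        return true;
    }
}

public class Cve20188037Demo {
    // One interleaving of the race: alice's request completes, the slot is reused by bob,
    // and only then does the timeout scheduled for alice's request fire.
    static List<String> run(boolean patched) {
        AsyncSlot slot = new AsyncSlot();
        long aliceGen = slot.startAsync("alice");
        slot.complete();
        slot.startAsync("bob");
        if (patched) slot.timeoutPatched(aliceGen);   // generation 1 != 2, so it is ignored
        else slot.timeoutUnpatched();                 // bob receives alice's timeout response
        return slot.log;
    }
    public static void main(String[] args) {
        System.out.println("unpatched: " + run(false));
        System.out.println("patched:   " + run(true));
    }
}
```

The real connector performs the same comparison against the generation recorded when the timeout was scheduled; the model only collapses the threads and I/O into a fixed ordering so the check is easy to follow.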
Available Upgrade Options
- org.apache.tomcat.embed:tomcat-embed-core
- >8.5.5, <8.5.32 → Upgrade to 8.5.32
- org.apache.tomcat.embed:tomcat-embed-core
- >9.0.0.M9, <9.0.10 → Upgrade to 9.0.10
Additional Resources
- https://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3E
- https://access.redhat.com/errata/RHSA-2018:2867
- https://github.com/apache/tomcat/commit/ed4b9d791f9470e4c3de691dd0153a9ce431701b
- https://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661%40%3Cdev.tomcat.apache.org%3E
- https://www.oracle.com/security-alerts/cpuapr2020.html
- https://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3E
- https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba%40%3Cdev.tomcat.apache.org%3E
- http://www.securitytracker.com/id/1041376
- http://mail-archives.us.apache.org/mod_mbox/www-announce/201808.mbox/%3C0c616b4d-4e81-e7f8-b81d-1bb4c575aa33%40apache.org%3E
- https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3E
What are Similar Vulnerabilities to CVE-2018-8037?
Similar Vulnerabilities: CVE-2019-17560, CVE-2011-0624, CVE-2012-4217, CVE-2014-0096, CVE-2021-30623
