Apache Tomcat – Information Disclosure Vulnerability (CVE-2016-8745)

Questetra does not use the component affected by this vulnerability.

An information disclosure vulnerability (CVE-2016-8745) has been reported in Apache Tomcat.
Although Questetra uses Apache Tomcat, it is not affected, because Questetra does not use the component in which the vulnerability occurs (the NIO HTTP Connector).

 

Apache Tomcat Information Disclosure Vulnerability
A bug in the error handling of the send file code for the NIO HTTP
connector resulted in the current Processor object being added to the
Processor cache multiple times. This in turn meant that the same
Processor could be used for concurrent requests. Sharing a Processor can
result in information leakage between requests including, but not
limited to, session ID and the response body.
The bug was first noticed in 8.5.x onwards where it appears the
refactoring of the Connector code for 8.5.x onwards made it more likely
that the bug was observed. Initially it was thought that the 8.5.x
refactoring introduced the bug but further investigation has shown that
the bug is present in all currently supported Tomcat versions.

http://tomcat.10.x6.nabble.com/SECURITY-UPDATE-CVE-2016-8745-Apache-Tomcat-Information-Disclosure-tp5058857.html (Jan 06, 2017)

 

If you run Questetra on your own servers, such as with the Download Edition (that is, users other than those of the SaaS Edition), and you have modified the Tomcat settings, please pay attention to this vulnerability.
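
For a self-hosted installation whose Tomcat settings were changed, the following added example (not part of the original notice, and not Questetra's or Apache's code) lists each `<Connector>` in a `server.xml` and flags those that select the NIO HTTP connector named in the advisory. The sample XML is constructed, and the verdict labels are names chosen for this example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not taken from any Questetra or Tomcat distribution).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"/>
    <Connector port="8081" protocol="org.apache.coyote.http11.Http11NioProtocol"
               useSendfile="false"/>
    <Connector port="8009" protocol="AJP/1.3"/>
  </Service>
</Server>"""

# Class name that explicitly selects Tomcat's NIO HTTP connector.
NIO_HTTP = "org.apache.coyote.http11.Http11NioProtocol"


def classify_connector(elem):
    """Return (port, verdict) for one <Connector> element."""
    protocol = elem.get("protocol", "HTTP/1.1")  # Tomcat's default when omitted
    port = elem.get("port", "?")
    if protocol == NIO_HTTP:
        # The advisory places the bug in the send file code of this connector;
        # useSendfile defaults to true on the NIO connector.
        sendfile = elem.get("useSendfile", "true").lower()
        if sendfile == "true":
            return port, "nio-http-sendfile-on"
        return port, "nio-http-sendfile-off"
    if protocol == "HTTP/1.1":
        # Auto-selection: the implementation chosen depends on the Tomcat
        # version and on whether the native (APR) library is installed, so
        # confirm it from the ProtocolHandler name in the startup log.
        return port, "auto-select-check-startup-log"
    return port, "not-nio-http"


def audit_server_xml(xml_text):
    """Classify every <Connector> in document order."""
    root = ET.fromstring(xml_text)
    return [classify_connector(c) for c in root.iter("Connector")]


if __name__ == "__main__":
    for port, verdict in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {verdict}")
```

To audit a real installation, pass the contents of its `conf/server.xml` to `audit_server_xml` instead of the sample.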

About Questetra Support

Questetra Support Team - Response within 24 hours