https://bz.apache.org/bugzilla/show_bug.cgi?id=62965
Bug ID: 62965
Summary: Some request will get the response intended for others similar to CVE-2018-8037
Product: Tomcat Connectors
Version: 1.2.43
Hardware: Other
OS: Linux
Status: NEW
Severity: major
Priority: P2
Component: mod_jk
Assignee: dev@tomcat.apache.org
Reporter: yo...@oclc.org
Target Milestone: ---

Tomcat Version: 8.5.34
Apache Version: 2.4.29
mod_jk Version: 1.2.43
java Version: jdk1.8.0_20
Operating System: Red Hat Enterprise Linux
Kernel Release: 3.10.0-862.6.3.el7.x86_64

AJP Connector configuration:

    <Connector port="8009"
               minProcessors="50"
               maxProcessors="600"
               acceptCount="100"
               debug="0"
               URIEncoding="UTF-8"
               enableLookups="false"
               protocol="org.apache.coyote.ajp.AjpNioProtocol"

Issues:

Sometimes a user can get the response intended for others, similar to what is described in CVE-2018-8037. Once the response swapping starts happening, it can be easily reproduced and the situation deteriorates fast. The server needs to be bounced to resolve the issue.

The Tomcat access log shows the response size is correct (based on some fixed-size response of a certain request), but the Apache access log shows a large range of different sizes for that same kind of request.
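The access-log discrepancy described in the report can be checked mechanically. The following is an added example, not part of the original bug report and not Tomcat or mod_jk code: it assumes both access logs are in Common Log Format and that Apache applies no compression or other output filter, so the byte counts are comparable. The function names and log lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path PROTO" status bytes
CLF = re.compile(r'\S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')

def sizes_by_request(lines):
    """Map (method, path, status) -> set of response body sizes seen in a log."""
    seen = defaultdict(set)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in Common Log Format
        method, path, status, size = m.groups()
        seen[(method, path, status)].add(0 if size == "-" else int(size))
    return seen

def find_size_mismatches(apache_lines, tomcat_lines):
    """Return {request: sizes Apache logged that Tomcat never sent for it}."""
    apache = sizes_by_request(apache_lines)
    suspicious = {}
    for key, tomcat_sizes in sizes_by_request(tomcat_lines).items():
        # Only requests with one fixed size on the Tomcat side give a baseline.
        if len(tomcat_sizes) != 1:
            continue
        extra = apache.get(key, set()) - tomcat_sizes
        if extra:
            suspicious[key] = sorted(extra)
    return suspicious

# Constructed sample lines (not taken from the report).
TOMCAT_LOG = [
    '203.0.113.5 - - [01/Jan/2019:10:00:01 +0000] "GET /app/status HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2019:10:00:02 +0000] "GET /app/status HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2019:10:00:03 +0000] "GET /app/report HTTP/1.1" 200 1000',
    '203.0.113.7 - - [01/Jan/2019:10:00:04 +0000] "GET /app/report HTTP/1.1" 200 2000',
]
APACHE_LOG = [
    '203.0.113.5 - - [01/Jan/2019:10:00:01 +0000] "GET /app/status HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/Jan/2019:10:00:02 +0000] "GET /app/status HTTP/1.1" 200 18734',
    '203.0.113.7 - - [01/Jan/2019:10:00:03 +0000] "GET /app/status HTTP/1.1" 200 2291',
    '203.0.113.7 - - [01/Jan/2019:10:00:04 +0000] "GET /app/report HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for (method, path, status), sizes in find_size_mismatches(APACHE_LOG, TOMCAT_LOG).items():
        print(f"{method} {path} {status}: Apache logged unexpected sizes {sizes}")
```

Requests whose size varies on the Tomcat side (here `/app/report`) are skipped because they offer no fixed baseline to compare against.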