https://bz.apache.org/bugzilla/show_bug.cgi?id=62965

            Bug ID: 62965
           Summary: Some request will get the response intended for others
                    similar to CVE-2018-8037
           Product: Tomcat Connectors
           Version: 1.2.43
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: major
          Priority: P2
         Component: mod_jk
          Assignee: dev@tomcat.apache.org
          Reporter: yo...@oclc.org
  Target Milestone: ---

Tomcat Version: 8.5.34
Apache Version: 2.4.29
mod_jk Version: 1.2.43
java Version: jdk1.8.0_20
Operating System: Red Hat Enterprise Linux
Kernel Release: 3.10.0-862.6.3.el7.x86_64 

AJP Connector configuration:
<Connector port="8009"
                minProcessors="50"
                maxProcessors="600"
                acceptCount="100" debug="0"
                URIEncoding="UTF-8"
                enableLookups="false"
                protocol="org.apache.coyote.ajp.AjpNioProtocol"

Issues: Sometimes a user can get the response intended for others, similar to
what is described in CVE-2018-8037. Once the response swapping starts happening,
it could be easily reproduced and the situation would deteriorate fast. The
server needs to be bounced to resolve the issue. The Tomcat access log shows
the response size is correct (based on some fixed-size response of a certain
request), but the Apache access log shows a large range of different sizes for
that same kind of request.

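
The log comparison the report describes can be automated. The following is an added example, not code from the reporter or the Tomcat project: it flags requests whose size is fixed in the Tomcat access log but varies in the Apache access log. It assumes both logs use Common Log Format with a byte count (%b) and no compression in Apache; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
CLF = re.compile(r'\S+ \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) (\d+|-)')

def sizes_by_request(lines):
    """Map (method, path) -> set of response sizes logged for it."""
    seen = defaultdict(set)
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        method, path, _status, size = m.groups()
        seen[(method, path)].add(0 if size == "-" else int(size))
    return seen

def find_size_mismatches(tomcat_lines, apache_lines):
    """Return {(method, path): [sizes seen only at Apache]} for requests
    that Tomcat always answers with one fixed size."""
    tomcat = sizes_by_request(tomcat_lines)
    apache = sizes_by_request(apache_lines)
    findings = {}
    for key, t_sizes in tomcat.items():
        if len(t_sizes) != 1:
            continue  # variable-size response: size alone proves nothing
        unexpected = apache.get(key, set()) - t_sizes
        if unexpected:
            findings[key] = sorted(unexpected)
    return findings

# Constructed sample data (not taken from the bug report).
TOMCAT_SAMPLE = [
    '127.0.0.1 - - [01/Jan/2019:10:00:01 +0000] "GET /api/ping HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2019:10:00:02 +0000] "GET /api/ping HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2019:10:00:03 +0000] "GET /api/ping HTTP/1.1" 200 512',
    '127.0.0.1 - - [01/Jan/2019:10:00:04 +0000] "GET /search?q=a HTTP/1.1" 200 9001',
    '127.0.0.1 - - [01/Jan/2019:10:00:05 +0000] "GET /search?q=a HTTP/1.1" 200 7420',
]
APACHE_SAMPLE = [
    '192.0.2.10 - - [01/Jan/2019:10:00:01 +0000] "GET /api/ping HTTP/1.1" 200 512',
    '192.0.2.11 - - [01/Jan/2019:10:00:02 +0000] "GET /api/ping HTTP/1.1" 200 18342',
    '192.0.2.12 - - [01/Jan/2019:10:00:03 +0000] "GET /api/ping HTTP/1.1" 404 1021',
    '192.0.2.13 - - [01/Jan/2019:10:00:04 +0000] "GET /search?q=a HTTP/1.1" 200 3333',
]

if __name__ == "__main__":
    for (method, path), sizes in find_size_mismatches(TOMCAT_SAMPLE, APACHE_SAMPLE).items():
        print(f"{method} {path}: Apache logged unexpected sizes {sizes}")
```

A non-empty result is a signal to investigate, not proof of response swapping, since error pages generated by Apache itself also change the logged size.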