[ https://issues.apache.org/jira/browse/KYLIN-3553?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Peng Xing resolved KYLIN-3553. ------------------------------ Resolution: Fixed > Tomcat Security Vulnerability Alert. The version of the tomcat for kylin > should upgrade to 7.0.90. > -------------------------------------------------------------------------------------------------- > > Key: KYLIN-3553 > URL: https://issues.apache.org/jira/browse/KYLIN-3553 > Project: Kylin > Issue Type: Bug > Components: Security > Affects Versions: v2.4.0 > Reporter: Peng Xing > Assignee: Peng Xing > Priority: Major > Fix For: v2.5.0 > > > [SECURITY] CVE-2018-1336 > Severity: High > Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.7, 8.5.0 to 8.5.30, > 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. > Description: An improper handing of overflow in the UTF-8 decoder with > supplementary characters can lead to an infinite loop in the decoder causing > a Denial of Service. > CVE-2018-8014 > Description: The defaults settings for the CORS filter provided in Apache > Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to > 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is > expected that users of the CORS filter will have configured it appropriately > for their environment rather than using it in the default configuration. > Therefore, it is expected that most users will not be impacted by this issue. > CVE-2018-8034 > Description: The host name verification when using TLS with the WebSocket > client was missing. It is now enabled by default. > Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, > 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88. -- This message was sent by Atlassian JIRA (v7.6.3#76005)