The Apache Software Foundation has released new versions of Apache Tomcat to address multiple vulnerabilities caused by a flaw in the UTF-8 decoder and by the tracking of connection closures.
Successful exploitation of the vulnerabilities could lead to information disclosure or denial of service on an affected system.
Administrators of affected systems should upgrade Apache Tomcat to address the issues. The updates are available at:
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.90
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.32
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.10
Users of affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk.
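To find installations that still need the upgrade, the following added example (not part of the original advisory or of Apache's tooling) compares Tomcat version banners against the fixed releases named in the update links above. The host names and banner lines are constructed sample data, and the function names and result labels are assumptions of this example.

```python
import re

# Fixed release per branch, taken from the update links in this advisory.
FIXED = {(7, 0): (7, 0, 90), (8, 0): (8, 0, 53),
         (8, 5): (8, 5, 32), (9, 0): (9, 0, 10)}

# Matches "Apache Tomcat/8.5.31" and pre-release builds such as "9.0.0.M9".
VERSION_RE = re.compile(
    r"Apache Tomcat/(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z]+\d*))?")

def parse_version(banner):
    """Return (major, minor, patch, qualifier) or None if no Tomcat banner."""
    m = VERSION_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4)

def assess(banner):
    """Classify a banner relative to the fixed release of its branch."""
    parsed = parse_version(banner)
    if parsed is None:
        return "unparsed"
    major, minor, patch, qualifier = parsed
    fixed = FIXED.get((major, minor))
    if fixed is None:
        # The advisory names no fixed release for this branch: check manually.
        return "unlisted-branch"
    number = (major, minor, patch)
    # A milestone/RC build carrying the fixed number predates the final release.
    if number < fixed or (number == fixed and qualifier):
        return "below-fixed"
    return "at-or-above-fixed"

def audit(inventory):
    """Map each host to its assessment; inventory is {host: banner}."""
    return {host: assess(banner) for host, banner in inventory.items()}

if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts and banners).
    sample = {
        "app01": "Server version: Apache Tomcat/8.5.31",
        "app02": "Server version: Apache Tomcat/9.0.10",
        "app03": "Server version: Apache Tomcat/9.0.0.M9",
        "app04": "Server version: Apache Tomcat/6.0.53",
    }
    for host, result in audit(sample).items():
        print(f"{host}: {result}")
```

A result of "below-fixed" means only that the build is older than the release the advisory links to for that branch; the per-CVE affected ranges are listed on the linked Tomcat security pages.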
https://www.us-cert.gov/ncas/current-activity/2018/07/23/Apache-Releases-Security-Updates-Apache-Tomcat
https://www.hkcert.org/my_url/en/alert/18072401
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.90
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.32
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.10
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1336
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8037