CVE-2018-1336, CVE-2018-8037: Tomcat High Risk Vulnerability Alert


The Tomcat server is a free open source web application server. It is a lightweight application server. It is widely used in small and medium-sized systems and concurrent access users. It is the first choice for developing and debugging JSP programs.


Tomcat officially released the latest security bulletin in July, which contains two high-risk vulnerabilities, Tomcat Denial of Service Vulnerability (CVE-2018-1336), Information Disclosure Vulnerability (CVE-2018-8037).

Vulnerability Description


  • CVE-2018-1336    Tomcat Denial of Service Vulnerability
  • CVE-2018-8037    Tomcat Information Disclosure Vulnerability

Affected system: 

  • Tomcat 9.0.0.M9 – 9.0.7  
  • Tomcat 8.5.0 – 8.5.30 
  • Tomcat 8.0.0.RC1 – 8.0.51  
  • Tomcat 7.0.28 – 7.0.86


The Tomcat Denial of Service Vulnerability ( CVE-2018-1336) is due to an overflow vulnerability in the UTF-8 decoder. Improper handling of input characters by the decoder can cause it to fall into an infinite loop, causing a denial of service attack.

The Tomcat Information Disclosure Vulnerability (CVE-2018-8037) was created as a bug in the connection tracking mechanism that would allow an attacker to reuse a previous user’s session credentials in a new session connection, causing user information to be compromised.


The Tomcat official has fixed these two vulnerabilities in the July patch, and it is recommended that affected users upgrade the updates as soon as possible to protect them.