Apache Tomcat Security Advisory: CVE-2018-1336

Legacy Knowledge Base

Published Sep. 10, 2025

Apache Tomcat Security Advisory: CVE-2018-1336

Written By

Tibor Lipusz

Legacy Article

You are viewing an article from our legacy "FastTrack" publication program, made available for informational purposes. Articles in this program were published without a requirement for independent editing or verification and are provided"as is" without guarantee.

Before using any information from this article, independently verify its suitability for your situation and project.

General Information

CVE-2018-1336 reports that, "an improper handing of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service."

This vulnerability is reported in the following versions:

Apache Tomcat 9.0.0.M9 to 9.0.7
Apache Tomcat 8.5.0 to 8.5.30
Apache Tomcat 8.0.0.RC1 to 8.0.51
Apache Tomcat 7.0.28 to 7.0.86

Resolution

Liferay Subscription Services recommends customers using any of the affected versions to apply one of the following mitigations:

Upgrade to Apache Tomcat 9.0.7 or later.
Upgrade to Apache Tomcat 8.5.32 or later.
Upgrade to Apache Tomcat 8.0.52 or later.
Upgrade to Apache Tomcat 7.0.90 or later.

Additional Information

Future Service Pack releases for Liferay DXP will be bundled with a newer Tomcat version:

DXP 7.1: Tomcat 9.0.10 or newer
DXP 7.0: Tomcat 8.0.53 or newer.