Description

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Mitigation

If SSL is necessary, we recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Related links:

• http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-8034

• http://tomcat.apache.org/security-7.html

• http://tomcat.apache.org/security-8.html

• http://tomcat.apache.org/security-9.html