High severity7.5NVD Advisory· Published Aug 10, 2017· Updated May 13, 2026
CVE-2016-8745
CVE-2016-8745
Description
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, not not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.tomcat:tomcat-utilMaven | >= 9.0.0.M1, < 9.0.0.M14 | 9.0.0.M14 |
org.apache.tomcat:tomcat-utilMaven | >= 8.5.0, < 8.5.9 | 8.5.9 |
org.apache.tomcat:tomcat-utilMaven | >= 8.0.0-RC1, < 8.0.41 | 8.0.41 |
org.apache.tomcat:tomcat-utilMaven | >= 7.0.0, < 7.0.75 | 7.0.75 |
org.apache.tomcat:tomcat-utilMaven | >= 6.0.16, < 6.0.50 | 6.0.50 |
Affected products
1- Apache Software Foundation/Apache Tomcatv5Range: 9.0.0.M1 to 9.0.0.M13
Patches
4143bb466cf96Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
2 files changed · +10 −2
java/org/apache/tomcat/util/net/NioEndpoint.java+6 −2 modified@@ -1413,11 +1413,15 @@ public SendfileState processSendfile(SelectionKey sk, KeyAttachment attachment, } }catch ( IOException x ) { if ( log.isDebugEnabled() ) log.debug("Unable to complete sendfile request:", x); - cancelledKey(sk,SocketStatus.ERROR,false); + if (!calledByProcessor) { + cancelledKey(sk,SocketStatus.ERROR,false); + } return SendfileState.ERROR; }catch ( Throwable t ) { log.error("",t); - cancelledKey(sk, SocketStatus.ERROR, false); + if (!calledByProcessor) { + cancelledKey(sk, SocketStatus.ERROR, false); + } return SendfileState.ERROR; } }
webapps/docs/changelog.xml+4 −0 modified@@ -125,6 +125,10 @@ when configured with an address of <code>0.0.0.0</code> or <code>::</code>. (markt) </fix> + <fix> + <bug>60409</bug>: When unable to complete sendfile request, ensure the + Processor will be added to the cache only once. (markt/violetagg) + </fix> </changelog> </subsection> <subsection name="Jasper">
3dd2fec73e0dFix https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
2 files changed · +10 −2
java/org/apache/tomcat/util/net/NioEndpoint.java+6 −2 modified@@ -1245,11 +1245,15 @@ public SendfileState processSendfile(SelectionKey sk, KeyAttachment attachment, } }catch ( IOException x ) { if ( log.isDebugEnabled() ) log.debug("Unable to complete sendfile request:", x); - cancelledKey(sk,SocketStatus.ERROR); + if (!calledByProcessor) { + cancelledKey(sk,SocketStatus.ERROR); + } return SendfileState.ERROR; }catch ( Throwable t ) { log.error("",t); - cancelledKey(sk, SocketStatus.ERROR); + if (!calledByProcessor) { + cancelledKey(sk, SocketStatus.ERROR); + } return SendfileState.ERROR; } }
webapps/docs/changelog.xml+4 −0 modified@@ -140,6 +140,10 @@ when configured with an address of <code>0.0.0.0</code> or <code>::</code>. (markt) </fix> + <fix> + <bug>60409</bug>: When unable to complete sendfile request, ensure the + Processor will be added to the cache only once. (markt/violetagg) + </fix> </changelog> </subsection> <subsection name="Jasper">
16a57bc885e2Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
3 files changed · +4 −7
java/org/apache/tomcat/util/net/NioEndpoint.java+0 −5 modified@@ -888,7 +888,6 @@ public SendfileState processSendfile(SelectionKey sk, NioSocketWrapper socketWra // Setup the file channel File f = new File(sd.fileName); if (!f.exists()) { - cancelledKey(sk); return SendfileState.ERROR; } @SuppressWarnings("resource") // Closed when channel is closed @@ -962,16 +961,12 @@ public SendfileState processSendfile(SelectionKey sk, NioSocketWrapper socketWra if (log.isDebugEnabled()) log.debug("Unable to complete sendfile request:", x); if (!calledByProcessor && sc != null) { close(sc, sk); - } else { - cancelledKey(sk); } return SendfileState.ERROR; } catch (Throwable t) { log.error("", t); if (!calledByProcessor && sc != null) { close(sc, sk); - } else { - cancelledKey(sk); } return SendfileState.ERROR; }
test/org/apache/catalina/connector/TestSendFile.java+0 −2 modified@@ -39,7 +39,6 @@ import static org.junit.Assert.assertEquals; import static org.junit.Assert.fail; -import org.junit.Ignore; import org.junit.Test; import org.apache.catalina.Context; @@ -157,7 +156,6 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) } - @Ignore @Test public void testBug60409() throws Exception { Tomcat tomcat = getTomcatInstance();
webapps/docs/changelog.xml+4 −0 modified@@ -140,6 +140,10 @@ removing closed streams from the priority tree to ensure that the tree does not grow too large. (markt) </fix> + <fix> + <bug>60409</bug>: When unable to complete sendfile request, ensure the + Processor will be added to the cache only once. (markt/violetagg) + </fix> </changelog> </subsection> <subsection name="Web applications">
cbc9b18a845dFix https://bz.apache.org/bugzilla/show_bug.cgi?id=60409
3 files changed · +4 −7
java/org/apache/tomcat/util/net/NioEndpoint.java+0 −5 modified@@ -888,7 +888,6 @@ public SendfileState processSendfile(SelectionKey sk, NioSocketWrapper socketWra // Setup the file channel File f = new File(sd.fileName); if (!f.exists()) { - cancelledKey(sk); return SendfileState.ERROR; } @SuppressWarnings("resource") // Closed when channel is closed @@ -962,16 +961,12 @@ public SendfileState processSendfile(SelectionKey sk, NioSocketWrapper socketWra if (log.isDebugEnabled()) log.debug("Unable to complete sendfile request:", x); if (!calledByProcessor && sc != null) { close(sc, sk); - } else { - cancelledKey(sk); } return SendfileState.ERROR; } catch (Throwable t) { log.error("", t); if (!calledByProcessor && sc != null) { close(sc, sk); - } else { - cancelledKey(sk); } return SendfileState.ERROR; }
test/org/apache/catalina/connector/TestSendFile.java+0 −2 modified@@ -39,7 +39,6 @@ import static org.junit.Assert.assertEquals; import org.junit.Assert; -import org.junit.Ignore; import org.junit.Test; import org.apache.catalina.Context; @@ -157,7 +156,6 @@ protected void doGet(HttpServletRequest req, HttpServletResponse resp) } - @Ignore @Test public void testBug60409() throws Exception { Tomcat tomcat = getTomcatInstance();
webapps/docs/changelog.xml+4 −0 modified@@ -167,6 +167,10 @@ removing closed streams from the priority tree to ensure that the tree does not grow too large. (markt) </fix> + <fix> + <bug>60409</bug>: When unable to complete sendfile request, ensure the + Processor will be added to the cache only once. (markt/violetagg) + </fix> </changelog> </subsection> <subsection name="Web applications">
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
56- www.securityfocus.com/bid/94828nvdThird Party AdvisoryVDB Entry
- www.securitytracker.com/id/1037432nvdThird Party AdvisoryVDB Entry
- github.com/advisories/GHSA-w3j5-q8f2-3cqqghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2016-8745ghsaADVISORY
- security.gentoo.org/glsa/201705-09nvdThird Party AdvisoryVDB EntryWEB
- rhn.redhat.com/errata/RHSA-2017-0457.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2017-0527.htmlnvdWEB
- www.debian.org/security/2017/dsa-3754nvdWEB
- www.debian.org/security/2017/dsa-3755nvdWEB
- www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.htmlnvdWEB
- www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.htmlnvdWEB
- access.redhat.com/errata/RHSA-2017:0455nvdWEB
- access.redhat.com/errata/RHSA-2017:0456nvdWEB
- access.redhat.com/errata/RHSA-2017:0935nvdWEB
- github.com/apache/tomcat/commit/143bb466cf96a89e791b7db5626055ea819dad89ghsaWEB
- github.com/apache/tomcat/commit/16a57bc885e212839f1d717b94b01d154a36943aghsaWEB
- github.com/apache/tomcat/commit/cbc9b18a845d3c8c053ac293dffda6c6c19dd92bghsaWEB
- github.com/apache/tomcat80/commit/3dd2fec73e0de1edc1d3eb1c52a01255fdfc84e7ghsaWEB
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/37220405a377c0182d2afdbc36461c4783b2930fbeae3a17f1333113@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/39ae1f0bd5867c15755a6f959b271ade1aea04ccdc3b2e639dcd903b@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/4113c05d37f37c12b8033205684f04033c5f7a9bae117d4af23b32b4%40%3Cannounce.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/4113c05d37f37c12b8033205684f04033c5f7a9bae117d4af23b32b4@%3Cannounce.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/b84ad1258a89de5c9c853c7f2d3ad77e5b8b2930be9e132d5cef6b95@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/b8a1bf18155b552dcf9a928ba808cbadad84c236d85eab3033662cfb@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r03c597a64de790ba42c167efacfa23300c3d6c9fe589ab87fe02859c@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r587e50b86c1a96ee301f751d50294072d142fd6dc08a8987ae9f3a9b@%3Cdev.tomcat.apache.org%3EghsaWEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c%40%3Cdev.tomcat.apache.org%3EnvdWEB
- lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3EghsaWEB
- security.netapp.com/advisory/ntap-20180607-0002ghsaWEB
- web.archive.org/web/20200227165932/http://www.securityfocus.com/bid/94828ghsaWEB
- web.archive.org/web/20200517114357/http://www.securitytracker.com/id/1037432ghsaWEB
- security.netapp.com/advisory/ntap-20180607-0002/nvd
News mentions
0No linked articles in our index yet.