VYPR
← All advisories
High severityNVD Advisory· Published Aug 1, 2018· Updated Oct 21, 2024

CVE-2018-8034

CVE-2018-8034

Description

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache Tomcat WebSocket client TLS host name verification was missing, enabling man-in-the-middle attacks; fixed in 9.0.10, 8.5.32, 8.0.53, 7.0.89.

Vulnerability

The Apache Tomcat WebSocket client, when configured to use TLS, did not perform host name verification against the server certificate. This affects Tomcat versions 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88 [1][2][3][4]. The missing check allowed any valid certificate presented by a server to be accepted, even if the common name (CN) or subject alternative names (SANs) did not match the intended host name.

Exploitation

An attacker positioned between the Tomcat WebSocket client and the legitimate server (a man-in-the-middle) could present a TLS certificate issued by a trusted certificate authority for any domain. If the client trusts the root CA that signed the attacker's certificate, the TLS handshake succeeds without host name verification, and the attacker can then intercept or modify WebSocket traffic. No prior authentication or special user interaction beyond establishing a TLS WebSocket connection is required.

Impact

Successful exploitation permits a man-in-the-middle to read, modify, or inject data into the WebSocket communication stream. This breaks the confidentiality and integrity guarantees that TLS is meant to provide, potentially exposing sensitive application data or allowing command injection if the WebSocket channel carries control messages.

Mitigation

The host name verification is now enabled by default. Fixed versions are Apache Tomcat 9.0.10, 8.5.32, 8.0.53, and 7.0.89 [1][2][3][4]. Users unable to upgrade immediately can configure a custom SSLContext with a host name verifier, but upgrading is the recommended approach.

References
  1. https://access.redhat.com/errata/RHSA-2019:1160
  2. https://access.redhat.com/errata/RHSA-2019:1161
  3. https://access.redhat.com/errata/RHSA-2019:1159
  4. https://access.redhat.com/errata/RHSA-2019:1529

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 9.0.0, < 9.0.109.0.10
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 8.5.0, < 8.5.328.5.32
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 8.0.0, < 8.0.538.0.53
org.apache.tomcat.embed:tomcat-embed-coreMaven
>= 7.0.35, < 7.0.907.0.90

Affected products

35

Patches

2
2c522795166c

Enable host name verification for secure WebSocket client connections by default.

https://github.com/apache/tomcatMark ThomasJun 18, 2018via ghsa
commit
3 files changed · +31 7
  • java/org/apache/tomcat/websocket/WsWebSocketContainer.java+12 3 modified
    @@ -53,6 +53,7 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManagerFactory;
 import javax.websocket.ClientEndpoint;
 import javax.websocket.ClientEndpointConfig;
@@ -369,7 +370,7 @@ private Session connectToServerRecursive(Endpoint endpoint,
             // Regardless of whether a non-secure wrapper was created for a
             // proxy CONNECT, need to use TLS from this point on so wrap the
             // original AsynchronousSocketChannel
-            SSLEngine sslEngine = createSSLEngine(userProperties);
+            SSLEngine sslEngine = createSSLEngine(userProperties, host, port);
             channel = new AsyncChannelWrapperSecure(socketChannel, sslEngine);
         } else if (channel == null) {
             // Only need to wrap as this point if it wasn't wrapped to process a
@@ -931,7 +932,7 @@ private String readLine(ByteBuffer response) {
     }
 
 
-    private SSLEngine createSSLEngine(Map<String,Object> userProperties)
+    private SSLEngine createSSLEngine(Map<String,Object> userProperties, String host, int port)
             throws DeploymentException {
 
         try {
@@ -979,7 +980,7 @@ private SSLEngine createSSLEngine(Map<String,Object> userProperties)
                 }
             }
 
-            SSLEngine engine = sslContext.createSSLEngine();
+            SSLEngine engine = sslContext.createSSLEngine(host, port);
 
             String sslProtocolsValue =
                     (String) userProperties.get(SSL_PROTOCOLS_PROPERTY);
@@ -989,6 +990,14 @@ private SSLEngine createSSLEngine(Map<String,Object> userProperties)
 
             engine.setUseClientMode(true);
 
+            // Enable host verification
+            // Start with current settings (returns a copy)
+            SSLParameters sslParams = engine.getSSLParameters();
+            // Use HTTPS since WebSocket starts over HTTP(S)
+            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+            // Write the parameters back
+            engine.setSSLParameters(sslParams);
+
             return engine;
         } catch (Exception e) {
             throw new DeploymentException(sm.getString(
  • webapps/docs/changelog.xml+4 0 modified
    @@ -164,6 +164,10 @@
         <code>DecodeException</code> instead of throwing
         <code>ArrayIndexOutOfBoundsException</code>. (kfujino)
       </fix>
+      <fix>
+        Enable host name verification when using TLS with the WebSocket client.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Web applications">
  • webapps/docs/web-socket-howto.xml+15 4 modified
    @@ -148,10 +148,21 @@ implement its own timeout mechanism to handle these cases.</p>
      <li><code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code></li>
    </ul>
    <p>The default truststore password is <code>changeit</code>.</p>
-   <p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
-      set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
-      <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
-      will be ignored.</p>
+
+<p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
+   set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
+   <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
+   will be ignored.</p>
+
+<p>For secure server end points, host name verification is enabled by default.
+   To bypass this verification (not recommended), it is necessary to provide a
+   custom <code>SSLContext</code> via the
+   <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> user property. The
+   custom <code>SSLContext</code> must be configured with a custom
+   <code>TrustManager</code> that extends
+   <code>javax.net.ssl.X509ExtendedTrustManager</code>. The desired verification
+   (or lack of verification) can then be controlled by appropriate
+   implementations of the individual abstract methods.</p>
 
 <p>When using the WebSocket client to connect to server endpoints, the number of
    HTTP redirects that the client will follow is controlled by the
2835bb4e030c

Enable host name verification for secure WebSocket client connections by

https://github.com/apache/tomcatMark ThomasJun 18, 2018via ghsa
commit
3 files changed · +31 7
  • java/org/apache/tomcat/websocket/WsWebSocketContainer.java+12 3 modified
    @@ -52,6 +52,7 @@
 import javax.net.ssl.SSLContext;
 import javax.net.ssl.SSLEngine;
 import javax.net.ssl.SSLException;
+import javax.net.ssl.SSLParameters;
 import javax.net.ssl.TrustManagerFactory;
 import javax.websocket.ClientEndpoint;
 import javax.websocket.ClientEndpointConfig;
@@ -328,7 +329,7 @@ private Session connectToServerRecursive(Endpoint endpoint,
             // Regardless of whether a non-secure wrapper was created for a
             // proxy CONNECT, need to use TLS from this point on so wrap the
             // original AsynchronousSocketChannel
-            SSLEngine sslEngine = createSSLEngine(userProperties);
+            SSLEngine sslEngine = createSSLEngine(userProperties, host, port);
             channel = new AsyncChannelWrapperSecure(socketChannel, sslEngine);
         } else if (channel == null) {
             // Only need to wrap as this point if it wasn't wrapped to process a
@@ -866,7 +867,7 @@ private String readLine(ByteBuffer response) {
     }
 
 
-    private SSLEngine createSSLEngine(Map<String,Object> userProperties)
+    private SSLEngine createSSLEngine(Map<String,Object> userProperties, String host, int port)
             throws DeploymentException {
 
         try {
@@ -904,7 +905,7 @@ private SSLEngine createSSLEngine(Map<String,Object> userProperties)
                 }
             }
 
-            SSLEngine engine = sslContext.createSSLEngine();
+            SSLEngine engine = sslContext.createSSLEngine(host, port);
 
             String sslProtocolsValue =
                     (String) userProperties.get(Constants.SSL_PROTOCOLS_PROPERTY);
@@ -914,6 +915,14 @@ private SSLEngine createSSLEngine(Map<String,Object> userProperties)
 
             engine.setUseClientMode(true);
 
+            // Enable host verification
+            // Start with current settings (returns a copy)
+            SSLParameters sslParams = engine.getSSLParameters();
+            // Use HTTPS since WebSocket starts over HTTP(S)
+            sslParams.setEndpointIdentificationAlgorithm("HTTPS");
+            // Write the parameters back
+            engine.setSSLParameters(sslParams);
+
             return engine;
         } catch (Exception e) {
             throw new DeploymentException(sm.getString(
  • webapps/docs/changelog.xml+4 0 modified
    @@ -277,6 +277,10 @@
         Improve the handling of exceptions during TLS handshakes for the
         WebSocket client. (markt)
       </fix>
+      <fix>
+        Enable host name verification when using TLS with the WebSocket client.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Web applications">
  • webapps/docs/web-socket-howto.xml+15 4 modified
    @@ -110,10 +110,21 @@
      <li><code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code></li>
    </ul>
    <p>The default truststore password is <code>changeit</code>.</p>
-   <p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
-      set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
-      <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
-      will be ignored.</p>
+
+<p>If the <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> property is
+   set then the <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE</code> and
+   <code>org.apache.tomcat.websocket.SSL_TRUSTSTORE_PWD</code> properties
+   will be ignored.</p>
+
+<p>For secure server end points, host name verification is enabled by default.
+   To bypass this verification (not recommended), it is necessary to provide a
+   custom <code>SSLContext</code> via the
+   <code>org.apache.tomcat.websocket.SSL_CONTEXT</code> user property. The
+   custom <code>SSLContext</code> must be configured with a custom
+   <code>TrustManager</code> that extends
+   <code>javax.net.ssl.X509ExtendedTrustManager</code>. The desired verification
+   (or lack of verification) can then be controlled by appropriate
+   implementations of the individual abstract methods.</p>
 
 <p>When using the WebSocket client to connect to server endpoints, the number of
    HTTP redirects that the client will follow is controlled by the

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

67

News mentions

0

No linked articles in our index yet.