tenable:121124 · Apache Tomcat 8.0.0.RC1 < 8.0.52

01 · The Real Story

This is a traffic jam in Tomcat’s UTF-8 parser, not a burglar with keys to the building

Plugin tenable:121124 maps to CVE-2018-1336. In Apache Tomcat, malformed UTF-8 with supplementary characters can trigger an infinite loop in the decoder and hang request processing. For this specific Nessus plugin, the affected upstream train is Tomcat 8.0.0.RC1 through 8.0.51, fixed in 8.0.52; the broader CVE also affects 7.0.28-7.0.86, 8.5.0-8.5.30, and 9.0.0.M9-9.0.7.

The raw vendor/NVD CVSS 3.1 score of 7.5 HIGH overstates enterprise urgency because it scores the bug as a clean unauthenticated network hit with high availability impact, but ignores the real-world fact that this is still DoS only. No code execution, no auth bypass, no data theft, no persistence. If the request path is fronted by proxies or input normalization, exploitation gets even less reliable. For a 10,000-host patch queue, this belongs below remote code execution and auth bypass flaws.

"Unauthenticated network DoS, yes—but this is a narrow availability hit, not a foothold or data-loss event"

02 · The Attack Path

4 steps from start to impact.

STEP 01

Reach an exposed Tomcat HTTP endpoint

The attacker first needs a Tomcat-backed application reachable over HTTP/S. Commodity tooling like curl or hurl is sufficient because no authentication or session state is required. Internet-facing apps are the main concern; internal-only Tomcat nodes turn this into post-compromise nuisance rather than initial-access material.

Conditions required:

A Tomcat 8.0.x instance older than 8.0.52 is reachable
The request reaches Tomcat rather than being terminated or rewritten upstream

Where this breaks in practice:

Many enterprises front Tomcat with Apache httpd, NGINX, F5, CDNs, or WAFs that normalize or reject malformed input
Some Tomcat instances are internal application tiers, not Internet-facing services

Detection/coverage: Standard external scanners mostly identify this by version, not by safe exploit. Nessus explicitly says it relied on self-reported versioning rather than active testing.

STEP 02

Send malformed UTF-8 that hits the vulnerable decoder

A crafted request must contain the right malformed UTF-8 supplementary character sequence so Tomcat's decoder enters an infinite loop. This is not a memory corruption or gadget-chain problem; it is parser abuse. The attacker can generate the payload with raw HTTP tooling rather than exploit frameworks.

Conditions required:

The application path or connector causes Tomcat to decode the attacker-controlled bytes as UTF-8
Input is not rejected earlier by the reverse proxy, framework, or application validation

Where this breaks in practice:

Malformed UTF-8 often gets blocked or normalized before it reaches Tomcat
App-layer validation may drop bad requests before thread starvation becomes meaningful

Detection/coverage: Look for bursts of malformed request bytes, 400/500 anomalies, and proxy/WAF logs showing invalid UTF-8 handling.

STEP 03

Pin worker threads in the loop

Once the vulnerable code path is exercised, the decoder can loop indefinitely and tie up request-processing capacity. Repeating the request across multiple connections can consume available Tomcat worker threads and degrade service. This is classic application-layer resource exhaustion, not system takeover.

Conditions required:

The process has enough exposed concurrency for repeated requests to matter
The attacker can sustain multiple requests or connections

Where this breaks in practice:

Connection limits, request throttling, autoscaling, and upstream load balancers reduce impact
Operations teams often recover quickly via service restart or node rotation

Detection/coverage: Watch Tomcat thread pools, JVM CPU utilization, request queue depth, and sudden drops in successful responses.

STEP 04

Cause partial or full application outage

The end state is reduced availability for the affected app or node. In clustered deployments the blast radius is usually a pool member or service tier, not the whole enterprise, unless all nodes share the same vulnerable path and have no protective front end. There is no privilege gain after impact.

Conditions required:

Enough vulnerable nodes are directly reachable or identically exposed
No rapid failover or restart policy restores service

Where this breaks in practice:

Clustered app tiers, load balancers, and health checks contain outages to single nodes
SRE playbooks for unresponsive JVMs are mature in most enterprises

Detection/coverage: Synthetic monitoring, load balancer health-check failures, and JVM restarts will usually surface this faster than endpoint controls.

03 · Intelligence Metadata

The supporting signals.

In-the-wild status	No solid active exploitation signal found. I did not find a CISA KEV listing, and Tenable's CVE/plugin pages state no known exploits are available.
Public PoC availability	Low-confidence / weak signal. I found no authoritative Exploit-DB-style reference tied to this bug. In practice this is a malformed-request DoS, so a custom `curl`/raw-socket payload is enough even without a named public exploit.
EPSS	Tenable shows EPSS 0.15005. Third-party mirrors place that around the 94th-95th percentile, which says 'Internet-exploitable bug class gets probed,' not 'drop-everything RCE.'
KEV status	Not listed in CISA KEV based on the current catalog/mirror sources I checked. No KEV date because there is no KEV entry.
CVSS vector	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H` = unauthenticated network trigger with availability-only impact. That's exactly why raw CVSS lands high while operational urgency should be lower.
Affected versions	Upstream affected for this plugin: Apache Tomcat 8.0.0.RC1 to 8.0.51. Broader CVE scope also includes 7.0.28-7.0.86, 8.5.0-8.5.30, and 9.0.0.M9-9.0.7.
Fixed versions	Upstream fix for the plugin scope is 8.0.52. Examples of distro backports: Debian stretch `tomcat8` fixed in `8.5.14-1+deb9u3`; Ubuntu 18.04 `tomcat8` fixed in `8.5.39-1ubuntu1~18.04.1`; Ubuntu 16.04 `tomcat8` fixed in `8.0.32-1ubuntu1.7`.
Scanner / detection reality	Nessus plugin 121124 is version-based only and explicitly says it did not test exploitability. Treat findings carefully on packaged/backported Linux builds.
Exposure data	Tomcat is broadly fingerprintable on the public Internet; Censys has published guidance for finding Tomcat, and BitSight's public footprint view reports 41,946 observations tied to this CVE over a rolling 30-day window. That supports wide presence, not necessarily high weaponization.
Disclosure / reporter	Apache says the issue was reported publicly on 2018-04-06 and formally announced on 2018-07-22; NVD published on 2018-08-02. Apache does not name a reporter on the security page.

04 · The Call

noisgate verdict.

Final Verdict

= UNCHANGED to MEDIUM (5.6/10)

The decisive downgrade factor is impact type: this bug is a parser-level availability-only failure, not a foothold. Even though the trigger is unauthenticated and remote, the outcome is thread/CPU starvation on the targeted app tier, which most enterprise architectures can contain and recover from much faster than a compromise event.

HIGH Affected version range and fixed version mapping for upstream Tomcat 8.0.x

MEDIUM Assessment that real-world exploitation prevalence is low relative to CVSS

Why this verdict

Start from 7.5 HIGH: unauthenticated remote requests can trigger it over the network with low complexity, so the baseline score is not crazy on paper
Downgrade for impact: the bug buys the attacker only denial of service—no code execution, no data exposure, no privilege gain, no persistence
Downgrade for attacker path friction: the malformed UTF-8 must survive reverse proxies, WAFs, and app validation to hit Tomcat's decoder; that narrows reliable reach in modern deployments
Keep it above LOW: public-facing Tomcat is common enough that exposed nodes can still be knocked over if they are directly reachable and unprotected

Why not higher?

This is not a compromise primitive. There is no post-exploitation value, no lateral movement assist, and no credential or data exposure. A DoS-only issue should not compete with remote code execution, auth bypass, or deserialization bugs for the top of your patch queue.

Why not lower?

I would not bury it as backlog hygiene because the trigger is remote and unauthenticated, and Internet-facing Tomcat remains common. If you have brittle customer-facing apps with thin thread pools and no protective proxy layer, this can still produce a very visible outage.

05 · Compensating Control

What to do — in priority order.

Front Tomcat with strict request normalization — Terminate HTTP at a reverse proxy or WAF that rejects malformed UTF-8 before it reaches the Tomcat connector. For a MEDIUM finding there is no mitigation SLA — go straight to the 365-day remediation window, but do this sooner on public apps if you already run a shared edge stack.
Rate-limit abusive request patterns — Apply per-IP and per-path throttling at the load balancer, reverse proxy, or API gateway to reduce repeated parser-trigger attempts from consuming worker threads. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window; fold this into normal edge-hardening work rather than emergency change control.
Validate package provenance before patching — If the asset runs distro-packaged Tomcat, verify backported package versions instead of trusting the upstream-looking banner string. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window; the main goal is to avoid false-positive churn on already-fixed Linux packages.
Monitor JVM and thread-pool exhaustion — Alert on sudden Tomcat worker depletion, elevated CPU, health-check failures, and repeated malformed-request responses so ops catches availability attacks early. For MEDIUM, there is no mitigation SLA — go straight to the 365-day remediation window; use this as resilience tuning, not a fire drill.

What doesn't work

MFA or stronger app authentication: this bug is unauthenticated and triggers before login matters
EDR alone: endpoint tooling may tell you the JVM is hot, but it does not stop malformed HTTP from reaching the parser
Hiding the Server banner: it reduces easy fingerprinting a bit, but it does nothing to remove the vulnerable code path
TLS by itself: encrypting the request does not change whether the malformed UTF-8 reaches Tomcat after decryption

06 · Verification

Crowdsourced verification payload.

Run this on the target Tomcat host as a local shell check, not from your scanner. Invoke it as bash check-cve-2018-1336.sh /opt/tomcat and it needs only read access to the Tomcat install tree; no root is required unless file permissions are locked down.

noisgate-verify.sh

BASHREAD-ONLYSAFE

#!/usr/bin/env bash
# check-cve-2018-1336.sh
# Determine whether an Apache Tomcat 8.0.x installation is vulnerable to CVE-2018-1336
# for the Nessus plugin scope: 8.0.0.RC1 through 8.0.51.
#
# Exit codes:
#   0 = PATCHED
#   1 = VULNERABLE
#   2 = UNKNOWN

set -u

TARGET="${1:-}"
if [[ -z "$TARGET" ]]; then
  echo "UNKNOWN: usage: $0 /path/to/tomcat"
  exit 2
fi

if [[ ! -d "$TARGET" ]]; then
  echo "UNKNOWN: path not found: $TARGET"
  exit 2
fi

VERSION=""

# Try RELEASE-NOTES first
if [[ -r "$TARGET/RELEASE-NOTES" ]]; then
  VERSION=$(grep -Eom1 'Apache Tomcat Version [0-9]+\.[0-9]+\.[0-9]+([.-]RC[0-9]+)?' "$TARGET/RELEASE-NOTES" | awk '{print $4}')
fi

# Fallback to serverinfo.sh if present
if [[ -z "$VERSION" && -x "$TARGET/bin/version.sh" ]]; then
  VERSION=$(
    "$TARGET/bin/version.sh" 2>/dev/null | sed -n 's/^Server version:[[:space:]]*Apache Tomcat\///p' | head -n1
  )
fi

if [[ -z "$VERSION" ]]; then
  echo "UNKNOWN: could not determine Tomcat version from $TARGET"
  exit 2
fi

# Normalize common RC formats
VERSION="${VERSION//-RC/.RC}"

# This script is intentionally scoped to Tomcat 8.0.x because the Nessus plugin title is:
# Apache Tomcat 8.0.0.RC1 < 8.0.52
if [[ ! "$VERSION" =~ ^8\.0\. ]]; then
  echo "UNKNOWN: detected version $VERSION, outside plugin 121124 scope (Tomcat 8.0.x only)"
  exit 2
fi

# Handle release candidates explicitly
if [[ "$VERSION" =~ ^8\.0\.0\.RC[0-9]+$ ]]; then
  echo "VULNERABLE: detected version $VERSION (within 8.0.0.RC1-8.0.51)"
  exit 1
fi

# Handle GA versions 8.0.N
PATCH=$(echo "$VERSION" | sed -n 's/^8\.0\.\([0-9]\+\)$/\1/p')
if [[ -z "$PATCH" ]]; then
  echo "UNKNOWN: unrecognized Tomcat 8.0 version format: $VERSION"
  exit 2
fi

if (( PATCH < 52 )); then
  echo "VULNERABLE: detected version $VERSION (fixed in 8.0.52+)"
  exit 1
else
  echo "PATCHED: detected version $VERSION"
  exit 0
fi

07 · Bottom Line

If you remember one thing.

TL;DR

Monday morning, separate Internet-facing Tomcat from internal app tiers, then validate whether these are true upstream 8.0.x installs or distro-backported packages that Nessus may have overcalled. Because this is MEDIUM, there is no noisgate mitigation SLA — go straight to the 365-day remediation window; schedule the actual vendor/package upgrade within the noisgate remediation SLA of 365 days, but pull externally exposed, customer-facing Tomcat nodes forward in your normal maintenance queue so they do not sit untouched for the full year.

Sources

Peer Review

What defenders are saying.

Submit a review attribution: handle + country only

0 flags selected · stored anonymously

Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.