| Status: Fully patched DocuShare 7.5 through 8.0 has Apache Tomcat 9.0.106. This is newer than the Apache 9.0.90 release that fixes CVE-2024-38286, so fully patched DocuShare is not affected. Customers that are behind on patches should update to the current patch level. |
Applies To
| DocuShare Version | Guidance |
|---|---|
| DocuShare 7.5 | Not affected when fully patched. Fully patched installations run Apache Tomcat 9.0.106, which is newer than the Apache 9.0.90 fix version. |
| DocuShare 7.6 | Not affected when fully patched. Fully patched installations run Apache Tomcat 9.0.106, which is newer than the Apache 9.0.90 fix version. |
| DocuShare 7.7 | Not affected when fully patched. Fully patched installations run Apache Tomcat 9.0.106, which is newer than the Apache 9.0.90 fix version. |
| DocuShare 8.0 | Not affected when fully patched. Fully patched installations run Apache Tomcat 9.0.106, which is newer than the Apache 9.0.90 fix version. |
Overview
CVE-2024-38286 is an Apache Tomcat denial-of-service issue in the TLS handshake path. Apache lists Tomcat 9.0.x releases up to and including 9.0.89 as affected, with the fix delivered in 9.0.90.
Fully patched DocuShare 7.5 through 8.0 ship Apache Tomcat 9.0.106. Because that version is newer than the Apache 9.0.90 fix, fully patched DocuShare is not affected by CVE-2024-38286. The only residual exposure is an installation that is not current on patches and may therefore still run an earlier Tomcat in the affected range.
What the Vulnerability Requires
This CVE is tied to the TLS handshake path rather than normal non-TLS HTTP request handling.
- Tomcat in an affected version range through 9.0.89 on the 9.0.x branch.
- A TLS-enabled deployment path that allows the vulnerable handshake behavior to be exercised.
- A traffic pattern capable of driving the out-of-memory condition through that TLS handshake path.
DocuShare Assessment
| Assessment Item | Finding |
|---|---|
| Apache fix level | Tomcat 9.0.90 or later |
| DocuShare Tomcat version (fully patched) | DocuShare 7.5-8.0: Apache Tomcat 9.0.106; Apache Tomcat 9.0.117 (both newer than the 9.0.90 fix) |
| HTTPS connector in shipped template | Commented out in the default Tomcat server.xml (default configuration only; the assessment does not rely on this) |
| Assessment | Not affected for fully patched DocuShare |
What You Should Do
- Ensure your DocuShare installation is fully patched. Fully patched DocuShare runs Apache Tomcat 9.0.106, which is newer than the Apache 9.0.90 fix version and is not affected.
- If your installation is behind on patches, update to the current patch level to ensure you are on the fixed Apache Tomcat version.
- By default, DocuShare does not enable the Tomcat TLS connector (it is commented out in the shipped server template), which further limits exposure to this TLS-handshake issue in a standard deployment.
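The following script is an added example, not part of this advisory or of DocuShare itself. It shows how an administrator can verify the two facts this advisory rests on: the installed Tomcat version (read from the `server.info` line of `org/apache/catalina/util/ServerInfo.properties`, which lives inside Tomcat's `lib/catalina.jar`) against the 9.0.90 fix level, and whether any TLS connector is actually live in `server.xml` rather than commented out. The sample inputs are constructed; the DocuShare installation paths are not assumed and must be supplied by the reader.

```python
import re
import xml.etree.ElementTree as ET

# CVE-2024-38286 scope on the 9.0.x branch, as stated in the advisory:
# 9.0.0 .. 9.0.89 affected, 9.0.90 carries the fix.
AFFECTED_BRANCH = (9, 0)
FIX_VERSION = (9, 0, 90)

def parse_tomcat_version(server_info_text):
    """Return (major, minor, patch) from the server.info line of ServerInfo.properties."""
    m = re.search(r"^server\.info=Apache Tomcat/(\d+)\.(\d+)\.(\d+)", server_info_text, re.M)
    return tuple(int(g) for g in m.groups()) if m else None

def version_in_affected_range(version):
    """True only for 9.0.0 .. 9.0.89; other branches are outside this check's scope."""
    return version is not None and version[:2] == AFFECTED_BRANCH and version < FIX_VERSION

def active_tls_connector_ports(server_xml_text):
    """Ports of Connector elements that are live and TLS-enabled.
    ElementTree drops XML comments while parsing, so a commented-out HTTPS
    connector (the shipped DocuShare default) is correctly not reported."""
    root = ET.fromstring(server_xml_text)
    return [c.get("port") for c in root.iter("Connector")
            if c.get("SSLEnabled", "false").lower() == "true"]

def assess(server_info_text, server_xml_text):
    version = parse_tomcat_version(server_info_text)
    affected = version_in_affected_range(version)
    tls_ports = active_tls_connector_ports(server_xml_text)
    return {
        "version": version,
        "needs_patch": affected,                          # version alone decides this
        "tls_path_exposed": affected and bool(tls_ports),  # handshake path reachable
        "tls_ports": tls_ports,
    }

# Constructed samples (not captured from a real installation).
SAMPLE_SERVER_INFO = "server.info=Apache Tomcat/9.0.106\nserver.number=9.0.106.0\n"
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <!-- <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                    SSLEnabled="true" maxThreads="150"/> -->
    <Engine name="Catalina" defaultHost="localhost"><Host name="localhost" appBase="webapps"/></Engine>
  </Service>
</Server>"""

if __name__ == "__main__":
    print(assess(SAMPLE_SERVER_INFO, SAMPLE_SERVER_XML))
```

To run it against a real installation, extract `ServerInfo.properties` from `lib/catalina.jar` and read `conf/server.xml` under the Tomcat directory DocuShare uses, then pass both file contents to `assess`.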
Contact
For questions about this advisory or to confirm your installation's patch level, contact Xerox DocuShare Support through your normal support channel.