Bug 1579611 (CVE-2018-8014)
Summary: | CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sam Fowler <sfowler> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | abhgupta, aileenc, alazarot, alee, anstephe, avibelli, bgeorges, bmaxwell, bpowers, cdewolf, chazlett, cmoulliard, coolsvap, csutherl, darran.lofthouse, dbaker, deesharm, dimitris, dmasirka, dosoudil, drieden, etirelli, fgavrilo, gandavar, gvarsami, gzaronik, hhorak, ibek, ikanello, ivan.afonichev, java-sig-commits, jawilson, jbalunas, jclere, jcoleman, jdoyle, jokerman, jolee, jondruse, jorton, jpadman, jpallich, jschatte, jshepherd, jstastny, kconner, krathod, krzysztof.daniel, ksuzumur, kverlaen, ldimaggi, lgao, loleary, lpetrovi, lthon, mbabacek, mizdebsk, mszynkie, myarboro, nwallace, paradhya, pavelp, pgallagh, pgier, pjurak, ppalaga, psakar, pslavice, rhcs-maint, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, rzhang, sdaley, spinder, sthangav, tcunning, theute, tkirby, trankin, trogers, twalsh, vhalbert, vtunka, weli, yozone |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | tomcat 8.0.53, tomcat 8.5.32, tomcat 9.0.9, tomcat 7.0.89 | Doc Type: | If docs needed, set a value |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2019-06-10 10:23:28 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 1579612, 1579613, 1579614, 1582362, 1590182, 1711336 | ||
Bug Blocks: | 1579616 |
Description
Sam Fowler
2018-05-18 03:29:20 UTC
Created tomcat tracking bugs for this issue: Affects: epel-all [bug 1579613] Affects: fedora-all [bug 1579612] This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2018:2470 https://access.redhat.com/errata/RHSA-2018:2470 This issue has been addressed in the following products: Red Hat JBoss Web Server 3 for RHEL 7 Red Hat JBoss Web Server 3 for RHEL 6 Via RHSA-2018:2469 https://access.redhat.com/errata/RHSA-2018:2469 This issue has been addressed in the following products: Red Hat Fuse 7.2 Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768 This issue has been addressed in the following products: Red Hat JBoss Web Server Via RHSA-2019:0450 https://access.redhat.com/errata/RHSA-2019:0450 This issue has been addressed in the following products: Red Hat JBoss Web Server 5.0 on RHEL 6 Red Hat JBoss Web Server 5.0 on RHEL 7 Via RHSA-2019:0451 https://access.redhat.com/errata/RHSA-2019:0451 This vulnerability is out of security support scope for the following product: * Red Hat Enterprise Application Platform 5 Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2019:1529 https://access.redhat.com/errata/RHSA-2019:1529 Mitigation: When using the CORS filter, it is recommended to configure it explicitly for your environment. In particular, the combination of `cors.allowed.origins = *` and `cors.support.credentials = True` should be avoided as this can leave your application vulnerable to cross-site scripting (XSS). For details on configuring CORS filter, please refer to https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2019:2205 https://access.redhat.com/errata/RHSA-2019:2205 |