Bug 1607580 (CVE-2018-8034)

Summary: CVE-2018-8034 tomcat: Host name verification missing in WebSocket client
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: aileenc, alazarot, alee, anstephe, avibelli, bgeorges, bmaxwell, cdewolf, chazlett, cmoulliard, coolsvap, csutherl, darran.lofthouse, dimitris, dosoudil, drieden, etirelli, fgavrilo, gvarsami, gzaronik, hhorak, ibek, ikanello, ivan.afonichev, java-sig-commits, jawilson, jbalunas, jclere, jcoleman, jdoyle, jolee, jondruse, jorton, jpallich, jschatte, jshepherd, jstastny, kconner, krathod, krzysztof.daniel, ksuzumur, kverlaen, ldimaggi, lgao, loleary, lpetrovi, lthon, mbabacek, mizdebsk, mszynkie, myarboro, nwallace, paradhya, pgallagh, pgier, pjurak, ppalaga, psakar, pslavice, rhcs-maint, rnetuka, rrajasek, rruss, rstancel, rsvoboda, rsynek, rwagner, rzhang, sdaley, spinder, sstavrev, tcunning, theute, tkirby, trogers, twalsh, vhalbert, vtunka, weli, yozone
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: tomcat 8.0.53, tomcat 8.5.32, tomcat 9.0.10, tomcat 7.0.90
Doc Type: If docs needed, set a value
Last Closed: 2019-06-10 10:33:56 UTC
Bug Depends On: 1607586, 1607587, 1608605, 1608606, 1608609, 1608653, 1608654, 1658846, 1711341
Bug Blocks: 1607593

Description Pedro Sampaio 2018-07-23 19:15:58 UTC
Flaw affecting tomcat 8.0.0.RC1 to 8.0.52 and 9.0.0.M1 to 9.0.9. The host name verification when using TLS with the WebSocket client was not enabled by default.

Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1833757
http://svn.apache.org/viewvc?view=rev&rev=1833759

References:

https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
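The defect class behind this CVE, shown as an added example in plain Java (not code from this bug report or from Tomcat itself): a client-mode SSLEngine validates the server's certificate chain but does not check that the certificate matches the host being contacted unless an endpoint identification algorithm is set on its SSLParameters. The host name and port below are placeholders; no connection is opened.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

/**
 * Compares a TLS client engine built without host name verification
 * against one with it enabled. Example code, not Tomcat's implementation.
 */
public final class WsClientTlsCheck {

    /** True if the engine will match the server certificate against the host name. */
    public static boolean verifiesHostName(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    /** Weak form: chain validation only; any valid certificate for any host is accepted. */
    public static SSLEngine insecureClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        // The endpoint identification algorithm is left unset (null) by default.
        return engine;
    }

    /** Hardened form: the JDK also checks the certificate's SAN/CN against the host. */
    public static SSLEngine hardenedClientEngine(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // RFC 2818 style host matching
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // "wss.example.test" is a constructed placeholder host name.
        SSLEngine weak = insecureClientEngine(ctx, "wss.example.test", 443);
        SSLEngine strong = hardenedClientEngine(ctx, "wss.example.test", 443);
        System.out.println("insecure engine verifies host name: " + verifiesHostName(weak));
        System.out.println("hardened engine verifies host name: " + verifiesHostName(strong));
    }
}
```

The verifiesHostName check is a useful audit hook for any custom TLS client code that builds its own SSLEngine, since the insecure form fails silently rather than raising an error.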

Comment 1 Pedro Sampaio 2018-07-23 19:25:42 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1607587]
Affects: fedora-all [bug 1607586]

Comment 2 Timothy Walsh 2018-07-24 09:50:40 UTC
Tomcat 7.0.35 to 7.0.88.

Comment 10 Chess Hazlett 2018-08-16 21:21:48 UTC
Statement:

Tomcat 6, and Red Hat products shipping it, are not affected by this CVE. Tomcat 7, 8, and 9, as well as Red Hat products shipping them, are affected. Affected products, including Red Hat JBoss Web Server 3 and 5, Enterprise Application Server 6, and Fuse 7, may provide fixes for this issue in a future release.

Comment 12 errata-xmlrpc 2019-01-22 13:36:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2019:0130 https://access.redhat.com/errata/RHSA-2019:0130

Comment 13 errata-xmlrpc 2019-01-22 13:41:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6
  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2019:0131 https://access.redhat.com/errata/RHSA-2019:0131

Comment 14 errata-xmlrpc 2019-03-04 17:35:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2019:0450 https://access.redhat.com/errata/RHSA-2019:0450

Comment 15 errata-xmlrpc 2019-03-04 17:35:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.0 on RHEL 6
  Red Hat JBoss Web Server 5.0 on RHEL 7

Via RHSA-2019:0451 https://access.redhat.com/errata/RHSA-2019:0451

Comment 17 errata-xmlrpc 2019-05-13 17:01:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2019:1159 https://access.redhat.com/errata/RHSA-2019:1159

Comment 18 errata-xmlrpc 2019-05-13 17:04:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2019:1161 https://access.redhat.com/errata/RHSA-2019:1161

Comment 19 errata-xmlrpc 2019-05-13 17:06:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2019:1160 https://access.redhat.com/errata/RHSA-2019:1160

Comment 20 errata-xmlrpc 2019-05-13 17:24:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:1162 https://access.redhat.com/errata/RHSA-2019:1162

Comment 21 errata-xmlrpc 2019-06-18 17:20:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1529 https://access.redhat.com/errata/RHSA-2019:1529

Comment 22 errata-xmlrpc 2019-08-06 12:27:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2205 https://access.redhat.com/errata/RHSA-2019:2205

Comment 23 errata-xmlrpc 2019-11-14 21:17:59 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.5.0

Via RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3892