Bug 2180856 (CVE-2023-28708)

Summary: CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: VERIFIED --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: ben.argyle, csutherl, gcovolo, jclere, kyoshida, mmadzin, peholase, pjindal, rhcs-maint, szappis, trathi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 8.5.86, tomcat 9.0.72, tomcat 10.1.6, tomcat 11.0.0-M3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2181441, 2181442, 2181443, 2181447, 2181448, 2181449, 2181450, 2181451, 2181452, 2181453, 2181454, 2181455, 2181456, 2181457, 2181458, 2181459, 2181460, 2181461, 2182286    
Bug Blocks: 2180858    

Description Sandipan Roy 2023-03-22 12:23:03 UTC 
Apache Tomcat information disclosure CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Affects: 8.5.0 to 8.5.85

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.86
https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
Comment 1 TEJ RATHI 2023-03-24 06:29:48 UTC 
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M2
Apache Tomcat 10.1.0-M1 to 10.1.5
Apache Tomcat 9.0.0-M1 to 9.0.71
Apache Tomcat 8.5.0 to 8.5.85

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
Comment 2 Sandipan Roy 2023-03-24 06:32:06 UTC 
Created tomcat tracking bugs for this issue:

Affects: epel-8 [bug 2181441]
Affects: fedora-36 [bug 2181442]
Affects: fedora-37 [bug 2181443]
Comment 7 errata-xmlrpc 2023-09-04 12:16:20 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:4909 https://access.redhat.com/errata/RHSA-2023:4909
Comment 8 errata-xmlrpc 2023-09-04 12:24:18 UTC 
This issue has been addressed in the following products:

  JWS 5.7.4 release

Via RHSA-2023:4910 https://access.redhat.com/errata/RHSA-2023:4910
Comment 9 Ben 2023-10-12 09:56:07 UTC 
This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).
Comment 10 TEJ RATHI 2023-10-25 10:58:06 UTC 
In reply to comment #9:
> This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9
> (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old
> RHEL 8 or 9).

This CVE will be fixed with the release of rhel-8.9 and rhel-9.3. RHEL-8 with tomcat-9.0.62-27.el8_9 and RHEL-9 with tomcat-9.0.62-37.el9_3.
Comment 11 Matus Madzin 2023-10-26 21:38:47 UTC 
This CVE is fixed in builds tomcat-9.0.62-27.el8_9 and RHEL-9 with tomcat-9.0.62-37.el9_3
Comment 12 errata-xmlrpc 2023-11-07 08:19:25 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6570 https://access.redhat.com/errata/RHSA-2023:6570
Comment 13 errata-xmlrpc 2023-11-14 15:19:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7065 https://access.redhat.com/errata/RHSA-2023:7065