Bug 2180856 (CVE-2023-28708)

Summary: CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
Product: [Other] Security Response Reporter: Sandipan Roy <saroy>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: csutherl, huwang, jclere, kyoshida, mmadzin, peholase, pjindal, rhcs-maint, szappis
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: tomcat 8.5.86, tomcat 9.0.72, tomcat 10.1.6, tomcat 11.0.0-M3 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2181443, 2181448, 2181455, 2181459, 2181461, 2181441, 2181442, 2181447, 2181449, 2181450, 2181451, 2181452, 2181453, 2181454, 2181456, 2181457, 2181458, 2181460, 2182286    
Bug Blocks: 2180858    

Description Sandipan Roy 2023-03-22 12:23:03 UTC 
Apache Tomcat information disclosure CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Affects: 8.5.0 to 8.5.85

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.86
https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
Comment 1 TEJ RATHI 2023-03-24 06:29:48 UTC 
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M2
Apache Tomcat 10.1.0-M1 to 10.1.5
Apache Tomcat 9.0.0-M1 to 9.0.71
Apache Tomcat 8.5.0 to 8.5.85

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
Comment 2 Sandipan Roy 2023-03-24 06:32:06 UTC 
Created tomcat tracking bugs for this issue:

Affects: epel-8 [bug 2181441]
Affects: fedora-36 [bug 2181442]
Affects: fedora-37 [bug 2181443]