Red Hat Bugzilla – Bug 1480618
CVE-2017-7674 tomcat: Vary header not added by CORS filter leading to cache poisoning
Last modified: 2018-10-19 17:42:39 EDT
The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.

Affected versions: 7.0.41 to 7.0.78, 8.0.0.RC1 to 8.0.44, 8.5.0 to 8.5.15

Upstream patches:
Tomcat 7: https://svn.apache.org/viewvc?view=revision&revision=1795816
Tomcat 8.0.x: https://svn.apache.org/viewvc?view=revision&revision=1795815
Tomcat 8.5.x: https://svn.apache.org/viewvc?view=revision&revision=1795814

External References:
https://tomcat.apache.org/security-7.html
https://tomcat.apache.org/security-8.html
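An added illustration of the caching behaviour described above (example code, not Tomcat's CORS filter and not part of this bug report): a shared cache that honours Vary is modelled against a CORS filter with and without the header. The allow-list, origins and URL are constructed.

```python
# Added example (not Tomcat's code): a minimal model of a shared HTTP cache
# showing why a CORS filter must emit "Vary: Origin". Everything below is
# constructed; nothing touches the network.
ALLOWED_ORIGINS = {"https://app.example", "https://admin.example"}  # constructed


def cors_filter(request_headers, add_vary):
    """Response headers as a CORS filter would build them.
    add_vary=False models the unpatched filter, add_vary=True the fix."""
    headers = {"Content-Type": "application/json"}
    origin = request_headers.get("Origin")
    if origin in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    if add_vary:
        headers["Vary"] = "Origin"  # tells caches the response depends on Origin
    return headers


def secondary_key(request_headers, vary):
    """RFC 7234 style secondary key: values of the request headers named in Vary."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    names = [n.strip().lower() for n in (vary or "").split(",") if n.strip()]
    return tuple((n, lowered.get(n)) for n in sorted(names))


class SharedCache:
    """A shared (proxy/CDN) cache keyed by URL plus the Vary secondary key."""

    def __init__(self):
        self.entries = {}  # url -> list of (secondary_key, response_headers)

    def fetch(self, url, request_headers, server):
        for key, resp in self.entries.get(url, []):
            if secondary_key(request_headers, resp.get("Vary")) == key:
                return resp, True  # served from cache
        resp = server(request_headers)
        key = secondary_key(request_headers, resp.get("Vary"))
        self.entries.setdefault(url, []).append((key, resp))
        return resp, False  # fetched from the origin server


def acao_seen_by(second_origin, add_vary):
    """https://app.example warms the cache, then second_origin requests the
    same URL. Returns (Access-Control-Allow-Origin it receives, cache hit?)."""
    cache = SharedCache()
    server = lambda h: cors_filter(h, add_vary)
    cache.fetch("/api/profile", {"Origin": "https://app.example"}, server)
    resp, hit = cache.fetch("/api/profile", {"Origin": second_origin}, server)
    return resp.get("Access-Control-Allow-Origin"), hit
```

Without the Vary header the second origin is handed the first origin's cached Access-Control-Allow-Origin value; with it, each Origin gets its own cache entry.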
Created jbossweb tracking bugs for this issue:
Affects: openshift-1 [bug 1480619]

Created tomcat tracking bugs for this issue:
Affects: epel-6 [bug 1480621]
Affects: fedora-all [bug 1480620]
EAP 6 does not contain the vulnerable CORSFilter. Any products based on EAP 6 would not be affected, unless they add the CORSFilter in their layered code. Marking JON-3 as NOTAFFECTED.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:3081 https://access.redhat.com/errata/RHSA-2017:3081