1579611 – (CVE-2018-8014) CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins

Bug 1579611 (CVE-2018-8014) - CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins

Summary: CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCreden...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-8014
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1579612 1579613 1579614 1582362 1590182 1711336
Blocks:	1579616
TreeView+	depends on / blocked

Reported:	2018-05-18 03:29 UTC by Sam Fowler
Modified:	2022-03-13 15:00 UTC (History)
CC List:	90 users (show)
Fixed In Version:	tomcat 8.0.53, tomcat 8.5.32, tomcat 9.0.9, tomcat 7.0.89
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-06-10 10:23:28 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:2469	None	None	None	2018-08-16 15:01:19 UTC
Red Hat Product Errata	RHSA-2018:2470	None	None	None	2018-08-16 14:51:10 UTC
Red Hat Product Errata	RHSA-2018:3768	None	None	None	2018-12-04 16:01:39 UTC
Red Hat Product Errata	RHSA-2019:0450	None	None	None	2019-03-04 17:35:15 UTC
Red Hat Product Errata	RHSA-2019:0451	None	None	None	2019-03-04 17:35:57 UTC
Red Hat Product Errata	RHSA-2019:1529	None	None	None	2019-06-18 17:20:57 UTC
Red Hat Product Errata	RHSA-2019:2205	None	None	None	2019-08-06 12:27:58 UTC

Description Sam Fowler 2018-05-18 03:29:20 UTC

Apache Tomcat through versions 7.0.88, 8.0.52, 8.5.31 and 9.0.8 have defaults settings for the CORS filter that are insecure and enable 'supportsCredentials' for all origins.

Upstream announcement:

https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E

Upstream bug:

https://bz.apache.org/bugzilla/show_bug.cgi?id=62343

Upstream Patches:

http://svn.apache.org/viewvc?view=rev&rev=1831726 / trunk/9.0
http://svn.apache.org/viewvc?view=rev&rev=1831728 / 8.5
http://svn.apache.org/viewvc?view=rev&rev=1831729 / 8.0
http://svn.apache.org/viewvc?view=rev&rev=1831730 / 7.0

External References:

http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.9
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.32
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.89

Comment 1 Sam Fowler 2018-05-18 03:30:16 UTC

Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1579613]
Affects: fedora-all [bug 1579612]

Comment 9 errata-xmlrpc 2018-08-16 14:50:43 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:2470 https://access.redhat.com/errata/RHSA-2018:2470

Comment 10 errata-xmlrpc 2018-08-16 15:00:46 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2018:2469 https://access.redhat.com/errata/RHSA-2018:2469

Comment 12 errata-xmlrpc 2018-12-04 16:01:08 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.2

Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768

Comment 17 errata-xmlrpc 2019-03-04 17:35:13 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2019:0450 https://access.redhat.com/errata/RHSA-2019:0450

Comment 18 errata-xmlrpc 2019-03-04 17:35:55 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.0 on RHEL 6
  Red Hat JBoss Web Server 5.0 on RHEL 7

Via RHSA-2019:0451 https://access.redhat.com/errata/RHSA-2019:0451

Comment 20 Joshua Padman 2019-05-15 22:58:36 UTC

This vulnerability is out of security support scope for the following product:
 * Red Hat Enterprise Application Platform 5

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 21 errata-xmlrpc 2019-06-18 17:20:54 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1529 https://access.redhat.com/errata/RHSA-2019:1529

Comment 22 Doran Moppert 2019-07-15 04:11:16 UTC

Mitigation:

When using the CORS filter, it is recommended to configure it explicitly for your environment.  In particular, the combination of `cors.allowed.origins = *` and `cors.support.credentials = True` should be avoided as this  can leave your application vulnerable to cross-site scripting (XSS). For details on configuring CORS filter, please refer to https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter

Comment 23 errata-xmlrpc 2019-08-06 12:27:55 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2205 https://access.redhat.com/errata/RHSA-2019:2205

Note You need to log in before you can comment on or make changes to this bug.

abhgupta
aileenc
alazarot
alee
anstephe
avibelli
bgeorges
bmaxwell
bpowers
cdewolf
chazlett
cmoulliard
coolsvap
csutherl
darran.lofthouse
dbaker
deesharm
dimitris
dmasirka
dosoudil
drieden
etirelli
fgavrilo
gandavar
gvarsami
gzaronik
hhorak
ibek
ikanello
ivan.afonichev
java-sig-commits
jawilson
jbalunas
jclere
jcoleman
jdoyle
jokerman
jolee
jondruse
jorton
jpadman
jpallich
jschatte
jshepherd
jstastny
kconner
krathod
krzysztof.daniel
ksuzumur
kverlaen
ldimaggi
lgao
loleary
lpetrovi
lthon
mbabacek
mizdebsk
mszynkie
myarboro
nwallace
paradhya
pavelp
pgallagh
pgier
pjurak
ppalaga
psakar
pslavice
rhcs-maint
rnetuka
rrajasek
rruss
rstancel
rsvoboda
rsynek
rwagner
rzhang
sdaley
spinder
sthangav
tcunning
theute
tkirby
trankin
trogers
twalsh
vhalbert
vtunka
weli
yozone