Red Hat Bugzilla – Bug 1579611
CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
Last modified: 2018-10-24 12:41:11 EDT
Apache Tomcat through versions 7.0.88, 8.0.52, 8.5.31 and 9.0.8 has default settings for the CORS filter that are insecure and enable 'supportsCredentials' for all origins.

Upstream announcement:
https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593800cae3fb629192b1@%3Cannounce.tomcat.apache.org%3E

Upstream bug:
https://bz.apache.org/bugzilla/show_bug.cgi?id=62343

Upstream patches:
http://svn.apache.org/viewvc?view=rev&rev=1831726 (trunk/9.0)
http://svn.apache.org/viewvc?view=rev&rev=1831728 (8.5)
http://svn.apache.org/viewvc?view=rev&rev=1831729 (8.0)
http://svn.apache.org/viewvc?view=rev&rev=1831730 (7.0)

External references:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.9
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.32
http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53
http://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.89
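As an added illustration (not part of this bug report or of the Tomcat project's own configuration), the web.xml fragment below shows a CORS filter declaration that makes the pre-fix defaults explicit beside a configuration that pins the allowed origins and states the credentials setting itself. The init-param names are those of Tomcat's org.apache.catalina.filters.CorsFilter; https://app.example.com is a constructed placeholder origin.

```xml
<!-- Weak: on the affected versions, declaring the filter with no init-params
     relied on defaults equivalent to the two parameters below, i.e. every
     origin is allowed AND credentials (cookies, HTTP auth) are accepted. -->
<filter>
  <filter-name>CorsFilterWeak</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <param-value>*</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>true</param-value>
  </init-param>
</filter>

<!-- Corrected: list the exact origins that are allowed and set the credentials
     flag explicitly rather than trusting the default. Set it to true only if
     the listed origins genuinely need to send cookies or HTTP auth. -->
<filter>
  <filter-name>CorsFilter</filter-name>
  <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  <init-param>
    <param-name>cors.allowed.origins</param-name>
    <!-- constructed placeholder origin; comma-separate several if needed -->
    <param-value>https://app.example.com</param-value>
  </init-param>
  <init-param>
    <param-name>cors.support.credentials</param-name>
    <param-value>false</param-value>
  </init-param>
</filter>
<filter-mapping>
  <filter-name>CorsFilter</filter-name>
  <url-pattern>/*</url-pattern>
</filter-mapping>
```

A quick check after deploying: a request carrying an Origin header not in the list should come back without an Access-Control-Allow-Origin header, and no response should combine Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true.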
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1579613]
Affects: fedora-all [bug 1579612]
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2018:2470 https://access.redhat.com/errata/RHSA-2018:2470
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 7
  Red Hat JBoss Web Server 3 for RHEL 6

Via RHSA-2018:2469 https://access.redhat.com/errata/RHSA-2018:2469