Bug 1607580 (CVE-2018-8034) - CVE-2018-8034 tomcat: Host name verification missing in WebSocket client
Summary: CVE-2018-8034 tomcat: Host name verification missing in WebSocket client
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-8034
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: low
Severity: low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1658846 1607586 1607587 1608605 1608606 1608609 1608653 1608654 1711341
Blocks: 1607593
Reported: 2018-07-23 19:15 UTC by Pedro Sampaio
Modified: 2019-09-29 14:45 UTC (History)

Fixed In Version: tomcat 8.0.53, tomcat 8.5.32, tomcat 9.0.10, tomcat 7.0.90
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:33:56 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0130 None None None 2019-01-22 13:36:40 UTC
Red Hat Product Errata RHSA-2019:0131 None None None 2019-01-22 13:41:21 UTC
Red Hat Product Errata RHSA-2019:0450 None None None 2019-03-04 17:35:15 UTC
Red Hat Product Errata RHSA-2019:0451 None None None 2019-03-04 17:36:01 UTC
Red Hat Product Errata RHSA-2019:1159 None None None 2019-05-13 17:01:18 UTC
Red Hat Product Errata RHSA-2019:1160 None None None 2019-05-13 17:06:57 UTC
Red Hat Product Errata RHSA-2019:1161 None None None 2019-05-13 17:04:09 UTC
Red Hat Product Errata RHSA-2019:1162 None None None 2019-05-13 17:24:53 UTC
Red Hat Product Errata RHSA-2019:1529 None None None 2019-06-18 17:20:57 UTC
Red Hat Product Errata RHSA-2019:2205 None None None 2019-08-06 12:28:00 UTC

Description Pedro Sampaio 2018-07-23 19:15:58 UTC
Flaw affecting tomcat 8.0.0.RC1 to 8.0.52 and 9.0.0.M1 to 9.0.9. The host name verification when using TLS with the WebSocket client was not enabled by default.

Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1833757
http://svn.apache.org/viewvc?view=rev&rev=1833759

References:

https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
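
The description above says the WebSocket client validated the TLS certificate chain but did not verify the host name by default. What that means in practice is shown by the following added example; it is not Tomcat code and not taken from the upstream patch. It is a self-contained Go program that builds a throwaway root CA and a leaf certificate for attacker.example.test in memory, serves that certificate on loopback, and connects two clients that both intended to reach api.example.test. The CA name, both host names and the loopback server are constructed fixtures. The chain-only client accepts the certificate, which is the CVE-2018-8034 failure mode: anyone holding a certificate from a trusted CA for any name at all can sit in the middle. The strict client rejects it with a hostname mismatch; in JSSE the switch for the same check is SSLParameters.setEndpointIdentificationAlgorithm("HTTPS") applied to the SSLEngine or SSLSocket before the handshake.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// mustCert builds an in-process test certificate (a constructed fixture; nothing
// touches disk). parent == nil yields a self-signed root CA, otherwise a server
// leaf issued by parent that is valid for dnsName only.
func mustCert(dnsName string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: dnsName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{dnsName} // the only host this leaf is valid for
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// mustServe serves TLS on loopback with leaf, drives one handshake per connection
// and returns the address to dial.
func mustServe(leaf *x509.Certificate, key *ecdsa.PrivateKey) string {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}},
	})
	if err != nil {
		panic(err)
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return
			}
			go func() { c.(*tls.Conn).Handshake(); c.Close() }()
		}
	}()
	return ln.Addr().String()
}

// chainOnlyConfig reproduces the CVE-2018-8034 bug class: the chain is validated
// against the trust store, but the certificate's names are never compared with
// the host the client meant to reach. InsecureSkipVerify switches off Go's
// built-in check and VerifyConnection re-implements only the chain half.
func chainOnlyConfig(roots *x509.CertPool) *tls.Config {
	return &tls.Config{
		InsecureSkipVerify: true,
		VerifyConnection: func(cs tls.ConnectionState) error {
			// DNSName left empty: signatures, validity and key usage only.
			_, err := cs.PeerCertificates[0].Verify(x509.VerifyOptions{Roots: roots})
			return err
		},
	}
}

// IsHostnameMismatch reports whether a handshake failed specifically because
// the certificate's names do not cover the requested host.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

// RunDemo serves a legitimately issued certificate for attacker.example.test to
// two clients that both wanted api.example.test and returns each handshake's
// verdict (nil means the certificate was accepted).
func RunDemo() (chainOnlyErr, strictErr error) {
	ca, caKey := mustCert("Example Test Root", nil, nil)
	leaf, leafKey := mustCert("attacker.example.test", ca, caKey)
	addr := mustServe(leaf, leafKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	dial := func(cfg *tls.Config) error {
		conn, err := tls.Dial("tcp", addr, cfg)
		if err == nil {
			conn.Close()
		}
		return err
	}
	// The strict client is the fixed behaviour: RootCAs plus ServerName makes the
	// library enforce the name, as setEndpointIdentificationAlgorithm("HTTPS") does in JSSE.
	return dial(chainOnlyConfig(roots)), dial(&tls.Config{RootCAs: roots, ServerName: "api.example.test"})
}
```

RunDemo returns nil for the chain-only client and an x509.HostnameError for the strict one. The chain-only client is not exotic: it is exactly what a client gets when it hands a trust store to the TLS library but never tells it which host it expects, and it is why "the certificate is valid" is not the same statement as "I am talking to the right server".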

Comment 1 Pedro Sampaio 2018-07-23 19:25:42 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1607587]
Affects: fedora-all [bug 1607586]

Comment 2 Timothy Walsh 2018-07-24 09:50:40 UTC
Tomcat 7.0.35 to 7.0.88.

Comment 10 Chess Hazlett 2018-08-16 21:21:48 UTC
Statement:

Tomcat 6, and Red Hat products shipping it, are not affected by this CVE. Tomcat 7, 8, and 9, as well as Red Hat Products shipping them, are affected. Affected products, including Red Hat JBoss Web Server 3 and 5, Enterprise Application Server 6, and Fuse 7, may provide fixes for this issue in a future release.

Comment 12 errata-xmlrpc 2019-01-22 13:36:35 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2019:0130 https://access.redhat.com/errata/RHSA-2019:0130

Comment 13 errata-xmlrpc 2019-01-22 13:41:19 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6
  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2019:0131 https://access.redhat.com/errata/RHSA-2019:0131

Comment 14 errata-xmlrpc 2019-03-04 17:35:13 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2019:0450 https://access.redhat.com/errata/RHSA-2019:0450

Comment 15 errata-xmlrpc 2019-03-04 17:35:59 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.0 on RHEL 6
  Red Hat JBoss Web Server 5.0 on RHEL 7

Via RHSA-2019:0451 https://access.redhat.com/errata/RHSA-2019:0451

Comment 17 errata-xmlrpc 2019-05-13 17:01:15 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2019:1159 https://access.redhat.com/errata/RHSA-2019:1159

Comment 18 errata-xmlrpc 2019-05-13 17:04:06 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2019:1161 https://access.redhat.com/errata/RHSA-2019:1161

Comment 19 errata-xmlrpc 2019-05-13 17:06:54 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2019:1160 https://access.redhat.com/errata/RHSA-2019:1160

Comment 20 errata-xmlrpc 2019-05-13 17:24:51 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:1162 https://access.redhat.com/errata/RHSA-2019:1162

Comment 21 errata-xmlrpc 2019-06-18 17:20:54 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1529 https://access.redhat.com/errata/RHSA-2019:1529

Comment 22 errata-xmlrpc 2019-08-06 12:27:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2205 https://access.redhat.com/errata/RHSA-2019:2205
