Bug 1607580 – CVE-2018-8034 tomcat: host name verification missing in WebSocket client

Bugzilla will be upgraded to version 5.0 on a still to be determined date in the near future. The original upgrade date has been delayed.

Bug 1607580 - (CVE-2018-8034) CVE-2018-8034 tomcat: host name verification missing in WebSocket client

Summary:	CVE-2018-8034 tomcat: host name verification missing in WebSocket client

Status:	NEW

Aliases:	CVE-2018-8034

Product:	Security Response
Classification:	Other
Component:	vulnerability (Show other bugs)
Sub Component:
Version:	unspecified
Hardware:	All Linux

Priority	low Severity low
Target Milestone:	---
Target Release:	---
Assigned To:	Red Hat Product Security
QA Contact:
Docs Contact:

URL:
Whiteboard:	impact=low,public=20180722,reported=2...
Keywords:	Security

Depends On:	1607587 1608609 1608653 1608654 1607586 1608605 1608606
Blocks:	1607593
	Show dependency tree / graph

Reported:	2018-07-23 15:15 EDT by Pedro Sampaio
Modified:	2018-10-19 17:52 EDT (History)
CC List:	82 users (show)

See Also:
Fixed In Version:	tomcat 8.0.53, tomcat 8.5.32, tomcat 9.0.10, tomcat 7.0.90
Doc Type:	If docs needed, set a value
Doc Text:
Story Points:	---
Clone Of:
Environment:
Last Closed:
Type:	---
Regression:	---
Mount Type:	---
Documentation:	---
CRM:
Verified Versions:
Category:	---
oVirt Team:	---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Groups: None (edit)

Description Pedro Sampaio 2018-07-23 15:15:58 EDT

Flaw affecting tomcat 8.0.0.RC1 to 8.0.52 and 9.0.0.M1 to 9.0.9 . The host name verification when using TLS with the WebSocket client was not enabled by default.

Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1833757
http://svn.apache.org/viewvc?view=rev&rev=1833759

References:

https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html

Comment 1 Pedro Sampaio 2018-07-23 15:25:42 EDT

Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1607587]
Affects: fedora-all [bug 1607586]

Comment 2 Timothy Walsh 2018-07-24 05:50:40 EDT

Tomcat 7.0.35 to 7.0.88.

Comment 10 Chess Hazlett 2018-08-16 17:21:48 EDT

Statement:

Tomcat 6, and Red Hat products shipping it, are not affected by this CVE. Tomcat 7, 8, and 9, as well as Red Hat Products shipping them, are affected. Affected products, including Red Hat JBoss Web Server 3 and 5, Enterprise Application Server 6, and Fuse 7, may provide fixes for this issue in a future release.

Note You need to log in before you can comment on or make changes to this bug.

aileenc
alazarot
alee
anstephe
apintea
avibelli
bgeorges
bmaxwell
cdewolf
chazlett
cmoulliard
coolsvap
csutherl
darran.lofthouse
dimitris
dosoudil
drieden
etirelli
fgavrilo
gvarsami
gzaronik
hghasemb
hhorak
ibek
ikanello
ivan.afonichev
java-sig-commits
jawilson
jbalunas
jclere
jcoleman
jdoyle
jolee
jondruse
jorton
jpallich
jschatte
jshepherd
jstastny
kconner
krathod
krzysztof.daniel
ksuzumur
kverlaen
ldimaggi
lgao
loleary
lpetrovi
lthon
mbabacek
mizdebsk
mszynkie
myarboro
nwallace
paradhya
pgallagh
pgier
pjurak
ppalaga
psakar
pslavice
pszubiak
rnetuka
rrajasek
rruss
rstancel
rsvoboda
rsynek
rwagner
rzhang
sdaley
spinder
sstavrev
tcunning
theute
tkirby
trogers
twalsh
vhalbert
vtunka
weli
yozone