Bug 1607580 (CVE-2018-8034) - CVE-2018-8034 tomcat: Host name verification missing in WebSocket client
Summary: CVE-2018-8034 tomcat: Host name verification missing in WebSocket client
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-8034
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1607586 1607587 1608605 1608606 1608609 1608653 1608654 1658846 1711341
Blocks: 1607593
TreeView+ depends on / blocked
 
Reported: 2018-07-23 19:15 UTC by Pedro Sampaio
Modified: 2022-03-13 15:16 UTC (History)
80 users (show)

Fixed In Version: tomcat 8.0.53, tomcat 8.5.32, tomcat 9.0.10, tomcat 7.0.90
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 10:33:56 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:0130 0 None None None 2019-01-22 13:36:40 UTC
Red Hat Product Errata RHSA-2019:0131 0 None None None 2019-01-22 13:41:21 UTC
Red Hat Product Errata RHSA-2019:0450 0 None None None 2019-03-04 17:35:15 UTC
Red Hat Product Errata RHSA-2019:0451 0 None None None 2019-03-04 17:36:01 UTC
Red Hat Product Errata RHSA-2019:1159 0 None None None 2019-05-13 17:01:18 UTC
Red Hat Product Errata RHSA-2019:1160 0 None None None 2019-05-13 17:06:57 UTC
Red Hat Product Errata RHSA-2019:1161 0 None None None 2019-05-13 17:04:09 UTC
Red Hat Product Errata RHSA-2019:1162 0 None None None 2019-05-13 17:24:53 UTC
Red Hat Product Errata RHSA-2019:1529 0 None None None 2019-06-18 17:20:57 UTC
Red Hat Product Errata RHSA-2019:2205 0 None None None 2019-08-06 12:28:00 UTC
Red Hat Product Errata RHSA-2019:3892 0 None None None 2019-11-14 21:18:02 UTC

Description Pedro Sampaio 2018-07-23 19:15:58 UTC 
Flaw affecting tomcat 8.0.0.RC1 to 8.0.52 and 9.0.0.M1 to 9.0.9 . The host name verification when using TLS with the WebSocket client was not enabled by default.

Upstream patch:

http://svn.apache.org/viewvc?view=revision&revision=1833757
http://svn.apache.org/viewvc?view=rev&rev=1833759

References:

https://tomcat.apache.org/security-8.html
https://tomcat.apache.org/security-9.html
Comment 1 Pedro Sampaio 2018-07-23 19:25:42 UTC 
Created tomcat tracking bugs for this issue:

Affects: epel-all [bug 1607587]
Affects: fedora-all [bug 1607586]
Comment 2 Timothy Walsh 2018-07-24 09:50:40 UTC 
Tomcat 7.0.35 to 7.0.88.
Comment 10 Chess Hazlett 2018-08-16 21:21:48 UTC 
Statement:

Tomcat 6, and Red Hat products shipping it, are not affected by this CVE. Tomcat 7, 8, and 9, as well as Red Hat Products shipping them, are affected. Affected products, including Red Hat JBoss Web Server 3 and 5, Enterprise Application Server 6, and Fuse 7, may provide fixes for this issue in a future release.
Comment 12 errata-xmlrpc 2019-01-22 13:36:35 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2019:0130 https://access.redhat.com/errata/RHSA-2019:0130
Comment 13 errata-xmlrpc 2019-01-22 13:41:19 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 3 for RHEL 6
  Red Hat JBoss Web Server 3 for RHEL 7

Via RHSA-2019:0131 https://access.redhat.com/errata/RHSA-2019:0131
Comment 14 errata-xmlrpc 2019-03-04 17:35:13 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server

Via RHSA-2019:0450 https://access.redhat.com/errata/RHSA-2019:0450
Comment 15 errata-xmlrpc 2019-03-04 17:35:59 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.0 on RHEL 6
  Red Hat JBoss Web Server 5.0 on RHEL 7

Via RHSA-2019:0451 https://access.redhat.com/errata/RHSA-2019:0451
Comment 17 errata-xmlrpc 2019-05-13 17:01:15 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 5

Via RHSA-2019:1159 https://access.redhat.com/errata/RHSA-2019:1159
Comment 18 errata-xmlrpc 2019-05-13 17:04:06 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 7

Via RHSA-2019:1161 https://access.redhat.com/errata/RHSA-2019:1161
Comment 19 errata-xmlrpc 2019-05-13 17:06:54 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 6.4 for RHEL 6

Via RHSA-2019:1160 https://access.redhat.com/errata/RHSA-2019:1160
Comment 20 errata-xmlrpc 2019-05-13 17:24:51 UTC 
This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:1162 https://access.redhat.com/errata/RHSA-2019:1162
Comment 21 errata-xmlrpc 2019-06-18 17:20:54 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2019:1529 https://access.redhat.com/errata/RHSA-2019:1529
Comment 22 errata-xmlrpc 2019-08-06 12:27:57 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2019:2205 https://access.redhat.com/errata/RHSA-2019:2205
Comment 23 errata-xmlrpc 2019-11-14 21:17:59 UTC 
This issue has been addressed in the following products:

  Red Hat Fuse 7.5.0

Via RHSA-2019:3892 https://access.redhat.com/errata/RHSA-2019:3892
Note You need to log in before you can comment on or make changes to this bug.