Bug 2180856 (CVE-2023-28708) - CVE-2023-28708 tomcat: not including the secure attribute causes information disclosure
Summary: CVE-2023-28708 tomcat: not including the secure attribute causes information ...
Keywords:
Status: VERIFIED
Alias: CVE-2023-28708
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2181441 2181442 2181443 2181447 2181448 2181449 2181450 2181451 2181452 2181453 2181454 2181455 2181456 2181457 2181458 2181459 2181460 2181461 2182286
Blocks: 2180858
Reported: 2023-03-22 12:23 UTC by Sandipan Roy
Modified: 2024-04-22 14:36 UTC (History)

Fixed In Version: tomcat 8.5.86, tomcat 9.0.72, tomcat 10.1.6, tomcat 11.0.0-M3
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:4909 0 None None None 2023-09-04 12:16:22 UTC
Red Hat Product Errata RHSA-2023:4910 0 None None None 2023-09-04 12:24:20 UTC
Red Hat Product Errata RHSA-2023:6570 0 None None None 2023-11-07 08:19:27 UTC
Red Hat Product Errata RHSA-2023:7065 0 None None None 2023-11-14 15:19:53 UTC

Description Sandipan Roy 2023-03-22 12:23:03 UTC
Apache Tomcat information disclosure CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Affects: 8.5.0 to 8.5.85

https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.86
https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
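As an added illustration (not part of this bug report and not Tomcat code), a small Python checker for the symptom described above: a session cookie issued for a request that reached Tomcat over plain HTTP from a reverse proxy with X-Forwarded-Proto: https, but without the Secure attribute. The header values, cookie values and sample exchange are constructed; the cookie names are Tomcat's defaults.

```python
from dataclasses import dataclass
from typing import Dict, List

# Tomcat's default session cookie names (JSESSIONIDSSO comes from the SSO valve).
SESSION_COOKIE_NAMES = {"JSESSIONID", "JSESSIONIDSSO"}


@dataclass
class Finding:
    cookie: str
    reason: str


def parse_set_cookie(header: str):
    """Split one Set-Cookie value into (name, {attr_lower: value}); flags map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def proxied_over_https(request_headers: Dict[str, str]) -> bool:
    """True if the proxy declared the client connection as HTTPS via
    X-Forwarded-Proto (RemoteIpFilter's default protocolHeader); first value wins."""
    lowered = {k.lower(): v for k, v in request_headers.items()}
    proto = lowered.get("x-forwarded-proto", "").split(",")[0].strip().lower()
    return proto == "https"


def check_session_cookies(request_headers: Dict[str, str],
                          set_cookie_headers: List[str]) -> List[Finding]:
    """Report session cookies that lack Secure although the request was https-proxied."""
    findings: List[Finding] = []
    if not proxied_over_https(request_headers):
        return findings  # plain-http client: no Secure attribute is expected here
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name.upper() in SESSION_COOKIE_NAMES and "secure" not in attrs:
            findings.append(Finding(name, "missing Secure attribute on https-proxied request"))
    return findings


# Constructed sample exchange: proxy forwards an HTTPS client to Tomcat over plain HTTP.
SAMPLE_REQUEST = {"Host": "app.example.test", "X-Forwarded-Proto": "https"}
VULNERABLE_RESPONSE = ["JSESSIONID=ABC123; Path=/; HttpOnly"]
FIXED_RESPONSE = ["JSESSIONID=ABC123; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    for label, cookies in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        print(label, check_session_cookies(SAMPLE_REQUEST, cookies))
```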

Comment 1 TEJ RATHI 2023-03-24 06:29:48 UTC
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M2
Apache Tomcat 10.1.0-M1 to 10.1.5
Apache Tomcat 9.0.0-M1 to 9.0.71
Apache Tomcat 8.5.0 to 8.5.85

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67

Comment 2 Sandipan Roy 2023-03-24 06:32:06 UTC
Created tomcat tracking bugs for this issue:

Affects: epel-8 [bug 2181441]
Affects: fedora-36 [bug 2181442]
Affects: fedora-37 [bug 2181443]

Comment 7 errata-xmlrpc 2023-09-04 12:16:20 UTC
This issue has been addressed in the following products:

  Red Hat JBoss Web Server 5.7 on RHEL 7
  Red Hat JBoss Web Server 5.7 on RHEL 8
  Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:4909 https://access.redhat.com/errata/RHSA-2023:4909

Comment 8 errata-xmlrpc 2023-09-04 12:24:18 UTC
This issue has been addressed in the following products:

  JWS 5.7.4 release

Via RHSA-2023:4910 https://access.redhat.com/errata/RHSA-2023:4910

Comment 9 Ben 2023-10-12 09:56:07 UTC
This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).

Comment 10 TEJ RATHI 2023-10-25 10:58:06 UTC
In reply to comment #9:
> This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9
> (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old
> RHEL 8 or 9).

This CVE will be fixed with the release of rhel-8.9 and rhel-9.3. RHEL-8 with tomcat-9.0.62-27.el8_9 and RHEL-9 with tomcat-9.0.62-37.el9_3.

Comment 11 Matus Madzin 2023-10-26 21:38:47 UTC
This CVE is fixed in builds tomcat-9.0.62-27.el8_9 and RHEL-9 with tomcat-9.0.62-37.el9_3

Comment 12 errata-xmlrpc 2023-11-07 08:19:25 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6570 https://access.redhat.com/errata/RHSA-2023:6570

Comment 13 errata-xmlrpc 2023-11-14 15:19:50 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7065 https://access.redhat.com/errata/RHSA-2023:7065

