Apache Tomcat information disclosure CVE-2023-28708

When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie over an insecure channel.

Affects: 8.5.0 to 8.5.85

References:
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.86
https://bz.apache.org/bugzilla/show_bug.cgi?id=66471
https://github.com/apache/tomcat/commit/5b72c94e8b2c4ada63a1d91dc527bf4d8fd1f510
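A quick way to confirm the symptom described above on a running instance is to send Tomcat the same kind of request the proxy would (plain HTTP plus X-Forwarded-Proto: https) and inspect the Set-Cookie header it answers with. The script below is an added example, not Tomcat or Red Hat code: the two raw HTTP responses it parses are constructed to illustrate an unpatched and a patched answer, and probe() is the only part that talks to a live server. probe() assumes RemoteIpFilter is mapped in front of the application, that it treats X-Forwarded-Proto as its protocol header, that it trusts the address you send from as an internal proxy, and that the requested path actually creates a session (otherwise no JSESSIONID is issued and there is nothing to judge).

```python
"""CVE-2023-28708 symptom check: does Tomcat's session cookie carry the Secure
attribute when the request arrives over plain HTTP with X-Forwarded-Proto: https?

Added example, not Tomcat or Red Hat code.  The raw responses below are
constructed, not captured from a real server; probe() is the live part and is
not exercised by the self-contained run."""

import http.client
from typing import Dict, List, Optional, Tuple

SESSION_COOKIE = "JSESSIONID"  # Tomcat's default session cookie name


def parse_set_cookie(value: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie value into (name, value, {attribute-lowercased: value}).
    Flag-style attributes such as Secure and HttpOnly map to an empty string."""
    pieces = [p.strip() for p in value.split(";")]
    name, _, val = pieces[0].partition("=")
    attrs: Dict[str, str] = {}
    for piece in pieces[1:]:
        if not piece:
            continue
        key, _, attr_val = piece.partition("=")
        attrs[key.strip().lower()] = attr_val.strip()
    return name.strip(), val.strip(), attrs


def set_cookie_values(raw_response: str) -> List[str]:
    """Pull every Set-Cookie header value out of a raw HTTP/1.1 response text."""
    head = raw_response.split("\r\n\r\n", 1)[0]
    values: List[str] = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            values.append(val.strip())
    return values


def session_cookie_secure(set_cookies: List[str],
                          cookie_name: str = SESSION_COOKIE) -> Optional[bool]:
    """True/False for the Secure flag on the session cookie; None if none was set."""
    for value in set_cookies:
        name, _, attrs = parse_set_cookie(value)
        if name == cookie_name:
            return "secure" in attrs
    return None


def verdict(set_cookies: List[str]) -> str:
    """Human-readable result for one response's Set-Cookie headers."""
    state = session_cookie_secure(set_cookies)
    if state is None:
        return "no session cookie issued (request a URL that creates a session)"
    if state:
        return "ok: session cookie carries Secure"
    return "VULNERABLE: session cookie lacks Secure despite X-Forwarded-Proto: https"


def probe(host: str, port: int, path: str = "/") -> List[str]:
    """Send a plain-HTTP request the way a TLS-terminating proxy would and return
    the Set-Cookie values Tomcat answered with.  Assumes RemoteIpFilter trusts
    the caller's address and reads X-Forwarded-Proto (hypothetical deployment)."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    conn.request("GET", path, headers={"X-Forwarded-Proto": "https"})
    resp = conn.getresponse()
    values = [v for k, v in resp.getheaders() if k.lower() == "set-cookie"]
    conn.close()
    return values


# Constructed sample responses (not captured from a real server).
UNPATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/; HttpOnly\r\n"
    "Content-Length: 0\r\n\r\n"
)
PATCHED = (
    "HTTP/1.1 200 OK\r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/; Secure; HttpOnly\r\n"
    "Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("unpatched", UNPATCHED), ("patched", PATCHED)):
        print(f"{label}: {verdict(set_cookie_values(raw))}")
    # Live use: print(verdict(probe("tomcat.internal", 8080, "/app/login")))
```

Two caveats when reading a live result. A web application that sets secure to true under session-config/cookie-config in its web.xml forces the Secure attribute regardless of request.isSecure(), so a passing result there says nothing about whether the Tomcat build is patched; confirm the package or distribution version as well. Conversely, a failing result only matters where the proxy really does terminate TLS and forward over HTTP, which is exactly the deployment this advisory is about.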
Versions Affected:
Apache Tomcat 11.0.0-M1 to 11.0.0-M2
Apache Tomcat 10.1.0-M1 to 10.1.5
Apache Tomcat 9.0.0-M1 to 9.0.71
Apache Tomcat 8.5.0 to 8.5.85

https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
Created tomcat tracking bugs for this issue:

Affects: epel-8 [bug 2181441]
Affects: fedora-36 [bug 2181442]
Affects: fedora-37 [bug 2181443]
This issue has been addressed in the following products:

Red Hat JBoss Web Server 5.7 on RHEL 7
Red Hat JBoss Web Server 5.7 on RHEL 8
Red Hat JBoss Web Server 5.7 on RHEL 9

Via RHSA-2023:4909 https://access.redhat.com/errata/RHSA-2023:4909
This issue has been addressed in the following products:

JWS 5.7.4 release

Via RHSA-2023:4910 https://access.redhat.com/errata/RHSA-2023:4910
This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9 (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old RHEL 8 or 9).
In reply to comment #9:
> This bug has not been fixed in the Tomcat 9.0.62 for RHEL 8 and RHEL 9
> (NOTE: _NOT_ the JBoss Tomcat, the one available to anyone running plain old
> RHEL 8 or 9).

This CVE will be fixed with the release of rhel-8.9 and rhel-9.3: RHEL-8 with tomcat-9.0.62-27.el8_9 and RHEL-9 with tomcat-9.0.62-37.el9_3.
This CVE is fixed in builds tomcat-9.0.62-27.el8_9 (RHEL-8) and tomcat-9.0.62-37.el9_3 (RHEL-9).
This issue has been addressed in the following products:

Red Hat Enterprise Linux 9

Via RHSA-2023:6570 https://access.redhat.com/errata/RHSA-2023:6570
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2023:7065 https://access.redhat.com/errata/RHSA-2023:7065