SecurityTracker.com
SecurityTracker
Archives
Category:   Application (Web Server/CGI)  >   Apache Tomcat
Vendors:   Apache Software Foundation
Apache Tomcat Default CORS Filter Settings Lets Remote Users Bypass Security Restrictions on the Target System
SecurityTracker Alert ID:  1040998
SecurityTracker URL:  http://securitytracker.com/id/1040998
CVE Reference:   CVE-2018-8014
Date:  May 31 2018
Impact:   Host/resource access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 7.0.41 to 7.0.88, 8.0.0.RC1 to 8.0.52, 8.5.0 to 8.5.31, 9.0.0.M1 to 9.0.8
Description:   A vulnerability was reported in Apache Tomcat. A remote user can bypass security controls on the target system.

The default settings for the CORS filter enable 'supportsCredentials' for all origins. A remote user can exploit this to bypass security controls on the target system.

Systems using the CORS filter in the default configuration may be affected.
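The entry above describes the affected default (credentials accepted from any origin) and the advisory's mitigation is to configure the filter explicitly. As an added example, not part of the SecurityTracker entry or of the Tomcat project's own code, the following Python checker parses a Tomcat web.xml and flags any CorsFilter whose effective settings allow credentials for a wildcard origin. The filter class org.apache.catalina.filters.CorsFilter and the init-param names cors.allowed.origins and cors.support.credentials are Tomcat's documented ones; the table of affected defaults assumes a Tomcat build in the affected version ranges (the fixed versions change the credentials default), and the three web.xml fragments are constructed samples.

```python
"""Flag Tomcat CorsFilter configurations that allow credentials for any origin,
which is what the affected default configuration (CVE-2018-8014) does."""
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

# Defaults assumed by an affected Tomcat version when a param is not set:
# any origin, and credentials (cookies, HTTP auth) allowed. Fixed versions
# default cors.support.credentials to false.
AFFECTED_DEFAULTS = {
    "cors.allowed.origins": "*",
    "cors.support.credentials": "true",
}


def _local(tag):
    """Strip the XML namespace prefix that a real web.xml declares."""
    return tag.rsplit("}", 1)[-1]


def cors_filters(web_xml_text):
    """Return [(filter_name, {param: value})] for every CorsFilter in a web.xml."""
    root = ET.fromstring(web_xml_text)
    found = []
    for flt in root.iter():
        if _local(flt.tag) != "filter":
            continue
        name = klass = None
        params = {}
        for child in flt:
            tag = _local(child.tag)
            if tag == "filter-name":
                name = (child.text or "").strip()
            elif tag == "filter-class":
                klass = (child.text or "").strip()
            elif tag == "init-param":
                pname = pvalue = None
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = (p.text or "").strip()
                    elif _local(p.tag) == "param-value":
                        pvalue = (p.text or "").strip()
                if pname is not None:
                    params[pname] = pvalue or ""
        if klass == CORS_FILTER_CLASS:
            found.append((name, params))
    return found


def audit(web_xml_text):
    """Return a list of findings; an empty list means no insecure CorsFilter."""
    findings = []
    for name, params in cors_filters(web_xml_text):
        effective = dict(AFFECTED_DEFAULTS)  # start from the affected defaults
        effective.update(params)             # explicit params override them
        origins = [o.strip() for o in effective["cors.allowed.origins"].split(",")]
        creds = effective["cors.support.credentials"].lower() == "true"
        if creds and "*" in origins:
            missing = [k for k in AFFECTED_DEFAULTS if k not in params]
            note = f" (relying on affected defaults for {missing})" if missing else ""
            findings.append(f"filter '{name}': credentials allowed for any origin{note}")
    return findings


def _web_xml(init_params):
    """Build a constructed web.xml containing one CorsFilter with the given params."""
    body = "".join(
        f"<init-param><param-name>{k}</param-name><param-value>{v}</param-value></init-param>"
        for k, v in init_params.items()
    )
    return (
        '<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">'
        f"<filter><filter-name>CorsFilter</filter-name>"
        f"<filter-class>{CORS_FILTER_CLASS}</filter-class>{body}</filter>"
        "</web-app>"
    )


# Constructed samples: the bare default configuration the advisory warns about,
# an explicit wildcard-plus-credentials setting, and a hardened configuration
# that names a single origin (a placeholder host) for credentialed requests.
DEFAULT_WEB_XML = _web_xml({})
EXPLICIT_WILDCARD_WEB_XML = _web_xml(
    {"cors.allowed.origins": "*", "cors.support.credentials": "true"}
)
HARDENED_WEB_XML = _web_xml(
    {"cors.allowed.origins": "https://app.example.invalid",
     "cors.support.credentials": "true"}
)

if __name__ == "__main__":
    for label, doc in [("default", DEFAULT_WEB_XML),
                       ("explicit wildcard", EXPLICIT_WILDCARD_WEB_XML),
                       ("hardened", HARDENED_WEB_XML)]:
        print(label, "->", audit(doc) or "ok")
```

The checker starts from the affected defaults and lets explicit init-params override them, so a filter declared with no parameters at all is reported, which is the case the advisory describes. Setting cors.support.credentials to false, or listing the specific origins that may send credentials instead of "*", clears the finding.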

Impact:   A remote user can bypass security controls on the target system.
Solution:   The vendor has issued a fix (pending versions 7.0.89, 8.0.53, 8.5.32, 9.0.9).

The vendor advisory is available at:

http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.9

Vendor URL:  tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.9
Cause:   Access control error
Underlying OS:  Linux (Any), UNIX (Any), Windows (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
May 31 2018 (Ubuntu Issues Fix) Apache Tomcat Default CORS Filter Settings Lets Remote Users Bypass Security Restrictions on the Target System
Ubuntu has issued a fix for Ubuntu Linux 14.04 LTS, 16.04 LTS, 17.10, and 18.04 LTS.
Aug 16 2018 (Red Hat Issues Fix for Red Hat JBoss Web Server) Apache Tomcat Default CORS Filter Settings Lets Remote Users Bypass Security Restrictions on the Target System
Red Hat has issued a fix for Red Hat JBoss Web Server for Red Hat Enterprise Linux 6 and 7.

Source Message Contents

Subject:  [oss-security] [SECURITY] CVE-2018-8014 Insecure defaults for CORS filter

CVE-2018-8014 Insecure defaults for CORS filter

Severity: Low

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.8
Apache Tomcat 8.5.0 to 8.5.31
Apache Tomcat 8.0.0.RC1 to 8.0.52
Apache Tomcat 7.0.41 to 7.0.88

Description:
The default settings for the CORS filter are insecure and enable
'supportsCredentials' for all origins.
It is expected that users of the CORS filter will have configured it
appropriately for their environment rather than using it in the default
configuration. Therefore, it is expected that most users will not be
impacted by this issue.

Mitigation:
Users of the affected versions should apply one of the following
mitigations.
- Configure the filter appropriately for your environment

Secure defaults will be provided in the following versions:
- Apache Tomcat 9.0.9 or later when released
- Apache Tomcat 8.5.32 or later when released
- Apache Tomcat 8.0.53 or later when released
- Apache Tomcat 7.0.89 or later when released

History:
2018-05-15 Original advisory

References:
[1] http://tomcat.apache.org/security-9.html
[2] http://tomcat.apache.org/security-8.html
[3] http://tomcat.apache.org/security-7.html

Copyright 2018, SecurityGlobal.net LLC