{ "threat_severity" : "Moderate", "public_date" : "2018-05-17T00:00:00Z", "bugzilla" : { "description" : "tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins", "id" : "1579611", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1579611" }, "cvss3" : { "cvss3_base_score" : "5.7", "cvss3_scoring_vector" : "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N", "status" : "verified" }, "cwe" : "CWE-284", "details" : [ "The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue." ], "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 7", "release_date" : "2019-08-06T00:00:00Z", "advisory" : "RHSA-2019:2205", "cpe" : "cpe:/o:redhat:enterprise_linux:7", "package" : "tomcat-0:7.0.76-9.el7" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2019-06-18T00:00:00Z", "advisory" : "RHSA-2019:1529", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "pki-deps:10.6-8000020190524054914.55190bc5" }, { "product_name" : "Red Hat Fuse 7.2", "release_date" : "2018-12-04T00:00:00Z", "advisory" : "RHSA-2018:3768", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "tomcat" }, { "product_name" : "Red Hat JBoss Web Server 3.1", "release_date" : "2018-08-16T00:00:00Z", "advisory" : "RHSA-2018:2470", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1", "package" : "tomcat7" }, { "product_name" : "Red Hat JBoss Web Server 3.1", "release_date" : "2018-08-16T00:00:00Z", "advisory" : "RHSA-2018:2470", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1", "package" : "tomcat8" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2018-08-16T00:00:00Z", "advisory" : "RHSA-2018:2469", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat7-0:7.0.70-27.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2018-08-16T00:00:00Z", "advisory" : "RHSA-2018:2469", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat8-0:8.0.36-31.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 6", "release_date" : "2018-08-16T00:00:00Z", "advisory" : "RHSA-2018:2469", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el6", "package" : "tomcat-native-0:1.2.17-17.redhat_17.ep7.el6" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2018-08-16T00:00:00Z", "advisory" : "RHSA-2018:2469", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat7-0:7.0.70-27.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2018-08-16T00:00:00Z", "advisory" : "RHSA-2018:2469", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat8-0:8.0.36-31.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 3 for RHEL 7", "release_date" : "2018-08-16T00:00:00Z", "advisory" : "RHSA-2018:2469", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:3.1::el7", "package" : "tomcat-native-0:1.2.17-17.redhat_17.ep7.el7" }, { "product_name" : "Red Hat JBoss Web Server 5.0", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0450", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0", "package" : "tomcat" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 6", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el6", "package" : "jws5-ecj-0:4.6.1-6.redhat_1.1.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 6", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el6", "package" : "jws5-javapackages-tools-0:3.4.1-5.15.10.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 6", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el6", "package" : "jws5-jboss-logging-0:3.3.1-5.Final_redhat_1.1.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 6", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el6", "package" : "jws5-mod_cluster-0:1.4.0-9.Final_redhat_1.1.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 6", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el6", "package" : "jws5-tomcat-0:9.0.7-17.redhat_16.1.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 6", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el6", "package" : "jws5-tomcat-native-0:1.2.17-26.redhat_26.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 6", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el6", "package" : "jws5-tomcat-vault-0:1.1.7-5.Final_redhat_2.1.el6jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 7", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el7", "package" : "jws5-ecj-0:4.6.1-6.redhat_1.1.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 7", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el7", "package" : "jws5-javapackages-tools-0:3.4.1-5.15.10.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 7", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el7", "package" : "jws5-jboss-logging-0:3.3.1-5.Final_redhat_1.1.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 7", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el7", "package" : "jws5-mod_cluster-0:1.4.0-9.Final_redhat_1.1.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 7", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el7", "package" : "jws5-tomcat-0:9.0.7-17.redhat_16.1.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 7", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el7", "package" : "jws5-tomcat-native-0:1.2.17-26.redhat_26.el7jws" }, { "product_name" : "Red Hat JBoss Web Server 5.0 on RHEL 7", "release_date" : "2019-03-04T00:00:00Z", "advisory" : "RHSA-2019:0451", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:5.0::el7", "package" : "jws5-tomcat-vault-0:1.1.7-5.Final_redhat_2.1.el7jws" } ], "package_state" : [ { "product_name" : "Red Hat BPM Suite 6", "fix_state" : "Not affected", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform" }, { "product_name" : "Red Hat Enterprise Linux 6", "fix_state" : "Not affected", "package_name" : "tomcat6", "cpe" : "cpe:/o:redhat:enterprise_linux:6" }, { "product_name" : "Red Hat JBoss BRMS 5", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:5" }, { "product_name" : "Red Hat JBoss BRMS 6", "fix_state" : "Not affected", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:6" }, { "product_name" : "Red Hat JBoss Data Grid 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_data_grid:6" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Not affected", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Virtualization 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_data_virtualization:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 5", "fix_state" : "Out of support scope", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:5" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Not affected", "package_name" : "tomcat6", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Enterprise Web Server 2", "fix_state" : "Will not fix", "package_name" : "tomcat7", "cpe" : "cpe:/a:redhat:jboss_enterprise_web_server:2" }, { "product_name" : "Red Hat JBoss Fuse 6", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_fuse:6" }, { "product_name" : "Red Hat JBoss Fuse Integration Service 2", "fix_state" : "Will not fix", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:fuse_integration_services:2" }, { "product_name" : "Red Hat JBoss Fuse Service Works 6", "fix_state" : "Will not fix", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_fuse_service_works:6" }, { "product_name" : "Red Hat JBoss Operations Network 3", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_operations_network:3" }, { "product_name" : "Red Hat JBoss SOA Platform 5", "fix_state" : "Not affected", "package_name" : "jbossweb", "cpe" : "cpe:/a:redhat:jboss_enterprise_soa_platform:5" }, { "product_name" : "Red Hat OpenShift Application Runtimes", "fix_state" : "Will not fix", "package_name" : "tomcat", "cpe" : "cpe:/a:redhat:openshift_application_runtimes:1.0" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Not affected", "package_name" : "rh-java-common-tomcat", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2018-8014\nhttps://nvd.nist.gov/vuln/detail/CVE-2018-8014\nhttp://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.89\nhttp://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.53\nhttp://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.32\nhttp://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.9" ], "name" : "CVE-2018-8014", "mitigation" : { "value" : "When using the CORS filter, it is recommended to configure it explicitly for your environment. In particular, the combination of `cors.allowed.origins = *` and `cors.support.credentials = True` should be avoided as this can leave your application vulnerable to cross-site scripting (XSS). For details on configuring CORS filter, please refer to https://tomcat.apache.org/tomcat-7.0-doc/config/filter.html#CORS_Filter", "lang" : "en:us" }, "csaw" : false }