What is the impact of and workaround for CVE-2023-28708?
Environment
- Red Hat Enterprise Linux (RHEL)
- JBoss Web Server (JWS)
- Tomcat
Issue
- Is our Tomcat configuration impacted by CVE-2023-28708?
Resolution
- CVE-2023-28708 only potentially impacts a Tomcat configuration using a RemoteIpFilter behind a proxy or load balancer that sets an X-Forwarded-Proto request header with a value of https. If you do not use RemoteIpFilter in such a configuration, the vulnerability has no impact on you.
- If you do use RemoteIpFilter in such a configuration, the impact is that JSESSIONID cookies are not generated with the Secure flag as would be desired. That means clients could potentially send their JSESSIONID over plain HTTP, which may allow others to observe and steal the client's JSESSIONID from the unencrypted transmission. This can be corrected by configuring the application's WEB-INF/web.xml to issue secure JSESSIONID cookies, for example:

  <web-app>
    <session-config>
      <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
      </cookie-config>
      <tracking-mode>COOKIE</tracking-mode>
    </session-config>
  </web-app>
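A practitioner applying this resolution will want to confirm two things: that the deployed web.xml actually carries the cookie-config shown above, and that the JSESSIONID cookie observed in a live HTTPS response carries the Secure flag. The following Python script is an added example, not part of the Red Hat solution or of Tomcat; the web.xml strings and the Set-Cookie header values it checks are constructed samples, and the function names are my own. It parses the session-config section (tolerating the xmlns prefix found in real web.xml files) and parses a Set-Cookie header with the standard library cookie parser, then reports any gap between what is configured and what is observed.

```python
"""Verify Secure/HttpOnly handling for Tomcat JSESSIONID cookies.

Two independent checks (added example, not Red Hat's or Tomcat's own code):
  1. cookie_config_flags: does WEB-INF/web.xml request Secure and HttpOnly?
  2. jsessionid_flags: does an observed Set-Cookie header actually carry them?
All sample inputs below are constructed for the example.
"""
import xml.etree.ElementTree as ET
from http.cookies import SimpleCookie

# Constructed web.xml samples: a configuration without cookie-config (the
# container default) and the hardened form from the resolution above.
WEAK_WEB_XML = """<web-app>
  <session-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

HARDENED_WEB_XML = """<web-app>
  <session-config>
    <cookie-config>
      <http-only>true</http-only>
      <secure>true</secure>
    </cookie-config>
    <tracking-mode>COOKIE</tracking-mode>
  </session-config>
</web-app>"""

# Constructed Set-Cookie header values: one as a client would see it when the
# Secure flag is missing, one as emitted after the web.xml fix.
INSECURE_SET_COOKIE = "JSESSIONID=0123456789ABCDEF; Path=/app; HttpOnly"
SECURE_SET_COOKIE = "JSESSIONID=0123456789ABCDEF; Path=/app; Secure; HttpOnly"


def _local(tag: str) -> str:
    """Strip an XML namespace prefix, so '{urn:x}secure' compares as 'secure'."""
    return tag.rsplit("}", 1)[-1]


def cookie_config_flags(web_xml: str) -> dict:
    """Read <session-config>/<cookie-config> from a web.xml document.

    Returns {'secure': bool, 'http_only': bool}; an absent element counts as
    False, which matches the container default when nothing is configured.
    """
    root = ET.fromstring(web_xml)
    flags = {"secure": False, "http_only": False}
    for session_config in root:
        if _local(session_config.tag) != "session-config":
            continue
        for cookie_config in session_config:
            if _local(cookie_config.tag) != "cookie-config":
                continue
            for option in cookie_config:
                name = _local(option.tag)
                if name in ("secure", "http-only"):
                    value = (option.text or "").strip().lower()
                    flags[name.replace("-", "_")] = value == "true"
    return flags


def jsessionid_flags(set_cookie_header: str):
    """Parse a Set-Cookie header value and report the JSESSIONID flags.

    Returns {'secure': bool, 'http_only': bool}, or None when the header does
    not set JSESSIONID at all.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar.get("JSESSIONID")
    if morsel is None:
        return None
    # Flag attributes are stored as True when present and '' when absent.
    return {"secure": bool(morsel["secure"]), "http_only": bool(morsel["httponly"])}


def assess_deployment(web_xml: str, set_cookie_header: str) -> list:
    """Combine both checks and return a list of findings (empty means OK)."""
    findings = []
    configured = cookie_config_flags(web_xml)
    observed = jsessionid_flags(set_cookie_header)
    if not configured["secure"]:
        findings.append("web.xml does not set <secure>true</secure> for session cookies")
    if not configured["http_only"]:
        findings.append("web.xml does not set <http-only>true</http-only> for session cookies")
    if observed is not None and not observed["secure"]:
        findings.append("observed JSESSIONID cookie lacks the Secure flag")
    return findings


if __name__ == "__main__":
    for label, xml_text, header in (
        ("before fix", WEAK_WEB_XML, INSECURE_SET_COOKIE),
        ("after fix", HARDENED_WEB_XML, SECURE_SET_COOKIE),
    ):
        print(label + ":", assess_deployment(xml_text, header) or ["ok"])
```

In practice, feed cookie_config_flags the contents of the deployed WEB-INF/web.xml and jsessionid_flags the Set-Cookie value captured from an HTTPS request that goes through the proxy, since the CVE concerns what the container emits when X-Forwarded-Proto is handled by RemoteIpFilter, not what the configuration file says on its own.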
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.