https://bugzilla.redhat.com/show_bug.cgi?id=1579611
Bug ID: 1579611
Summary: CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: low
Priority: low
Assignee: security-response-team@redhat.com
Reporter: sfowler@redhat.com
CC: abhgupta@redhat.com, aileenc@redhat.com, alazarot@redhat.com, alee@redhat.com, anstephe@redhat.com, apintea@redhat.com, avibelli@redhat.com, bgeorges@redhat.com, bkundal@redhat.com, bmaxwell@redhat.com, cdewolf@redhat.com, chazlett@redhat.com, cmoulliard@redhat.com, csutherl@redhat.com, darran.lofthouse@redhat.com, dbaker@redhat.com, dimitris@redhat.com, dosoudil@redhat.com, drieden@redhat.com, etirelli@redhat.com, fgavrilo@redhat.com, gvarsami@redhat.com, gzaronik@redhat.com, hghasemb@redhat.com, hhorak@redhat.com, ibek@redhat.com, ivan.afonichev@gmail.com, java-sig-commits@lists.fedoraproject.org, jawilson@redhat.com, jbalunas@redhat.com, jclere@redhat.com, jcoleman@redhat.com, jdoyle@redhat.com, jokerman@redhat.com, jolee@redhat.com, jondruse@redhat.com, jorton@redhat.com, jpallich@redhat.com, jschatte@redhat.com, jshepherd@redhat.com, jstastny@redhat.com, kconner@redhat.com, krathod@redhat.com, krzysztof.daniel@gmail.com, kverlaen@redhat.com, ldimaggi@redhat.com, lgao@redhat.com, loleary@redhat.com, lpetrovi@redhat.com, lthon@redhat.com, mbabacek@redhat.com, me@coolsvap.net, mizdebsk@redhat.com, mszynkie@redhat.com, myarboro@redhat.com, nwallace@redhat.com, paradhya@redhat.com, pavelp@redhat.com, pgallagh@redhat.com, pgier@redhat.com, pjurak@redhat.com, ppalaga@redhat.com, psakar@redhat.com, pslavice@redhat.com, pszubiak@redhat.com, rnetuka@redhat.com, rrajasek@redhat.com, rruss@redhat.com, rstancel@redhat.com, rsvoboda@redhat.com, rsynek@redhat.com, rwagner@redhat.com, rzhang@redhat.com, sdaley@redhat.com, spinder@redhat.com, sstavrev@redhat.com, sthangav@redhat.com, tcunning@redhat.com, theute@redhat.com, tkirby@redhat.com, trankin@redhat.com, trogers@redhat.com, twalsh@redhat.com, vhalbert@redhat.com, vtunka@redhat.com, weli@redhat.com
Apache Tomcat through versions 7.0.88, 8.0.52, 8.5.31 and 9.0.8 have default settings for the CORS filter that are insecure and enable 'supportsCredentials' for all origins.
External References:
https://lists.apache.org/thread.html/fbfb713e4f8a4c0f81089b89450828011343593...
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-7.html
Upstream Patches:
http://svn.apache.org/viewvc?view=rev&rev=1831726
http://svn.apache.org/viewvc?view=rev&rev=1831728
http://svn.apache.org/viewvc?view=rev&rev=1831729
http://svn.apache.org/viewvc?view=rev&rev=1831730
Sam Fowler sfowler@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1579614, 1579613, 1579612
--- Comment #1 from Sam Fowler sfowler@redhat.com ---
Created tomcat tracking bugs for this issue:
Affects: epel-all [bug 1579613]
Affects: fedora-all [bug 1579612]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1579612
[Bug 1579612] CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1579613
[Bug 1579613] CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins [epel-all]
Sam Fowler sfowler@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |1579616
Bharti Kundal bkundal@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=new,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=new,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=new,fuse-6/jbossweb=new,fsw-6/jbossweb=new,fis-2/tomcat=new,springboot-1/tomcat=new,jbews-2/tomcat6=new,jbews-2/tomcat7=new,jws-3/tomcat7=new,jws-3/tomcat8=new,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=new |impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=new,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=new,fuse-6/jbossweb=new,fsw-6/jbossweb=new,fis-2/tomcat=new,springboot-1/tomcat=new,jbews-2/tomcat6=new,jbews-2/tomcat7=new,jws-3/tomcat7=new,jws-3/tomcat8=new,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=new
Yasuhiro Ozone yozone@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |yozone@redhat.com
Hooman Broujerdi hghasemb@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=new,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=new,fuse-6/jbossweb=new,fsw-6/jbossweb=new,fis-2/tomcat=new,springboot-1/tomcat=new,jbews-2/tomcat6=new,jbews-2/tomcat7=new,jws-3/tomcat7=new,jws-3/tomcat8=new,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=new |impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=new,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=new,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=new,jbews-2/tomcat7=new,jws-3/tomcat7=new,jws-3/tomcat8=new,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=new
Hooman Broujerdi hghasemb@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=new,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=new,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=new,jbews-2/tomcat7=new,jws-3/tomcat7=new,jws-3/tomcat8=new,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=new |impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=new,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=new,jbews-2/tomcat7=new,jws-3/tomcat7=new,jws-3/tomcat8=new,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=new
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=new,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=new,jbews-2/tomcat7=new,jws-3/tomcat7=new,jws-3/tomcat8=new,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=new |impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=new,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat7=affected,jws-3/tomcat8=affected,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=new
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=new,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat7=affected,jws-3/tomcat8=affected,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=new |impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=new,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat7=affected,jws-3/tomcat8=affected,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=affected
Kurt Seifried kseifried@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1582362
Deepti Sharma deesharm@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |deesharm@redhat.com
Tomas Hoger thoger@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=new,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat7=affected,jws-3/tomcat8=affected,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=affected |impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat7=affected,jws-3/tomcat8=affected,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=affected
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Whiteboard|impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat7=affected,jws-3/tomcat8=affected,rhel-8/tomcat=affected,rhel-7/tomcat=new,rhel-6/tomcat6=new,jon-3/jbossweb=new,openshift-online-2/jbossweb=affected |impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat7=affected,jws-3/tomcat8=affected,rhel-8/tomcat=affected,rhel-7/tomcat=affected,rhel-6/tomcat6=notaffected,jon-3/jbossweb=new,openshift-online-2/jbossweb=affected
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Depends On| |1590182
Girish Andavarapu gandavar@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |gandavar@redhat.com
Timothy Walsh twalsh@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Priority|low |medium
Whiteboard|impact=low,public=20180517,reported=20180518,source=internet,cvss3=4.3/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat7=affected,jws-3/tomcat8=affected,rhel-8/tomcat=affected,rhel-7/tomcat=affected,rhel-6/tomcat6=notaffected,jon-3/jbossweb=new,openshift-online-2/jbossweb=affected |impact=moderate,public=20180517,reported=20180518,source=internet,cvss3=5.7/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat7=affected,jws-3/tomcat8=affected,rhel-8/tomcat=affected,rhel-7/tomcat=affected,rhel-6/tomcat6=notaffected,jon-3/jbossweb=new,openshift-online-2/jbossweb=affected
Severity|low |medium
ksuzumur@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ksuzumur@redhat.com
Dasharath Masirkar dmasirka@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dmasirka@redhat.com
Doran Moppert dmoppert@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
Fixed In Version|tomcat 9.0.9, tomcat 8.5.32, tomcat 8.0.53, tomcat 7.0.89 |tomcat 8.0.53, tomcat 8.5.32, tomcat 9.0.9, tomcat 7.0.89
Chess Hazlett chazlett@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |ikanello@redhat.com
Whiteboard|impact=moderate,public=20180517,reported=20180518,source=internet,cvss3=5.7/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=new,brms-6/tomcat=new,brms-5/jbossweb=new,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=new,jdg-7/tomcat=new,jdv-6/jbossweb=new,soap-5/jbossweb=new,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=new,jbews-2/tomcat6=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat7=affected,jws-3/tomcat8=affected,rhel-8/tomcat=affected,rhel-7/tomcat=affected,rhel-6/tomcat6=notaffected,jon-3/jbossweb=new,openshift-online-2/jbossweb=affected |impact=moderate,public=20180517,reported=20180518,source=internet,cvss3=5.7/CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N,cwe=CWE-284,fedora-all/tomcat=affected,epel-all/tomcat=affected,rhscl-3/rh-java-common-tomcat=notaffected,bpms-6/tomcat=notaffected,brms-6/tomcat=notaffected,brms-5/jbossweb=notaffected,eap-5/jbossweb=new,eap-6/jbossweb=notaffected,jdg-6/jbossweb=notaffected,jdg-7/tomcat=notaffected,jdv-6/jbossweb=notaffected,soap-5/jbossweb=notaffected,fuse-7/tomcat=affected,fuse-6/jbossweb=wontfix,fsw-6/jbossweb=wontfix,fis-2/tomcat=affected,springboot-1/tomcat=affected,jbews-2/tomcat6=notaffected,jbews-2/tomcat7=wontfix,jws-3/tomcat7=affected,jws-3/tomcat8=affected,rhel-8/tomcat=affected,rhel-7/tomcat=affected,rhel-6/tomcat6=notaffected,jon-3/jbossweb=notaffected,openshift-online-2/jbossweb=affected
--- Comment #9 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat JBoss Web Server
Via RHSA-2018:2470 https://access.redhat.com/errata/RHSA-2018:2470
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
External Bug ID| |Red Hat Product Errata RHSA-2018:2470
--- Comment #10 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat JBoss Web Server 3 for RHEL 7
Red Hat JBoss Web Server 3 for RHEL 6
Via RHSA-2018:2469 https://access.redhat.com/errata/RHSA-2018:2469
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
External Bug ID| |Red Hat Product Errata RHSA-2018:2469
Bug 1579611 depends on bug 1579613, which changed state.
Bug 1579613 Summary: CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins [epel-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1579613
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
Bug 1579611 depends on bug 1579612, which changed state.
Bug 1579612 Summary: CVE-2018-8014 tomcat: Insecure defaults in CORS filter enable 'supportsCredentials' for all origins [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1579612
What |Removed |Added
----------------------------------------------------------------------------
Status|ON_QA |CLOSED
Resolution|--- |ERRATA
--- Comment #12 from errata-xmlrpc errata-xmlrpc@redhat.com ---
This issue has been addressed in the following products:
Red Hat Fuse 7.2
Via RHSA-2018:3768 https://access.redhat.com/errata/RHSA-2018:3768
errata-xmlrpc errata-xmlrpc@redhat.com changed:
What |Removed |Added
----------------------------------------------------------------------------
External Bug ID| |Red Hat Product Errata RHSA-2018:3768