- Type: Bug
- Status: Closed
- Priority: Minor
- Resolution: Done
- Affects Version/s: FIS 2.0
- Fix Version/s: fuse-7.0
- Component/s: FIS-Productization Pipeline
- Sprint: Fuse 7.0 Sprint 27
- Security Sensitive Issue: This issue is security relevant
Security Tracking Issue
Do not make this issue public.
This bug is subject to the Security Errata Policy.
The overall impact of the blocking security issue(s) is Moderate. Based on this impact, this bug must be resolved by 23-Feb-2019.
Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata
Flaw:
CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
https://bugzilla.redhat.com/show_bug.cgi?id=1548282
Apache Tomcat versions 7.0.0 to 7.0.84, 8.0.0.RC1 to 8.0.49 and 8.5.0 to 8.5.27 only apply security constraints defined by Servlets once those Servlets are loaded. Depending on the order that Servlets load, some security constraints may not be applied leading to unintended resource exposure.
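Added illustration, not part of this ticket or of Tomcat's own code: a servlet that declares its security constraint by annotation, which is the case the flaw description covers, with the servlet forced to load at deployment so the constraint is in force before any request reaches it. The package, class and role names are hypothetical, and forcing load at startup is shown only as a defensive configuration; upgrading to a fixed Tomcat release is the actual remediation.

```java
// Hypothetical package and class names; constructed for illustration.
package example;

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The constraint below is defined by the servlet itself (annotation), which
// affected Tomcat versions apply only once the servlet has been loaded.
// loadOnStartup = 1 makes the container instantiate the servlet at
// deployment, so the constraint is applied before the first request instead
// of after the first request has already reached the servlet.
@WebServlet(urlPatterns = "/admin/*", loadOnStartup = 1)
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Only reachable by authenticated users in the "admin" role once the
        // constraint is in force.
        resp.setContentType("text/plain");
        resp.getWriter().println("admin area, user=" + req.getRemoteUser());
    }
}
```

Declaring the same constraint in web.xml (a security-constraint on /admin/* with an auth-constraint for the admin role) keeps it independent of servlet load order, which is the defensive alternative when the deployment cannot be patched immediately.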
External References:
https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.85
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.50
https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.28
Upstream Fixes:
Tomcat 7.0.x:
http://svn.apache.org/viewvc?view=rev&rev=1823322
http://svn.apache.org/viewvc?view=rev&rev=1824360
Tomcat 8.0.x:
http://svn.apache.org/viewvc?view=rev&rev=1823319
http://svn.apache.org/viewvc?view=rev&rev=1824359
Tomcat 8.5.x:
http://svn.apache.org/viewvc?view=rev&rev=1823314
http://svn.apache.org/viewvc?view=rev&rev=1824358