Red Hat Fuse: ENTESB-8628

CVE-2018-1305 tomcat8: tomcat: Late application of security constraints can lead to resource exposure for unauthorised users [fis-2.0]

    Details

    • Sprint:
      Fuse 7.0 Sprint 27
    • Security Sensitive Issue:
      This issue is security relevant

      Description

      Security Tracking Issue

      Do not make this issue public.

      This bug is subject to the Security Errata Policy.

      The overall impact of the blocking security issue(s) is Moderate. Based on this impact, this bug must be resolved by 23-Feb-2019.

      Please refer to the Security Errata Policy documentation for further details: https://docs.prodsec.redhat.com/policy-guide/#policy-errata

      Flaw:

      CVE-2018-1305 tomcat: Late application of security constraints can lead to resource exposure for unauthorised users
      https://bugzilla.redhat.com/show_bug.cgi?id=1548282

      Apache Tomcat versions 7.0.0 to 7.0.84, 8.0.0.RC1 to 8.0.49 and 8.5.0 to 8.5.27 only apply security constraints declared by annotations on Servlets (@ServletSecurity) once those Servlets are loaded. Because such a constraint covers the Servlet's URL pattern and every URL below it, the order in which Servlets load determines whether it is in force for a given request, so some security constraints may not be applied, leading to unintended resource exposure to unauthorised users.
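      The layout below is an added illustration of the affected pattern, not code from the Red Hat issue or from Tomcat. It assumes a hypothetical web application with an `AdminServlet` mapped to `/admin/*` whose only constraint comes from `@ServletSecurity`, and a `ReportServlet` mapped to `/admin/reports/*` that has no constraint of its own and relies on the broader one. Constraints match on the request URL, not on which Servlet is mapped, so on the affected versions the `/admin/*` constraint protects the reports only after `AdminServlet` has been loaded. The `loadOnStartup` attribute and the per-Servlet constraint are the mitigations shown; the package name, class names and role name are assumptions.

```java
package example; // assumed package name, not from the page

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/*
 * Assumed layout (not from the page):
 *
 *   /admin/*          -> AdminServlet, constraint declared only via @ServletSecurity
 *   /admin/reports/*  -> ReportServlet, no constraint of its own; it relies on the
 *                        broader /admin/* constraint because constraints match on
 *                        URL, not on which Servlet handles the request.
 *
 * On Tomcat 7.0.0-7.0.84, 8.0.0.RC1-8.0.49 and 8.5.0-8.5.27 the /admin/* constraint
 * is only registered when AdminServlet is loaded. Without loadOnStartup that happens
 * on the first request routed to AdminServlet, so a request for
 * /admin/reports/summary that arrives before any /admin/ request is handled by
 * ReportServlet with no constraint in force.
 */

// Vulnerable form:   @WebServlet(urlPatterns = "/admin/*")
// Hardened form:     loadOnStartup makes the container load the Servlet, and
//                    therefore register its constraint, at context start,
//                    before any request is processed.
@WebServlet(urlPatterns = "/admin/*", loadOnStartup = 1)
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminServlet extends HttpServlet {

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("admin console for " + req.getRemoteUser());
    }

    // Normally its own top-level class; nested here so the example is one file.
    // Giving the reports Servlet its own constraint (and eager load) means it no
    // longer depends on AdminServlet having been loaded first.
    @WebServlet(urlPatterns = "/admin/reports/*", loadOnStartup = 1)
    @ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
    public static class ReportServlet extends HttpServlet {
        @Override
        protected void doGet(HttpServletRequest req, HttpServletResponse resp)
                throws ServletException, IOException {
            resp.setContentType("text/plain");
            resp.getWriter().println("report for " + req.getRemoteUser());
        }
    }
}

/*
 * Equivalent declaration in WEB-INF/web.xml. Constraints declared here are read
 * when the context is deployed, independent of Servlet loading order, so they are
 * the safer place for the constraint until Tomcat is upgraded. A login-config and
 * security-role are needed in either case; the annotation declares neither.
 *
 *   <security-constraint>
 *     <web-resource-collection>
 *       <web-resource-name>admin</web-resource-name>
 *       <url-pattern>/admin/*</url-pattern>
 *     </web-resource-collection>
 *     <auth-constraint><role-name>admin</role-name></auth-constraint>
 *   </security-constraint>
 *   <login-config><auth-method>BASIC</auth-method></login-config>
 *   <security-role><role-name>admin</role-name></security-role>
 */
```

      To check an instance, restart the application so no Servlet has loaded yet, then request a URL covered only by the inherited constraint (here `/admin/reports/summary`) without credentials before anything touches `/admin/`. A 200 on an affected version where a 401 or 403 is expected shows the gap; after one request to `AdminServlet` the same URL is protected, which is the "depends on load order" behaviour the flaw describes. The mitigations above reduce exposure, but the fix is the upgrade to Tomcat 7.0.85, 8.0.50 or 8.5.28 referenced below.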

      External References:

      https://tomcat.apache.org/security-7.html#Fixed_in_Apache_Tomcat_7.0.85
      https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.0.50
      https://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.28

      Upstream Fixes:

      Tomcat 7.0.x:

      http://svn.apache.org/viewvc?view=rev&rev=1823322
      http://svn.apache.org/viewvc?view=rev&rev=1824360

      Tomcat 8.0.x:

      http://svn.apache.org/viewvc?view=rev&rev=1823319
      http://svn.apache.org/viewvc?view=rev&rev=1824359

      Tomcat 8.5.x:

      http://svn.apache.org/viewvc?view=rev&rev=1823314
      http://svn.apache.org/viewvc?view=rev&rev=1824358

      People

      • Assignee: Unassigned
      • Reporter: hooman_b2455 Hooman Broujerdi
      • Tester: Lukáš Löwinger
      • Involved: Hooman Broujerdi
