Date: Fri, 23 Feb 2018 00:33:34 +0000
From: Mark Thomas <markt@...che.org>
To: oss-security@...ts.openwall.com
Subject: Fwd: [SECURITY] CVE-2018-1305 Security constraint annotations applied too late

-------- Forwarded Message --------
Subject: [SECURITY] CVE-2018-1305 Security constraint annotations applied too late
Date: Fri, 23 Feb 2018 00:27:36 +0000
From: Mark Thomas <markt@...che.org>
Reply-To: announce@...cat.apache.org, announce@...cat.apache.org
To: Tomcat Users List <users@...cat.apache.org>
CC: Tomcat Developers List <dev@...cat.apache.org>, announce@...che.org, announce@...cat.apache.org <announce@...cat.apache.org>

CVE-2018-1305 Security constraint annotations applied too late

Severity: High

Vendor: The Apache Software Foundation

Versions Affected:
Apache Tomcat 9.0.0.M1 to 9.0.4
Apache Tomcat 8.5.0 to 8.5.27
Apache Tomcat 8.0.0.RC1 to 8.0.49
Apache Tomcat 7.0.0 to 7.0.84

Description:
Security constraints defined by annotations of Servlets were only applied once a Servlet had been loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets were loaded - for some security constraints not to be applied. This could have exposed resources to users who were not authorised to access them.

Mitigation:
Users of the affected versions should apply one of the following mitigations.
Upgrade to:
- Apache Tomcat 9.0.5 or later
- Apache Tomcat 8.5.28 or later
- Apache Tomcat 8.0.50 or later
- Apache Tomcat 7.0.85 or later

Credit:
This issue was identified by the Apache Tomcat Security Team.

History:
2018-02-23 Original advisory

References:
http://tomcat.apache.org/security-9.html
http://tomcat.apache.org/security-8.html
http://tomcat.apache.org/security-7.html
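As an added illustration (not part of the advisory or of Tomcat's own code), the constructed example below shows the kind of annotation-declared constraint the advisory refers to: the @ServletSecurity constraint on /admin/* is meant to cover every URL below that point, including a second servlet mapped under it with no constraint of its own, so on the affected versions whether a request to /admin/reports was protected depended on whether AdminServlet had already been loaded. Class names and URL paths are constructed.

```java
import java.io.IOException;

import javax.servlet.ServletException;
import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Constructed example. The constraint is declared by annotation rather than in
// web.xml, so on the affected Tomcat versions it only took effect once this
// servlet had been loaded. Because it is attached to "/admin/*", it is also the
// only thing protecting ReportServlet below.
@WebServlet(urlPatterns = "/admin/*")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("admin console, user=" + req.getRemoteUser());
    }
}

// Mapped below /admin/* and carrying no constraint of its own. Before the fix,
// whether the "/admin/*" constraint was already active for /admin/reports
// depended on load order, which is the behaviour CVE-2018-1305 describes.
@WebServlet(urlPatterns = "/admin/reports")
class ReportServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("report data, user=" + req.getRemoteUser());
    }
}
```

When auditing an application on an affected version, servlets whose only protection comes from an @ServletSecurity annotation on a parent pattern, as ReportServlet here, are the ones whose coverage depended on load order.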