The MITRE CVE dictionary describes this issue as:

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Find out more about CVE-2018-8034 from the MITRE CVE dictionary and NIST NVD.
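The defect is in how the WebSocket client builds its TLS engine: a JSSE `SSLEngine` validates the server's certificate chain, but it only compares the certificate's names against the target host when an endpoint identification algorithm has been set on it. The following is an added example, not code from Tomcat or from this advisory; it shows the two ways of creating an engine side by side and a check a practitioner can run against any engine a library hands back. Host and port are placeholders and no connection is made.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import java.security.NoSuchAlgorithmException;

public class WsEngineHostnameCheck {

    // Pre-fix pattern: the engine knows the peer host and port, but no endpoint
    // identification algorithm is set, so JSSE verifies the chain and never
    // compares the certificate's SAN/CN entries to `host`. Any certificate
    // issued by a trusted CA, for any name, is accepted: a MITM position suffices.
    static SSLEngine createEngineWithoutHostnameVerification(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        return engine;
    }

    // Fixed pattern: same engine, with the standard JSSE "HTTPS" endpoint
    // identification enabled. The handshake now fails with an
    // SSLHandshakeException if the certificate does not match `host`.
    static SSLEngine createEngineWithHostnameVerification(SSLContext ctx, String host, int port) {
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    // Check to apply to an SSLEngine obtained from any client library: returns
    // true only when a hostname-matching algorithm is configured. Note that
    // the default for a freshly created engine is null (no verification).
    static boolean verifiesHostname(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return "HTTPS".equalsIgnoreCase(alg) || "LDAPS".equalsIgnoreCase(alg);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        SSLContext ctx = SSLContext.getDefault();
        String host = "ws.example.test"; // placeholder: nothing is contacted
        int port = 443;

        SSLEngine preFix = createEngineWithoutHostnameVerification(ctx, host, port);
        SSLEngine fixed = createEngineWithHostnameVerification(ctx, host, port);

        System.out.println("pre-fix engine verifies host name: " + verifiesHostname(preFix));
        System.out.println("fixed engine verifies host name:   " + verifiesHostname(fixed));
    }
}
```

The Tomcat WebSocket client lets callers supply their own `SSLContext` through the `org.apache.tomcat.websocket.SSL_CONTEXT` user property on the `ClientEndpointConfig`, but the endpoint identification setting lives on the `SSLEngine`, which the container creates from that context. A hardened context alone therefore does not restore the check on an affected version; the fixed release (or a client that configures the engine as above) is required.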
Tomcat 6, and Red Hat products shipping it, are not affected by this CVE. Tomcat 7, 8, and 9, as well as Red Hat products shipping them, are affected. Affected products, including Red Hat JBoss Web Server 3 and 5, Red Hat JBoss Enterprise Application Platform 6, and Red Hat JBoss Fuse 7, may provide fixes for this issue in a future release.
Metric | Value |
---|---|
CVSS3 Base Score | 4.3 |
CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
Attack Vector | Network |
Attack Complexity | Low |
Privileges Required | None |
User Interaction | Required |
Scope | Unchanged |
Confidentiality Impact | None |
Integrity Impact | Low |
Availability Impact | None |
Platform | Errata | Release Date |
---|---|---|
Red Hat JBoss Web Server 3.1 for RHEL 7 | RHSA-2019:0131 | 2019-01-22 |
Red Hat JBoss Web Server 3.1 for RHEL 6 | RHSA-2019:0131 | 2019-01-22 |
Red Hat JBoss Web Server 3.1 | RHSA-2019:0130 | 2019-01-22 |
Platform | Package | State |
---|---|---|
Red Hat Software Collections for Red Hat Enterprise Linux | rh-java-common-tomcat | Not affected |
Red Hat OpenShift Application Runtimes 1.0 | springboot | Affected |
Red Hat JBoss Web Server 5 | tomcat | Affected |
Red Hat JBoss Operations Network 3 | jbossweb | Will not fix |
Red Hat JBoss Fuse Service Works 6 | jbossweb | Will not fix |
Red Hat JBoss Fuse 7 | tomcat | Affected |
Red Hat JBoss Fuse 6 | tomcat | Will not fix |
Red Hat JBoss Enterprise SOA Platform 5 | jbossweb | Not affected |
Red Hat JBoss EWS 2 | tomcat7 | Will not fix |
Red Hat JBoss EWS 2 | tomcat6 | Not affected |
Red Hat JBoss EAP 6 | jbossweb | Affected |
Red Hat JBoss EAP 5 | jbossweb | Not affected |
Red Hat JBoss Data Virtualization 6 | jbossweb | Will not fix |
Red Hat JBoss Data Grid 7 | tomcat | Not affected |
Red Hat JBoss Data Grid 6 | jbossweb | Not affected |
Red Hat JBoss BRMS 6 | tomcat | Not affected |
Red Hat JBoss BRMS 5 | jbossweb | Not affected |
Red Hat JBoss BPMS 6 | tomcat | Not affected |
Red Hat Enterprise Linux 7 | tomcat | Affected |
Red Hat Enterprise Linux 6 | tomcat6 | Not affected |