4.3
MEDIUM

CVE-2017-7674

Published: 11/08/2017 Updated: 29/06/2018
CVSS v2 Base Score: 4.3 | Impact Score: 2.9 | Exploitability Score: 8.6
CVSS v3 Base Score: 4.3 | Impact Score: 1.4 | Exploitability Score: 2.8

Vulnerability Summary

Ubuntu: USN-3519-1 (CVE-2017-7674): Tomcat vulnerabilities

Several security issues were fixed in Tomcat.

The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0.0.M21, 8.5.0 to 8.5.15, 8.0.0.RC1 to 8.0.44 and 7.0.41 to 7.0.78 did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances.
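
The effect of the missing header can be reproduced in a small model of a shared cache. This is an added example, not Tomcat's code or any vendor's; the origins, URL path and function names are constructed for illustration, and the cache is simplified to key on the URL plus whatever request headers the stored Vary names.

```python
# Constructed model: an origin server that echoes allowed Origins, behind a shared cache.
ALLOWED = {"https://app.example", "https://partner.example"}  # constructed allow-list

def cors_response(origin, add_vary):
    """Origin server: echo an allowed Origin into Access-Control-Allow-Origin."""
    headers = {"Content-Type": "application/json"}
    if origin in ALLOWED:
        headers["Access-Control-Allow-Origin"] = origin
    if add_vary:
        headers["Vary"] = "Origin"  # behaviour after the fix
    return headers

class SharedCache:
    """Cache keyed on URL plus the request headers named in the stored Vary."""
    def __init__(self, add_vary):
        self.add_vary = add_vary
        self.store = {}  # url -> list of (vary_names, request_values, response)

    def get(self, url, req_headers):
        for names, values, resp in self.store.get(url, []):
            # With no Vary, names is empty and every request matches this entry.
            if all(req_headers.get(n) == v for n, v in zip(names, values)):
                return resp
        resp = cors_response(req_headers.get("Origin"), self.add_vary)
        names = [n.strip() for n in resp.get("Vary", "").split(",") if n.strip()]
        values = [req_headers.get(n) for n in names]
        self.store.setdefault(url, []).append((names, values, resp))
        return resp

def acao_seen_by(second_origin, first_origin, add_vary):
    """ACAO value the second requester receives after the first primed the cache."""
    cache = SharedCache(add_vary)
    cache.get("/api/data", {"Origin": first_origin})
    resp = cache.get("/api/data", {"Origin": second_origin})
    return resp.get("Access-Control-Allow-Origin")

def missing_vary_origin(headers):
    """Audit check: origin-specific ACAO returned without Vary: Origin."""
    acao = headers.get("Access-Control-Allow-Origin")
    vary = {v.strip().lower() for v in headers.get("Vary", "").split(",")}
    return acao not in (None, "*") and "origin" not in vary and "*" not in vary
```

Without the Vary header the second requester is handed whatever CORS headers the first request produced, including none at all; `missing_vary_origin` is the corresponding check to run against captured response headers.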

Two issues were discovered in the Tomcat servlet and JSP engine.

CVE-2017-7674: Rick Riemer discovered that the Cross-Origin Resource Sharing filter did not add a Vary header indicating possible different responses, which could lead to cache poisoning.

CVE-2017-7675 (stretch only): Markus Dörschmidt found that the HTTP/2 implementation bypassed some security checks, thus allowing an attacker to conduct directory traversal attacks by using specially crafted URLs.

For the oldstable distribution (jessie), these problems have been fixed in version 8.0.14-1+deb8u11. For the stable distribution (stretch), these problems have been fixed in version 8.5.14-1+deb9u2. We recommend that you upgrade your tomcat8 packages.

Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
Access Complexity: MEDIUM
Authentication: NONE
Access Vector: NETWORK
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

Affected Products

Vendor: Apache
Product: Tomcat
Versions: 7.0.41, 7.0.42, 7.0.43, 7.0.44, 7.0.45, 7.0.46, 7.0.47, 7.0.48, 7.0.49, 7.0.50, 7.0.52, 7.0.53, 7.0.54, 7.0.55, 7.0.56, 7.0.57, 7.0.58, 7.0.59, 7.0.60, 7.0.61, 7.0.62, 7.0.63, 7.0.64, 7.0.65, 7.0.66, 7.0.67, 7.0.68, 7.0.69, 7.0.70, 7.0.71, 7.0.72, 7.0.73, 7.0.74, 7.0.75, 7.0.76, 7.0.77, 7.0.78, 8.0, 8.0.0, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5, 8.0.6, 8.0.7, 8.0.8, 8.0.9, 8.0.10, 8.0.11, 8.0.12, 8.0.13, 8.0.14, 8.0.15, 8.0.16, 8.0.17, 8.0.18, 8.0.19, 8.0.20, 8.0.21, 8.0.22, 8.0.23, 8.0.24, 8.0.25, 8.0.26, 8.0.27, 8.0.28, 8.0.29, 8.0.30, 8.0.31, 8.0.32, 8.0.33, 8.0.34, 8.0.35, 8.0.36, 8.0.37, 8.0.38, 8.0.39, 8.0.40, 8.0.41, 8.0.42, 8.0.43, 8.0.44, 8.5.0, 8.5.1, 8.5.2, 8.5.3, 8.5.4, 8.5.5, 8.5.6, 8.5.7, 8.5.8, 8.5.9, 8.5.10, 8.5.11, 8.5.12, 8.5.13, 8.5.14, 8.5.15, 9.0.0

Vendor Advisories

Synopsis: Important: tomcat security update. Type/Severity: Security Advisory: Important. Topic: An update for tomcat is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, w ...
Two issues were discovered in the Tomcat servlet and JSP engine. CVE-2017-7674: Rick Riemer discovered that the Cross-Origin Resource Sharing filter did not add a Vary header indicating possible different responses, which could lead to cache poisoning. CVE-2017-7675 (stretch only): Markus Dörschmidt found that the HTTP/2 implementat ...
1480618: Vary header not added by CORS filter leading to cache poisoning. The CORS Filter in Apache Tomcat did not add an HTTP Vary header indicating that the response varies depending on Origin. This permitted client and server side cache poisoning in some circumstances (CVE-2017-7674) ...
Several security issues were fixed in Tomcat ...
Security constrained bypass in error page mechanism: A vulnerability was discovered in the error page mechanism in Tomcat's DefaultServlet implementation. A crafted HTTP request could cause undesired side effects, possibly including the removal or replacement of the custom error page (CVE-2017-5664). The CORS Filter in Apache Tomcat 9.0.0.M1 to 9.0 ...
A vulnerability was discovered in Tomcat where the CORS Filter did not send a "Vary: Origin" HTTP header. This potentially allowed sensitive data to be leaked to other visitors through both client-side and server-side caches ...
Security constrained bypass in error page mechanism: While investigating bug 60718, it was noticed that some calls to application listeners in Apache Tomcat 9.0.0.M1 to 9.0.0.M17, 8.5.0 to 8.5.11, 8.0.0.RC1 to 8.0.41, and 7.0.0 to 7.0.75 did not use the appropriate facade object. When running an untrusted application under a SecurityManager, it was ...
Synopsis: Important: Red Hat JBoss Web Server 3.1.0 Service Pack 1 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Web Server 3.1 for RHEL 6 and Red Hat JBoss Web Server 3.1 for RHEL 7. Red Hat Product Security has rated this update as having a sec ...
Synopsis: Important: Red Hat JBoss Web Server Service Pack 1 security update. Type/Severity: Security Advisory: Important. Topic: An update is now available for Red Hat JBoss Web Server 3.1. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring Sys ...
Oracle Critical Patch Update Advisory - April 2018. Description: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous ...
