446
VMScore

CVE-2018-8034

Published: 01/08/2018 Updated: 14/05/2019
CVSS v2 Base Score: 5 | Impact Score: 2.9 | Exploitability Score: 10
CVSS v3 Base Score: 7.5 | Impact Score: 3.6 | Exploitability Score: 3.9
VMScore: 446
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N

Vulnerability Summary

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Vulnerability Trend

Vendor Advisories

Synopsis Moderate: Red Hat JBoss Enterprise Application Platform 6422 security update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat JBoss Enterprise Application Platform 64Red Hat Product Security has rated this update as having a security impact of Moderate A C ...
Synopsis Moderate: Red Hat JBoss Web Server 31 Service Pack 6 security and bug fix update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat JBoss Web Server 31Red Hat Product Security has rated this release as having a security impactof Moderate A Common Vulnerabilit ...
Synopsis Moderate: Red Hat JBoss Enterprise Application Platform 6422 security update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat JBoss Enterprise Application Platform 64 for Red Hat Enterprise Linux 5Red Hat Product Security has rated this update as having a s ...
Synopsis Moderate: Red Hat JBoss Enterprise Application Platform 6422 security update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat JBoss Enterprise Application Platform 64 for Red Hat Enterprise Linux 6Red Hat Product Security has rated this update as having a s ...
Synopsis Moderate: Red Hat JBoss Enterprise Application Platform 6422 security update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat JBoss Enterprise Application Platform 64 for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a s ...
Synopsis Moderate: Red Hat JBoss Web Server 50 Service Pack 2 security and bug fix update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat JBoss Web Server 50 for RHEL 6 and Red Hat JBoss Web Server 50 for RHEL 7Red Hat Product Security has rated this release as hav ...
Synopsis Moderate: Red Hat JBoss Web Server 50 Service Pack 2 security and bug fix update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat JBoss Web Server 50 for RHEL 6 and Red Hat JBoss Web Server 50 for RHEL 7Red Hat Product Security has rated this release as hav ...
Synopsis Moderate: Red Hat JBoss Web Server 31 Service Pack 6 security and bug fix update Type/Severity Security Advisory: Moderate Topic An update is now available for Red Hat JBoss Web Server 31 for RHEL 6 and Red Hat JBoss Web Server 31 for RHEL 7Red Hat Product Security has rated this release as hav ...
Synopsis Important: pki-deps:106 security update Type/Severity Security Advisory: Important Topic An update for the pki-deps:106 module is now available for Red Hat Enterprise Linux 8Red Hat Product Security has rated this update as having a security impact of Important A Common Vulnerability Scoring Sy ...
Several security issues were fixed in Tomcat ...
Synopsis Moderate: tomcat security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic An update for tomcat is now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as having a security impact of Moderate A Common Vulnerability Scoring Syst ...
The host name verification when using TLS with the WebSocket client was missing It is now enabled by default Versions Affected: Apache Tomcat 900M1 to 909, 850 to 8531, 800RC1 to 8052, and 7035 to 7088 ...
IBM Integration Bus ships Apache Tomcat which is susceptible to vulnerabilities which were reported and have been addressed ...
Several issues were discovered in the Tomcat servlet and JSP engine They could lead to unauthorized access to protected resources, denial-of-service, or information leak For the stable distribution (stretch), these problems have been fixed in version 8514-1+deb9u3 We recommend that you upgrade your tomcat8 packages For the detailed security s ...
The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration Therefore, it is expected that most users will not be impacted ...
IBM WebSphere Cast Iron Solution has addressed the following vulnerabilities reported in Apache Tomcat v7 ...
The defaults settings for the CORS filter provided in Apache Tomcat are insecure and enable 'supportsCredentials' for all origins It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration Therefore, it is expected that most users will not be impacted ...
Synopsis Important: Red Hat Fuse 750 security update Type/Severity Security Advisory: Important Topic A minor version update (from 74 to 75) is now available for Red Hat Fuse The purpose of this text-only errata is to inform you about the security issues fixed in this releaseRed Hat Product Security h ...
The host name verification when using TLS with the WebSocket client was missing It is now enabled by default Versions Affected: Apache Tomcat 900M1 to 909, 850 to 8531, 800RC1 to 8052, and 7035 to 7088 (CVE-2018-8034 ) The URL pattern of "" (the empty string) which exactly maps to the context root was not correctly handled in A ...
Symantec Network Protection products using affected versions of Apache Tomcat are susceptible to multiple security vulnerabilities A remote attacker, with access to the management interface, can gain unauthorized access to a web application resource or cause denial of service in the Tomcat server A remote SSL/TLS client can authenticate with a re ...
Oracle Critical Patch Update Advisory - October 2018 Description A Critical Patch Update is a collection of patches for multiple security vulnerabilities Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previou ...
Oracle Solaris Third Party Bulletin - July 2018 Description The Oracle Solaris Third Party Bulletin announces patches for one or more security vulnerabilities fixed in third party software that is included in Oracle Solaris distributions Starting January 20, 2015, Third Party Bulletins are released on the same day when Oracle Critical P ...

Mailing Lists

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 - ------------------------------------------------------------------------- Debian Security Advisory DSA-4281-1 security () debian org wwwdebianorg/security/ Sebastien Delafond August 29, 2018 wwwdebianorg/security/faq ...

Github Repositories

CS578 ReadMe Team members: Shuang Hu Yixiang Ding Description The current implementation of ARC are reading source code line by line but there's no analysis being carried out on security issues However there do exist some patterns that the vulnerabilities could be detected through scanning the source code For example there could be some WebSocket vulnerability that not

checking alerts of X-CERT

gocarts(go-CERT-alerts-summarizer) gocarts checks alerts of X-CERT (eg JPCERT, US-CERT) This project refers to knqyf263/gost Abstract gocarts is written in Go, and therefore you can just grab the binary releases and drop it in your $PATH gocarts summarizes alerts by CVE ID You can search alert's detail by CVE ID Main features gocarts has the following features S

Cyber Securiy MOOC Unsecure project

LINK: githubcom/ilmari666/cybsec Based on the Springboot-template as per course material that can be installed and run with suitably configured Netbeans and Maven Five flaws as per wwwowasporg/images/7/72/OWASP_Top_10-2017_%28en%29pdfpdf This document can be read at githubcom/ilmari666/cybsec/blob/master/READMEmd FLAW 1: A2:2017 Broken Authentica

References

CWE-295http://mail-archives.us.apache.org/mod_mbox/www-announce/201807.mbox/%3C20180722091057.GA70283@minotaur.apache.org%3Ehttp://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.htmlhttp://www.securityfocus.com/bid/104895http://www.securitytracker.com/id/1041374https://access.redhat.com/errata/RHSA-2019:0130https://access.redhat.com/errata/RHSA-2019:0131https://access.redhat.com/errata/RHSA-2019:0450https://access.redhat.com/errata/RHSA-2019:0451https://access.redhat.com/errata/RHSA-2019:1159https://access.redhat.com/errata/RHSA-2019:1160https://access.redhat.com/errata/RHSA-2019:1161https://access.redhat.com/errata/RHSA-2019:1162https://access.redhat.com/errata/RHSA-2019:1529https://access.redhat.com/errata/RHSA-2019:2205https://access.redhat.com/errata/RHSA-2019:3892https://lists.apache.org/thread.html/1dd0a59c1295cc08ce4c9e7edae5ad2268acc9ba55adcefa0532e5ba@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/3d19773b4cf0377db62d1e9328bf9160bf1819f04f988315086931d7@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/5c0e00fd31efc11e147bf99d0f03c00a734447d3b131ab0818644cdb@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/6af47120905aa7d8fe12f42e8ff2284fb338ba141d3b77b8c7cb61b3@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/845312a10aabbe2c499fca94003881d2c79fc993d85f34c1f5c77424@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/88855876c33f2f9c532ffb75bfee570ccf0b17ffa77493745af9a17a@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/ac51944aef91dd5006b8510b0bef337adaccfe962fb90e7af9c22db4@%3Cissues.activemq.apache.org%3Ehttps://lists.apache.org/thread.html/b5e3f51d28cd5d9b1809f56594f2cf63dcd6a90429e16ea9f83bbedc@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/e85e83e9954f169bbb77b44baae5a33d8de878df557bb32b7f793661@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/eb6efa8d59c45a7a9eff94c4b925467d3b3fec8ba7697f3daa314b04@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r3bbb800a816d0a51eccc5a228c58736960a9fffafa581a225834d97d@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r48c1444845fe15a823e1374674bfc297d5008a5453788099ea14caf0@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r6ccee4e849bc77df0840c7f853f6bd09d426f6741247da2b7429d5d9@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3Ehttps://lists.apache.org/thread.html/raba0fabaf4d56d4325ab2aca8814f0b30a237ab83d8106b115ee279a@%3Cdev.tomcat.apache.org%3Ehttps://lists.debian.org/debian-lts-announce/2018/07/msg00047.htmlhttps://lists.debian.org/debian-lts-announce/2018/09/msg00001.htmlhttps://security.netapp.com/advisory/ntap-20180817-0001/https://usn.ubuntu.com/3723-1/https://www.debian.org/security/2018/dsa-4281https://www.oracle.com/security-alerts/cpuapr2020.htmlhttps://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.htmlhttps://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.htmlhttps://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.htmlhttps://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2018-8034https://access.redhat.com/errata/RHSA-2019:1162https://usn.ubuntu.com/3723-1/https://nvd.nist.govhttps://tools.cisco.com/security/center/viewAlert.x?alertId=58470