https://bugzilla.redhat.com/show_bug.cgi?id=1480618
Bug ID: 1480618
Summary: CVE-2017-7674 tomcat: Cache Poisoning
Product: Security Response
Component: vulnerability
Keywords: Security
Severity: medium
Priority: medium
Assignee: security-response-team@redhat.com
Reporter: amaris@redhat.com
The CORS Filter did not add an HTTP Vary header indicating that the response varies depending on the Origin request header. This permitted client-side and server-side cache poisoning in some circumstances.
Affected versions: 7.0.41 to 7.0.78, 8.0.0.RC1 to 8.0.44, 8.5.0 to 8.5.15
Upstream patches:
Tomcat 7: https://svn.apache.org/viewvc?view=revision&revision=1795816
Tomcat 8.0.x: https://svn.apache.org/viewvc?view=revision&revision=1795815
Tomcat 8.5.x: https://svn.apache.org/viewvc?view=revision&revision=1795814
External References:
https://tomcat.apache.org/security-7.html
https://tomcat.apache.org/security-8.html
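As an added illustration of the condition described above and in the Doc Text further down (this is example code, not Tomcat's CORSFilter or anything from this bug): a modelled CORS filter with and without the Vary: Origin fix, a shared cache that honours Vary as RFC 7234 describes, and a check that a response declares it varies on Origin. The origins, URL and header values are constructed for the demonstration.

```python
# Added example, not Tomcat's code: a model of the condition behind
# CVE-2017-7674. A CORS filter that reflects the request Origin into
# Access-Control-Allow-Origin without sending "Vary: Origin" lets a shared
# cache hand one origin's response to another. Origins and URL are constructed.

ALLOWED_ORIGINS = {"https://app.example", "https://partner.example"}
URL = "https://api.example/data"


def cors_filter(req_headers, add_vary):
    """Response headers a CORS filter would emit for one request (header
    names lower-cased). add_vary=False models the vulnerable filter, which
    sends no Vary header; add_vary=True models the fix."""
    resp = {"content-type": "application/json",
            "cache-control": "public, max-age=600"}
    origin = req_headers.get("origin")
    if origin in ALLOWED_ORIGINS:
        resp["access-control-allow-origin"] = origin  # depends on Origin
        resp["access-control-allow-credentials"] = "true"
    if add_vary:
        resp["vary"] = "Origin"
    return resp


def vary_names(resp):
    """Header names listed in Vary, lower-cased ('*' is kept as is)."""
    return tuple(n.strip().lower() for n in resp.get("vary", "").split(",") if n.strip())


def vary_covers_origin(resp):
    """Defender's check: does the response tell caches it varies on Origin?"""
    return bool({"*", "origin"} & set(vary_names(resp)))


class SharedCache:
    """Cache honouring Vary as in RFC 7234 section 4.1: a stored response is
    reused only if every header it names in Vary has the same value in the new
    request as in the request that populated the entry."""

    def __init__(self):
        self.entries = {}  # url -> [(vary names, selecting values, response)]

    def lookup(self, url, req_headers):
        for names, selecting, resp in self.entries.get(url, []):
            if "*" in names:
                continue  # "Vary: *" is never reusable
            if all(req_headers.get(n, "") == selecting[n] for n in names):
                return resp
        return None

    def store(self, url, req_headers, resp):
        names = vary_names(resp)
        selecting = {n: req_headers.get(n, "") for n in names}
        self.entries.setdefault(url, []).append((names, selecting, resp))


def simulate(add_vary, origins=("https://app.example", "https://partner.example", None)):
    """Send one request per origin (None = no Origin header) through one shared
    cache. Returns (origin, cache_hit, Access-Control-Allow-Origin) per request."""
    cache, results = SharedCache(), []
    for origin in origins:
        req = {"origin": origin} if origin else {}
        resp = cache.lookup(URL, req)
        hit = resp is not None
        if not hit:
            resp = cors_filter(req, add_vary)
            cache.store(URL, req, resp)
        results.append((origin, hit, resp.get("access-control-allow-origin")))
    return results


if __name__ == "__main__":
    for add_vary in (False, True):
        print("fixed" if add_vary else "vulnerable", simulate(add_vary))
```

With the vulnerable filter the second and third requests are cache hits that carry the first origin's Access-Control-Allow-Origin; with the fix each request gets its own variant, and a response that lacks Vary: Origin is flagged by vary_covers_origin.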
Adam Mariš amaris@redhat.com changed:
Depends On: (none) -> 1480619, 1480621, 1480620
--- Comment #1 from Adam Mariš amaris@redhat.com --- Created jbossweb tracking bugs for this issue:
Affects: openshift-1 [bug 1480619]
Created tomcat tracking bugs for this issue:
Affects: epel-6 [bug 1480621]
Affects: fedora-all [bug 1480620]
Referenced Bugs:
https://bugzilla.redhat.com/show_bug.cgi?id=1480620 [Bug 1480620] CVE-2017-7674 tomcat: Cache Poisoning [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1480621 [Bug 1480621] CVE-2017-7674 tomcat: Cache Poisoning [epel-6]
Adam Mariš amaris@redhat.com changed:
Blocks: (none) -> 1480628
Timothy Walsh twalsh@redhat.com changed:
Whiteboard (Removed -> Added). Unchanged: impact=moderate, public=20170810, reported=20170810, source=internet, cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, rhel-7/tomcat=new, rhscl-2/rh-java-common-tomcat=new, jdg-6/jbossweb=new, jdv-6/jbossweb=new, eap-6/jbossweb=new, fsw-6/jbossweb=new, fuse-6/jbossweb=new, fuse-6/tomcat7=new, fuse-6/tomcat8=new, jon-3/jbossweb=new, jpp-6/jbossweb=new, openshift-1/jbossweb=affected, fedora-all/tomcat=affected, epel-6/tomcat=affected, rhel-6/tomcat6=new
Changed: jbews-2/tomcat7: new -> wontfix; jws-3/tomcat7: new -> affected; jws-3/tomcat8: new -> affected; jbews-2/tomcat6: new -> wontfix
Tomas Hoger thoger@redhat.com changed:
Whiteboard changed: rhscl-2/rh-java-common-tomcat: new -> notaffected; rhel-6/tomcat6: new -> notaffected
Timothy Walsh twalsh@redhat.com changed:
Whiteboard changed: eap-6/jbossweb: new -> notaffected
Tomas Hoger thoger@redhat.com changed:
Summary changed: "CVE-2017-7674 tomcat: Cache Poisoning" -> "CVE-2017-7674 tomcat: Vary header not added by CORS filter leading to cache poisoning"
Jason Shepherd jshepherd@redhat.com changed:
Whiteboard changed: jon-3/jbossweb: new -> notaffected
--- Comment #3 from Jason Shepherd jshepherd@redhat.com --- EAP 6 does not contain the vulnerable CORSFilter. Any products based on EAP 6 would not be affected, unless they add the CORSFilter in their layered code.
Marking JON-3 as NOTAFFECTED
Jason Shepherd jshepherd@redhat.com changed:
Whiteboard changed: jpp-6/jbossweb: new -> notaffected
Jason Shepherd jshepherd@redhat.com changed:
Whiteboard changed: jdg-6/jbossweb: new -> notaffected
Jason Shepherd jshepherd@redhat.com changed:
Whiteboard changed: jdv-6/jbossweb: new -> notaffected
Jason Shepherd jshepherd@redhat.com changed:
Whiteboard changed: fuse-6/jbossweb: new -> notaffected
Jason Shepherd jshepherd@redhat.com changed:
Whiteboard changed: fsw-6/jbossweb: new -> notaffected
Šimon Lukašík slukasik@redhat.com changed:
CC added: slukasik@redhat.com
Doran Moppert dmoppert@redhat.com changed:
Whiteboard changed: rhel-7/tomcat: new -> wontfix
Bug 1480618 depends on bug 1480621, which changed state.
Bug 1480621 Summary: CVE-2017-7674 tomcat: Cache Poisoning [epel-6]
https://bugzilla.redhat.com/show_bug.cgi?id=1480621
Status: ON_QA -> CLOSED; Resolution: --- -> ERRATA
Bug 1480618 depends on bug 1480620, which changed state.
Bug 1480620 Summary: CVE-2017-7674 tomcat: Cache Poisoning [fedora-all]
https://bugzilla.redhat.com/show_bug.cgi?id=1480620
Status: ON_QA -> CLOSED; Resolution: --- -> ERRATA
Doran Moppert dmoppert@redhat.com changed:
Whiteboard changed: rhel-7/tomcat: wontfix -> affected
Doran Moppert dmoppert@redhat.com changed:
Depends On: (none) -> 1495654, 1495655
--- Doc Text *updated* by Doran Moppert dmoppert@redhat.com --- A vulnerability was discovered in Tomcat. The CORS Filter did not send a "Vary: Origin" HTTP header, potentially allowing sensitive data to be leaked to other visitors through both client-side and server-side caches.
Eric Christensen sparks@redhat.com changed:
Whiteboard changed: reported: 20170810 -> 20170809
--- Doc Text *updated* --- A vulnerability was discovered in Tomcat where the CORS Filter did not send a "Vary: Origin" HTTP header. This potentially allows sensitive data to be leaked to other visitors through both client-side and server-side caches.
--- Doc Text *updated* by Tomas Hoger thoger@redhat.com --- A vulnerability was discovered in Tomcat where the CORS Filter did not send a "Vary: Origin" HTTP header. This potentially allowed sensitive data to be leaked to other visitors through both client-side and server-side caches.
--- Comment #5 from errata-xmlrpc errata-xmlrpc@redhat.com --- This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:3081 https://access.redhat.com/errata/RHSA-2017:3081
Yasuhiro Ozone yozone@redhat.com changed:
CC added: yozone@redhat.com
Viliam Križan vkrizan@redhat.com changed:
Whiteboard changed: reported: 20170809 -> 20170810
Resulting whiteboard: impact=moderate, public=20170810, reported=20170810, source=internet, cvss3=5.9/CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N, rhel-7/tomcat=affected, rhscl-2/rh-java-common-tomcat=notaffected, jbews-2/tomcat7=wontfix, jws-3/tomcat7=affected, jws-3/tomcat8=affected, jdg-6/jbossweb=notaffected, jdv-6/jbossweb=notaffected, eap-6/jbossweb=notaffected, fsw-6/jbossweb=notaffected, fuse-6/jbossweb=notaffected, fuse-6/tomcat7=new, fuse-6/tomcat8=new, jon-3/jbossweb=notaffected, jpp-6/jbossweb=notaffected, openshift-1/jbossweb=affected, fedora-all/tomcat=affected, epel-6/tomcat=affected, rhel-6/tomcat6=notaffected, jbews-2/tomcat6=wontfix