On February 23, 2018, Apache published a security bulletin announcing security constraint bypass vulnerabilities in Apache Tomcat 7, 8, and 9, tracked as CVE-2018-1304 and CVE-2018-1305. An attacker can use them to bypass some security constraints and reach resources without authorization.
Because Apache Tomcat is widely used, Apache advised users to pay attention to this bulletin and check their own deployments.
See the following for more information about the vulnerability.
Apache Tomcat security policy bypass vulnerability
Security constraints defined by annotations on Servlets (@ServletSecurity) are only applied once the Servlet has been loaded, which by default happens on the first request that reaches it. Because a constraint defined this way applies to the Servlet's URL pattern and every URL below that point, it was possible, depending on the order in which Servlets were loaded, for some security constraints not to be applied at all. This could expose resources to users who are not authorized to access them (CVE-2018-1305). The second issue fixed in the same releases, CVE-2018-1304, concerns a security constraint whose URL pattern is the empty string "", which maps exactly to the context root: such a constraint was not handled correctly and was ignored, so the resource it was meant to protect was reachable by unauthorized users.
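As an added illustration of the pattern the description concerns (example code, not from the bulletin or from the Tomcat project): the only access control on /admin/* in the first class below is the @ServletSecurity annotation, which on an affected Tomcat is registered only when the servlet class is loaded. The second class is a defense-in-depth authorization filter on the same URL space that does not depend on when the container registers that constraint. AdminServlet, AdminAuthzFilter, the /admin/* path and the "admin" role are assumed names for the example; the two classes are separate files under WEB-INF/classes and are shown in one listing here.

```java
// --- AdminServlet.java (assumed name; first compilation unit) ---
import java.io.IOException;

import javax.servlet.annotation.HttpConstraint;
import javax.servlet.annotation.ServletSecurity;
import javax.servlet.annotation.WebServlet;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// The pattern the bulletin describes: the only access control on /admin/* is
// this annotation. On an affected Tomcat the constraint derived from it is
// registered only when this class is loaded, which by default is on the first
// request that reaches it, so whether /admin/* is protected depends on the
// order in which Servlets are loaded (CVE-2018-1305).
@WebServlet("/admin/*")
@ServletSecurity(@HttpConstraint(rolesAllowed = "admin"))
public class AdminServlet extends HttpServlet {
    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws IOException {
        resp.setContentType("text/plain");
        resp.getWriter().println("admin console, user=" + req.getRemoteUser());
    }
}

// --- AdminAuthzFilter.java (assumed name; second compilation unit) ---
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.annotation.WebFilter;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Defense in depth: an explicit role check on the same URL space that runs on
// every request and does not depend on when (or whether) the container has
// registered the annotation-derived constraint. It fails closed: a request
// with no authenticated principal, or with a principal that lacks the "admin"
// role, gets 403. It cannot trigger the container's login challenge itself,
// so it narrows the exposure window but does not replace the upgrade.
@WebFilter("/admin/*")
public class AdminAuthzFilter implements Filter {

    @Override
    public void init(FilterConfig config) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;
        if (req.getUserPrincipal() == null || !req.isUserInRole("admin")) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

The same constraint declared in web.xml with a security-constraint element is read when the context is deployed rather than when the Servlet loads, so it is not subject to the loading-order issue described above; give its url-pattern a real path, because an empty-string pattern is the separate problem fixed as CVE-2018-1304. Neither the web.xml declaration nor the filter is a substitute for upgrading to a fixed release.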
Condition and method of exploitation
The vulnerability can be exploited remotely, without authentication, by an attacker who can send HTTP requests to the affected web application; a proof of concept (PoC) is available.
Affected versions:
- Apache Tomcat 9: 9.0.0.M1 to 9.0.4
- Apache Tomcat 8: 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49
- Apache Tomcat 7: 7.0.0 to 7.0.84
Unaffected versions:
- Apache Tomcat 9 >= 9.0.5
- Apache Tomcat 8 >= 8.5.28
- Apache Tomcat 8 >= 8.0.50
- Apache Tomcat 7 >= 7.0.85
How to check
Check whether an affected version of Apache Tomcat is in use: run bin/version.sh (bin/version.bat on Windows) from the Tomcat installation directory, or run java -cp lib/catalina.jar org.apache.catalina.util.ServerInfo, and compare the reported version with the affected ranges above.
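The check can also be scripted. The following is an added example (not part of the bulletin or of Tomcat) that reads the version Tomcat itself reports from lib/catalina.jar, or takes a version string on the command line, and compares it with the affected ranges listed above. TomcatVersionCheck is an assumed class name and the example needs only the JDK; with Java 11 or later it runs directly, for example java TomcatVersionCheck.java /opt/tomcat/lib/catalina.jar, and exits with status 1 when the version is affected.

```java
import java.io.IOException;
import java.io.InputStream;
import java.util.Properties;
import java.util.jar.JarFile;
import java.util.zip.ZipEntry;

// Added example: compares an installed Tomcat version with the affected
// ranges from the bulletin. Class name and invocation are assumptions.
public class TomcatVersionCheck {

    // Affected ranges from the bulletin as [first affected, first fixed).
    // Milestone and RC builds (9.0.0.M1, 8.0.0.RC1) compare as x.y.z.
    private static final int[][][] AFFECTED = {
        { {9, 0, 0}, {9, 0, 5} },
        { {8, 5, 0}, {8, 5, 28} },
        { {8, 0, 0}, {8, 0, 50} },
        { {7, 0, 0}, {7, 0, 85} },
    };

    // Parses "8.5.27", "8.5.27.0" or "9.0.0.M1" into {major, minor, patch}.
    static int[] parse(String version) {
        String[] parts = version.trim().split("\\.");
        if (parts.length < 3) {
            throw new IllegalArgumentException("unexpected version string: " + version);
        }
        int[] v = new int[3];
        for (int i = 0; i < 3; i++) {
            String digits = parts[i].replaceAll("\\D.*$", "");
            if (digits.isEmpty()) {
                throw new IllegalArgumentException("unexpected version string: " + version);
            }
            v[i] = Integer.parseInt(digits);
        }
        return v;
    }

    static int compare(int[] a, int[] b) {
        for (int i = 0; i < 3; i++) {
            if (a[i] != b[i]) {
                return Integer.compare(a[i], b[i]);
            }
        }
        return 0;
    }

    // True when the version lies inside one of the affected ranges. Versions
    // outside every range (for example 10.x, or an end-of-life 6.x, which the
    // bulletin does not cover) return false.
    static boolean isAffected(String version) {
        int[] v = parse(version);
        for (int[][] range : AFFECTED) {
            if (compare(v, range[0]) >= 0 && compare(v, range[1]) < 0) {
                return true;
            }
        }
        return false;
    }

    // Reads the version Tomcat reports about itself from
    // lib/catalina.jar!/org/apache/catalina/util/ServerInfo.properties.
    static String readVersion(String catalinaJarPath) throws IOException {
        try (JarFile jar = new JarFile(catalinaJarPath)) {
            ZipEntry entry = jar.getEntry("org/apache/catalina/util/ServerInfo.properties");
            if (entry == null) {
                throw new IOException("ServerInfo.properties not found in " + catalinaJarPath);
            }
            Properties props = new Properties();
            try (InputStream in = jar.getInputStream(entry)) {
                props.load(in);
            }
            String number = props.getProperty("server.number");   // e.g. "8.5.27.0"
            if (number != null) {
                return number;
            }
            String info = props.getProperty("server.info", "");    // e.g. "Apache Tomcat/8.5.27"
            return info.substring(info.indexOf('/') + 1);
        }
    }

    public static void main(String[] args) throws IOException {
        if (args.length != 1) {
            System.err.println("usage: TomcatVersionCheck <path/to/lib/catalina.jar | version>");
            System.exit(2);
        }
        String version = args[0].endsWith(".jar") ? readVersion(args[0]) : args[0];
        boolean affected = isAffected(version);
        System.out.println("Apache Tomcat " + version + (affected
                ? ": AFFECTED by CVE-2018-1304 / CVE-2018-1305, upgrade"
                : ": not in an affected range"));
        System.exit(affected ? 1 : 0);
    }
}
```

Checking the jar rather than a directory name or package metadata matters because the version the running Tomcat reports is what the constraint-handling code corresponds to; a renamed installation directory or a vendor package version string can disagree with it.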
How to fix or mitigate
Upgrade to a fixed version:
- Version 9 (9.0.5 or later): https://tomcat.apache.org/download-90.cgi
- Version 8 (8.5.28 or later; 8.0.50 or later on the 8.0 branch): https://tomcat.apache.org/download-80.cgi
- Version 7 (7.0.85 or later): https://tomcat.apache.org/download-70.cgi
Note: We recommend that you test the upgrade first and create a snapshot of your ECS instance to back up its data before upgrading a production system.