
[Vulnerability notice] CVE-2018-1304/1305: Security policy bypass vulnerability in Apache Tomcat

Last Updated: Apr 08, 2018

On February 23, 2018, Apache published a security bulletin stating that a security bypass vulnerability had been found in Apache Tomcat 7, 8, and 9, tracked as CVE-2018-1305 and CVE-2018-1304. Attackers can use the vulnerability to bypass some security constraints and perform unauthorized operations.

Because Apache Tomcat is widely used, Apache recommends that users pay attention to this vulnerability and check their own deployments.

See the following for more information about the vulnerability.


CVE identifier

CVE-2018-1304/1305

Vulnerability name

Apache Tomcat security policy bypass vulnerability

Vulnerability rating

Medium

Vulnerability description

Security constraints defined by annotations of Servlets are only applied once a Servlet is loaded. Because security constraints defined in this way apply to the URL pattern and any URLs below that point, it was possible - depending on the order Servlets are loaded - for some security constraints not to be applied. This could have exposed resources to users who are not authorized to access them.

Condition and method of exploitation

The vulnerability can be exploited remotely, and a proof of concept (PoC) exists.

Affected scope

  • Apache Tomcat 9: 9.0.0.M1 to 9.0.4
  • Apache Tomcat 8: 8.5.0 to 8.5.27, 8.0.0.RC1 to 8.0.49
  • Apache Tomcat 7: 7.0.0 to 7.0.84

Unaffected versions:

  • Apache Tomcat 9 >= 9.0.5
  • Apache Tomcat 8 >= 8.5.28
  • Apache Tomcat 8 >= 8.0.50
  • Apache Tomcat 7 >= 7.0.85

Vulnerability detection

Check whether the version of Apache Tomcat in use falls within the affected scope listed above.
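An added example, not part of this advisory, to automate that check: a Python script that reads the version from the output of Tomcat's `version.sh` (assumed line format `Server version: Apache Tomcat/x.y.z`; the sample output below is constructed) and tests it against the affected ranges listed above. It handles the pre-release tags in those ranges (`9.0.0.M1`, `8.0.0.RC1`), which a plain numeric comparison would misorder.

```python
import re

# Affected ranges exactly as listed in the advisory (bounds inclusive).
AFFECTED_RANGES = [
    ("9.0.0.M1", "9.0.4"),
    ("8.5.0", "8.5.27"),
    ("8.0.0.RC1", "8.0.49"),
    ("7.0.0", "7.0.84"),
]

_QUALIFIER = re.compile(r"^(M|RC)(\d+)$", re.IGNORECASE)


def version_key(version):
    """Turn '9.0.0.M1' / '8.0.49' / '9.0.4.0' into a sortable tuple.

    Pre-release qualifiers (M1, RC1) sort before the final release of the
    same x.y.z, which is why 9.0.0.M1 is the first affected 9.x build.
    """
    nums = []
    qualifier = (1, 0)  # (1, 0) marks a final release
    for part in version.strip().split("."):
        m = _QUALIFIER.match(part)
        if m:
            qualifier = (0, int(m.group(2)))
            break
        nums.append(int(part))
    nums = (nums + [0, 0, 0])[:3]  # keep major.minor.patch only
    return tuple(nums) + qualifier


def is_affected(version):
    """True if the version lies inside one of the advisory's affected ranges."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi)
               for lo, hi in AFFECTED_RANGES)


def version_from_banner(output):
    """Extract the version from version.sh output (assumed banner format)."""
    m = re.search(r"Apache Tomcat/(\S+)", output)
    return m.group(1) if m else None


# Constructed sample output; not captured from a real host.
SAMPLE_OUTPUT = """Using CATALINA_BASE:   /opt/tomcat
Server version: Apache Tomcat/9.0.4
Server number:  9.0.4.0
"""

if __name__ == "__main__":
    v = version_from_banner(SAMPLE_OUTPUT)
    print(v, "affected" if is_affected(v) else "not affected")
```

Pipe the real output of `$CATALINA_HOME/bin/version.sh` into `version_from_banner` to check a live installation.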

How to fix or mitigate

Upgrade Apache Tomcat to the latest version (see the unaffected versions listed above).

Note: We recommend that you test the upgrade first and create a snapshot of your ECS instance to back up its data before upgrading.

