
Debian 8 DLA-1450-1 Critical: Tomcat8 Authorization Issues

Debian LTS
July 29, 2018
Elevate tomcat8 to version 8.0.14-1+deb8u12 to resolve severe vulnerabilities in Debian.
Several security vulnerabilities have been discovered in the Tomcat servlet and JSP engine.

Summary

CVE-2018-1304
The URL pattern of "" (the empty string) which exactly maps to the
context root was not correctly handled in Apache Tomcat when used as
part of a security constraint definition. This caused the constraint
to be ignored. It was, therefore, possible for unauthorized users to
gain access to web application resources that should have been
protected. Only security constraints with a URL pattern of the empty
string were affected.

CVE-2018-1305
Security constraints defined by annotations of Servlets in Apache
Tomcat were only applied once a Servlet had been loaded. Because
security constraints defined in this way apply to the URL pattern
and any URLs below that point, it was possible - depending on the
order Servlets were loaded - for some security constraints not to be
applied. This could have exposed resources to users who were not
authorized to access them.
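As an added check that is not part of this advisory: a short Python script that scans a deployment descriptor for security constraints relying on the empty-string URL pattern described under CVE-2018-1304, so affected applications can be identified while the package is updated. The sample web.xml is constructed for the example. Constraints declared through Servlet annotations (the CVE-2018-1305 case) live in class files rather than web.xml, so this check does not find them.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml (not taken from the advisory): the first constraint
# uses the empty-string pattern "", which exactly maps to the context root and
# was ignored by unpatched Tomcat (CVE-2018-1304); the second uses "/admin/*".
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>context root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin area</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

def _local(tag):
    """Strip the XML namespace so the check works for any web-app schema version."""
    return tag.rsplit('}', 1)[-1]

def find_empty_pattern_constraints(web_xml_text):
    """Return the web-resource-name of every security-constraint whose
    url-pattern is exactly the empty string (the case affected by CVE-2018-1304)."""
    root = ET.fromstring(web_xml_text)
    affected = []
    for constraint in root.iter():
        if _local(constraint.tag) != 'security-constraint':
            continue
        for coll in constraint:
            if _local(coll.tag) != 'web-resource-collection':
                continue
            name = next((c.text for c in coll if _local(c.tag) == 'web-resource-name'), '<unnamed>')
            for child in coll:
                # ElementTree gives None for <url-pattern></url-pattern>
                if _local(child.tag) == 'url-pattern' and (child.text or '') == '':
                    affected.append(name)
    return affected

if __name__ == '__main__':
    for name in find_empty_pattern_constraints(SAMPLE_WEB_XML):
        print(f'constraint "{name}" relies on the empty-string URL pattern, '
              f'which tomcat8 before 8.0.14-1+deb8u12 ignored (CVE-2018-1304)')
```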


For Debian 8 "Jessie", these problems have been fixed in version



Severity: Critical

Package: tomcat8
Version: 8.0.14-1+deb8u12
CVE ID: CVE-2018-1304 CVE-2018-1305
Debian Bug: 802312
