=================================================================== CERT-Renater Note d'Information No. 2023/VULN103 _____________________________________________________________________ DATE : 22/03/2023 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Apache Tomcat versions prior to 11.0.0-M3, 10.1.6, 9.0.72, 8.5.86. ====================================================================https://lists.apache.org/thread/yor1fqsr5jkzwndj1rmrxcw2yc13vo8l _____________________________________________________________________ [SECURITY] CVE-2023-28708 Apache Tomcat - Information Disclosure CVE-2023-28708 Apache Tomcat - Information Disclosure Severity: Important Vendor: The Apache Software Foundation Versions Affected: Apache Tomcat 11.0.0-M1 to 11.0.0-M2 Apache Tomcat 10.1.0-M1 to 10.1.5 Apache Tomcat 9.0.0-M1 to 9.0.71 Apache Tomcat 8.5.0 to 8.5.85 Description: When using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https, session cookies created by Tomcat did not include the secure attribute. This could result in the user agent transmitting the session cookie overan insecure channel. Mitigation: Users of the affected versions should apply one of the following mitigations: - Upgrade to Apache Tomcat 11.0.0-M3 or later - Upgrade to Apache Tomcat 10.1.6 or later - Upgrade to Apache Tomcat 9.0.72 or later - Upgrade to Apache Tomcat 8.5.86 or later History: 2023-03-22 Original advisory References: [1] https://tomcat.apache.org/security-11.html [2] https://tomcat.apache.org/security-10.html [3] https://tomcat.apache.org/security-9.html [4] https://tomcat.apache.org/security-8.html ========================================================+ CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =======================================================