Uploaded image for project: 'Kylin'
  1. Kylin
  2. KYLIN-3611

Upgrade Tomcat to 7.0.91, 8.5.34 or later

    XMLWordPrintableJSON

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: v2.6.0, v2.5.1
    • Component/s: None
    • Labels:
      None

      Description

      [SECURITY] CVE-2018-11784 Apache Tomcat - Open Redirect

       
       
       
      CVE-2018-11784 Apache Tomcat - Open Redirect

      Severity: Moderate

      Vendor: The Apache Software Foundation

      Versions Affected:
      Apache Tomcat 9.0.0.M1 to 9.0.11
      Apache Tomcat 8.5.0 to 8.5.33
      Apache Tomcat 7.0.23 to 7.0.90
      The unsupported 8.0.x release line has not been analysed but is likely
      to be affected.

      Description:
      When the default servlet returned a redirect to a directory (e.g.
      redirecting to '/foo/' when the user requested '/foo') a specially
      crafted URL could be used to cause the redirect to be generated to any
      URI of the attackers choice.

      Mitigation:
      Users of the affected versions should apply one of the following
      mitigations:

      • Upgrade to Apache Tomcat 9.0.12 or later.
      • Upgrade to Apache Tomcat 8.5.34 or later.
      • Upgrade to Apache Tomcat 7.0.91 or later.
      • Use mapperDirectoryRedirectEnabled="true" and
          mapperContextRootRedirectEnabled="true" on the Context to ensure that
          redirects are issued by the Mapper rather than the default Servlet.
          See the Context configuration documentation for further important
          details.

      Credit:
      This vulnerability was found by Sergey Bobrov and reported responsibly
      to the Apache Tomcat Security Team.

      History:
      2018-10-03 Original advisory

      References:
      [1] http://tomcat.apache.org/security-9.html
      [2] http://tomcat.apache.org/security-8.html
      [3] http://tomcat.apache.org/security-7.html

        Attachments

          Activity

            People

            • Assignee:
              GodDispose zhoujie
              Reporter:
              shaofengshi Shao Feng Shi
            • Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: