Tomcat: Security Constraint Bypass and Cache Poisoning

IDs: 
CVE-2017-7675, CVE-2017-7674
Keywords: 
Tomcat, Cache Poisoning, Security Constraint Bypass, CORS, HTTP/2
Description: 

Apache Tomcat fixes the vulnerabilities CVE-2017-7674 in versions 7.0.79 and 8.5.16, and CVE-2017-7675 in 8.5.16.

Airlock WAF and Airlock Login/IAM are not affected. Back-ends behind Airlock WAF may be vulnerable, see resolution.

  • CVE-2017-7675
    Allows security constraint bypass using specially crafted URLs when using HTTP/2. Airlock Login/IAM is not affected in the default configuration, as HTTP/2 is not used. Airlock WAF does not use Tomcat 8.5 and is therefore not vulnerable. Back-ends behind Airlock WAF are not vulnerable, as HTTP/2 is not supported.
  • CVE-2017-7674
    Allows cache poisoning when using the Tomcat CORS-Filter. The default configuration of Airlock Login/IAM is not vulnerable, as the filter is not used. Airlock WAF does not use the Tomcat CORS-Filter and is therefore not affected. Back-ends behind Airlock WAF may be vulnerable, see resolution.
Resolution: 
  • CVE-2017-7674
    Back-ends using Tomcat in versions 8.5.0 to 8.5.15 or 7.0.41 to 7.0.78 may be vulnerable if the Tomcat CORS-Filter is enabled. To avoid the cache poisoning attack, add a response header with name 'Vary' and value 'Origin' to the relevant mappings, or update Tomcat to version 7.0.79, 8.5.16 or higher.
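A check for the header workaround above, added here as an example (not Airlock or Tomcat code): it tests whether responses from a mapping where the CORS filter is enabled list Origin in Vary, and whether a Tomcat version lies in the ranges this advisory names. The function names and the sample responses are constructed for illustration.

```python
import re

# Affected Tomcat ranges for CVE-2017-7674 as listed in this advisory:
# release line -> (first, last) affected patch level, inclusive.
AFFECTED = {(7, 0): (41, 78), (8, 5): (0, 15)}

def version_affected(version):
    """True if a version such as '8.5.14' lies in a range the advisory lists."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(p) for p in m.groups())
    if (major, minor) not in AFFECTED:
        raise ValueError(f"release line {major}.{minor} is not listed in the advisory")
    first, last = AFFECTED[(major, minor)]
    return first <= patch <= last

def parse_headers(raw):
    """Parse a raw HTTP response head into a list of (lowercased name, value)."""
    headers = []
    for line in raw.replace("\r\n", "\n").split("\n")[1:]:  # skip status line
        if not line:
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return headers

def vary_covers_origin(headers):
    """True if the combined Vary headers list Origin (or '*')."""
    tokens = set()
    for name, value in headers:
        if name == "vary":
            tokens.update(t.strip().lower() for t in value.split(","))
    return "origin" in tokens or "*" in tokens

def audit(responses):
    """Labels of responses (all from CORS-filtered mappings) that lack Vary: Origin."""
    return [label for label, raw in responses.items()
            if not vary_covers_origin(parse_headers(raw))]

# Constructed sample responses for one mapping, not captured from a real system.
SAMPLES = {
    "request with Origin": "HTTP/1.1 200 OK\r\nAccess-Control-Allow-Origin: "
                           "https://app.example\r\nVary: Accept-Encoding\r\n\r\n",
    "request without Origin": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
    "after workaround": "HTTP/1.1 200 OK\r\nvary: accept-encoding, Origin\r\n\r\n",
}

if __name__ == "__main__":
    print(audit(SAMPLES))
```

The audit covers responses to requests both with and without an Origin header, since a shared cache can store either variant for the same URL.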
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution