Tomcat: Security Constraint Bypasses

IDs: 
CVE-2018-1305, CVE-2018-1304
Keywords: 
Tomcat, Security Constraint Bypass
Description: 

Apache Tomcat fixes the vulnerabilities CVE-2018-1305 and CVE-2018-1304 in versions 8.5.28, 8.0.50 and 7.0.85.

Airlock WAF and Airlock Login/IAM are not affected. Back-ends behind Airlock WAF may be vulnerable, see resolution.

  • CVE-2018-1305
    Allows bypassing security constraints that are defined by servlet security annotations. Airlock WAF and Login/IAM do not use these annotations and are therefore not vulnerable.
  • CVE-2018-1304
    Allows bypassing security constraints when an empty URL pattern is used in a security constraint definition. Airlock WAF and Login/IAM do not use this mechanism and are therefore not vulnerable.
Resolution: 

No action required for Airlock Suite software.

We recommend updating vulnerable Apache Tomcat versions on back-ends if the Java application uses security constraints defined with the servlet annotations @ServletSecurity or @WebServlet, or with an empty URL pattern.
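To decide whether a back-end application falls under the recommendation above, an operator has to look for the two mechanisms the advisory names: an empty `<url-pattern>` inside a `<security-constraint>` in web.xml, and constraints declared with the @ServletSecurity annotation. The following script is an added example, not part of this advisory or of Apache Tomcat; the web.xml and Java source it scans are constructed samples, and the function names are the example's own.

```python
"""Check a Java web application for the two configurations the advisory
names: an empty <url-pattern> inside a web.xml <security-constraint>
(CVE-2018-1304) and annotation-defined security constraints
(@ServletSecurity, CVE-2018-1305).  All sample inputs are constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed sample web.xml: the first constraint uses an ordinary explicit
# pattern; the second uses the empty URL pattern the advisory refers to.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>admin</web-resource-name>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>admin</role-name></auth-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>root</web-resource-name>
      <url-pattern></url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>user</role-name></auth-constraint>
  </security-constraint>
</web-app>
"""

# Constructed sample servlet source that declares its constraint by annotation.
SAMPLE_JAVA = """
import javax.servlet.annotation.*;

@WebServlet("/reports/*")
@ServletSecurity(@HttpConstraint(rolesAllowed = "auditor"))
public class ReportServlet extends javax.servlet.http.HttpServlet {}
"""


def _local(tag):
    """Strip an XML namespace prefix such as {http://...}security-constraint."""
    return tag.split("}", 1)[-1]


def empty_pattern_constraints(web_xml_text):
    """Return the web-resource-names of security constraints that contain an
    empty (or whitespace-only) <url-pattern>.  Works for namespaced and
    un-namespaced web.xml files."""
    root = ET.fromstring(web_xml_text)
    hits = []
    for sc in root:
        if _local(sc.tag) != "security-constraint":
            continue
        for wrc in sc:
            if _local(wrc.tag) != "web-resource-collection":
                continue
            name = ""
            patterns = []
            for child in wrc:
                if _local(child.tag) == "web-resource-name":
                    name = (child.text or "").strip()
                elif _local(child.tag) == "url-pattern":
                    patterns.append((child.text or "").strip())
            if any(p == "" for p in patterns):
                hits.append(name)
    return hits


ANNOTATION_RE = re.compile(r"@(ServletSecurity|WebServlet)\b")


def annotation_constraints(java_source):
    """Return the sorted, de-duplicated servlet annotation names found in a
    Java source string.  @ServletSecurity is the one that carries the
    constraint; @WebServlet is reported because the advisory names it too."""
    return sorted(set(ANNOTATION_RE.findall(java_source)))


def needs_tomcat_update(web_xml_text, java_sources):
    """True when either mechanism named in the advisory is in use, i.e. the
    back-end should run a fixed Tomcat (8.5.28, 8.0.50 or 7.0.85 or later)."""
    if empty_pattern_constraints(web_xml_text):
        return True
    return any("ServletSecurity" in annotation_constraints(src)
               for src in java_sources)


if __name__ == "__main__":
    print("empty url-pattern constraints:", empty_pattern_constraints(SAMPLE_WEB_XML))
    print("annotations found:", annotation_constraints(SAMPLE_JAVA))
    print("Tomcat update recommended:", needs_tomcat_update(SAMPLE_WEB_XML, [SAMPLE_JAVA]))
```

In practice the two functions would be fed the deployed application's WEB-INF/web.xml and its servlet sources (or decompiled classes); a positive result from either one means the back-end relies on a mechanism affected by these CVEs and its Tomcat version should be checked against the fixed releases listed above.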

Component: 
Airlock
Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Back-ends may be vulnerable, see resolution