PT-2018-2982 · Apache · Apache Tomcat
Published: 2018-06-26 · Updated: 2024-10-21
CVE-2018-8034
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Apache Tomcat versions 7.0.35 through 7.0.88
Apache Tomcat versions 8.0.0.RC1 through 8.0.52
Apache Tomcat versions 8.5.0 through 8.5.31
Apache Tomcat versions 9.0.0.M1 through 9.0.9
Description
The Apache Tomcat WebSocket client did not perform host name verification when connecting over TLS; the fix enables it by default. A remote attacker can exploit the missing host name check during Transport Layer Security (TLS) use to bypass existing security restrictions.
Recommendations
For Apache Tomcat versions 7.0.35 through 7.0.88, enable host name verification for the WebSocket client.
For Apache Tomcat versions 8.0.0.RC1 through 8.0.52, enable host name verification for the WebSocket client.
For Apache Tomcat versions 8.5.0 through 8.5.31, enable host name verification for the WebSocket client.
For Apache Tomcat versions 9.0.0.M1 through 9.0.9, enable host name verification for the WebSocket client.
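As an added illustration (not code from this advisory or from Apache Tomcat itself), the following Java snippet shows the standard JSSE way to turn host name verification on for a client-side SSLEngine, which is the check the affected WebSocket client skipped; the `WsClientTls` class, its method names and the host name are hypothetical.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

// Hypothetical helper illustrating the JSSE host name verification
// mechanism; it is not part of Apache Tomcat's own code.
public final class WsClientTls {

    // Build a client-mode engine for the given peer. With verifyHostName
    // false the engine behaves like the affected WebSocket client: the
    // handshake validates the certificate chain but never compares the
    // certificate's names with the host the client meant to reach, so a
    // valid certificate for any other host is accepted.
    public static SSLEngine clientEngine(SSLContext ctx, String host, int port,
                                         boolean verifyHostName) {
        // The peer host given here is what the certificate is matched against.
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        if (verifyHostName) {
            SSLParameters params = engine.getSSLParameters();
            // "HTTPS" selects RFC 2818 host name matching against the
            // peer certificate's SAN/CN entries during the handshake.
            params.setEndpointIdentificationAlgorithm("HTTPS");
            engine.setSSLParameters(params);
        }
        return engine;
    }

    // Defensive check a client can run before handing an engine to a
    // WebSocket or HTTP library: an unset algorithm means no host name check.
    public static boolean verifiesHostName(SSLEngine engine) {
        String alg = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
        return alg != null && !alg.isEmpty();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        SSLEngine weak = clientEngine(ctx, "ws.example.test", 443, false);
        SSLEngine fixed = clientEngine(ctx, "ws.example.test", 443, true);
        System.out.println("host name verified (weak):  " + verifiesHostName(weak));
        System.out.println("host name verified (fixed): " + verifiesHostName(fixed));
    }
}
```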
Weakness
Improper Certificate Validation
Improperly Implemented Security Check for Standard
Affected products
Alt Linux
Almalinux
Apache Tomcat
Centos
Red Hat
Rocky Linux
Suse
Ubuntu