CORS Filter vulnerability lies within MyIT Tomcat

Version 2

    This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.


    PRODUCT:

    MyIT Digital Workplace


    APPLIES TO:

    Any version prior to 18.08



    PROBLEM:

    The customer's security team reported the following vulnerability in the Smart IT / MyIT Tomcat:

    "Based on NATIONAL VULNERABILITY DATABASE (https://nvd.nist.gov/vuln/detail/CVE-2018-8014)

    The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.

    We did see CORS-related filter entries in the myit ux/web-inf/web.xml files. Please help us check this, and how can we resolve the vulnerability?"



    SOLUTION:

    This vulnerability has been addressed as of release 18.08.

    Customers running one of the affected Tomcat versions (9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88) can migrate to a Tomcat release in which the issue is fixed.
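    As an added check that is not part of this article or of BMC's product code, assuming the MyIT web.xml registers Tomcat's standard org.apache.catalina.filters.CorsFilter, the following Python audits a web.xml for CorsFilter definitions that rely on the pre-fix defaults described in the NVD entry (no explicit cors.allowed.origins, so "*", and no explicit cors.support.credentials=false). The sample web.xml and the origin https://myit.example.com are constructed for the example.

```python
import xml.etree.ElementTree as ET

CORS_FILTER_CLASS = "org.apache.catalina.filters.CorsFilter"

# Constructed sample web.xml (not taken from MyIT): one CorsFilter left at the
# insecure pre-fix defaults, one pinned to a named origin with credentials off.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsFilterDefault</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CorsFilterHardened</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://myit.example.com</param-value>
    </init-param>
    <init-param>
      <param-name>cors.support.credentials</param-name>
      <param-value>false</param-value>
    </init-param>
  </filter>
</web-app>
"""

def _children(elem):
    """Map local tag name -> text for an element's direct children (namespace stripped)."""
    return {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in elem}

def audit_cors_filters(web_xml_text):
    """Return {filter-name: reason} for each CorsFilter that, on an unpatched Tomcat,
    honours credentialed requests from any origin (pre-fix defaults: origins '*',
    cors.support.credentials true)."""
    root = ET.fromstring(web_xml_text)
    findings = {}
    for flt in root.iter():
        if flt.tag.rsplit("}", 1)[-1] != "filter":
            continue
        fields = _children(flt)
        if fields.get("filter-class") != CORS_FILTER_CLASS:
            continue
        # Explicit init-params override the defaults; absent ones keep the defaults.
        params = {kv["param-name"]: kv.get("param-value", "")
                  for kv in map(_children, flt) if "param-name" in kv}
        origins = params.get("cors.allowed.origins", "*")
        creds = params.get("cors.support.credentials", "true").lower()
        if creds == "true" and origins == "*":
            findings[fields.get("filter-name")] = "credentials allowed for all origins"
    return findings
```

    Run it against each WEB-INF/web.xml the security team flagged; a reported filter should be given an explicit cors.allowed.origins listing only the MyIT front-end origins and an explicit cors.support.credentials value, which also keeps the configuration safe independent of the Tomcat default.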



    Article Number:

    000156863


    Article Type:

    Solutions to a Product Problem


