This document contains official content from the BMC Software Knowledge Base. It is automatically updated when the knowledge article is modified.
MyIT Digital Workplace
Any version prior to 18.08
The customer's security team reported the following vulnerabilities in the Smart IT/MyIT Tomcat:
"Based on NATIONAL VULNERABILITY DATABASE (https://nvd.nist.gov/vuln/detail/CVE-2018-8014)
The default settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
We did see CORS-related filter entries in myit ux/web-inf/web.xml files. Please help to check. How can we resolve the vulnerability?"
This vulnerability has been addressed since release 18.08.
Customers using one of the listed Tomcat versions (9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88) can migrate to a Tomcat version where the issue is fixed.
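To check whether a CORS filter entry in a web.xml actually relies on the insecure defaults described above, the following added example (not BMC or Apache code) parses a deployment descriptor and evaluates each Tomcat `CorsFilter` against the affected-version defaults. The filter class and the `cors.allowed.origins` / `cors.support.credentials` parameter names are Tomcat's; the sample web.xml, filter names and origin are constructed for illustration.

```python
import xml.etree.ElementTree as ET

CORS_FILTER = "org.apache.catalina.filters.CorsFilter"
# Defaults of the affected Tomcat versions, as described in CVE-2018-8014.
AFFECTED_DEFAULTS = {"cors.allowed.origins": "*", "cors.support.credentials": "true"}

# Constructed sample web.xml (not taken from any BMC product).
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <filter>
    <filter-name>CorsDefault</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
  </filter>
  <filter>
    <filter-name>CorsPinned</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
      <param-name>cors.allowed.origins</param-name>
      <param-value>https://portal.example.com</param-value>
    </init-param>
  </filter>
</web-app>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop the XML namespace prefix

def _child(elem, name):
    # Text of the first direct child with this local name, or None if absent.
    return next(((c.text or "").strip() for c in elem if _local(c.tag) == name), None)

def audit_web_xml(xml_text):
    """Report, per CorsFilter, whether affected-version defaults leave it open."""
    findings = []
    for f in ET.fromstring(xml_text).iter():
        if _local(f.tag) != "filter" or _child(f, "filter-class") != CORS_FILTER:
            continue
        explicit = {_child(p, "param-name"): _child(p, "param-value") or ""
                    for p in f if _local(p.tag) == "init-param"}
        effective = {**AFFECTED_DEFAULTS, **explicit}  # explicit values win
        findings.append({
            "filter": _child(f, "filter-name"),
            "implicit": sorted(set(AFFECTED_DEFAULTS) - set(explicit)),
            "any_origin_with_credentials":
                effective["cors.allowed.origins"] == "*"
                and effective["cors.support.credentials"].lower() == "true",
        })
    return findings

if __name__ == "__main__":
    for finding in audit_web_xml(SAMPLE_WEB_XML):
        print(finding)
```

A filter listed with a non-empty `implicit` set depends on the container's defaults, so setting both parameters explicitly keeps its behaviour the same across Tomcat versions.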