Bug 62343

Summary: CORS security: reflecting any origin header value when configured to * is dangerous
Product: Tomcat 8 Reporter: Jianjun Chen <whucjj>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: normal    
Priority: P2    
Version: 8.5.x-trunk   
Target Milestone: ----   
Hardware: All   
OS: All   

Description Jianjun Chen 2018-05-01 05:18:16 UTC
What's the Problem?
When CORS policy is configured to "Origin:*" and "Credentials:true"(default setting), current Tomcat CORS filter will actively convert it to reflect any Origin header value. This kind of behavior is dangerous and has caused many security problems in the past[1-5].

Why is that?
Current CORS standards(both W3C CORS and WHATWG fetch standard) have a clear definition for the wildcard '*', which means any domain is allowed. But they also have another important security requirement: "Origin: *" and "Credentials: true" cannot be used at the same time, to avoid overly loose permissions. Currently all browsers follow this requirement to disallow this configuration combination.

If a framework actively converts '*' to reflect any origin header value, it means "Origin: *" and "Credentials: true" can be used at the same time. This behavior leads to CORS protocol's security design to be bypassed, causing many misconfiguration security problems.

How to fix?
Therefore, I suggest frameworks to follow the standard definition of *. When a user configures "Origin:*", frameworks just directly returns "Access-control-Allow-Access: *". When a user configures both "Origin:*" and "Credentials: true" , frameworks should warn users that this is a misconfiguration, instead of return any origin header value.

Some similar security issues:
[1] https://github.com/cyu/rack-cors/issues/126
[2] https://nodesecurity.io/advisories/148
[3] https://github.com/yiisoft/yii2/issues/16193

Some related blog posts:
[4] http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
[5] https://ejj.io/misconfigured-cors/
Comment 1 Jianjun Chen 2018-05-11 09:09:37 UTC
Hi, is there something I forget to do to advance this report?  I haven't received any response yet.

Comment 2 Mark Thomas 2018-05-16 15:07:55 UTC
Potential security issues should not be reported via a public bug tracker.

Please see the following for details of how to report security issues in Apache Tomcat:

Please see the following for details of how to report security issues in any other Apache project:

Fixed in:
- trunk for 9.0.9 onwards
- 8.5.x for 8.5.32 onwards
- 8.0.x for 8.0.53 onwards
- 7.0.x for 7.0.89 onwards

The lack of response was due to the Tomcat committers not wishing to draw further attention to the issue until it had been addressed.

This issue has been assigned CVE-2018-8014.