What's the Problem? When CORS policy is configured to "Origin:*" and "Credentials:true"(default setting), current Tomcat CORS filter will actively convert it to reflect any Origin header value. This kind of behavior is dangerous and has caused many security problems in the past[1-5]. Why is that? Current CORS standards(both W3C CORS and WHATWG fetch standard) have a clear definition for the wildcard '*', which means any domain is allowed. But they also have another important security requirement: "Origin: *" and "Credentials: true" cannot be used at the same time, to avoid overly loose permissions. Currently all browsers follow this requirement to disallow this configuration combination. If a framework actively converts '*' to reflect any origin header value, it means "Origin: *" and "Credentials: true" can be used at the same time. This behavior leads to CORS protocol's security design to be bypassed, causing many misconfiguration security problems. How to fix? Therefore, I suggest frameworks to follow the standard definition of *. When a user configures "Origin:*", frameworks just directly returns "Access-control-Allow-Access: *". When a user configures both "Origin:*" and "Credentials: true" , frameworks should warn users that this is a misconfiguration, instead of return any origin header value. Some similar security issues: [1] https://github.com/cyu/rack-cors/issues/126 [2] https://nodesecurity.io/advisories/148 [3] https://github.com/yiisoft/yii2/issues/16193 Some related blog posts: [4] http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html [5] https://ejj.io/misconfigured-cors/
Hi, is there something I forget to do to advance this report? I haven't received any response yet. Thanks, Jianjun
Potential security issues should not be reported via a public bug tracker. Please see the following for details of how to report security issues in Apache Tomcat: http://tomcat.apache.org/security.html Please see the following for details of how to report security issues in any other Apache project: http://www.apache.org/security/ Fixed in: - trunk for 9.0.9 onwards - 8.5.x for 8.5.32 onwards - 8.0.x for 8.0.53 onwards - 7.0.x for 7.0.89 onwards The lack of response was due to the Tomcat committers not wishing to draw further attention to the issue until it had been addressed. This issue has been assigned CVE-2018-8014.