Bug 62343 - CORS security: reflecting any origin header value when configured to * is dangerous
Summary: CORS security: reflecting any origin header value when configured to * is dan...
Alias: None
Product: Tomcat 8
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 8.5.x-trunk
Hardware: All All
: P2 normal (vote)
Target Milestone: ----
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2018-05-01 05:18 UTC by Jianjun Chen
Modified: 2018-05-16 15:07 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Jianjun Chen 2018-05-01 05:18:16 UTC
What's the Problem?
When CORS policy is configured to "Origin:*" and "Credentials:true"(default setting), current Tomcat CORS filter will actively convert it to reflect any Origin header value. This kind of behavior is dangerous and has caused many security problems in the past[1-5].

Why is that?
Current CORS standards(both W3C CORS and WHATWG fetch standard) have a clear definition for the wildcard '*', which means any domain is allowed. But they also have another important security requirement: "Origin: *" and "Credentials: true" cannot be used at the same time, to avoid overly loose permissions. Currently all browsers follow this requirement to disallow this configuration combination.

If a framework actively converts '*' to reflect any origin header value, it means "Origin: *" and "Credentials: true" can be used at the same time. This behavior leads to CORS protocol's security design to be bypassed, causing many misconfiguration security problems.

How to fix?
Therefore, I suggest frameworks to follow the standard definition of *. When a user configures "Origin:*", frameworks just directly returns "Access-control-Allow-Access: *". When a user configures both "Origin:*" and "Credentials: true" , frameworks should warn users that this is a misconfiguration, instead of return any origin header value.

Some similar security issues:
[1] https://github.com/cyu/rack-cors/issues/126
[2] https://nodesecurity.io/advisories/148
[3] https://github.com/yiisoft/yii2/issues/16193

Some related blog posts:
[4] http://blog.portswigger.net/2016/10/exploiting-cors-misconfigurations-for.html
[5] https://ejj.io/misconfigured-cors/
Comment 1 Jianjun Chen 2018-05-11 09:09:37 UTC
Hi, is there something I forget to do to advance this report?  I haven't received any response yet.

Comment 2 Mark Thomas 2018-05-16 15:07:55 UTC
Potential security issues should not be reported via a public bug tracker.

Please see the following for details of how to report security issues in Apache Tomcat:

Please see the following for details of how to report security issues in any other Apache project:

Fixed in:
- trunk for 9.0.9 onwards
- 8.5.x for 8.5.32 onwards
- 8.0.x for 8.0.53 onwards
- 7.0.x for 7.0.89 onwards

The lack of response was due to the Tomcat committers not wishing to draw further attention to the issue until it had been addressed.

This issue has been assigned CVE-2018-8014.