
CVE-2023-28708 : Security Advisory and Response

Apache Tomcat vulnerability CVE-2023-28708 concerns the session cookie (JSESSIONID by default) being issued without the Secure attribute when Tomcat sits behind a TLS-terminating reverse proxy and relies on the RemoteIpFilter to learn that the original request was HTTPS. A browser that holds such a cookie will send it on any plain-HTTP request to the site, where it can be captured. The sections below describe the condition, the affected versions and the fixes.

In the affected configurations the request reaches Tomcat over plain HTTP with the X-Forwarded-Proto header set to https. The filter reports the request as secure to the application, but the session cookie Tomcat creates for it was still written without the Secure attribute, so the user agent may later transmit it over an unencrypted connection.

Understanding CVE-2023-28708

This vulnerability affects Apache Tomcat 11.0.0-M1 to 11.0.0-M2, 10.1.0-M1 to 10.1.5, 9.0.0-M1 to 9.0.71, and 8.5.0 to 8.5.85 when the RemoteIpFilter is in use and requests arrive from a reverse proxy over plain HTTP with the X-Forwarded-Proto header set to https, which is the usual layout when the proxy terminates TLS and forwards to Tomcat in the clear.

What is CVE-2023-28708?

When the RemoteIpFilter processes a request that arrived from a trusted reverse proxy over plain HTTP with X-Forwarded-Proto: https, it presents the request to the application as secure: request.isSecure() returns true and the scheme is https. In the affected versions, however, the session cookie Tomcat created for that request was built from the connector's own view of the connection, which is plain HTTP, so the cookie was written without the Secure attribute. A user agent that receives such a cookie will include it in any plain-HTTP request to the same host, which is exactly what the attribute exists to prevent.

The Impact of CVE-2023-28708

The practical impact is session disclosure. A session cookie without the Secure attribute is sent by the browser on any http:// request to the site, whether that request is triggered by a link, a mixed-content resource, or an attacker on the network path who redirects the user to a plain-HTTP URL. Anyone who can observe that traffic can capture the cookie and replay it to take over the authenticated session. Note where the leak happens: between the browser and the proxy, on the user's side of TLS termination, so encrypting the proxy-to-Tomcat hop does not help. Sites that send HTTP Strict Transport Security narrow the window, because the browser then refuses to issue plain-HTTP requests to the host at all, but that is a mitigation rather than a fix.

Technical Details of CVE-2023-28708

This section delves into the specific technical aspects of the CVE.

Vulnerability Description

The defect is in how the Secure attribute of the session cookie was decided. The affected versions did not take into account the secure status that the RemoteIpFilter derived from X-Forwarded-Proto, so the JSESSIONID cookie generated for a request received from a reverse proxy over HTTP with X-Forwarded-Proto set to https lacked the attribute even though the application saw the request as secure. The fix makes the session cookie honour the filter's determination.

Affected Systems and Versions

        Apache Tomcat 11.0.0-M1 to 11.0.0-M2
        Apache Tomcat 10.1.0-M1 to 10.1.5
        Apache Tomcat 9.0.0-M1 to 9.0.71
        Apache Tomcat 8.5.0 to 8.5.85

Exploitation Mechanism

No special exploit is needed. An attacker positioned on the network between the user and the reverse proxy (a shared wireless network, a compromised router) waits for, or induces, a plain-HTTP request from the victim's browser to the application's hostname, for example by injecting an http:// link or redirect into unrelated plaintext traffic. Because the session cookie lacks the Secure attribute, the browser attaches it to that request in the clear; the attacker reads it off the wire and replays it in their own requests, inheriting the victim's authenticated session. The attacker never needs to break TLS, only to reach the user's plaintext traffic.
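The request pattern described above (proxy forwards over plain HTTP with X-Forwarded-Proto: https) and a check for the resulting Set-Cookie header, as an added example for this page; it is not Apache Tomcat code and not part of the original advisory. The two HTTP responses are constructed samples rather than captured traffic, and the host, port, path and client address are placeholders for a real deployment.

```python
"""Check whether a Tomcat session cookie is issued without the Secure
attribute to a request that came in over plain HTTP from a TLS-terminating
reverse proxy (the CVE-2023-28708 pattern).

Added example, not Apache Tomcat project code. The two responses below are
constructed samples, not captured traffic; host/port/path for probe_live()
and the 203.0.113.10 client address are placeholders.
"""
from __future__ import annotations

import http.client
from dataclasses import dataclass


@dataclass
class CookieReport:
    name: str
    secure: bool
    httponly: bool
    samesite: str | None


def parse_set_cookie(value: str) -> tuple[str, dict[str, str | bool]]:
    """Split one Set-Cookie value into (cookie name, {attribute: value or True})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: dict[str, str | bool] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, _, val = attr.partition("=")
        # Flag attributes (Secure, HttpOnly) carry no value; record them as True.
        attrs[key.strip().lower()] = val.strip() if val else True
    return name, attrs


def audit_response(raw_response: str, cookie_name: str = "JSESSIONID") -> CookieReport | None:
    """Locate the session cookie in a raw HTTP response and report its flags.

    Returns None when the response sets no cookie with that name.
    """
    head = raw_response.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        field, _, value = line.partition(":")
        if field.strip().lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(value)
        if name == cookie_name:
            samesite = attrs.get("samesite")
            return CookieReport(
                name=name,
                secure=attrs.get("secure") is True,
                httponly=attrs.get("httponly") is True,
                samesite=samesite if isinstance(samesite, str) else None,
            )
    return None


def proxy_style_headers(host: str, client_ip: str = "203.0.113.10") -> dict[str, str]:
    """Headers that mimic what a TLS-terminating proxy forwards to Tomcat.

    RemoteIpFilter only honours X-Forwarded-Proto when the TCP peer matches
    its internalProxies pattern (loopback and RFC 1918 ranges by default), so
    the probe must be sent from such an address, e.g. from the proxy host,
    straight to Tomcat's plain-HTTP connector.
    """
    return {
        "Host": host,
        "X-Forwarded-Proto": "https",
        "X-Forwarded-For": client_ip,   # constructed client address (TEST-NET-3)
    }


def probe_live(host: str, port: int, path: str) -> CookieReport | None:
    """Send the proxy-style request over plain HTTP and audit the reply.

    Network call; not exercised by the samples below.
    """
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers=proxy_style_headers(host))
        resp = conn.getresponse()
        # Rebuild a raw header block so the same auditor applies; getheaders()
        # preserves repeated Set-Cookie lines.
        head = f"HTTP/1.1 {resp.status} {resp.reason}\r\n" + "\r\n".join(
            f"{k}: {v}" for k, v in resp.getheaders()
        )
        return audit_response(head + "\r\n\r\n")
    finally:
        conn.close()


# Constructed sample responses (not captured traffic). Tomcat sends an empty
# reason phrase, hence "200 " on the status line.
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 \r\n"
    "Set-Cookie: JSESSIONID=0123456789ABCDEF0123456789ABCDEF; Path=/app; HttpOnly\r\n"
    "Content-Type: text/html;charset=UTF-8\r\n"
    "\r\n"
    "<html></html>"
)
FIXED_RESPONSE = VULNERABLE_RESPONSE.replace("Path=/app; HttpOnly", "Path=/app; Secure; HttpOnly")


def is_cve_2023_28708_pattern(raw_response: str) -> bool:
    """True when JSESSIONID is set without Secure on a proxied-https request."""
    report = audit_response(raw_response)
    return report is not None and not report.secure


if __name__ == "__main__":
    for label, sample in (("vulnerable", VULNERABLE_RESPONSE), ("fixed", FIXED_RESPONSE)):
        verdict = "FLAG" if is_cve_2023_28708_pattern(sample) else "ok"
        print(label, audit_response(sample), "->", verdict)
```

Run probe_live() from the proxy host against the connector port the proxy forwards to; if the report comes back with secure=False, the deployment shows the pattern and should be upgraded or configured as described under Mitigation. Running it from an arbitrary client address proves nothing, because the filter ignores X-Forwarded-Proto from peers outside internalProxies.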

Mitigation and Prevention

Addressing CVE-2023-28708 requires immediate action to enhance security measures and protect systems and user data.

Immediate Steps to Take

        Upgrade to a fixed release: Apache Tomcat 11.0.0-M3, 10.1.6, 9.0.72 or 8.5.86 and later.
        If upgrading has to wait, force the Secure attribute on the session cookie at the application level with a <cookie-config><secure>true</secure></cookie-config> entry in web.xml, or mark the proxied connector itself as secure in server.xml (secure="true" scheme="https") when everything it receives has already been TLS-terminated. The advisory names only the RemoteIpFilter; the RemoteIpValve, its server.xml-level counterpart, sets the secure flag on the connector request directly and is not listed.
        Send HTTP Strict Transport Security so browsers stop issuing plain-HTTP requests to the site, and verify with a proxy-style request that JSESSIONID now comes back with Secure.
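The configuration-level mitigations for this issue, added here as an example; these fragments are not from the Apache Tomcat project or from the original advisory. The proxy address 10.0.0.5, the connector port and the timeout are placeholders for your own deployment.

```xml
<!-- WEB-INF/web.xml: force Secure (and HttpOnly) on the session cookie
     regardless of what the container infers about the connection.
     Standard Servlet 3.0 session-config; works on all affected branches. -->
<session-config>
    <cookie-config>
        <http-only>true</http-only>
        <secure>true</secure>
    </cookie-config>
</session-config>

<!-- WEB-INF/web.xml: the RemoteIpFilter the advisory concerns, with the
     proxy address pinned so only that host may assert X-Forwarded-Proto.
     10.0.0.5 is an assumed address; the default internalProxies pattern
     trusts every loopback and RFC 1918 source. -->
<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
    <init-param>
        <param-name>internalProxies</param-name>
        <param-value>10\.0\.0\.5</param-value>
    </init-param>
    <init-param>
        <param-name>protocolHeader</param-name>
        <param-value>X-Forwarded-Proto</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>RemoteIpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

<!-- conf/server.xml: alternative for a connector that only ever receives
     traffic the proxy has already TLS-terminated. secure="true" makes
     request.isSecure() true before any filter runs, so the session cookie
     is issued with Secure. Never use this on a connector that also takes
     genuine plain-HTTP traffic. -->
<Connector port="8080" protocol="HTTP/1.1"
           secure="true" scheme="https" proxyPort="443"
           connectionTimeout="20000" />
```

The web.xml cookie-config is the safest interim change because it does not depend on how the connection arrived; the connector setting is only correct when the proxy is the sole client of that port.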

Long-Term Security Practices

        Track Apache Tomcat security announcements (the tomcat-announce list and the per-branch security pages) and apply patches promptly.
        Set the Secure, HttpOnly and SameSite attributes on session cookies explicitly in web.xml rather than relying on the container to infer them from the connection, and send HTTP Strict Transport Security so browsers never downgrade to plain HTTP.

Patching and Updates

The Apache Software Foundation fixed the issue in Tomcat 11.0.0-M3, 10.1.6, 9.0.72 and 8.5.86. The per-branch security pages (https://tomcat.apache.org/security-11.html, https://tomcat.apache.org/security-10.html, https://tomcat.apache.org/security-9.html and https://tomcat.apache.org/security-8.html) carry the advisory text, the fixing commits and the upgrade path for each affected branch.
