CVE-2018-8034
The MITRE CVE dictionary describes this issue as:
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
Find out more about CVE-2018-8034 from the MITRE CVE dictionary dictionary and NIST NVD.
Statement
Tomcat 6, and Red Hat products shipping it, are not affected by this CVE. Tomcat 7, 8, and 9, as well as Red Hat Products shipping them, are affected. Affected products, including Red Hat JBoss Web Server 3 and 5, Enterprise Application Server 6, and Fuse 7, may provide fixes for this issue in a future release.
CVSS v3 metrics
NOTE: The following CVSS v3 metrics and score provided are preliminary and subject to review.
| CVSS3 Base Score | 4.3 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity Impact | Low |
| Availability Impact | None |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Software Collections for Red Hat Enterprise Linux | rh-java-common-tomcat | Not affected |
| Red Hat OpenShift Application Runtimes 1.0 | springboot | Affected |
| Red Hat JBoss Web Server 5 | tomcat | Affected |
| Red Hat JBoss Web Server 3 | tomcat7 | Affected |
| Red Hat JBoss Web Server 3 | tomcat8 | Affected |
| Red Hat JBoss Operations Network 3 | jbossweb | Will not fix |
| Red Hat JBoss Fuse Service Works 6 | jbossweb | Will not fix |
| Red Hat JBoss Fuse 7 | tomcat | Affected |
| Red Hat JBoss Fuse 6 | tomcat | Will not fix |
| Red Hat JBoss Enterprise SOA Platform 5 | jbossweb | Not affected |
| Red Hat JBoss EWS 2 | tomcat7 | Will not fix |
| Red Hat JBoss EWS 2 | tomcat6 | Not affected |
| Red Hat JBoss EAP 6 | jbossweb | Affected |
| Red Hat JBoss EAP 5 | jbossweb | Not affected |
| Red Hat JBoss Data Virtualization 6 | jbossweb | Will not fix |
| Red Hat JBoss Data Grid 7 | tomcat | Not affected |
| Red Hat JBoss Data Grid 6 | jbossweb | Not affected |
| Red Hat JBoss BRMS 6 | tomcat | Not affected |
| Red Hat JBoss BRMS 5 | jbossweb | Not affected |
| Red Hat JBoss BPMS 6 | tomcat | Not affected |
| Red Hat Enterprise Linux 7 | tomcat | Affected |
| Red Hat Enterprise Linux 6 | tomcat6 | Not affected |
CVE description copyright © 2017, The MITRE Corporation