CVE-2023-28708: Information Disclosure Vulnerability in Apache Tomcat
As technology advances, so do the tactics of cybercriminals, who are constantly on the lookout for software vulnerabilities to exploit. Apache Tomcat, a popular Java web application server, is the latest software found to have a vulnerability that can expose user data.
The vulnerability, identified as CVE-2023-28708, allows attackers to capture session cookies when the browser transmits them over an insecure (plain HTTP) channel. It affects Apache Tomcat versions 8.5.0 to 8.5.85, 9.0.0-M1 to 9.0.71, 10.1.0-M1 to 10.1.5, and 11.0.0-M1 to 11.0.0-M2.
The Apache Tomcat server, which implements Jakarta Servlet, Jakarta Expression Language, and WebSocket technologies, provides a “pure Java” HTTP web server environment in which Java code can run. This makes it a popular choice for developers looking to create web applications with Java.
The flaw is that when Tomcat uses the RemoteIpFilter and receives a request from a reverse proxy over plain HTTP with the X-Forwarded-Proto header set to https, the session cookie it creates does not carry the Secure attribute. Because the attribute is missing, the user agent may later send the session cookie over an insecure channel, where an attacker could capture it and gain access to sensitive user data.
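A small audit check for this symptom, added here as an example and not taken from the advisory or the Tomcat project: given the headers a reverse proxy forwarded (including X-Forwarded-Proto: https) and the Set-Cookie headers Tomcat returned, it reports session cookies that lack the Secure attribute. The sample request and replies are constructed, and the session ID value is a placeholder.

```python
"""Audit for the CVE-2023-28708 symptom: a session cookie issued on a request
that Tomcat should have treated as HTTPS (the reverse proxy sent
X-Forwarded-Proto: https) but that lacks the Secure attribute."""
from __future__ import annotations

# Tomcat's default session cookie name; extend the set for custom names.
SESSION_COOKIE_NAMES = {"JSESSIONID"}


def header_value(headers: dict[str, str], name: str) -> str:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def parse_set_cookie(header: str) -> tuple[str, dict[str, str | None]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lower-cased; flag attributes such as Secure map to None."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs: dict[str, str | None] = {}
    for part in parts[1:]:
        if part:
            key, sep, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def insecure_session_cookies(request_headers: dict[str, str],
                             set_cookie_headers: list[str],
                             session_names: set[str] = SESSION_COOKIE_NAMES) -> list[str]:
    """Return names of session cookies set without Secure on a request the proxy
    marked as https. Requests forwarded as plain http are out of scope: there a
    cookie may legitimately lack Secure, so they are not reported."""
    if header_value(request_headers, "X-Forwarded-Proto").lower() != "https":
        return []
    findings = []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name in session_names and "secure" not in attrs:
            findings.append(name)
    return findings


# Constructed sample exchange: what the proxy sends Tomcat, and two possible replies.
PROXIED_REQUEST = {"Host": "app.example", "X-Forwarded-Proto": "https",
                   "X-Forwarded-For": "203.0.113.10"}
# Vulnerable behaviour: no Secure attribute despite the https forward (placeholder ID).
VULNERABLE_REPLY = ["JSESSIONID=PLACEHOLDERSESSIONID; Path=/; HttpOnly"]
# Fixed behaviour: Secure is present.
FIXED_REPLY = ["JSESSIONID=PLACEHOLDERSESSIONID; Path=/; Secure; HttpOnly"]

if __name__ == "__main__":
    print("vulnerable:", insecure_session_cookies(PROXIED_REQUEST, VULNERABLE_REPLY))
    print("fixed:", insecure_session_cookies(PROXIED_REQUEST, FIXED_REPLY))
```

To run it against a real deployment, capture the proxy-to-Tomcat request and the Set-Cookie headers of the response that created the session, then pass them to insecure_session_cookies.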
To mitigate the CVE-2023-28708 vulnerability, users of affected versions should upgrade to Apache Tomcat 11.0.0-M3 or later, Apache Tomcat 10.1.6 or later, Apache Tomcat 9.0.72 or later, or Apache Tomcat 8.5.86 or later. It is essential for users to apply these upgrades as soon as possible to reduce the risk of cybercriminals exploiting the vulnerability.