CVE-2023-28708: Session Cookies Missing Secure Attribute When RemoteIpFilter is Used in Apache Tomcat

A recently discovered security vulnerability, identified as CVE-2023-28708, exists in Apache Tomcat versions 11..-M1 to 11..-M2, 10.1.-M1 to 10.1.5, 9..-M1 to 9..71, and 8.5. to 8.5.85. This vulnerability, when exploited, could result in the user agent transmitting the session cookie over an insecure channel. The cause of this vulnerability is the absence of the secure attribute in session cookies created by Tomcat when using the RemoteIpFilter with requests received from a reverse proxy via HTTP that include the X-Forwarded-Proto header set to https.

In this post, we will detail the necessary information regarding this vulnerability, including an explanation of the exploit, code snippets, and links to original references.

Exploit Details

When a reverse proxy handles requests and sets the X-Forwarded-Proto header to https, Tomcat should ideally ensure that the session cookies have the secure attribute set. However, the versions mentioned above do not enforce this, making it possible for attackers to intercept the session cookies transmitted over insecure channels. The issue arises when using the RemoteIpFilter in combination with requests that include the X-Forwarded-Proto header set to https.

RemoteIpFilter is a feature that allows the web server to identify the client's IP address and secure status through the X-Forwarded-For and X-Forwarded-Proto headers. When using the RemoteIpFilter, the session cookies should have the secure attribute set if the X-Forwarded-Proto header is set to https; however, this is not the case, leading to potential security issues.

An example of correctly configuring the RemoteIpFilter in the web.xml file of your application

<filter>
    <filter-name>RemoteIpFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
    <init-param>
        <param-name>internalProxies</param-name>
        <param-value>127...1</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>RemoteIpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

Ensure that your reverse proxy sets the correct X-Forwarded-Proto header

proxy_set_header X-Forwarded-Proto https;

When checking the secure attribute in the session cookies, it should be present

Cookie cookie = new Cookie("JSESSIONID", session.getId());
cookie.setSecure(true); // This should be true when X-Forwarded-Proto is set to https

Original References

- CVE-2023-28708 - NVD
- Tomcat 11..-M2 - Changelog)

Conclusion

It is crucial to address this vulnerability in your Apache Tomcat deployment to ensure that your application is not susceptible to attackers intercepting session cookies. To mitigate this vulnerability, you should update your Tomcat deployment to the latest version that contains the necessary security fix, or follow the workarounds if you cannot update immediately. Always stay up-to-date on the latest security vulnerabilities and best practices to secure your web application and protect sensitive user information.

Timeline

Published on: 03/22/2023 11:15:00 UTC
Last modified on: 03/27/2023 15:26:00 UTC