CVE-2023-28708 - How an Apache Tomcat Proxy Setting Could Leak Your Cookies

In 2023, a vulnerability was discovered in popular versions of Apache Tomcat, the Java-based web server and servlet container. The issue—now tracked as CVE-2023-28708—revolves around how Tomcat handled session cookies when sitting behind a reverse proxy.

If you run a Tomcat-powered service behind a proxy using HTTP (instead of HTTPS), and the proxy uses the X-Forwarded-Proto header to say the client connection was secure, you might be in for a surprise: Tomcat would sometimes skip adding the Secure attribute to session cookies. This means your users’ session tokens could travel over plain HTTP—putting accounts at risk!

Below, I break down what happened, show sample code, explain when you’re at risk, and discuss how to fix it.

What Exactly Was the Issue?

With sites today, it’s common to use a TLS-terminating reverse proxy (like NGINX or an AWS ELB) in front of an app server (like Tomcat). The proxy listens on HTTPS, decrypts the traffic, then connects to Tomcat, usually over plain HTTP. To let backend services know the original protocol, the proxy uses X-Forwarded-Proto: https.

Apache Tomcat’s RemoteIpFilter can be configured to trust this header. For years, that’s been a vital part of making web applications work securely behind proxies. But, in vulnerable Tomcat versions, this trust led to a logic bug: Tomcat would believe it was talking over HTTPS (because of the header) and would forget to add the Secure flag to session cookies.

Proxy ⟷ Tomcat (over HTTP, with X-Forwarded-Proto: https)

Tomcat sets a session cookie

The cookie doesn’t include the Secure attribute

User reconnects, but now the session cookie is sent even for HTTP pages!

Why the Secure Attribute Matters

The Secure flag on a cookie tells browsers: *only send this cookie over HTTPS*. Without it, a session identifier can get sent over both HTTP and HTTPS. If a user visits an HTTP endpoint (malicious or otherwise), their session cookie could leak out in plaintext—allowing attackers to hijack the session.

Example, vulnerable session cookie sent by Tomcat

Set-Cookie: JSESSIONID=ABCDEF123456789; Path=/; HttpOnly

8.5. to 8.5.85

Reference:  
- Tomcat Security Advisory
- NVD CVE-2023-28708 Entry

Imagine a Tomcat app with the following filter in its web.xml

<filter>
    <filter-name>remoteIpFilter</filter-name>
    <filter-class>org.apache.catalina.filters.RemoteIpFilter</filter-class>
</filter>
<filter-mapping>
    <filter-name>remoteIpFilter</filter-name>
    <url-pattern>/*</url-pattern>
</filter-mapping>

And suppose your NGINX reverse proxy dispatches requests like this

location / {
    proxy_set_header X-Forwarded-Proto https;
    proxy_pass http://tomcat_backend;
}

Now, a user logs in. Tomcat creates a session cookie.

The *expected* behavior is

Set-Cookie: JSESSIONID=ABCDEF123456789; Path=/; HttpOnly; Secure

Actual behavior:
Since Tomcat is behind a proxy and only sees HTTP, it doesn’t set Secure on the cookie—but because of RemoteIpFilter, it *should*.

Simulate a login to Tomcat, going through an HTTP proxy that sets the X-Forwarded-Proto header.

curl -v -H "X-Forwarded-Proto: https" http://localhost:808/your-app/login

If vulnerable, you’ll see

Set-Cookie: JSESSIONID=xyz123; Path=/; HttpOnly

Attacker launches a phishing page or tricks the user to load a plain HTTP resource from your site.

- User’s browser, not seeing the Secure attribute for the session cookie, transmits it via clear HTTP.

Attacker intercepts the session cookie, hijacks the session, and takes over the user’s account.

All because Tomcat failed to mark the session cookie as Secure!

8.5.86 and later

You can download updated Tomcat versions here.

Strict proxy rules.

Configure proxies to reject or overwrite suspicious headers. Don’t let the client directly set X-Forwarded-Proto!

4. Cookie rewrite/intercept in the proxy.

Conclusion

CVE-2023-28708 is a classic example of the devil being in the details when it comes to proxies, headers, and cookie security. While many assume using a reverse proxy “just works,” subtle misconfigurations or bugs can undermine your site’s safety—potentially exposing all your users’ sessions.

More info

- Official Tomcat Security Notification
- NIST NVD: CVE-2023-28708

Timeline

Published on: 03/22/2023 11:15:00 UTC
Last modified on: 03/27/2023 15:26:00 UTC