Kemp Support, how can we help?

The latest application delivery knowledge and expertise at your fingertips.

Tomcat vulnerability (CVE-2023-28708)





Is loadmaster affected by the following CVE?


Product: Loadmaster

Version: Any

Platform: Any

Application: N/A

Question/Problem Description:

Apache has issued a fix for a Tomcat vulnerability (CVE-2023-28708) that leaked application session cookies, resulting in exposed user credentials. The vulnerability results in session cookies lacking the secure attribute, which could allow the session cookie to be transmitted over an insecure channel. The vulnerability affects Apache Tomcat versions up to and including 8.5.85, 9.0.71, 10.1.5, and 11.0.0-M2.

Details of the vulnerabilities are as follows:
• CVE-2023-28708
i. Successful exploitation of this vulnerability results in the leaking of application session cookies, exposing the user credentials within.
ii. The CVSS is rated medium and scored at 4.3.

Steps to Reproduce:  
Error Message:  
Defect Number:  
Enhancement Number:  

LoadMaster doesn’t use Tomcat, so the LM itself isn’t vulnerable.


Applications running behind LoadMaster that use Tomcat are vulnerable and should be updated with a fixed version of Tomcat. In the meantime, LoadMaster customers can take action to close this vulnerability w.r.t. cookies coming from back-end Tomcat real servers using LoadMaster’s content rules as described here.


Was this article helpful?
0 out of 0 found this helpful