Tomcat vulnerability (CVE-2023-28708)
Is loadmaster affected by the following CVE?
Apache has issued a fix for a Tomcat vulnerability (CVE-2023-28708) that could leak application session cookies and so expose user credentials. The flaw causes Tomcat to issue session cookies without the Secure attribute, which allows the browser to transmit the session cookie over an insecure (plain HTTP) channel. The vulnerability affects Apache Tomcat versions up to and including 8.5.85, 9.0.71, 10.1.5, and 11.0.0-M2.
Details of the vulnerability are as follows:
LoadMaster doesn’t use Tomcat, so the LM itself isn’t vulnerable.
Applications running behind LoadMaster that use Tomcat are vulnerable and should be updated to a fixed version of Tomcat. In the meantime, LoadMaster customers can close this exposure for cookies coming from back-end Tomcat Real Servers by using LoadMaster content rules to add the Secure attribute, as described here.
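As an added illustration (not part of this article, and not LoadMaster content-rule syntax), the following Python shows the header rewrite a reverse proxy performs for this mitigation: it audits a response's Set-Cookie headers for a missing Secure attribute and appends it where absent. The response headers are a constructed sample modelled on what an affected Tomcat would emit.

```python
from typing import Iterable, List, Tuple

Header = Tuple[str, str]

# Constructed sample response headers from a back-end Tomcat affected by
# CVE-2023-28708: the JSESSIONID cookie is issued without the Secure flag.
SAMPLE_HEADERS: List[Header] = [
    ("Content-Type", "text/html;charset=UTF-8"),
    ("Set-Cookie", "JSESSIONID=ABC123DEF456; Path=/app; HttpOnly"),
    ("Set-Cookie", "theme=dark; Path=/; Secure"),
]


def missing_secure(set_cookie: str) -> bool:
    """True when a Set-Cookie value carries no Secure attribute.

    Attributes follow the first ';' and are compared case-insensitively, so
    a cookie whose Path happens to contain 'secure' is not mistaken for one.
    """
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    return "secure" not in attrs


def add_secure(set_cookie: str) -> str:
    """Append '; Secure' to a Set-Cookie value that lacks it; idempotent."""
    if missing_secure(set_cookie):
        return set_cookie.rstrip().rstrip(";") + "; Secure"
    return set_cookie


def harden_headers(headers: Iterable[Header]) -> List[Header]:
    """Rewrite every Set-Cookie header in a response so it carries Secure.

    This is the effect a load balancer's header-modification rule has on
    responses from Tomcat Real Servers; other headers pass through untouched.
    """
    return [
        (name, add_secure(value) if name.lower() == "set-cookie" else value)
        for name, value in headers
    ]


def audit(headers: Iterable[Header]) -> List[str]:
    """Return the names of cookies set without the Secure attribute."""
    return [
        value.split("=", 1)[0].strip()
        for name, value in headers
        if name.lower() == "set-cookie" and missing_secure(value)
    ]
```

Running `audit` against back-end responses before and after the rewrite is a quick check that the rule is actually applied to every virtual service fronting Tomcat; it does not replace upgrading Tomcat, since the rewrite only covers traffic that passes through the LoadMaster.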