CVE-2023-28708
📋 TL;DR
Apache Tomcat fails to set the 'secure' attribute on session cookies when RemoteIpFilter is in use and a reverse proxy forwards requests over plain HTTP with an X-Forwarded-Proto: https header. Session cookies created this way can then be transmitted over insecure HTTP connections instead of being restricted to HTTPS. Affects Tomcat versions 8.5.0 through 8.5.85, 9.0.0-M1 through 9.0.71, 10.1.0-M1 through 10.1.5, and 11.0.0-M1 through 11.0.0-M2.
💻 Affected Systems
- Apache Tomcat
📦 What is this software?
Tomcat by Apache
⚠️ Risk & Real-World Impact
Worst Case
Session hijacking via man-in-the-middle attacks where attackers intercept unencrypted session cookies and impersonate legitimate users.
Likely Case
Session cookies transmitted over mixed content connections, potentially exposing sessions on networks with insufficient encryption.
If Mitigated
Minimal impact if all traffic uses HTTPS end-to-end without relying on X-Forwarded-Proto headers.
🎯 Exploit Status
Exploitation requires network position to intercept traffic and specific Tomcat configuration. No public exploits known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 8.5.86, 9.0.72, 10.1.6, 11.0.0-M3
Vendor Advisory: https://lists.apache.org/thread/hdksc59z3s7tm39x0pp33mtwdrt8qr67
Restart Required: Yes
Instructions:
1. Download the patched Tomcat version from the Apache website.
2. Stop the Tomcat service.
3. Back up the current installation.
4. Replace it with the patched version.
5. Restart the Tomcat service.
🔧 Temporary Workarounds
Disable RemoteIpFilter
Remove or disable the RemoteIpFilter configuration if it is not required.
# Edit server.xml and remove or comment out RemoteIpFilter valve
# Example: <!-- <Valve className="org.apache.catalina.valves.RemoteIpValve" ... /> -->
Force HTTPS at reverse proxy
Configure the reverse proxy to always use HTTPS and not to forward X-Forwarded-Proto headers.
# Example nginx config: proxy_set_header X-Forwarded-Proto $scheme;
# Ensure $scheme is always 'https'
🧯 If You Can't Patch
- Ensure all client-to-reverse-proxy and reverse-proxy-to-Tomcat connections use HTTPS exclusively
- Implement additional session security controls like short session timeouts and IP binding
🔍 How to Verify
Check if Vulnerable:
Check whether RemoteIpFilter is enabled and receives X-Forwarded-Proto headers from a reverse proxy, and whether the Tomcat version falls in an affected range.
Check Version:
java -cp catalina.jar org.apache.catalina.util.ServerInfo
Verify Fix Applied:
Verify that the Tomcat version is patched (8.5.86+, 9.0.72+, 10.1.6+, 11.0.0-M3+) and test that session cookies carry the 'secure' flag when requests arrive through the proxy with X-Forwarded-Proto: https.
📡 Detection & Monitoring
Log Indicators:
- Session cookies without secure flag in HTTP responses
- Mixed content warnings in application logs
Network Indicators:
- Session cookies transmitted over HTTP when HTTPS expected
- X-Forwarded-Proto: https headers in HTTP traffic
SIEM Query:
http.response.cookies:* session* NOT secure AND http.request.headers:X-Forwarded-Proto:https
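The two checks above (the version test under "How to Verify" and the cookie/header pattern behind the SIEM query) as one added Python example. This is not code from the advisory or from the Tomcat project; it assumes Tomcat's default session cookie name JSESSIONID, the version boundaries stated on this page, and a hypothetical probe_tomcat helper for testing your own deployment, which is only run when you call it explicitly. The sample exchanges are constructed, not captured traffic.

```python
"""Added example for CVE-2023-28708 (not from the advisory or Apache Tomcat).
Assumes: default session cookie name JSESSIONID; fixed versions as listed
on the advisory page; probe_tomcat targets a host you administer."""
import http.client
import re
from typing import Dict, List, Optional, Tuple

# First fixed release per branch, taken from the advisory. Branches not
# listed here (e.g. 7.0 or 8.0) are out of scope and reported as not affected.
FIXED = {"8.5": "8.5.86", "9.0": "9.0.72", "10.1": "10.1.6", "11.0": "11.0.0-M3"}

# Tomcat's default session cookie name (assumption; override if your app renames it).
SESSION_COOKIE = re.compile(r"^jsessionid$", re.I)


def parse_version(v: str) -> Tuple[int, int, int, int]:
    """Parse 'x.y.z' or 'x.y.z-Mn'. A GA release (no -M suffix) outranks
    every milestone of the same x.y.z, so milestones get a small 4th field."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-M(\d+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {v!r}")
    major, minor, patch, milestone = m.groups()
    return (int(major), int(minor), int(patch), int(milestone) if milestone else 10**6)


def is_affected_version(v: str) -> bool:
    """True when the version precedes the first fixed release of its branch."""
    ver = parse_version(v)
    fixed = FIXED.get(f"{ver[0]}.{ver[1]}")
    return fixed is not None and ver < parse_version(fixed)


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, Optional[str]]]:
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for p in parts[1:]:
        if p:
            k, sep, val = p.partition("=")
            attrs[k.strip().lower()] = val.strip() if sep else None
    return name.strip(), value.strip(), attrs


def insecure_session_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Names of session cookies issued without the Secure attribute."""
    return [
        name
        for name, _value, attrs in map(parse_set_cookie, set_cookie_headers)
        if SESSION_COOKIE.match(name) and "secure" not in attrs
    ]


# Constructed sample exchanges (request headers seen by Tomcat, Set-Cookie lines
# it returned); not captured from a real server.
SAMPLE_EXCHANGES = [
    {"request": {"X-Forwarded-Proto": "https"},
     "set_cookie": ["JSESSIONID=ABC123; Path=/; HttpOnly"]},          # vulnerable pattern
    {"request": {"X-Forwarded-Proto": "https"},
     "set_cookie": ["JSESSIONID=DEF456; Path=/; Secure; HttpOnly"]},  # patched behaviour
    {"request": {},
     "set_cookie": ["JSESSIONID=GHI789; Path=/; HttpOnly"]},          # plain HTTP, no proxy hint
]


def flag_exchanges(exchanges) -> List[Tuple[int, List[str]]]:
    """Mirror of the advisory's SIEM query: X-Forwarded-Proto: https on the
    request combined with a session cookie set without Secure."""
    hits = []
    for i, ex in enumerate(exchanges):
        req = {k.lower(): v for k, v in ex["request"].items()}
        bad = insecure_session_cookies(ex["set_cookie"])
        if req.get("x-forwarded-proto", "").lower() == "https" and bad:
            hits.append((i, bad))
    return hits


def probe_tomcat(host: str, port: int, path: str = "/") -> List[str]:
    """Hypothetical helper: reproduce the reverse-proxy condition against a
    Tomcat you administer (plain HTTP plus X-Forwarded-Proto: https, as
    RemoteIpFilter would see it). The path must be one that creates a session.
    Returns session cookie names that came back without Secure."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"X-Forwarded-Proto": "https"})
        resp = conn.getresponse()
        return insecure_session_cookies(
            [v for k, v in resp.getheaders() if k.lower() == "set-cookie"])
    finally:
        conn.close()


if __name__ == "__main__":
    for v in ("9.0.71", "9.0.72", "11.0.0-M2", "11.0.0-M3"):
        print(v, "affected" if is_affected_version(v) else "not affected")
    print("flagged exchanges:", flag_exchanges(SAMPLE_EXCHANGES))
```

Run the module directly to see the version classification and the flagged sample exchange; call probe_tomcat against your own proxied Tomcat (on the backend port the proxy uses, with a path that starts a session) to confirm the Secure attribute appears after patching. An empty list from probe_tomcat after the upgrade, where it previously returned ['JSESSIONID'], is the "Verify Fix Applied" result the advisory asks for.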