Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 662168 (CVE-2018-8014) - www-servers/tomcat: Insecure default settings (CVE-2018-8014)
Summary: www-servers/tomcat: Insecure default settings (CVE-2018-8014)
Alias: CVE-2018-8014
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Depends on: 678858 CVE-2019-0221
  Show dependency tree
Reported: 2018-07-26 07:16 UTC by GLSAMaker/CVETool Bot
Modified: 2020-03-19 17:05 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2018-07-26 07:16:37 UTC
CVE-2018-8014 (
  The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1
  to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are
  insecure and enable 'supportsCredentials' for all origins. It is expected
  that users of the CORS filter will have configured it appropriately for
  their environment rather than using it in the default configuration.
  Therefore, it is expected that most users will not be impacted by this

@Maintainers please bump fixed versions and call for stabilization when ready.

Thank you
Comment 1 Miroslav Šulc gentoo-dev 2019-02-10 14:29:13 UTC
i guess this will take some time, because:

* www-servers/tomcat:7 - is fine, we have only 7.0.92 (stable)
* www-servers/tomcat:8 - we have affected 8.0.52 (stable) and unaffected 8.0.53 (unstable), which depends on >=dev-java/ant-core-1.9.13 which is not stable yet
* www-servers/tomcat:8.5 - we have affected 8.5.31 (stable) and unaffected 8.5.37 (unstable), which depends on >=dev-java/ant-core-1.9.13 which is not stable yet
* www-servers/tomcat:9 - we have affected 9.0.8 (stable) and unaffected 9.0.{14,16] (unstable), both depend on >=dev-java/ant-core-1.9.13 which is not stable yet and also on virtual/jdk-11 which is masked atm

we can stabilize ant-core-1.9.13 sooner than at 2019-02-24 and hence we could remove the affected versions for slots 8 and 8.5, but idk when we will unmask java 11, gyakovlev would probably know better. and it will take some time before it will go stable.

shall we proceed with ant-core-1.9.13 and/or 1.10.5 stabilization to fix at least slot 8 and 8.5? there were some issues with these new versions but all that have been reported have been solved.
Comment 2 Larry the Git Cow gentoo-dev 2019-03-02 19:57:21 UTC
The bug has been referenced in the following commit(s):

commit 61beaeeb0af2968e7e27c278bd5b33ea00849880
Author:     Miroslav Šulc <>
AuthorDate: 2019-03-02 19:56:36 +0000
Commit:     Miroslav Šulc <>
CommitDate: 2019-03-02 19:57:03 +0000

    www-servers/tomcat-8.{0.52,5.31}: removed obsolete
    Package-Manager: Portage-2.3.62, Repoman-2.3.12
    Signed-off-by: Miroslav Šulc <>

 www-servers/tomcat/Manifest             |   2 -
 www-servers/tomcat/tomcat-8.0.52.ebuild | 158 --------------------------------
 www-servers/tomcat/tomcat-8.5.31.ebuild | 158 --------------------------------
 3 files changed, 318 deletions(-)
Comment 3 Miroslav Šulc gentoo-dev 2020-02-09 23:41:02 UTC
i've dropped 9.0.7 so you can proceed now
Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-19 17:05:44 UTC
Repository is clean, all done!