<html>
<head>
<base href="https://bugzilla.rosalinux.ru/">
</head>
<body><table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>Platform</th>
<td>2021.1
</td>
</tr>
<tr>
<th>Bug ID</th>
<td><a class="bz_bug_link
bz_status_CONFIRMED "
title="CONFIRMED - [CVE 21] tomcat 9.0.37 CVEs found"
href="https://bugzilla.rosalinux.ru/show_bug.cgi?id=13333">13333</a>
</td>
</tr>
<tr>
<th>Summary</th>
<td>[CVE 21] tomcat 9.0.37 CVEs found
</td>
</tr>
<tr>
<th>Classification</th>
<td>ROSA-based products
</td>
</tr>
<tr>
<th>Product</th>
<td>ROSA Fresh
</td>
</tr>
<tr>
<th>Version</th>
<td>All
</td>
</tr>
<tr>
<th>Hardware</th>
<td>All
</td>
</tr>
<tr>
<th>URL</th>
<td>CVE-2020-9484, CVE-2021-24122, CVE-2021-25122, CVE-2021-25329, CVE-2021-30640, CVE-2021-33037, CVE-2021-41079, CVE-2021-42340, CVE-2021-43980, CVE-2022-23181, CVE-2022-25762, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2023-28708,
</td>
</tr>
<tr>
<th>OS</th>
<td>Linux
</td>
</tr>
<tr>
<th>Status</th>
<td>CONFIRMED
</td>
</tr>
<tr>
<th>Severity</th>
<td>normal
</td>
</tr>
<tr>
<th>Priority</th>
<td>Normal
</td>
</tr>
<tr>
<th>Component</th>
<td>System (kernel, glibc, systemd, bash, PAM...)
</td>
</tr>
<tr>
<th>Assignee</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>Reporter</th>
<td>y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>QA Contact</th>
<td>bugs@lists.rosalinux.ru
</td>
</tr>
<tr>
<th>CC</th>
<td>s.matveev@rosalinux.ru, y.tumanov@rosalinux.ru
</td>
</tr>
<tr>
<th>Target Milestone</th>
<td>---
</td>
</tr>
<tr>
<th>Flags</th>
<td>secteam_verified?
</td>
</tr></table>
<p>
<div>
<pre>Please patch CVEs for package tomcat version 9.0.37
INFO (CVEs are): tomcat 9.0.37
cves found
CVE-2020-9484
Desc: When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to
9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to
control the contents and name of a file on the server; and b) the server is
configured to use the PersistenceManager with a FileStore; and c) the
PersistenceManager is configured with
sessionAttributeValueClassNameFilter="null" (the default unless a
SecurityManager is used) or a sufficiently lax filter to allow the attacker
provided object to be deserialized; and d) the attacker knows the relative file
path from the storage location used by FileStore to the file the attacker has
control over; then, using a specifically crafted request, the attacker will be
able to trigger remote code execution via deserialization of the file under
their control. Note that all of conditions a) to d) must be true for the attack
to succeed.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2020-9484">https://nvd.nist.gov/vuln/detail/CVE-2020-9484</a>
Severity: HIGH
CVE-2021-24122
Desc: When serving resources from a network location using the NTFS file
system, Apache Tomcat versions 10.0.0-M1 to 10.0.0-M9, 9.0.0.M1 to 9.0.39,
8.5.0 to 8.5.59 and 7.0.0 to 7.0.106 were susceptible to JSP source code
disclosure in some configurations. The root cause was the unexpected behaviour
of the JRE API File.getCanonicalPath() which in turn was caused by the
inconsistent behaviour of the Windows API (FindFirstFileW) in some
circumstances.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-24122">https://nvd.nist.gov/vuln/detail/CVE-2021-24122</a>
Severity: MEDIUM
CVE-2021-25122
Desc: When responding to new h2c connection requests, Apache Tomcat versions
10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate
request headers and a limited amount of request body from one request to
another meaning user A and user B could both see the results of user A's
request.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-25122">https://nvd.nist.gov/vuln/detail/CVE-2021-25122</a>
Severity: HIGH
CVE-2021-25329
Desc: The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat
10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0. to 7.0.107
with a configuration edge case that was highly unlikely to be used, the Tomcat
instance was still vulnerable to CVE-2020-9494. Note that both the previously
published prerequisites for CVE-2020-9484 and the previously published
mitigations for CVE-2020-9484 also apply to this issue.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-25329">https://nvd.nist.gov/vuln/detail/CVE-2021-25329</a>
Severity: HIGH
CVE-2021-30640
Desc: A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to
authenticate using variations of a valid user name and/or to bypass some of the
protection provided by the LockOut Realm. This issue affects Apache Tomcat
10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-30640">https://nvd.nist.gov/vuln/detail/CVE-2021-30640</a>
Severity: MEDIUM
CVE-2021-33037
Desc: Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66
did not correctly parse the HTTP transfer-encoding request header in some
circumstances leading to the possibility to request smuggling when used with a
reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding
header if the client declared it would only accept an HTTP/1.0 response; -
Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if
present, the chunked encoding was the final encoding.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-33037">https://nvd.nist.gov/vuln/detail/CVE-2021-33037</a>
Severity: MEDIUM
CVE-2021-41079
Desc: Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2
did not properly validate incoming TLS packets. When Tomcat was configured to
use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be
used to trigger an infinite loop resulting in a denial of service.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-41079">https://nvd.nist.gov/vuln/detail/CVE-2021-41079</a>
Severity: HIGH
CVE-2021-42340
Desc: The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5,
10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory
leak. The object introduced to collect metrics for HTTP upgrade connections was
not released for WebSocket connections once the connection was closed. This
created a memory leak that, over time, could lead to a denial of service via an
OutOfMemoryError.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-42340">https://nvd.nist.gov/vuln/detail/CVE-2021-42340</a>
Severity: HIGH
CVE-2021-43980
Desc: The simplified implementation of blocking reads and writes introduced in
Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but
extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to
10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that
could cause client connections to share an Http11Processor instance resulting
in responses, or part responses, to be received by the wrong client.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-43980">https://nvd.nist.gov/vuln/detail/CVE-2021-43980</a>
Severity: LOW
CVE-2022-23181
Desc: The fix for bug CVE-2020-9484 introduced a time of check, time of use
vulnerability into Apache Tomcat 10.1.0-M1 to 10.1.0-M8, 10.0.0-M5 to 10.0.14,
9.0.35 to 9.0.56 and 8.5.55 to 8.5.73 that allowed a local attacker to perform
actions with the privileges of the user that the Tomcat process is using. This
issue is only exploitable when Tomcat is configured to persist sessions using
the FileStore.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-23181">https://nvd.nist.gov/vuln/detail/CVE-2022-23181</a>
Severity: HIGH
CVE-2022-25762
Desc: If a web application sends a WebSocket message concurrently with the
WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or
Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will
continue to use the socket after it has been closed. The error handling
triggered in this case could cause the a pooled object to be placed in the pool
twice. This could result in subsequent connections using the same object
concurrently which could result in data being returned to the wrong use and/or
other errors.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-25762">https://nvd.nist.gov/vuln/detail/CVE-2022-25762</a>
Severity: HIGH
CVE-2022-29885
Desc: The documentation of Apache Tomcat 10.1.0-M1 to 10.1.0-M14, 10.0.0-M1 to
10.0.20, 9.0.13 to 9.0.62 and 8.5.38 to 8.5.78 for the EncryptInterceptor
incorrectly stated it enabled Tomcat clustering to run over an untrusted
network. This was not correct. While the EncryptInterceptor does provide
confidentiality and integrity protection, it does not protect against all risks
associated with running over any untrusted network, particularly DoS risks.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-29885">https://nvd.nist.gov/vuln/detail/CVE-2022-29885</a>
Severity: HIGH
CVE-2022-34305
Desc: In Apache Tomcat 10.1.0-M1 to 10.1.0-M16, 10.0.0-M1 to 10.0.22, 9.0.30 to
9.0.64 and 8.5.50 to 8.5.81 the Form authentication example in the examples web
application displayed user provided data without filtering, exposing a XSS
vulnerability.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-34305">https://nvd.nist.gov/vuln/detail/CVE-2022-34305</a>
Severity: MEDIUM
CVE-2022-42252
Desc: If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to
10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers
via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat
did not reject a request containing an invalid Content-Length header making a
request smuggling attack possible if Tomcat was located behind a reverse proxy
that also failed to reject the request with the invalid header.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-42252">https://nvd.nist.gov/vuln/detail/CVE-2022-42252</a>
Severity: HIGH
CVE-2023-28708
Desc: When using the RemoteIpFilter with requests received from a reverse proxy
via HTTP that include the X-Forwarded-Proto header set to https, session
cookies created by Apache Tomcat 11.0.0-M1 to 11.0.0.-M2, 10.1.0-M1 to 10.1.5,
9.0.0-M1 to 9.0.71 and 8.5.0 to 8.5.85 did not include the secure attribute.
This could result in the user agent transmitting the session cookie over an
insecure channel.
Link: <a href="https://nvd.nist.gov/vuln/detail/CVE-2023-28708">https://nvd.nist.gov/vuln/detail/CVE-2023-28708</a>
Severity: MEDIUM</pre>
</div>
</p>
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are the QA Contact for the bug.</li>
<li>You are the assignee for the bug.</li>
</ul>
</body>
</html>