An update for tomcat is now available for openEuler-22.03-LTS-SP1
Security Advisory
openeuler-security@openeuler.org
openEuler security committee
openEuler-SA-2024-2404
Final
1.0
1.0
2024-11-15
Initial
2024-11-15
2024-11-15
openEuler SA Tool V1.0
2024-11-15
tomcat security update
An update for tomcat is now available for openEuler-22.03-LTS-SP1
The Apache Tomcat software is developed in an open and participatory environment and released under the Apache License version 2. The Apache Tomcat project is intended to be a collaboration of the best-of-breed developers from around the world. We invite you to participate in this open development project
Security Fix(es):
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.(CVE-2021-43980)
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.(CVE-2022-25762)
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.(CVE-2023-44487)
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
(CVE-2023-46589)
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
(CVE-2024-23672)
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
(CVE-2024-24549)
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
(CVE-2024-34750)
An update for tomcat is now available for openEuler-22.03-LTS-SP1.
openEuler Security has rated this update as having a security impact of high. A Common Vunlnerability Scoring System(CVSS)base score,which gives a detailed severity rating, is available for each vulnerability from the CVElink(s) in the References section.
High
tomcat
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2404
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2021-43980
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2022-25762
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-44487
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2023-46589
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-23672
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-24549
https://www.openeuler.org/en/security/cve/detail/?cveId=CVE-2024-34750
https://nvd.nist.gov/vuln/detail/CVE-2021-43980
https://nvd.nist.gov/vuln/detail/CVE-2022-25762
https://nvd.nist.gov/vuln/detail/CVE-2023-44487
https://nvd.nist.gov/vuln/detail/CVE-2023-46589
https://nvd.nist.gov/vuln/detail/CVE-2024-23672
https://nvd.nist.gov/vuln/detail/CVE-2024-24549
https://nvd.nist.gov/vuln/detail/CVE-2024-34750
openEuler-22.03-LTS-SP1
tomcat-9.0.96-1.oe2203sp1.noarch.rpm
tomcat-help-9.0.96-1.oe2203sp1.noarch.rpm
tomcat-jsvc-9.0.96-1.oe2203sp1.noarch.rpm
tomcat-9.0.96-1.oe2203sp1.src.rpm
The simplified implementation of blocking reads and writes introduced in Tomcat 10 and back-ported to Tomcat 9.0.47 onwards exposed a long standing (but extremely hard to trigger) concurrency bug in Apache Tomcat 10.1.0 to 10.1.0-M12, 10.0.0-M1 to 10.0.18, 9.0.0-M1 to 9.0.60 and 8.5.0 to 8.5.77 that could cause client connections to share an Http11Processor instance resulting in responses, or part responses, to be received by the wrong client.
2024-11-15
CVE-2021-43980
openEuler-22.03-LTS-SP1
Low
3.7
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
tomcat security update
2024-11-15
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2404
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause the a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently which could result in data being returned to the wrong use and/or other errors.
2024-11-15
CVE-2022-25762
openEuler-22.03-LTS-SP1
High
8.6
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
tomcat security update
2024-11-15
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2404
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
2024-11-15
CVE-2023-44487
openEuler-22.03-LTS-SP1
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
tomcat security update
2024-11-15
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2404
Improper Input Validation vulnerability in Apache Tomcat.Tomcat from 11.0.0-M1 through 11.0.0-M10, from 10.1.0-M1 through 10.1.15, from 9.0.0-M1 through 9.0.82 and from 8.5.0 through 8.5.95 did not correctly parse HTTP trailer headers. A trailer header that exceeded the header size limit could cause Tomcat to treat a single
request as multiple requests leading to the possibility of request
smuggling when behind a reverse proxy.
Users are recommended to upgrade to version 11.0.0-M11 onwards, 10.1.16 onwards, 9.0.83 onwards or 8.5.96 onwards, which fix the issue.
2024-11-15
CVE-2023-46589
openEuler-22.03-LTS-SP1
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
tomcat security update
2024-11-15
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2404
Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
2024-11-15
CVE-2024-23672
openEuler-22.03-LTS-SP1
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
tomcat security update
2024-11-15
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2404
Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed.This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M16, from 10.1.0-M1 through 10.1.18, from 9.0.0-M1 through 9.0.85, from 8.5.0 through 8.5.98.
Users are recommended to upgrade to version 11.0.0-M17, 10.1.19, 9.0.86 or 8.5.99 which fix the issue.
2024-11-15
CVE-2024-24549
openEuler-22.03-LTS-SP1
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
tomcat security update
2024-11-15
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2404
Improper Handling of Exceptional Conditions, Uncontrolled Resource Consumption vulnerability in Apache Tomcat. When processing an HTTP/2 stream, Tomcat did not handle some cases of excessive HTTP headers correctly. This led to a miscounting of active HTTP/2 streams which in turn led to the use of an incorrect infinite timeout which allowed connections to remain open which should have been closed.
This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.0-M20, from 10.1.0-M1 through 10.1.24, from 9.0.0-M1 through 9.0.89.
Users are recommended to upgrade to version 11.0.0-M21, 10.1.25 or 9.0.90, which fixes the issue.
2024-11-15
CVE-2024-34750
openEuler-22.03-LTS-SP1
High
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
tomcat security update
2024-11-15
https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2024-2404