| Summary: | tomcat new security issues CVE-2021-30640, CVE-2021-33037, CVE-2021-41079, CVE-2021-42340 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | critical | | |
| Priority: | Normal | CC: | andrewsfarm, brtians1, davidwhodgins, geiger.david68210, mageia, nicolas.salguero, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | tomcat-9.0.41-1.2.mga8.src.rpm | CVE: | CVE-2021-30640, CVE-2021-33037, CVE-2021-41079, CVE-2021-42340 |
| Status comment: | | | |
Description
David Walser
2021-08-10 16:03:25 CEST

David Walser
2021-08-10 16:03:47 CEST
CC: (none) => geiger.david68210

There was also an issue fixed upstream in 9.0.44:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.44
which was announced on September 15:
https://www.openwall.com/lists/oss-security/2021/09/15/6

Only Mageia 8 is affected by this issue.
Severity: major => critical

There was also an issue fixed upstream in 9.0.54:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.54
which was announced on October 14:
https://www.openwall.com/lists/oss-security/2021/10/14/1
Status comment: Fixed upstream in 9.0.48 => Fixed upstream in 9.0.54

Debian has issued an advisory for two of these issues on October 14:
https://www.debian.org/security/2021/dsa-4986
Nicolas Lécureuil
2021-10-17 21:54:07 CEST
CC: (none) => mageia

Nicolas Lécureuil
2021-10-17 21:54:17 CEST
Whiteboard: MGA8TOO => (none)

Suggested advisory:
========================

The updated packages fix security vulnerabilities:

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. (CVE-2021-30640)

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0-M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances, leading to the possibility of request smuggling when used with a reverse proxy. Specifically:
- Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response;
- Tomcat honoured the identity encoding; and
- Tomcat did not ensure that, if present, the chunked encoding was the final encoding.
(CVE-2021-33037)

Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service. (CVE-2021-41079)

The fix for bug 63362 present in Apache Tomcat 10.1.0-M1 to 10.1.0-M5, 10.0.0-M1 to 10.0.11, 9.0.40 to 9.0.53 and 8.5.60 to 8.5.71 introduced a memory leak. The object introduced to collect metrics for HTTP upgrade connections was not released for WebSocket connections once the connection was closed. This created a memory leak that, over time, could lead to a denial of service via an OutOfMemoryError. (CVE-2021-42340)

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30640
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33037
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41079
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42340
https://www.debian.org/security/2021/dsa-4952
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.48
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.44
https://www.openwall.com/lists/oss-security/2021/09/15/6
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.54
https://www.openwall.com/lists/oss-security/2021/10/14/1
https://www.debian.org/security/2021/dsa-4986
========================

Updated packages in core/updates_testing:
========================
tomcat-servlet-4.0-api-9.0.54-1.mga8
tomcat-webapps-9.0.54-1.mga8
tomcat-9.0.54-1.mga8
tomcat-admin-webapps-9.0.54-1.mga8
tomcat-el-3.0-api-9.0.54-1.mga8
tomcat-jsvc-9.0.54-1.mga8
tomcat-jsp-2.3-api-9.0.54-1.mga8
tomcat-lib-9.0.54-1.mga8
tomcat-docs-webapp-9.0.54-1.mga8

from SRPM:
tomcat-9.0.54-1.mga8.src.rpm

Assignee: java => qa-bugs

MGA8-64, Gnome (doesn't matter)

# uname -a
Linux localhost 5.10.70-desktop-1.mga8 #1 SMP Thu Sep 30 09:41:26 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux

- apache-commons-daemon-1.2.2-3.mga8.x86_64
- ecj-4.17-1.mga8.noarch
- lib64apr-devel-1.7.0-3.2.mga8.x86_64
- lib64apr1_0-1.7.0-3.2.mga8.x86_64
- lib64openssl-devel-1.1.1l-1.mga8.x86_64
- lib64zlib-devel-1.2.11-9.mga8.x86_64
- libtool-2.4.6-13.mga8.x86_64
- libtool-base-2.4.6-13.mga8.x86_64
- multiarch-utils-1.0.14-3.mga8.noarch
- tomcat-9.0.54-1.mga8.noarch
- tomcat-admin-webapps-9.0.54-1.mga8.noarch
- tomcat-el-3.0-api-9.0.54-1.mga8.noarch
- tomcat-jsp-2.3-api-9.0.54-1.mga8.noarch
- tomcat-lib-9.0.54-1.mga8.noarch
- tomcat-native-1.2.26-1.mga8.x86_64
- tomcat-servlet-4.0-api-9.0.54-1.mga8.noarch

---
Edited /etc/tomcat/tomcat-users.xml and enabled the manager user account.
I was able to get to the Tomcat Web Application Manager page.
System appears to be working.
Whiteboard: (none) => MGA8-64-OK

Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
Dave Hodgins
2021-10-23 03:14:24 CEST
CC: (none) => davidwhodgins

An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0485.html
Resolution: (none) => FIXED
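The three Transfer-Encoding parsing flaws listed for CVE-2021-33037 in the suggested advisory above all have the same effect: a reverse proxy and Tomcat could disagree about where one request's body ends, which is what request smuggling exploits. The following is an added example, not Tomcat's code and not the fix that shipped upstream in 9.0.48: a small Python request-framing check that refuses each of the three ambiguous shapes (Transfer-Encoding on an HTTP/1.0 request, the "identity" coding, chunked not being the last coding) instead of guessing, following the length rules in RFC 7230 section 3.3.3. The SUPPORTED_CODINGS set, the header representation and the sample requests are constructed for illustration.

```python
class RequestSmugglingRisk(Exception):
    """Raised when a request is framed ambiguously enough that a proxy and
    the origin could disagree about where its body ends (respond 400)."""


# Transfer codings this illustrative origin implements. "identity" is
# deliberately absent: RFC 7230 dropped it, and honouring it was one of
# the three CVE-2021-33037 behaviours.
SUPPORTED_CODINGS = {"chunked", "gzip", "deflate"}


def parse_transfer_encoding(values):
    """Split one or more Transfer-Encoding header values into the list of
    lower-case coding names in the order they were applied.
    Transfer-parameters such as ';q=1' are dropped; empty elements are skipped."""
    codings = []
    for value in values:
        for element in value.split(","):
            name = element.split(";", 1)[0].strip().lower()
            if name:
                codings.append(name)
    return codings


def validate_framing(version, headers):
    """Return "chunked", "content-length" or "none" for how the body of a
    request is framed, or raise RequestSmugglingRisk.
    version: request-line version, e.g. "HTTP/1.1".
    headers: list of (name, value) pairs as received (names case-insensitive)."""
    te_values = [v for n, v in headers if n.lower() == "transfer-encoding"]
    cl_values = [v.strip() for n, v in headers if n.lower() == "content-length"]

    if not te_values:
        if not cl_values:
            return "none"
        # Several Content-Length fields are only acceptable if identical.
        if len(set(cl_values)) != 1 or not cl_values[0].isdigit():
            raise RequestSmugglingRisk("conflicting or non-numeric Content-Length")
        return "content-length"

    # Flaw 1: Transfer-Encoding on an HTTP/1.0 request. Silently ignoring it
    # and falling back to Content-Length is exactly the disagreement an
    # attacker wants between proxy and origin, so refuse the request.
    if version != "HTTP/1.1":
        raise RequestSmugglingRisk("Transfer-Encoding on %s request" % version)

    # RFC 7230 3.3.3 says Transfer-Encoding wins over Content-Length, but a
    # request carrying both is the classic smuggling signature; reject it.
    if cl_values:
        raise RequestSmugglingRisk("both Transfer-Encoding and Content-Length")

    codings = parse_transfer_encoding(te_values)
    if not codings:
        raise RequestSmugglingRisk("empty Transfer-Encoding")

    # Flaw 2: never honour "identity" (or any coding not implemented here).
    for coding in codings:
        if coding not in SUPPORTED_CODINGS:
            raise RequestSmugglingRisk("unsupported transfer coding %r" % coding)

    # Flaw 3: chunked must be the final coding, otherwise the body length
    # cannot be determined reliably (RFC 7230 3.3.3, item 3).
    if codings[-1] != "chunked":
        raise RequestSmugglingRisk("chunked is not the final transfer coding")
    return "chunked"


def is_ambiguous(version, headers):
    """True when validate_framing would reject the request."""
    try:
        validate_framing(version, headers)
    except RequestSmugglingRisk:
        return True
    return False


# Constructed sample requests (not captured traffic), one per flaw plus a
# well-formed control.
SAMPLES = [
    ("http10-with-te", "HTTP/1.0", [("Transfer-Encoding", "chunked")]),
    ("identity", "HTTP/1.1", [("Transfer-Encoding", "identity")]),
    ("chunked-not-last", "HTTP/1.1", [("Transfer-Encoding", "chunked, gzip")]),
    ("te-and-cl", "HTTP/1.1", [("Transfer-Encoding", "chunked"), ("Content-Length", "6")]),
    ("well-formed", "HTTP/1.1", [("transfer-encoding", "Gzip, Chunked")]),
]


def classify_samples():
    """Return {label: 'reject' or framing} for every sample."""
    return {label: ("reject" if is_ambiguous(v, h) else validate_framing(v, h))
            for label, v, h in SAMPLES}


if __name__ == "__main__":
    for label, verdict in classify_samples().items():
        print("%-18s %s" % (label, verdict))
```

The policy here is stricter than a permissive parser: anything the proxy in front might frame differently is rejected outright, which is the usual choice for an origin that cannot know exactly how its proxy parses the same header.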