| Summary: | tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143, CVE-2023-24998, CVE-2023-28708 | | |
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | | |
| Priority: | Normal | CC: | andrewsfarm, davidwhodgins, geiger.david68210, herman.viaene, sysadmin-bugs |
| Version: | 8 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | MGA8-64-OK | | |
| Source RPM: | tomcat-9.0.54-1.mga8.src.rpm | CVE: | |
| Status comment: | | | |
|
Description

David Walser
2022-03-03 22:16:46 CET

David Walser
2022-03-03 22:17:10 CET

Whiteboard: (none) => MGA8TOO

SUSE has issued an advisory on April 14:
https://lists.suse.com/pipermail/sle-security-updates/2022-April/010734.html

It implements a security hardening from Tomcat 9.0.62:
https://bugzilla.suse.com/show_bug.cgi?id=1198136

Status comment: Fixed upstream in 9.0.58 => Fixed upstream in 9.0.62

Another security issue fixed upstream in Tomcat has been announced today (June 23), and another one was announced on May 16:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.65

The issues are fixed upstream in 9.0.65.

Summary: tomcat new security issue CVE-2022-23181 => tomcat new security issues CVE-2022-23181, CVE-2022-29885, CVE-2022-34305

Another security issue fixed upstream in Tomcat has been announced today (September 28):
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.62

The issue is fixed upstream in 9.0.62.

Summary: tomcat new security issues CVE-2022-23181, CVE-2022-29885, CVE-2022-34305 => tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305

Debian-LTS has issued an advisory for the first three CVEs on October 26:
https://www.debian.org/lts/security/2022/dla-3160

(In reply to David Walser from comment #4)
> Debian-LTS has issued an advisory for the first three CVEs on October 26:
> https://www.debian.org/lts/security/2022/dla-3160

as has Debian on October 29:
https://www.debian.org/security/2022/dsa-5265

Another security issue fixed upstream in Tomcat has been announced on October 31:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.68

The issue is fixed upstream in 9.0.68.

Status comment: Fixed upstream in 9.0.65 => Fixed upstream in 9.0.68

tomcat-9.0.68-1.mga9 uploaded for Cauldron by David Geiger.

Version: Cauldron => 8

Another security issue fixed upstream has been announced on January 3:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.69

The issue is fixed upstream in 9.0.69.

Status comment: Fixed upstream in 9.0.68 => Fixed upstream in 9.0.69

Another security issue fixed upstream has been announced on January 13:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.71

The issue is fixed upstream in 9.0.71.

Summary: tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143 => tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143, CVE-2023-24998

(In reply to David Walser from comment #9)
> Another security issue fixed upstream has been announced on January 13:
> https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.71
>
> The issue is fixed upstream in 9.0.71.

SUSE has issued an advisory for this on March 10:
https://lists.suse.com/pipermail/sle-security-updates/2023-March/014018.html

Another security issue fixed upstream has been announced on March 23:
https://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.72

The issue is fixed upstream in 9.0.72.

Summary: tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143, CVE-2023-24998 => tomcat new security issues CVE-2021-43980, CVE-2022-23181, CVE-2022-29885, CVE-2022-34305, CVE-2022-42252, CVE-2022-45143, CVE-2023-24998, CVE-2023-28708

Done for both Cauldron and mga8, updating to the latest 9.0.73 release!

tomcat-9.0.73-1.mga9 uploaded for Cauldron by David. Still awaiting freeze move.

Mageia 8 update:

```
tomcat-9.0.73-1.mga8
tomcat-servlet-4.0-api-9.0.73-1.mga8
tomcat-admin-webapps-9.0.73-1.mga8
tomcat-el-3.0-api-9.0.73-1.mga8
tomcat-webapps-9.0.73-1.mga8
tomcat-jsp-2.3-api-9.0.73-1.mga8
tomcat-lib-9.0.73-1.mga8
tomcat-docs-webapp-9.0.73-1.mga8
```

from tomcat-9.0.73-1.mga8.src.rpm

Version: Cauldron => 8
David Walser
2023-03-27 14:44:34 CEST

Whiteboard: (none) => MGA8TOO

(In reply to David Walser from comment #13)
> tomcat-9.0.73-1.mga9 uploaded for Cauldron by David. Still awaiting freeze
> move.
>
> Mageia 8 update:
> tomcat-9.0.73-1.mga8
> tomcat-servlet-4.0-api-9.0.73-1.mga8
> tomcat-admin-webapps-9.0.73-1.mga8
> tomcat-el-3.0-api-9.0.73-1.mga8
> tomcat-webapps-9.0.73-1.mga8
> tomcat-jsp-2.3-api-9.0.73-1.mga8
> tomcat-lib-9.0.73-1.mga8
> tomcat-docs-webapp-9.0.73-1.mga8
>
> from tomcat-9.0.73-1.mga8.src.rpm

Cauldron freeze move done.

Assignee: sysadmin-bugs => qa-bugs

Strange, previous updates also had a tomcat-jsvc?

CC: (none) => herman.viaene

MGA8-64 MATE on Acer Aspire 5253
No installation issues
Ref bug 28501 and bug 23045 for testing.

```
# systemctl start tomcat.service
[root@mach7 ~]# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2023-04-04 15:37:10 CEST; 16s ago
   Main PID: 5360 (java)
      Tasks: 20 (limit: 4364)
     Memory: 117.0M
        CPU: 21.557s
     CGroup: /system.slice/tomcat.service
             └─5360 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceF>

Apr 04 15:37:23 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:23.876 INFO [main] org.apache.catalina.core.Stand>
Apr 04 15:37:23 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:23.878 INFO [main] org.apache.catalina.core.Stand>
Apr 04 15:37:23 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:23.973 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:28 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:28.315 INFO [main] org.apache.jasper.servlet.TldS>
Apr 04 15:37:28 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:28.677 WARNING [main] org.apache.catalina.util.Se>
Apr 04 15:37:28 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:28.838 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:28 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:28.841 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:30 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:30.099 INFO [main] org.apache.jasper.servlet.TldS>
Apr 04 15:37:30 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:30.118 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:30 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:30.121 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:31 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:31.107 INFO [main] org.apache.jasper.servlet.TldS>
Apr 04 15:37:31 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:31.122 INFO [main] org.apache.catalina.startup.Ho>
Apr 04 15:37:31 mach7.hviaene.thuis server[5360]: 04-Apr-2023 15:37:31.125 INFO [main] org.apache.catalina.startup.Ho>
```

Editing tomcat users and

```
# systemctl restart tomcat.service
# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
     Active: active (running) since Tue 2023-04-04 15:57:41 CEST; 5s ago
   Main PID: 6650 (java)
      Tasks: 20 (limit: 4364)
     Memory: 45.2M
        CPU: 9.371s
     CGroup: /system.slice/tomcat.service
             └─6650 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceF>

Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.327 INFO [main] org.apache.catalina.startup.Ve>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.328 INFO [main] org.apache.catalina.startup.Ve>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.329 INFO [main] org.apache.catalina.startup.Ve>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.341 INFO [main] org.apache.catalina.startup.Ve>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.361 INFO [main] org.apache.catalina.startup.Ve>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.380 INFO [main] org.apache.catalina.core.AprLi>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.382 INFO [main] org.apache.catalina.core.AprLi>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.384 INFO [main] org.apache.catalina.core.AprLi>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.386 INFO [main] org.apache.catalina.core.AprLi>
Apr 04 15:57:45 mach7.hviaene.thuis server[6650]: 04-Apr-2023 15:57:45.406 INFO [main] org.apache.catalina.core.AprLi>
```

Then browse http://localhost:8080/sample and I get Error 404.
But on the "browse http://localhost:8080 and log into the 'manager app' with the credentials just configured with manager-gui role." step, that opens OK.
Is the missing tomcat-jsvc playing here???

Indeed, I see the package has been removed, but none of the other tomcat packages obsoleted it, so that would be an error:
http://svnweb.mageia.org/packages/updates/8/tomcat/current/SPECS/tomcat.spec?r1=1950376&r2=1950375&pathrev=1950376

Keywords: (none) => feedback

Obsoletes/Provides properly added for Cauldron and mga8!

```
tomcat-9.0.73-1.1.mga8
tomcat-servlet-4.0-api-9.0.73-1.1.mga8
tomcat-admin-webapps-9.0.73-1.1.mga8
tomcat-el-3.0-api-9.0.73-1.1.mga8
tomcat-webapps-9.0.73-1.1.mga8
tomcat-jsp-2.3-api-9.0.73-1.1.mga8
tomcat-lib-9.0.73-1.1.mga8
tomcat-docs-webapp-9.0.73-1.1.mga8
```

from tomcat-9.0.73-1.1.mga8.src.rpm

Keywords: feedback => (none)

Retested and access to manager app works OK.
Went hunting for the "sample" and found where and how in bug 8307 Comment 13.
So all is OK now.

Whiteboard: (none) => MGA8-64-OK

Nice work, Herman! Validating.

CC: (none) => andrewsfarm, sysadmin-bugs
Dave Hodgins
2023-04-15 18:53:06 CEST

Keywords: (none) => advisory

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0138.html

Resolution: (none) => FIXED
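The tomcat-jsvc problem raised in the thread above (a subpackage dropped from the build without any remaining package obsoleting it, so an already-installed copy survives the update as an orphan) is a packaging-hygiene issue that the Obsoletes/Provides pair fixes. The fragment below is an added illustration written for this page, not the Mageia tomcat.spec linked from the thread; the Release value, the absence of Mageia's own release macros, and the exact subpackage layout are assumptions. It shows the dropped-subpackage situation beside the corrected tags.

```spec
# Illustrative fragment, not Mageia's tomcat.spec.  Release and the exact
# subpackage set are assumptions made for this example.
Name:           tomcat
Version:        9.0.73
Release:        1.1

# Before the fix: the tomcat-jsvc subpackage was simply deleted from the
# spec.  Nothing in the new build claimed the old package name, so a
# tomcat-jsvc already installed from an earlier build was left in place
# by the update, orphaned and no longer receiving fixes.
#
# After the fix: the main package takes the dropped name over.  Obsoletes
# makes the package manager remove the stale tomcat-jsvc as part of the
# upgrade transaction; Provides keeps anything that still Requires
# tomcat-jsvc resolvable.  The versioned bound limits the takeover to
# builds older than this one, so a future reintroduction of the
# subpackage at a higher version is not itself obsoleted.
Obsoletes:      tomcat-jsvc < %{version}-%{release}
Provides:       tomcat-jsvc = %{version}-%{release}
```

A quick check a tester can add to the steps above, after installing the update: `rpm -q --obsoletes tomcat` should list the tomcat-jsvc bound, and `rpm -q tomcat-jsvc` should report that the package is not installed (rpm -q matches package names only, so the Provides does not mask a leftover copy).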