Bug 26862 - tomcat new security issues CVE-2020-11996 and CVE-2020-1393[45]
Summary: tomcat new security issues CVE-2020-11996 and CVE-2020-1393[45]
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard:
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2020-06-26 15:00 CEST by David Walser
Modified: 2020-07-29 23:01 CEST (History)
4 users (show)

See Also:
Source RPM: tomcat-9.0.35-1.mga8.src.rpm
CVE:
Status comment:


Attachments

Description David Walser 2020-06-26 15:00:49 CEST
A security issue fixed upstream in Tomcat has been announced on June 25:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36

The issue is fixed upstream in 9.0.36.

Mageia 7 is also affected.
David Walser 2020-06-26 15:01:03 CEST

Status comment: (none) => Fixed upstream in 9.0.36
Whiteboard: (none) => MGA7TOO

Comment 1 David Walser 2020-07-01 22:14:25 CEST
I see a _tmpfilescreate call in %post, which looks like it doesn't belong there, as I don't see a tmpfiles.d file in %files.  Please make sure that's the case, otherwise we probably have this issue:
https://lists.opensuse.org/opensuse-updates/2020-06/msg00160.html
Comment 2 David Walser 2020-07-07 23:07:04 CEST
SUSE has issued an advisory for this on July 3:
https://lists.suse.com/pipermail/sle-security-updates/2020-July/007071.html
Comment 3 David GEIGER 2020-07-08 08:10:06 CEST
Done for both Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 4 David Walser 2020-07-08 16:51:05 CEST
Advisory:
========================

Updated tomcat packages fix security vulnerability:

A specially crafted sequence of HTTP/2 requests could trigger high CPU usage
for several seconds. If a sufficient number of such requests were made on
concurrent HTTP/2 connections, the server could become unresponsive
(CVE-2020-11996).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11996
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.36-1.mga7
tomcat-admin-webapps-9.0.36-1.mga7
tomcat-docs-webapp-9.0.36-1.mga7
tomcat-jsvc-9.0.36-1.mga7
tomcat-jsp-2.3-api-9.0.36-1.mga7
tomcat-lib-9.0.36-1.mga7
tomcat-servlet-4.0-api-9.0.36-1.mga7
tomcat-el-3.0-api-9.0.36-1.mga7
tomcat-webapps-9.0.36-1.mga7

from tomcat-9.0.36-1.mga7.src.rpm

Status comment: Fixed upstream in 9.0.36 => (none)
Version: Cauldron => 7
Assignee: java => qa-bugs
Whiteboard: MGA7TOO => (none)

Comment 5 David Walser 2020-07-08 16:51:29 CEST
(In reply to David Walser from comment #1)
> I see a _tmpfilescreate call in %post, which looks like it doesn't belong
> there, as I don't see a tmpfiles.d file in %files.  Please make sure that's
> the case, otherwise we probably have this issue:
> https://lists.opensuse.org/opensuse-updates/2020-06/msg00160.html

David, please remove this from the SPEC if it's not needed.
Comment 6 Brian Rockwell 2020-07-13 19:45:18 CEST
The following 19 packages are going to be installed:

- apache-commons-daemon-1.0.15-16.mga7.x86_64
- ecj-4.10-1.mga7.noarch
- glibc-devel-2.29-20.mga7.x86_64
- kernel-userspace-headers-5.6.14-2.mga7.x86_64
- lib64apr-devel-1.7.0-1.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64openssl-devel-1.1.0l-1.1.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- libtool-2.4.6-9.mga7.x86_64
- libtool-base-2.4.6-9.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch
- tomcat-9.0.36-1.mga7.noarch
- tomcat-el-3.0-api-9.0.36-1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.36-1.mga7.noarch
- tomcat-lib-9.0.36-1.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.36-1.mga7.noarch

49MB of additional disk space will be used.


-- able to start tomcat

Added the following

The following 9 packages are going to be installed:

- apache-2.4.43-1.mga7.x86_64
- apache-commons-daemon-jsvc-1.0.15-16.mga7.x86_64
- lib64apr-util1_0-1.6.1-3.mga7.x86_64
- tomcat-admin-webapps-9.0.36-1.mga7.noarch
- tomcat-docs-webapp-9.0.36-1.mga7.noarch
- tomcat-jsvc-9.0.36-1.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.36-1.mga7.noarch
- webserver-base-2.0-12.mga7.noarch

9.2MB of additional disk space will be used.


after they installed I went in and started services for httpd, tomcat-svc

-----

I edited the /etc/tomcat/tomcat-users.xml file and enabled the admin ID.

---

Restarted the tomcat services

---

I was able to get into the administration module and navigate around looking at settings.

Works for me.

Whiteboard: (none) => MGA7-64-OK
CC: (none) => brtians1

Comment 7 Thomas Andrews 2020-07-14 13:42:07 CEST
Has the issue from Comment 1 and Comment 5 been addressed? If so, I'll be fine with validating based on Brian's test.

CC: (none) => andrewsfarm

Comment 8 David Walser 2020-07-14 17:51:21 CEST
David just addressed it.  A clean install/upgrade test should be good for this.

tomcat-9.0.36-1.1.mga7
tomcat-admin-webapps-9.0.36-1.1.mga7
tomcat-docs-webapp-9.0.36-1.1.mga7
tomcat-jsvc-9.0.36-1.1.mga7
tomcat-jsp-2.3-api-9.0.36-1.1.mga7
tomcat-lib-9.0.36-1.1.mga7
tomcat-servlet-4.0-api-9.0.36-1.1.mga7
tomcat-el-3.0-api-9.0.36-1.1.mga7
tomcat-webapps-9.0.36-1.1.mga7

from tomcat-9.0.36-1.1.mga7.src.rpm
Comment 9 David Walser 2020-07-14 20:36:39 CEST
Or not :o(

Two issues fixed upstream in 9.0.37 have been announced today (July 14):
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37

Pausing this so we can update it again.

Whiteboard: MGA7-64-OK => (none)
Keywords: (none) => feedback
Summary: tomcat new security issue CVE-2020-11996 => tomcat new security issues CVE-2020-11996 and CVE-2020-1393[45]

Comment 10 Brian Rockwell 2020-07-14 22:47:45 CEST
No problem.  I'll watch for the update.
Comment 11 David GEIGER 2020-07-15 11:22:21 CEST
(In reply to David Walser from comment #9)
> Or not :o(
> 
> Two issues fixed upstream in 9.0.37 have been announced today (July 14):
> http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37
> 
> Pausing this so we can update it again.

Done for both Cauldron and mga7!
Comment 12 David Walser 2020-07-15 17:42:32 CEST
Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

A specially crafted sequence of HTTP/2 requests could trigger high CPU usage
for several seconds. If a sufficient number of such requests were made on
concurrent HTTP/2 connections, the server could become unresponsive
(CVE-2020-11996).

An h2c direct connection did not release the HTTP/1.1 processor after the
upgrade to HTTP/2. If a sufficient number of such requests were made, an
OutOfMemoryException could occur leading to a denial of service
(CVE-2020-13934).

The payload length in a WebSocket frame was not correctly validated. Invalid
payload lengths could trigger an infinite loop. Multiple requests with invalid
payload lengths could lead to a denial of service (CVE-2020-13935).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11996
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13934
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13935
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.36
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.37
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.37-1.1.mga7
tomcat-admin-webapps-9.0.37-1.1.mga7
tomcat-docs-webapp-9.0.37-1.1.mga7
tomcat-jsvc-9.0.37-1.1.mga7
tomcat-jsp-2.3-api-9.0.37-1.1.mga7
tomcat-lib-9.0.37-1.1.mga7
tomcat-servlet-4.0-api-9.0.37-1.1.mga7
tomcat-el-3.0-api-9.0.37-1.1.mga7
tomcat-webapps-9.0.37-1.1.mga7

from tomcat-9.0.37-1.1.mga7.src.rpm

Keywords: feedback => (none)

Comment 13 Brian Rockwell 2020-07-15 23:30:39 CEST
installed the following:

- apache-2.4.43-1.mga7.x86_64
- apache-commons-daemon-1.0.15-16.mga7.x86_64
- ecj-4.10-1.mga7.noarch
- glibc-devel-2.29-20.mga7.x86_64
- kernel-userspace-headers-5.6.14-2.mga7.x86_64
- lib64apr-devel-1.7.0-1.mga7.x86_64
- lib64apr-util1_0-1.6.1-3.mga7.x86_64
- lib64apr1_0-1.7.0-1.mga7.x86_64
- lib64openssl-devel-1.1.0l-1.1.mga7.x86_64
- lib64uuid-devel-2.33.2-1.mga7.x86_64
- lib64xcrypt-devel-4.4.6-1.mga7.x86_64
- lib64zlib-devel-1.2.11-7.mga7.x86_64
- libtool-2.4.6-9.mga7.x86_64
- libtool-base-2.4.6-9.mga7.x86_64
- multiarch-utils-1.0.14-2.mga7.noarch
- tomcat-9.0.37-1.1.mga7.noarch
- tomcat-admin-webapps-9.0.37-1.1.mga7.noarch
- tomcat-docs-webapp-9.0.37-1.1.mga7.noarch
- tomcat-el-3.0-api-9.0.37-1.1.mga7.noarch
- tomcat-jsp-2.3-api-9.0.37-1.1.mga7.noarch
- tomcat-lib-9.0.37-1.1.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.37-1.1.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.37-1.1.mga7.noarch
- webserver-base-2.0-12.mga7.noarch

58MB of additional disk space will be used.

-- enabled services

-- configured user-id and rebootted

-------------

Not working


confirmed services are working, but I see the following:

Jul 15 16:19:31 linux.local server[863]: 15-Jul-2020 16:19:30.999 SEVERE [main] org.apache.tomcat.util.modeler.Registry.registerComponent Error registering MBean
Jul 15 16:19:31 linux.local server[863]:         java.lang.ClassNotFoundException: org.apache.tomcat.util.modeler.modules.MbeansDescriptorsIntrospectionSource
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.getModelerSource(Registry.java:737)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.load(Registry.java:611)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.findManagedBean(Registry.java:518)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:641)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
Jul 15 16:19:31 linux.local server[863]: 15-Jul-2020 16:19:31.001 SEVERE [main] org.apache.catalina.startup.HostConfig.deployDirectory Error deploying web application directory [/var/lib/tomcat/webapps/examples]
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.threads.InlineExecutorService.execute(InlineExecutorService.java:75)
Jul 15 16:19:31 linux.local server[863]:         Caused by: java.lang.ClassNotFoundException: org.apache.tomcat.util.modeler.modules.MbeansDescriptorsIntrospectionSource
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.getModelerSource(Registry.java:737)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.load(Registry.java:611)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.findManagedBean(Registry.java:518)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:641)
Jul 15 16:19:31 linux.local server[863]: 15-Jul-2020 16:19:31.004 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deployment of web application directory [/var/lib/tomcat/webapps/examples] has finished in [221] ms
Jul 15 16:19:31 linux.local server[863]: 15-Jul-2020 16:19:31.015 SEVERE [main] org.apache.tomcat.util.modeler.Registry.registerComponent Error registering MBean
Jul 15 16:19:31 linux.local server[863]:         java.lang.ClassNotFoundException: org.apache.tomcat.util.modeler.modules.MbeansDescriptorsIntrospectionSource
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.getModelerSource(Registry.java:737)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.load(Registry.java:611)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.findManagedBean(Registry.java:518)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:641)
Jul 15 16:19:31 linux.local server[863]:         java.lang.ClassNotFoundException: org.apache.tomcat.util.modeler.modules.MbeansDescriptorsIntrospectionSource
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.getModelerSource(Registry.java:737)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.load(Registry.java:611)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.findManagedBean(Registry.java:518)
Jul 15 16:19:31 linux.local server[863]:                 at org.apache.tomcat.util.modeler.Registry.registerComponent(Registry.java:641)


I can connect to apache http.  Tomcat shows running, but cannot get to the first hello page or the administration module.

What'd I do wrong?
Comment 14 Herman Viaene 2020-07-25 15:26:02 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
Ref to my tests in bug 23045, but the situation is as bad as Comment 13.
# systemctl start tomcat.service

# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
   Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-07-25 15:10:44 CEST; 3s ago
 Main PID: 23292 (java)
    Tasks: 17 (limit: 4915)
   Memory: 52.2M
   CGroup: /system.slice/tomcat.service
           └─23292 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -c>

Jul 25 15:10:44 mach5.hviaene.thuis systemd[1]: Started Apache Tomcat Web Application Container.
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: Java virtual machine used: /usr/lib/jvm/jre/bin/java
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: classpath used: /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/>
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: main class used: org.apache.catalina.startup.Bootstrap
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: flags used: -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDa>
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: options used: -Dcatalina.base=/usr/share/tomcat -Dcatalina.home=/usr/share>
Jul 25 15:10:44 mach5.hviaene.thuis server[23292]: arguments used: start

# systemctl restart httpd

# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Active: active (running) since Sat 2020-07-25 15:10:59 CEST; 10s ago
 Main PID: 24634 (httpd)
   Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
    Tasks: 6 (limit: 4915)
   Memory: 23.4M
   CGroup: /system.slice/httpd.service
           ├─24634 /usr/sbin/httpd -DFOREGROUND
           ├─24637 /usr/sbin/httpd -DFOREGROUND
           ├─24638 /usr/sbin/httpd -DFOREGROUND
           ├─24639 /usr/sbin/httpd -DFOREGROUND
           ├─24640 /usr/sbin/httpd -DFOREGROUND
           └─24641 /usr/sbin/httpd -DFOREGROUND

Jul 25 15:10:58 mach5.hviaene.thuis systemd[1]: Starting The Apache HTTP Server...
Jul 25 15:10:59 mach5.hviaene.thuis systemd[1]: Started The Apache HTTP Server.

But when I try to access tomcat from the browser, I get "Unable to connect 
Firefox can’t establish a connection to the server at localhost:8080."
while http://localhost says:it works. No firewall active, but I cann't get into port 8080 (tried telnet)

CC: (none) => herman.viaene

Comment 15 Brian Rockwell 2020-07-25 23:24:35 CEST
Thanks for confirming Herman.
Comment 16 Herman Viaene 2020-07-26 14:06:07 CEST
Used at CLI
# netstat -tulpn
port 8080 nor tomcat is listed.
Brian Rockwell 2020-07-29 23:01:52 CEST

Keywords: (none) => feedback


Note You need to log in before you can comment on or make changes to this bug.