Bug 28501 - tomcat new security issues CVE-2021-25122 and CVE-2021-25329
Summary: tomcat new security issues CVE-2021-25122 and CVE-2021-25329
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7TOO
Keywords: feedback
Depends on:
Blocks:
 
Reported: 2021-03-01 18:16 CET by David Walser
Modified: 2021-03-12 20:17 CET

See Also:
Source RPM: tomcat-9.0.41-1.mga8.src.rpm
CVE:
Status comment:
Description David Walser 2021-03-01 18:16:51 CET
Apache has issued advisories today (March 1):
https://www.openwall.com/lists/oss-security/2021/03/01/1
https://www.openwall.com/lists/oss-security/2021/03/01/2

The issues are fixed upstream in 9.0.43:
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43

Mageia 7 and Mageia 8 are also affected.
David Walser 2021-03-01 18:17:06 CET

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 9.0.43

Comment 1 Nicolas Lécureuil 2021-03-02 10:47:50 CET
Fixed in mga7/8:

src:
     - tomcat-9.0.39-1.2.mga7
     - tomcat-9.0.41-1.1.mga8

cauldron fix in progress, no need to retain this security update

CC: (none) => mageia
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status comment: Fixed upstream in 9.0.43 => (none)
Version: Cauldron => 8
Assignee: java => qa-bugs

Comment 2 David Walser 2021-03-02 14:07:34 CET
Package list:
tomcat-9.0.39-1.2.mga7
tomcat-admin-webapps-9.0.39-1.2.mga7
tomcat-docs-webapp-9.0.39-1.2.mga7
tomcat-jsvc-9.0.39-1.2.mga7
tomcat-jsp-2.3-api-9.0.39-1.2.mga7
tomcat-lib-9.0.39-1.2.mga7
tomcat-servlet-4.0-api-9.0.39-1.2.mga7
tomcat-el-3.0-api-9.0.39-1.2.mga7
tomcat-webapps-9.0.39-1.2.mga7
tomcat-9.0.41-1.1.mga8
tomcat-servlet-4.0-api-9.0.41-1.1.mga8
tomcat-webapps-9.0.41-1.1.mga8
tomcat-admin-webapps-9.0.41-1.1.mga8
tomcat-el-3.0-api-9.0.41-1.1.mga8
tomcat-jsp-2.3-api-9.0.41-1.1.mga8
tomcat-jsvc-9.0.41-1.1.mga8
tomcat-lib-9.0.41-1.1.mga8
tomcat-docs-webapp-9.0.41-1.1.mga8
Comment 3 David Walser 2021-03-03 01:42:50 CET
Advisory:
========================

Updated tomcat packages fix security vulnerabilities:

When responding to new h2c connection requests, Apache Tomcat versions 
9.0.0.M1 to 9.0.41 could duplicate request headers and a limited amount of
request body from one request to another meaning user A and user B could both
see the results of user A's request (CVE-2021-25122).

The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 9.0.0.M1 to
9.0.41 with a configuration edge case that was highly unlikely to be used, the
Tomcat instance was still vulnerable to CVE-2020-9494 (CVE-2021-25329).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25329
https://www.openwall.com/lists/oss-security/2021/03/01/1
https://www.openwall.com/lists/oss-security/2021/03/01/2
http://tomcat.apache.org/security-9.html#Fixed_in_Apache_Tomcat_9.0.43
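A defender reading the advisory above wants two answers: does an upstream Tomcat version fall inside 9.0.0.M1 to 9.0.41, and does a Mageia package already carry the backported fix from comment 1 even though its upstream version (9.0.39 or 9.0.41) is inside that range. The following script is an added example, not code from this bug, the Apache advisory or Mageia's packaging. It assumes the package naming used in comments 1 and 2 (name-version-release, optionally with a .noarch/.x86_64/.src.rpm suffix) and uses a simplified dot-segment release comparison instead of full rpmvercmp; the sample package list at the bottom is constructed from the values on this page plus one invented "1.example" release tag.

```python
import re

# Affected range from the advisory quoted above; fixed upstream in 9.0.43.
AFFECTED_LOW, AFFECTED_HIGH, FIXED_UPSTREAM = "9.0.0.M1", "9.0.41", "9.0.43"

# Mageia builds that carry the backported fix (comment 1 of this bug).
FIXED_MGA = {"mga7": ("9.0.39", "1.2.mga7"), "mga8": ("9.0.41", "1.1.mga8")}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:\.M(\d+))?$")
_NEVR_RE = re.compile(r"^(tomcat(?:-\S+?)?)-(\d+\.\d+\.\d+(?:\.M\d+)?)-([^-]+)$")
_SUFFIXES = (".src.rpm", ".noarch", ".x86_64", ".i586", ".aarch64")


def parse_tomcat_version(text):
    """Turn '9.0.41' or '9.0.0.M1' into a comparable tuple.

    Tomcat milestone builds (9.0.0.M1 ... 9.0.0.M27) precede the 9.0.0
    release, so a milestone is encoded as (0, n) and a release as (1, 0).
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Tomcat version: {text!r}")
    major, minor, patch, milestone = m.groups()
    stage = (0, int(milestone)) if milestone else (1, 0)
    return (int(major), int(minor), int(patch)) + stage


def upstream_affected(version):
    """True if an upstream Tomcat version lies in 9.0.0.M1 .. 9.0.41."""
    v = parse_tomcat_version(version)
    return parse_tomcat_version(AFFECTED_LOW) <= v <= parse_tomcat_version(AFFECTED_HIGH)


def split_nevr(nevr):
    """Split 'tomcat-lib-9.0.41-1.1.mga8[.noarch]' into (name, version, release)."""
    for suffix in _SUFFIXES:
        if nevr.endswith(suffix):
            nevr = nevr[: -len(suffix)]
    m = _NEVR_RE.match(nevr)
    if not m:
        raise ValueError(f"unrecognised tomcat package: {nevr!r}")
    return m.groups()


def _release_key(release):
    # Simplified rpmvercmp (assumption, not the real algorithm): compare
    # dot-separated segments; numeric segments compare as integers and rank
    # above alphabetic ones, so '1.1.mga8' is newer than '1.mga8'.
    return tuple((1, int(p)) if p.isdigit() else (0, p) for p in release.split("."))


def mageia_package_fixed(nevr):
    """True if a Mageia 7/8 tomcat package is at or past the build carrying the fix.

    Returns None for packages that are not Mageia 7/8 builds; for those only
    the upstream range check applies.
    """
    _name, version, release = split_nevr(nevr)
    dist = release.split(".")[-1]
    if dist not in FIXED_MGA:
        return None
    fixed_version, fixed_release = FIXED_MGA[dist]
    v, fv = parse_tomcat_version(version), parse_tomcat_version(fixed_version)
    if v != fv:
        return v > fv
    return _release_key(release) >= _release_key(fixed_release)


def assess(nevr):
    """One-line verdict for a package name as it appears in this bug."""
    _name, version, _release = split_nevr(nevr)
    fixed = mageia_package_fixed(nevr)
    if fixed is None:
        verdict = "affected" if upstream_affected(version) else "not in affected range"
    else:
        verdict = "fixed (Mageia backport)" if fixed else "affected (pre-update build)"
    return f"{nevr}: upstream {version} -> {verdict}"


if __name__ == "__main__":
    # Constructed sample: the source RPM from the bug header, two packages from
    # the updated lists, and a non-Mageia build with an invented release tag.
    for pkg in ("tomcat-9.0.41-1.mga8.src.rpm", "tomcat-9.0.39-1.2.mga7.noarch",
                "tomcat-lib-9.0.41-1.1.mga8.noarch", "tomcat-9.0.43-1.example"):
        print(assess(pkg))
```

The point of the split is the false positive a plain version check produces on distribution backports: tomcat-9.0.41-1.1.mga8 reports upstream 9.0.41, which is inside the affected range, yet it is the fixed build, so the release tag has to be compared against the one named in this bug rather than the upstream version alone.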
Comment 4 Brian Rockwell 2021-03-05 17:38:26 CET
The following 12 packages are going to be installed:

- apache-commons-daemon-jsvc-1.0.15-16.mga7.x86_64
- tomcat-9.0.39-1.2.mga7.noarch
- tomcat-admin-webapps-9.0.39-1.2.mga7.noarch
- tomcat-docs-webapp-9.0.39-1.2.mga7.noarch
- tomcat-el-3.0-api-9.0.39-1.2.mga7.noarch
- tomcat-jsp-2.3-api-9.0.39-1.2.mga7.noarch
- tomcat-jsvc-9.0.39-1.2.mga7.noarch
- tomcat-lib-9.0.39-1.2.mga7.noarch
- tomcat-native-1.2.23-1.mga7.x86_64
- tomcat-servlet-4.0-api-9.0.39-1.2.mga7.noarch
- tomcat-taglibs-standard-1.2.5-4.mga7.noarch
- tomcat-webapps-9.0.39-1.2.mga7.noarch


I think you have a configuration issue.

Mar 05 10:36:16 linux.local server[3988]: 05-Mar-2021 10:36:16.324 SEVERE [Catalina-utility-1] org.apache.catalina.users.MemoryUserDatabase.open The specified user database [conf/tomcat-users.xml] could not be found


In the past this has been sitting in

/etc/tomcat/tomcat-users.xml

CC: (none) => brtians1

Brian Rockwell 2021-03-12 20:17:38 CET

Keywords: (none) => feedback
