Bug 32980 - tomcat new security issues CVE-2024-23672 and CVE-2024-24549
Summary: tomcat new security issues CVE-2024-23672 and CVE-2024-24549
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-03-18 10:32 CET by Nicolas Salguero
Modified: 2024-04-10 16:28 CEST (History)
3 users

See Also:
Source RPM: tomcat-9.0.82-1.mga9.src.rpm
CVE: CVE-2024-23672, CVE-2024-24549
Status comment:


Attachments

Description Nicolas Salguero 2024-03-18 10:32:22 CET
Hi,

Those CVEs were announced here:
https://www.openwall.com/lists/oss-security/2024/03/13/3
https://www.openwall.com/lists/oss-security/2024/03/13/4

They are fixed in version 9.0.86.

Mageia 9 is also affected.

Best regards,

Nico.
Nicolas Salguero 2024-03-18 10:32:40 CET

CVE: (none) => CVE-2024-23672, CVE-2024-24549
Source RPM: (none) => tomcat-9.0.82-1.mga9.src.rpm
Whiteboard: (none) => MGA9TOO

Comment 1 Nicolas Salguero 2024-03-19 16:20:12 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

Denial of Service via incomplete cleanup vulnerability in Apache Tomcat. It was possible for WebSocket clients to keep WebSocket connections open leading to increased resource consumption. (CVE-2024-23672)

Denial of Service due to improper input validation vulnerability for HTTP/2 requests in Apache Tomcat. When processing an HTTP/2 request, if the request exceeded any of the configured limits for headers, the associated HTTP/2 stream was not reset until after all of the headers had been processed. (CVE-2024-24549)

References:
https://www.openwall.com/lists/oss-security/2024/03/13/3
https://www.openwall.com/lists/oss-security/2024/03/13/4
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.87-1.mga9
tomcat-admin-webapps-9.0.87-1.mga9
tomcat-docs-webapp-9.0.87-1.mga9
tomcat-el-3.0-api-9.0.87-1.mga9
tomcat-jsp-2.3-api-9.0.87-1.mga9
tomcat-lib-9.0.87-1.mga9
tomcat-servlet-4.0-api-9.0.87-1.mga9
tomcat-webapps-9.0.87-1.mga9

from SRPM:
tomcat-9.0.87-1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Status: NEW => ASSIGNED
Whiteboard: MGA9TOO => (none)
Version: Cauldron => 9
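A check an administrator can run on a Mageia 9 host to confirm it carries the fixed package listed above. This is an added example, not part of the bug report, the advisory or the Tomcat project. It assumes GNU coreutils `sort -V` for version ordering and rpm's standard `%{VERSION}-%{RELEASE}` query tags; the fixed version string 9.0.87-1.mga9 comes from the package list in this comment.

```shell
#!/bin/sh
# Added example: report whether the installed tomcat package is at or above
# the fixed version from this update (9.0.87-1.mga9). Not Mageia's own tooling.
FIXED_TOMCAT="9.0.87-1.mga9"

# version_ge A B : succeeds when A >= B under GNU `sort -V` ordering
# (assumption: GNU coreutils; BSD sort has no -V).
version_ge() {
    [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | tail -n 1)" = "$1" ]
}

# tomcat_is_fixed VERSION-RELEASE : succeeds if that package version has the fix
tomcat_is_fixed() {
    version_ge "$1" "$FIXED_TOMCAT"
}

# installed_tomcat_version : print the installed version-release, or fail when
# rpm is unavailable or tomcat is not installed.
installed_tomcat_version() {
    command -v rpm >/dev/null 2>&1 || return 1
    rpm -q --qf '%{VERSION}-%{RELEASE}\n' tomcat 2>/dev/null
}

# check_installed : human-readable verdict for this host; exit 1 when vulnerable,
# 2 when the package state could not be determined.
check_installed() {
    v=$(installed_tomcat_version) || {
        echo "tomcat: rpm not available or package not installed"
        return 2
    }
    if tomcat_is_fixed "$v"; then
        echo "tomcat $v: contains the fix for CVE-2024-23672 / CVE-2024-24549"
    else
        echo "tomcat $v: VULNERABLE, update to >= $FIXED_TOMCAT"
        return 1
    fi
}

# Run the live check only when asked, so the functions can be sourced or tested.
if [ "${1:-}" = "--installed" ]; then
    check_installed
fi
```

Invoke as `sh check_tomcat.sh --installed` on the host; the functions can also be sourced and `tomcat_is_fixed` fed a version string taken from an inventory export.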

katnatek 2024-03-19 20:22:33 CET

Keywords: (none) => advisory

Comment 2 Herman Viaene 2024-03-26 11:59:01 CET
MGA9-64 Plasma Wayland on HP-Pavillion
No installation issues.
Added lines to /etc/tomcat/tomcat-users.xml as in bug 5261, then
# systemctl restart tomcat.service
# systemctl status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled)
     Active: active (running) since Tue 2024-03-26 11:42:06 CET; 26s ago
   Main PID: 78548 (java)
      Tasks: 39 (limit: 4495)
     Memory: 167.8M
        CPU: 17.415s
     CGroup: /system.slice/tomcat.service
             └─78548 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDataSourceFactory -classpath >

Mar 26 11:42:17 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:17.664 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At>
Mar 26 11:42:17 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:17.671 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Mar 26 11:42:17 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:17.672 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.160 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.182 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.183 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.694 INFO [main] org.apache.jasper.servlet.TldScanner.scanJars At>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.702 INFO [main] org.apache.catalina.startup.HostConfig.deployDir>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.716 INFO [main] org.apache.coyote.AbstractProtocol.start Startin>
Mar 26 11:42:18 mach4.hviaene.thuis server[78548]: 26-Mar-2024 11:42:18.855 INFO [main] org.apache.catalina.startup.Catalina.start Serve>
# systemctl restart httpd
Added sample.war file to /usr/share/tomcat/webapps as in bug 8307 Comment 13 and then was able to connect to http://localhost:8080 to exercise the manager app and http://localhost:8080/sample to display the samples.
OK for me

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK

katnatek 2024-03-26 17:14:22 CET

CC: (none) => andrewsfarm

Comment 3 Thomas Andrews 2024-03-26 18:10:57 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2024-03-26 23:03:52 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0090.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

Nicolas Salguero 2024-04-10 16:00:57 CEST

Blocks: (none) => 33087

Nicolas Salguero 2024-04-10 16:27:46 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=33087

Nicolas Salguero 2024-04-10 16:28:09 CEST

Blocks: 33087 => (none)
