Bug 33863 - tomcat new security issues CVE-2024-50379 and CVE-2024-54677
Summary: tomcat new security issues CVE-2024-50379 and CVE-2024-54677
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-12-18 15:57 CET by Nicolas Salguero
Modified: 2024-12-21 21:17 CET (History)
3 users

See Also:
Source RPM: tomcat-9.0.97-1.mga9.src.rpm
CVE: CVE-2024-50379, CVE-2024-54677
Status comment:


Attachments

Nicolas Salguero 2024-12-18 15:59:12 CET

Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-50379, CVE-2024-54677
Source RPM: (none) => tomcat-9.0.97-1.mga10.src.rpm, tomcat-9.0.97-1.mga9.src.rpm
Status comment: (none) => Fixed upstream in 9.0.98

Comment 1 Lewis Smith 2024-12-18 20:53:09 CET
Assigning this one globally.

Assignee: bugsquad => pkg-bugs

Comment 2 Nicolas Salguero 2024-12-19 14:55:29 CET
Suggested advisory:
========================

The updated packages fix security vulnerabilities:

RCE due to TOCTOU issue in JSP compilation. (CVE-2024-50379)

DoS in examples web application. (CVE-2024-54677)

References:
https://www.openwall.com/lists/oss-security/2024/12/17/4
https://www.openwall.com/lists/oss-security/2024/12/17/5
https://www.openwall.com/lists/oss-security/2024/12/17/6
========================

Updated packages in core/updates_testing:
========================
tomcat-9.0.98-1.mga9
tomcat-admin-webapps-9.0.98-1.mga9
tomcat-docs-webapp-9.0.98-1.mga9
tomcat-el-3.0-api-9.0.98-1.mga9
tomcat-jsp-2.3-api-9.0.98-1.mga9
tomcat-lib-9.0.98-1.mga9
tomcat-servlet-4.0-api-9.0.98-1.mga9
tomcat-webapps-9.0.98-1.mga9

from SRPM:
tomcat-9.0.98-1.mga9.src.rpm

Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)
Status: NEW => ASSIGNED
Status comment: Fixed upstream in 9.0.98 => (none)
Assignee: pkg-bugs => qa-bugs

katnatek 2024-12-20 21:17:59 CET

Source RPM: tomcat-9.0.97-1.mga10.src.rpm, tomcat-9.0.97-1.mga9.src.rpm => tomcat-9.0.97-1.mga9.src.rpm
Keywords: (none) => advisory

Comment 3 Herman Viaene 2024-12-21 14:57:55 CET
MGA9-64 Plasma Wayland on Compaq H000SB
No installation issues.
Ref bugs 5261 and 33781.
Added following lines to /etc/tomcat/tomcat-users.xml before the end line:
<role rolename="manager-gui"/>
<user name="tester9" password="tester" roles="manager-gui" />
Download http://tomcat.apache.org/tomcat-6.0-doc/appdev/sample/sample.war
and copy to /var/lib/tomcat/webapps.
Then take care of httpd and tomcat.service
# systemctl start httpd
[root@mach3 ~]# systemctl -l status httpd
● httpd.service - The Apache HTTP Server
     Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; preset: disabled)
     Active: active (running) since Sat 2024-12-21 14:47:02 CET; 12s ago
   Main PID: 14876 (/usr/sbin/httpd)
     Status: "Total requests: 0; Idle/Busy workers 100/0;Requests/sec: 0; Bytes served/sec:   0 B/sec"
      Tasks: 6 (limit: 8806)
     Memory: 22.7M
        CPU: 631ms
     CGroup: /system.slice/httpd.service
             ├─14876 /usr/sbin/httpd -DFOREGROUND
             ├─14878 /usr/sbin/httpd -DFOREGROUND
             ├─14879 /usr/sbin/httpd -DFOREGROUND
             ├─14880 /usr/sbin/httpd -DFOREGROUND
             ├─14881 /usr/sbin/httpd -DFOREGROUND
             └─14882 /usr/sbin/httpd -DFOREGROUND

Dec 21 14:47:00 mach3.hviaene.thuis systemd[1]: Starting httpd.service...
Dec 21 14:47:02 mach3.hviaene.thuis systemd[1]: Started httpd.service.
[root@mach3 ~]# systemctl restart tomcat.service
[root@mach3 ~]# systemctl -l status tomcat.service
● tomcat.service - Apache Tomcat Web Application Container
     Loaded: loaded (/usr/lib/systemd/system/tomcat.service; disabled; preset: disabled)
     Active: active (running) since Sat 2024-12-21 14:47:38 CET; 14s ago
   Main PID: 14925 (java)
      Tasks: 23 (limit: 8806)
     Memory: 136.6M
        CPU: 16.963s
     CGroup: /system.slice/tomcat.service
             └─14925 /usr/lib/jvm/jre/bin/java -Djavax.sql.DataSource.Factory=org.apache.commons.dbcp.BasicDa>

Dec 21 14:47:43 mach3.hviaene.thuis server[14925]: 21-Dec-2024 14:47:43.592 INFO [main] org.apache.catalina.s>
Dec 21 14:47:43 mach3.hviaene.thuis server[14925]: 21-Dec-2024 14:47:43.626 INFO [main] org.apache.catalina.c>
Dec 21 14:47:43 mach3.hviaene.thuis server[14925]: 21-Dec-2024 14:47:43.629 INFO [main] org.apache.catalina.c>
Dec 21 14:47:43 mach3.hviaene.thuis server[14925]: 21-Dec-2024 14:47:43.631 INFO [main] org.apache.catalina.c>
Dec 21 14:47:43 mach3.hviaene.thuis server[14925]: 21-Dec-2024 14:47:43.657 INFO [main] org.apache.catalina.c>
Dec 21 14:47:47 mach3.hviaene.thuis server[14925]: 21-Dec-2024 14:47:47.551 INFO [main] org.apache.coyote.Abs>
Dec 21 14:47:48 mach3.hviaene.thuis server[14925]: 21-Dec-2024 14:47:48.019 INFO [main] org.apache.catalina.s>
Dec 21 14:47:48 mach3.hviaene.thuis server[14925]: 21-Dec-2024 14:47:48.581 INFO [main] org.apache.catalina.c>
Dec 21 14:47:48 mach3.hviaene.thuis server[14925]: 21-Dec-2024 14:47:48.582 INFO [main] org.apache.catalina.c>
Dec 21 14:47:48 mach3.hviaene.thuis server[14925]: 21-Dec-2024 14:47:48.681 INFO [main] org.apache.catalina.s>

Then I could connect to http://localhost:8080 to exercise the manager app and http://localhost:8080/sample to display the samples.
OK for me

CC: (none) => herman.viaene
Whiteboard: (none) => MGA9-64-OK
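The two things worth confirming after applying this update are that the installed tomcat package is at or past 9.0.98 (the version the status comment names as carrying the upstream fixes) and which accounts in /etc/tomcat/tomcat-users.xml hold the manager-gui role, so a test entry like the one added above is not left behind on a production host. The script below is an added example, not part of this bug, the tester's procedure, or the tomcat package; it assumes the package is queried with rpm on a Mageia host and reads the users file from its stock path, and the sample XML is constructed to mirror the entry in comment 3.

```python
"""Post-update checks for the Tomcat advisory in this bug.

Added example; not from the Mageia bug report or the tomcat package.
Assumptions: rpm is available (Mageia host), tomcat-users.xml lives at
/etc/tomcat/tomcat-users.xml, and 9.0.98 is the first fixed release
(per the "Fixed upstream in 9.0.98" status comment).
"""
import subprocess
import xml.etree.ElementTree as ET

FIXED_VERSION = "9.0.98"  # from the bug's status comment


def version_tuple(version: str) -> tuple:
    """'9.0.98-1.mga9' -> (9, 0, 98). The RPM release after '-' is dropped;
    a non-numeric component compares as 0."""
    base = version.split("-", 1)[0]
    return tuple(int(p) if p.isdigit() else 0 for p in base.split("."))


def version_at_least(installed: str, required: str) -> bool:
    """Component-wise comparison, so 9.0.100 >= 9.0.98 holds (a plain string
    compare would get that wrong). Missing trailing components count as 0."""
    a, b = version_tuple(installed), version_tuple(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b


def tomcat_is_fixed(installed: str) -> bool:
    """True when the installed version-release is at or past the fixed release."""
    return version_at_least(installed, FIXED_VERSION)


def users_with_role(xml_text: str, role: str) -> list:
    """Return the user names granted ROLE in a tomcat-users.xml document.

    A real XML parser is used instead of grep so that the commented-out sample
    users shipped in the stock file are ignored and the namespaced root
    (xmlns="http://tomcat.apache.org/xml") is handled. Both the 'username'
    and the 'name' attribute are accepted, since the entry in this bug uses
    'name'. Roles are a comma-separated list, possibly with spaces."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        if elem.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = [r.strip() for r in elem.get("roles", "").split(",")]
        if role in roles:
            found.append(elem.get("username") or elem.get("name"))
    return found


# Constructed sample: the role and user added in comment 3, one extra user
# with a multi-role list, one without manager-gui, and a commented-out user
# of the kind found in the stock file (must not be reported).
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              version="1.0">
  <!--
  <user username="tomcat" password="changeme" roles="manager-gui,admin-gui"/>
  -->
  <role rolename="manager-gui"/>
  <user name="tester9" password="tester" roles="manager-gui" />
  <user username="ops" password="x" roles="manager-script, manager-gui"/>
  <user username="reader" password="y" roles="manager-status"/>
</tomcat-users>
"""


def installed_tomcat_version() -> str:
    """Ask rpm for the installed tomcat version-release (Mageia host assumed)."""
    out = subprocess.run(["rpm", "-q", "--qf", "%{VERSION}-%{RELEASE}", "tomcat"],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


if __name__ == "__main__":
    ver = installed_tomcat_version()
    state = "fixed" if tomcat_is_fixed(ver) else "NOT fixed, update needed"
    print(f"tomcat {ver}: {state}")
    with open("/etc/tomcat/tomcat-users.xml") as fh:
        print("manager-gui users:", users_with_role(fh.read(), "manager-gui"))
```

Run it as root on the updated host; on the sample document it reports tester9 and ops as manager-gui holders and leaves the commented-out tomcat user out, which is the reason for parsing the XML rather than grepping for "manager-gui".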

Comment 4 Thomas Andrews 2024-12-21 15:07:54 CET
Validating.

Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs

Comment 5 Mageia Robot 2024-12-21 21:17:33 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0394.html

Resolution: (none) => FIXED
Status: ASSIGNED => RESOLVED

