Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

ALASTOMCAT8.5-2023-007

Related Vulnerabilities: CVE-2021-30640   CVE-2021-33037  

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640) Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. (CVE-2021-33037)

Source

ALASTOMCAT8.5-2023-007

Amazon Linux 2 Security Advisory: ALASTOMCAT8.5-2023-007
Advisory Release Date: 2023-08-21 20:58 Pacific
Advisory Updated Date: 2023-09-25 21:58 Pacific
Severity: Medium
Issue Overview:

A vulnerability in the JNDI Realm of Apache Tomcat allows an attacker to authenticate using variations of a valid user name and/or to bypass some of the protection provided by the LockOut Realm. This issue affects Apache Tomcat 10.0.0-M1 to 10.0.5; 9.0.0.M1 to 9.0.45; 8.5.0 to 8.5.65. (CVE-2021-30640)

Apache Tomcat 10.0.0-M1 to 10.0.6, 9.0.0.M1 to 9.0.46 and 8.5.0 to 8.5.66 did not correctly parse the HTTP transfer-encoding request header in some circumstances leading to the possibility to request smuggling when used with a reverse proxy. Specifically: - Tomcat incorrectly ignored the transfer encoding header if the client declared it would only accept an HTTP/1.0 response; - Tomcat honoured the identify encoding; and - Tomcat did not ensure that, if present, the chunked encoding was the final encoding. (CVE-2021-33037)


Affected Packages:

tomcat


Issue Correction:
Run yum update tomcat to update your system.

New Packages:
noarch:
    tomcat-8.5.69-1.amzn2.0.1.noarch
    tomcat-admin-webapps-8.5.69-1.amzn2.0.1.noarch
    tomcat-docs-webapp-8.5.69-1.amzn2.0.1.noarch
    tomcat-javadoc-8.5.69-1.amzn2.0.1.noarch
    tomcat-jsvc-8.5.69-1.amzn2.0.1.noarch
    tomcat-jsp-2.3-api-8.5.69-1.amzn2.0.1.noarch
    tomcat-lib-8.5.69-1.amzn2.0.1.noarch
    tomcat-servlet-3.1-api-8.5.69-1.amzn2.0.1.noarch
    tomcat-el-3.0-api-8.5.69-1.amzn2.0.1.noarch
    tomcat-webapps-8.5.69-1.amzn2.0.1.noarch

src:
    tomcat-8.5.69-1.amzn2.0.1.src

Additional References

Red Hat: CVE-2021-30640, CVE-2021-33037

Mitre: CVE-2021-30640, CVE-2021-33037

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started